
problems validating user....



mrgeoff
05-14-2004, 02:48 PM
I am fairly new to PHP and I have a problem :D . When I log in, it redirects me to the desired page, but when the password is incorrect, it still redirects to the same page.



<?
session_start();

$user = $_POST["username"];
$pass = md5($_POST["password"]);

$host = "localhost";
$dbuser = "rsf_dredd";
$dbase = "rsfdredd_uk_db";

mysql_connect($host,$dbuser);
mysql_select_db($dbase);
$sql = mysql_query("SELECT * FROM cms WHERE user=$user and password=$pass");

$num = mysql_num_rows($sql);
if ($num = 1) {
header("Location:admin_index.php");
} else {
$_SESSION["error"] = "<font color=red>Wrong username or password. Try again.</font>";
header("Location:admin.php");
}
?>

bcarl314
05-14-2004, 04:24 PM
if($num = 1)

will always return true.

I think you want



if($num == 1)

mrgeoff
05-14-2004, 04:58 PM
I tried that and it won't let me login with the correct user name and password... it seems to keep jumping to the else statement

bcarl314
05-14-2004, 05:14 PM
Well, you're using md5 to encrypt your password, then accessing a plain text password in the database.

Are your passwords in the DB stored as text, using the PASSWORD('field') command, or a result of encryption using md5?

mrgeoff
05-14-2004, 05:19 PM
I figured it out... I needed the single quotes over the variables within the query and the == ... thanks for your help. Yes, I'm using md5 to encrypt. It's just a result of the encryption then the string is inserted into the db directly... is there a better/more secure way of doing it?

bcarl314
05-14-2004, 05:43 PM
md5 is a pretty good method for an average system. You should probably be more concerned about someone grabbing the posted form data over http vs. https than someone breaking md5 encryption.
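
Added example, not part of the original thread or written by its participants: the login check from the first post, rewritten with a bound query parameter instead of variables placed inside the SQL string, a strict comparison, and `password_hash()`/`password_verify()` in place of `md5()`. It assumes PHP 7+ with the pdo_sqlite extension; the in-memory database, the `check_login()` helper and the sample accounts are constructed for the demonstration, while the table and column names follow the original post.

```php
<?php
// Added example (not from the thread). The database, the sample account and
// the check_login() helper are constructed for this demonstration.

function check_login(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: the username is sent as data, never spliced into the
    // SQL text, so quote characters in the input cannot change the query.
    $stmt = $db->prepare('SELECT password FROM cms WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched. This is a strict
    // comparison, unlike `if ($num = 1)`, which assigns and is always true.
    if ($hash === false) {
        return false;
    }
    // Re-derives the salted hash from $pass and compares it to the stored one.
    return password_verify($pass, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cms (user TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store a salted, deliberately slow hash rather than md5($password).
$ins = $db->prepare('INSERT INTO cms (user, password) VALUES (:user, :hash)');
$ins->execute([
    ':user' => 'admin',
    ':hash' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

$attempts = [
    ['admin', 'correct horse'],   // valid credentials
    ['admin', 'wrong'],           // wrong password
    ['nobody', 'correct horse'],  // unknown user
    ["o'brien", 'x'],             // a quote in the name is handled as data
];
foreach ($attempts as [$u, $p]) {
    printf("%-10s %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}
```

In the actual login script, call `exit` right after each `header("Location: ...")`, because the redirect header alone does not stop the rest of the script from running.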


