  1. #1
    New to the CF scene
    Join Date
    May 2004
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    problems validating user....

    I am fairly new to PHP and I have a problem. When I log in, it redirects me to the desired page, but when the password is incorrect, it still redirects to the same page.

    PHP Code:
    <?
    session_start();

    $user = $_POST["username"];
    $pass = md5($_POST["password"]);

    $host = "localhost";
    $dbuser = "rsf_dredd";
    $dbase = "rsfdredd_uk_db";

    mysql_connect($host,$dbuser);
    mysql_select_db($dbase);
    $sql = mysql_query("SELECT * FROM cms WHERE user=$user and password=$pass");

    $num = mysql_num_rows($sql);
    if ($num = 1) {
        header("Location:admin_index.php");
    } else {
        $_SESSION["error"] = "<font color=red>Wrong username or passowrd. Try again.</font>";
        header("Location:admin.php");
    }
    ?>
    Last edited by mrgeoff; 05-14-2004 at 05:01 PM.

  2. #2
    Mega-ultimate member
    Join Date
    Jun 2002
    Location
    Winona, MN - The land of 10,000 lakes
    Posts
    1,855
    Thanks
    1
    Thanked 45 Times in 42 Posts
    PHP Code:
    if($num = 1)
    will always return true.

    I think you want

    PHP Code:
    if($num == 1)

  3. #3
    New to the CF scene
    I tried that and it won't let me login with the correct user name and password... it seems to keep jumping to the else statement

  4. #4
    Mega-ultimate member
    Well, you're using md5 to encrypt your password, then accessing a plain text password in the database.

    Are your passwords in the DB stored as text, using the PASSWORD('field') command, or a result of encryption using md5?

  5. #5
    New to the CF scene
    I figured it out... I needed the single quotes over the variables within the query and the == ... thanks for your help. Yes, I'm using md5 to encrypt. It's just a result of the encryption, then the string is inserted into the db directly... is there a better/more secure way of doing it?

  6. #6
    Mega-ultimate member
    md5 is a pretty good method for an average system. You should probably be more concerned about someone grabbing the posted form data over http vs. https than someone breaking md5 encryption.
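
Added example, not part of the thread and not any poster's code: the check from post #1 rewritten with a bound-parameter query and `password_hash()`/`password_verify()`, upgrading existing `md5()` rows on the next successful login. It assumes PDO with the SQLite driver and an in-memory table so it runs stand-alone; the table and column names follow post #1, while the `check_login` helper and the sample account are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Table/column names (cms, user, password) follow post #1;
// check_login(), the SQLite in-memory database and the account are constructed.

function check_login(PDO $db, string $user, string $pass): bool
{
    // The value is bound, never pasted into the SQL text, so a missing or
    // stray quote in $user cannot change the query (the bug in post #1).
    $stmt = $db->prepare('SELECT password FROM cms WHERE user = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }

    // Legacy row: exactly 32 hex characters is an unsalted md5() value.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($pass))) {
            return false;
        }
        // Password was correct: replace the MD5 value with a salted,
        // deliberately slow hash so the weak value does not stay on disk.
        $upd = $db->prepare('UPDATE cms SET password = ? WHERE user = ?');
        $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $user]);
        return true;
    }

    // Upgraded row: password_verify() reads the salt and cost from the hash.
    return password_verify($pass, $stored);
}

// Constructed demo data: one account still stored the way post #5 describes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cms (user TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO cms VALUES (?, ?)')->execute(['demo', md5('s3cret')]);

var_dump(check_login($db, 'demo', 'wrong'));    // wrong password
var_dump(check_login($db, "o'brien", 'x'));     // apostrophe is plain data here
var_dump(check_login($db, 'demo', 's3cret'));   // legacy md5 row, upgraded
var_dump(check_login($db, 'demo', 's3cret'));   // now checked by password_verify
```

On a successful result the caller would set the session and send the `Location:` header as in post #1, then call `exit` so the rest of the script does not run.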


 
