problems validating user....

[mrgeoff]

I am fairly new to PHP and i have a problem . When I login, it redirects me to the desired page. but when the password is incorrect, it still redirects to the same page.

PHP Code:

<?
session_start();

$user = $_POST["username"];
$pass = md5($_POST["password"]);

$host = "localhost";
$dbuser = "rsf_dredd";
$dbase = "rsfdredd_uk_db";

mysql_connect($host,$dbuser);
mysql_select_db($dbase);
$sql = mysql_query("SELECT * FROM cms WHERE user=$user and password=$pass");

$num = mysql_num_rows($sql);
if ($num = 1) {
     header("Location:admin_index.php");
} else {
     $_SESSION["error"] = "<font color=red>Wrong username or passowrd. Try again.</font>";
     header("Location:admin.php");
}
?>

[bcarl314]

PHP Code:

if($num = 1) 


will always returns true.

I think you want

PHP Code:

if($num == 1) 


[mrgeoff]

I tried that and it won't let me login with the correct user name and password... it seems to keep jumping to the else statement

[bcarl314]

Well, you're using md5 to encrypt your password, then accessing a plain text password in the database.

Are your passwords in the DB stored as text, using the PASSWORD('field') command, or a result of encryption using md5?

[mrgeoff]

I figured it out... i needed the single quotes over the variables within the query and the == ... thanx 4 your help. Yes, I'm using md5 to encrypt. It's just a result of the encryption then the string is inserted into the db directly... is there a better/more secure way of doing it?

[bcarl314]

md5 is a pretty good method for an average system. You should probably be more concerned about someone grabbing the posted form data over http vs. https than someone breaking md5 encryption.