what is wrong with this code

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
umang40
Forum Newbie
Posts: 8
Joined: Wed May 20, 2009 7:31 am

what is wrong with this code

Post by umang40 »

//login is successfully made with wrong username and password.

<?php
$con=mysql_connect("localhost","root","");
if(!$con)
{
die("could not connect".mysql_error());

}
mysql_select_db("db1",$con);
$uname=$_POST['FirstName'];
$pwd=$_POST['passwordd'];
$sql="select username,password from register where username='$uname' and password='$pwd' ";
$result=mysql_query($sql);
if(!$result)
{
echo "invalid username or password";
}
else
{
echo "go";
}
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: what is wrong with this code

Post by mattpointblank »

if(!$result) won't give you the answer you expect - $result is 'true' in the sense that it has returned something (in this case, 0 rows), so your code evaluates to true. Try this:

if(mysql_num_rows($result) > 0)

This counts the number of results the query returned, rather than the success of the query itself.
User avatar
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Re: what is wrong with this code

Post by Chalks »

also, good lord. Please, please, PLEASE don't insert raw POST data into a query. Don't store plaintext passwords (hash them!).

read this: http://en.wikipedia.org/wiki/SQL_injection
and this: http://blog.moertel.com/articles/2006/1 ... a-database

now use the following to (at least partially) combat both of those issues:
mysql_real_escape_string - for basic escaping
hash("sha256", $password) - for hashing passwords

then read this for more general security information: http://forums.devshed.com/php-developme ... ge=1&pp=15 (specifically #4)
Post Reply