Login page recognizing gibberish as a 'successful match'

mosk
Forum Newbie
Posts: 9
Joined: Mon Jun 08, 2009 6:49 am

Post by mosk »

I'm working on my login page (I've temporarily gotten rid of most of the security features but will add them back later). The problem right now is that my login is registering as successful every time, even if I put in junk. My understanding of this code is it's supposed to take the userName a user enters through the form and compare it to the names already in my database. It's also supposed to take the password that was entered and convert it to a hashed 40 character password which will then be compared to the hashed password already stored in my database.

Would appreciate it if someone can tell me where I've messed up since random garbage is still counted as a successful match. Thanks. (code pasted below)

Code:

 
<?php require_once("includes/functions.php");?>
<?php require_once("includes/form_functions.php");?>
<?php require_once("includes/constants.php");?>
<?php require_once("includes/connection.php");?>
<?php 
    if(isset($_POST['submit']))
    {
        // $_POST keys are case-sensitive and must match the form field name="userName"
        $username = $_POST['userName'];
        $password = $_POST['password'];
        $hashedPassword = sha1($password);
    }       
    
    $query = "SELECT * ";
    $query .= "FROM users ";
    $query .= "WHERE userName = '{$username}' ";
    $query .= "AND hashedPassword = '{$hashedPassword}' ";
    
    $result=mysql_query($query);
    if($result){
        echo "<br/> successful match";
    }
    else 
    {
        echo "<br/> failed to match";
    }
?>
<?php require_once("includes/header.php");?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>LOGIN PAGE</title>
<link href="oneColElsCtr.css" rel="stylesheet" type="text/css" />
</head>
 
<body class="oneColElsCtr">
 
<div id="container">
  <div id="mainContent">
    <h1> LOGIN HERE </h1>
    
 
    
    <form action="login.php" method="post">
            userName: <input name="userName" value="<?php echo htmlentities($username);?>" type="text"/>    <br/> <br/>
            Password: <input name="password" type="password"  value="<?php echo htmlentities($password);?>" />  <br/> <br/>
            
            <input name="submit" type="submit" value="submit" />
        </form>
    <!-- end #mainContent --></div>
<!-- end #container --></div>
<?php require_once("includes/footer.php");?>
</body>
</html>
 
Robert07
Forum Contributor
Posts: 113
Joined: Tue Jun 17, 2008 1:41 pm

Re: Login page recognizing gibberish as a 'successful match'

Post by Robert07 »

When you are checking for if ($result), you are just checking that the query executed without errors. What you really need to check for is if a record was returned by the query. You can check if (mysql_num_rows($result)>0) after the if ($result) before you decide the login is valid.
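
Added example, not code from either poster: the difference between "the query ran" and "a row came back", shown on a constructed in-memory table. It assumes PHP 7.1+ with the pdo_sqlite extension, and it swaps the thread's mysql_* calls, string-built query and sha1() for PDO, a prepared statement and password_hash()/password_verify(); the function names and the sample account are hypothetical.

```php
<?php
// Constructed in-memory table standing in for the thread's `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userName TEXT PRIMARY KEY, hashedPassword TEXT)');

// Constructed sample account; password_hash() is used here instead of sha1().
$insert = $pdo->prepare('INSERT INTO users (userName, hashedPassword) VALUES (?, ?)');
$insert->execute(['mosk', password_hash('correct horse', PASSWORD_DEFAULT)]);

/** The mistake from the first post: "query executed" is taken as "user matched". */
function queryRanCheck(PDO $pdo, string $userName): bool
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE userName = ?');
    // execute() reports whether the statement ran, not whether it matched a row.
    return $stmt->execute([$userName]);
}

/** Succeeds only when a row exists for $userName and the password verifies. */
function checkLogin(PDO $pdo, string $userName, string $password): bool
{
    // The placeholder keeps user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT hashedPassword FROM users WHERE userName = ?');
    $stmt->execute([$userName]);

    // Test the fetched row itself; fetch() returns false when nothing matched.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // zero rows: unknown user
    }
    return password_verify($password, $row['hashedPassword']);
}

// Constructed attempts: valid login, wrong password, unknown user with junk input.
$attempts = [['mosk', 'correct horse'], ['mosk', 'wrong'], ['asdfgh', 'junk']];
foreach ($attempts as [$user, $pass]) {
    printf(
        "%-8s query-ran check: %-5s  row + verify check: %s\n",
        $user,
        var_export(queryRanCheck($pdo, $user), true),
        var_export(checkLogin($pdo, $user, $pass), true)
    );
}
```
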
mosk
Forum Newbie
Posts: 9
Joined: Mon Jun 08, 2009 6:49 am

Re: Login page recognizing gibberish as a 'successful match'

Post by mosk »

Hey robert07 - thanks for explaining that. Working great. Now on to the next step . . .