Login page recognizing gibberish as a 'successful match'
Posted: Fri Sep 04, 2009 11:01 pm
I'm working on my login page (I've temporarily gotten rid of most of the security features but will add them back later). The problem right now is that my login is registering as successful every time, even if I put in junk. My understanding of this code is it's supposed to take the userName a user enters through the form and compare it to the names already in my database. It's also supposed to take the password that was entered and convert it to a hashed 40 character password which will then be compared to the hashed password already stored in my database.
Would appreciate it if someone can tell me where I've messed up since random garbage is still counted as a successful match. Thanks. (code pasted below)
Would appreciate it if someone can tell me where I've messed up since random garbage is still counted as a successful match. Thanks. (code pasted below)
Code: Select all
<?php require_once("includes/functions.php");?>
<?php require_once("includes/form_functions.php");?>
<?php require_once("includes/constants.php");?>
<?php require_once("includes/connection.php");?>
<?php
if(isset($_POST['submit']))
{
$username = $_POST['username'];
$password = $_POST['password'];
$hashedPassword = sha1($password);
}
$query = "SELECT * ";
$query .= "FROM users ";
$query .= "WHERE userName = '{$username}' ";
$query .= "AND hashedPassword = '{$hashedPassword}' ";
$result=mysql_query($query);
if($result){
echo "<br/> successful match";
}
else
{
echo "<br/> failed to match";
}
?>
<?php require_once("includes/header.php");?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>LOGIN PAGE</title>
<link href="oneColElsCtr.css" rel="stylesheet" type="text/css" />
</head>
<body class="oneColElsCtr">
<div id="container">
<div id="mainContent">
<h1> LOGIN HERE </h1>
<form action="login.php" method="post">
userName: <input name="userName" value="<?php echo htmlentities($username);?>" type="text"/> <br/> <br/>
Password: <input name="password" type="password" value="<?php echo htmlentities($password);?>" /> <br/> <br/>
<input name="submit" type="submit" value="submit" />
</form>
<!-- end #mainContent --></div>
<!-- end #container --></div>
<?php require_once("includes/footer.php");?>
</body>
</html>