Page 1 of 1

Login...

Posted: Fri Jul 16, 2010 4:27 pm
by ManiZach
Hi there! ;p

this is my first post here! :drunk: This is my second day of trying out PHP, and so far I love it.
Though, I did not like playing around with the databases this early... *Shivers from all the errors*

Ok, so I made a php script that registers you and converts the password into md5. THat wasn't a probleme at all... but the login part... now that was something different!

Code: Select all

<?php 
   $username = str_replace("'","''",$_GET["un"]);
   $password = md5($_GET["pw"]);
$host="X";
$un="X";
$pw="X";
$con = mysql_connect($host,$un,$pw);
if(!$con) {
	die("Could not connect!" . mysql_error());
}
mysql_select_db("Users",$con);
$pw = md5($_GET['pw']);
$r1 = mysql_query("SELECT * FROM Users WHERE un = '$_GET[un]'");
$r2 = mysql_query("SELECT * FROM Users WHERE pw = '$password'");

if(mysql_fetch_array($r1) && mysql_fetch_array($r2)) {
	echo("Correct login!");
}
if(!mysql_fetch_array($r1)) {
    echo("Incorrect login!");
}
elseif(!mysql_fetch_array($r2)) {
	echo("Incorrect password!");
}
?>
That's the code. You'll have to excuse me if it's NOT correct at all xD. Also, I did some reading about md5 encoding... It says it's impossible to decode, how on earth would it know what encrypted password is correct? :s

Thanks.

Sincerely,

Zach.

Re: Login...

Posted: Fri Jul 16, 2010 4:37 pm
by liljester
its not correct at all :) atleast the part that checks the database. your 2 queries just check to see if there is someone with a user of $_GET['un'] and then it checks to see if someone has the password of $pw.. it doesnt check to see if its the same user.

try this: select * from users where username = '{$_GET['un']}' and password = '{$pw}';

also, to make sure you have a valid user check the number of rows returned from that query with mysql_num_rows(), if it returns a row, you have a good user then continue to process the login by creating sessions and such.

Re: Login...

Posted: Sun Jul 18, 2010 5:54 pm
by ManiZach
hi again! Due to some light headache, I could not continue with this with this educational project.

My question is, any reason why this wont work?

Code: Select all

mysql_select_db($un,$con);
$result = mysql_query("SELECT * FROM Users WHERE un='$_GET[un]' AND pw='{$pass}'");
	if (mysql_num_rows($result) > 0) {
		while($row = mysql_fetch_array($result)) {
		echo("You're logged in!");
		}
		}
	else {
		echo("Failed login!?");
	}
?>
Where as $pass = md5($_GET["pw"]);

Now... this script works GREAT if you don't take the password into account, and only check for the username. I get a big smily text, "You're logged in". Sadly, the same message doesn't do the same, when taking password into account. EVEN when I registered like this: 2 - 2 - 2@2.com

This is how the un = username, pw = password, and email = well.. it kinda speaks for itself :p

Thanks. ;p

Edit: The while loop is supposed to be before if/else... I just tried to switch it around to see if anything happened xD