hi friends,,,,
now i am doing a simple login program with database application,,,here is my code--->
<html>
<body>
<div style='position:absolute;top:150px;left:780px'>
<table border='0'>
<form method=post action="<?php echo $_SERVER['PHP_SELF']; ?>">
<tr>
<td>User Name:<input type=text name=uname>
</tr>
<tr>
<td>Password: <input type=password name=pwd>
</tr>
<tr>
<td>
<center><input type=submit name=sub value=submit></center>
</td>
</tr>
</form>
</div>
</body>
</html>
<?php
if(isset($_POST['sub']))
{
$uname=$_POST['uname'];
$pwd=$_POST['pwd'];
$con=mysql_connect("localhost","root","");
mysql_select_db("my_db",$con);
$result=mysql_query("select * from logi where uname='$uname' and pwd='$pwd' ");
if($result)
{
echo "login sucess";
}
else
{
echo "loggin error";
}
}
?>
But it is not working ,,,if i gave anything as uname ,pwd it would show login success ,,,wat is the problem here,,,,,,,,,
login
Moderator: General Moderators
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: login
The code below will work even if you enter two non-existant values because to check for $result means to check if the query has been completed successfully and NOT if a match has been found.
To check for a match, use mysql_num_rows() or COUNT()
Lastly, you should use mysql_real_escape_string() for any input received from a user and hash your login details.
Code: Select all
<?php $result=mysql_query("select * from logi where uname='$uname' and pwd='$pwd' "); ?>Code: Select all
<?php
// other code
if ($result) {
// if the query is correct, look for matches
$row = mysql_num_rows($result);
//
if ($row != 1) {
// invalid login details
}
else {
// valid username + password
echo 'Success login';
}
}
else {
// at this point there was a problem with the query
}
?>“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- DigitalMind
- Forum Contributor
- Posts: 152
- Joined: Mon Sep 27, 2010 2:27 am
- Location: Ukraine, Kharkov
Re: login
That's suppose to prevent an SQL injection.social_experiment wrote:Lastly, you should use mysql_real_escape_string() for any input received from a user and hash your login details.
Try to enter something like " ' or 1=1 " as a user name.
- DigitalMind
- Forum Contributor
- Posts: 152
- Joined: Mon Sep 27, 2010 2:27 am
- Location: Ukraine, Kharkov
Re: login
I would probably use "select 1 from logi where uname='...' and pwd='...' limit 1", but it depends on goals.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: login
If the registration process is set up correctly "LIMIT 1" would be moot because this would prevent usernames from being similar so (in theory) there will never be 2 similar usernames.DigitalMind wrote:I would probably use "select 1 from logi where uname='...' and pwd='...' limit 1", but it depends on goals.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- DigitalMind
- Forum Contributor
- Posts: 152
- Joined: Mon Sep 27, 2010 2:27 am
- Location: Ukraine, Kharkov
Re: login
I know but as you said above:
social_experiment wrote:If the registration process is set up correctly...
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: login
And if it isn't the application won't be worth much use anyway regardless of the query.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering