Page 1 of 1

login

Posted: Fri Dec 31, 2010 12:49 am
by madu
hi friends,,,,
now i am doing a simple login program with database application,,,here is my code--->

<html>
<body>
<div style='position:absolute;top:150px;left:780px'>
<table border='0'>
<form method=post action="<?php echo $_SERVER['PHP_SELF']; ?>">
<tr>
<td>User Name:<input type=text name=uname>
</tr>
<tr>
<td>Password: &nbsp; <input type=password name=pwd>
</tr>
<tr>
<td>
<center><input type=submit name=sub value=submit></center>
</td>
</tr>
</form>
</div>
</body>
</html>

<?php

if(isset($_POST['sub']))
{
$uname=$_POST['uname'];
$pwd=$_POST['pwd'];
$con=mysql_connect("localhost","root","");
mysql_select_db("my_db",$con);
$result=mysql_query("select * from logi where uname='$uname' and pwd='$pwd' ");
if($result)
{
echo "login sucess";
}
else
{
echo "loggin error";
}
}
?>


But it is not working ,,,if i gave anything as uname ,pwd it would show login success ,,,wat is the problem here,,,,,,,,,

Re: login

Posted: Fri Dec 31, 2010 1:55 am
by social_experiment
The code below will work even if you enter two non-existant values because to check for $result means to check if the query has been completed successfully and NOT if a match has been found.

Code: Select all

<?php $result=mysql_query("select * from logi where uname='$uname' and pwd='$pwd' "); ?>
To check for a match, use mysql_num_rows() or COUNT()

Code: Select all

<?php
 // other code
 if ($result) {
 // if the query is correct, look for matches
 $row = mysql_num_rows($result);
 //
 if ($row != 1) { 
 // invalid login details
 }
 else {
 // valid username + password 
 echo 'Success login';
 }
 }
 else {
 // at this point there was a problem with the query
 }
?>
Lastly, you should use mysql_real_escape_string() for any input received from a user and hash your login details.

Re: login

Posted: Fri Dec 31, 2010 6:00 pm
by DigitalMind
social_experiment wrote:Lastly, you should use mysql_real_escape_string() for any input received from a user and hash your login details.
That's suppose to prevent an SQL injection.
Try to enter something like " ' or 1=1 " as a user name.

Re: login

Posted: Sat Jan 01, 2011 6:10 am
by DigitalMind
I would probably use "select 1 from logi where uname='...' and pwd='...' limit 1", but it depends on goals.

Re: login

Posted: Sat Jan 01, 2011 7:48 am
by social_experiment
DigitalMind wrote:I would probably use "select 1 from logi where uname='...' and pwd='...' limit 1", but it depends on goals.
If the registration process is set up correctly "LIMIT 1" would be moot because this would prevent usernames from being similar so (in theory) there will never be 2 similar usernames.

Re: login

Posted: Sun Jan 02, 2011 12:12 pm
by DigitalMind
I know but as you said above:
social_experiment wrote:If the registration process is set up correctly...

Re: login

Posted: Sun Jan 02, 2011 3:41 pm
by social_experiment
And if it isn't the application won't be worth much use anyway regardless of the query.