unable to login

nadeem14375
Forum Newbie
Posts: 23
Joined: Sat Oct 30, 2010 2:11 am


Post by nadeem14375 »

Dear all,

I am new to PHP. Here I want to develop a login page. What's wrong in the following page?

<?php
include ('/includes/dbConfig.php');
session_start();
// username and password sent from form
$email=$_POST['email'];
$password=md5($_POST['password']);

// To protect MySQL injection (more detail about MySQL injection)
$email = mysql_real_escape_string($email);
$password = mysql_real_escape_string($password);

$query="SELECT * FROM member_info WHERE email='$email' and password='$password'";

$result=mysql_query($query);

if (mysql_num_rows($result) != 1) {
//$error = "Bad Login";
echo "Bad Login";

}
else
{
header("location:index.php");
}
?>

Regards:
Muhammad Nadeem
GimbaL
Forum Newbie
Posts: 18
Joined: Thu Apr 16, 2009 3:28 am

Re: unable to login

Post by GimbaL »

What kind of error or problem do you get?
nadeem14375 wrote:
$password=md5($_POST['password']);

It's been pointed out before: it's good that you hash the password but NOT with md5 and NOT without salt. See password security rule #1 especially about hashing.

else
{
header("location:index.php");
}

How does this prevent anyone from not logging in and just going straight to index.php?
nadeem14375
Forum Newbie
Posts: 23
Joined: Sat Oct 30, 2010 2:11 am

Re: unable to login

Post by nadeem14375 »

Thanks dear,

1. I have inserted the password md5(). Can you suggest how do md5()?
2. By else { header("location:index.php"); } I want to redirect the user to index page and now he can select items from a list.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: unable to login

Post by Apollo »

nadeem14375 wrote:
1. I have inserted the password md5(). Can you suggest how do md5()?

Well, the idea is to NOT use md5.

As suggested by GimbaL's link above, instead of md5($password) you should do something like:

hash( 'sha512' , $password . "gI8sj25wq^yH86J#xvp/bMdZ2-ug!mrQiSB" . $member_id )

nadeem14375 wrote:
2. By else { header("location:index.php"); } I want to redirect the user to index page and now he can select items from a list.

Ok, but your code essentially does this:

if (password not correct)
{
 echo "Bad Login";
}
else
{
 redirect to index.php
}

So someone who doesn't know the password can still simply visit index.php himself and get access. Why do you have a login anyway?
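
An added example, not part of the original thread or any poster's code: one way to close both gaps raised above, the weak password hash and the unprotected index.php. It uses PHP's built-in password_hash()/password_verify() and PDO prepared statements in place of the md5/sha512 and mysql_* calls quoted in the posts; the password_hash column, attempt_login(), require_login(), login.php and the in-memory SQLite data are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The member_info table and email
// column follow the original post; the password_hash column, attempt_login(),
// require_login() and login.php are hypothetical names for this sketch.
declare(strict_types=1);

/** Verify credentials; on success bind the member to the session. */
function attempt_login(PDO $db, string $email, string $password): bool
{
    // Prepared statement: the e-mail is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM member_info WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() re-derives the hash from the salt and cost stored in it.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // new session id after login (fixation defence)
    }
    $_SESSION['member_id'] = (int) $row['id'];
    return true;
}

/** Call at the top of index.php and every other protected page. */
function require_login(): void
{
    if (empty($_SESSION['member_id'])) {
        header('Location: login.php');
        exit;   // stop here, otherwise the protected page would still render
    }
}

// Constructed demo data: in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member_info (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO member_info (email, password_hash) VALUES (?, ?)')
   ->execute(['user@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

$_SESSION = [];   // on a real page, call session_start() instead
var_dump(attempt_login($db, 'user@example.com', 'wrong'));
var_dump(attempt_login($db, 'user@example.com', 'correct horse'));
var_dump(isset($_SESSION['member_id']));
```

On a real site the login script calls session_start() and attempt_login(), and index.php begins with session_start() followed by require_login(), so a direct visit without a session is redirected before any content is sent.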