
unable to login

Posted: Wed Jun 22, 2011 5:21 am
by nadeem14375
Dear all,

I am new to PHP. Here I want to develop a login page. What's wrong in the following page?

<?php
include ('/includes/dbConfig.php');
session_start();
// username and password sent from form
$email=$_POST['email'];
$password=md5($_POST['password']);

// To protect MySQL injection (more detail about MySQL injection)
$email = mysql_real_escape_string($email);
$password = mysql_real_escape_string($password);

$query="SELECT * FROM member_info WHERE email='$email' and password='$password'";

$result=mysql_query($query);

// exactly one matching row means the credentials were accepted
if (mysql_num_rows($result) != 1) {
//$error = "Bad Login";
echo "Bad Login";

}
else
{
header("location:index.php");
exit; // stop here; header() by itself does not end the script
}
?>

Regards:
Muhammad Nadeem

Re: unable to login

Posted: Wed Jun 22, 2011 6:20 am
by GimbaL
What kind of error or problem do you get?
nadeem14375 wrote:
$password=md5($_POST['password']);
It's been pointed out before: it's good that you hash the password but NOT with md5 and NOT without salt. See password security rule #1 especially about hashing.
else
{
header("location:index.php");
}
How does this prevent anyone from not logging in and just going straight to index.php?

Re: unable to login

Posted: Wed Jun 22, 2011 7:37 am
by nadeem14375
Thanks dear,

1. I have inserted the password with md5(). Can you suggest how to do md5()?
2. By else { header("location:index.php"); } I want to redirect the user to the index page, and now he can select items from a list.

Re: unable to login

Posted: Wed Jun 22, 2011 8:46 am
by Apollo
nadeem14375 wrote:
1. I have inserted the password with md5(). Can you suggest how to do md5()?
Well, the idea is to NOT use md5.

As suggested by GimbaL's link above, instead of md5($password) you should do something like:


hash( 'sha512' , $password . "gI8sj25wq^yH86J#xvp/bMdZ2-ug!mrQiSB" . $member_id )
nadeem14375 wrote:
2. By else { header("location:index.php"); } I want to redirect the user to the index page, and now he can select items from a list.
Ok, but your code essentially does this:


if (password not correct)
{
 echo "Bad Login";
}
else
{
 redirect to index.php
}
So someone who doesn't know the password, can still simply visit index.php himself, and get access. Why do you have a login anyway?
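Both objections raised in this thread (md5 without a salt, and a redirect that nothing on index.php ever checks) can be addressed together. The following is an added example and not code from any poster; it assumes a mysqli connection named $db provided by includes/dbConfig.php and a member_info table with columns member_id, email and password_hash. It goes beyond Apollo's sha512-plus-salt suggestion by using PHP's password_hash()/password_verify() (PHP 5.5 or later), which generate and store a random per-user salt and use a deliberately slow algorithm, and it swaps mysql_real_escape_string() for prepared statements.

```php
<?php
// Added example, not from the original thread.
// Assumptions: $db is a mysqli connection from includes/dbConfig.php;
// table member_info has columns member_id, email, password_hash.

// At registration (or password change): store a salted, slow hash, not md5.
function store_password(mysqli $db, string $email, string $password): bool
{
    // password_hash() picks a random salt per user and embeds it in the
    // returned string, so nothing extra has to be stored or kept secret.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE member_info SET password_hash = ? WHERE email = ?');
    $stmt->bind_param('ss', $hash, $email);
    return $stmt->execute();
}

// login.php: verify the submitted password and, on success, record the
// login in the session. Returns true only when the credentials match.
function login(mysqli $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT member_id, password_hash FROM member_info WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if ($row === null) {
        // Unknown email: still run a verify so the response time does not
        // reveal which addresses are registered (dummy hash is an assumption).
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);              // defeat session fixation
    $_SESSION['member_id'] = (int) $row['member_id'];
    return true;
}

// Top of index.php and every other protected page: this is what actually
// keeps an unauthenticated visitor out; the redirect in login.php alone does not.
function require_login(): int
{
    if (empty($_SESSION['member_id'])) {
        header('Location: login.php');
        exit;   // header() does not stop the script; without exit the page body is still sent
    }
    return (int) $_SESSION['member_id'];
}

// Usage in login.php (session_start() must run before any output):
require __DIR__ . '/includes/dbConfig.php';   // assumed to define $db
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($db, $_POST['email'] ?? '', $_POST['password'] ?? '')) {
        header('Location: index.php');
        exit;
    }
    echo 'Bad Login';
}
```

The login result is stored in $_SESSION rather than only expressed as a redirect, so index.php can call require_login() and turn away anyone who simply types its URL. Existing md5 values in the database cannot be converted to the new format; users have to set a new password, or the application can re-hash on their next successful login.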