help please!
ok this is a customer login script where the user types in their name and password and then it directs them to a template page of their personal product. for some reason only the admin user (u:1/p:1) can log in and work but everyone else can't. the values in the mssql database do not seem to match and they're redirected to the login page. here is the script below. any help?
<?php
include("inc/config.php");

// Open the connection and select the database; the handle is $conn throughout.
$conn = mssql_connect($hostname, $user, $pass) or die('Error: MSSQL connection');
mssql_select_db($database, $conn) or die('Error: Database Selection');

// PASSWORD() is kept as posted; it is the comparison the replies below discuss.
$query = "SELECT * FROM clients WHERE clientid = '$clientid' AND password = PASSWORD('$password')";
$result = mssql_query($query, $conn);

if (mssql_num_rows($result) == 1)
{
    session_start();
    session_register("client_id");
    session_register("client_name");
    list($clientid, $name) = mssql_fetch_row($result);
    $client_id = $clientid;
    $client_name = $name;
    mssql_free_result($result);
    mssql_close($conn);
    header("Location: hollywood.php");
    exit; // stop after the redirect, as the failure branch already does
}
else
{
    mssql_free_result($result);
    mssql_close($conn);
    header("Location: relogin.php");
    exit;
}
?>
Re: plain text
duranike wrote: plain text
then why do you use mysql's password() function?
but there's a conflict between "plain text" and "password"
the password() function is used to crypt/hash a password.
see also: http://www.mysql.com/search/index.php?q=password
Just a bit down on this page, there is some info about password(): http://www.mysql.com/doc/en/Miscellaneo ... tions.html
So...
if ('Foo' == 'Foo') : True
if (password('Foo') == '7c786c222596437b') : True
if ('foo' == password($variable)) : <insert True or False here>, and take actions according to it...
Hope the message was sublime enough to be understandable...
Edit: Gah @ volka, up early are we?
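The replies above point at a mismatch between how the password is stored and how it is compared. As an added example (not code from the thread), here is a login check that only ever compares a hash with a hash and binds the form values as query parameters. It assumes PHP 7.1+ with PDO, uses an in-memory SQLite database as a stand-in for the MSSQL server, and the helper names and sample rows are constructed.

```php
<?php
// Added example with constructed data; in-memory SQLite via PDO stands in for MSSQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (clientid TEXT PRIMARY KEY, name TEXT, password TEXT)');

// Hypothetical helper: stores a salted hash, never the plain-text password.
function add_client(PDO $db, string $id, string $name, string $plain): void
{
    $stmt = $db->prepare('INSERT INTO clients (clientid, name, password) VALUES (?, ?, ?)');
    $stmt->execute([$id, $name, password_hash($plain, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: returns the client's name on success, null otherwise.
function check_login(PDO $db, string $id, string $plain): ?string
{
    if ($id === '' || $plain === '') {
        return null;                       // empty form fields never reach the database
    }
    // Bound parameter: the submitted id is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT name, password FROM clients WHERE clientid = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-hashes the submitted value with the stored salt, so a
    // hash is only ever compared with a hash. A plain-text column value is not a
    // valid hash and is rejected.
    if ($row === false || !password_verify($plain, $row['password'])) {
        return null;
    }
    return $row['name'];
}

add_client($db, '1', 'Admin', 'constructed-admin-pw');
add_client($db, "o'neil", 'Example Client', 'constructed-user-pw');
// Legacy-style row: the password column holds plain text, as in the thread.
$db->prepare('INSERT INTO clients VALUES (?, ?, ?)')->execute(['3', 'Legacy Client', 'plain-pw']);

$cases = [
    ["o'neil", 'constructed-user-pw'],  // correct credentials, apostrophe in the id
    ["o'neil", 'wrong-pw'],             // wrong password
    ['3', 'plain-pw'],                  // plain-text row checked against a hash comparison
    ['', ''],                           // empty form
];
foreach ($cases as [$id, $pw]) {
    $name = check_login($db, $id, $pw);
    printf("%-8s => %s\n", $id, $name === null ? 'rejected' : "ok: $name");
}
```

Rows that still hold plain text fail this check until they are saved again through add_client(), which is the same stored-versus-compared mismatch the replies describe.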
we traced the problem to the login.php script. what's wrong with this? we are getting an error at 'You must fill in your username and serial'. could it possibly be a problem with the form or is it a problem with the script itself?
<?php
include("inc/config.php");

// Both form fields must be present before the database is touched.
if (!$username || !$serial)
{
    echo 'You must fill in your username and serial number.';
    exit;
}
else
{
    $conn = mssql_connect($host, $dbusername, $dbpass) or die('Error: MSSQL connection');
    mssql_select_db($dbname) or die('Error: Database Selection');
    $query = "SELECT * FROM support_101 where alias = '$username' AND serial = '$serial' ";
    $result = mssql_query($query) or die('Error: Query');
    $num_rows = mssql_num_rows($result);
    if ($num_rows > 0)
    {
        mssql_close($conn);
        header ('Location: http://www.go-l.com/support/products/hollywood.php');
        exit; // stop here so nothing below runs after the redirect
    }
    else
    {
        echo 'Your username and/or serial number do not match our records.<br />Please try again.';
        exit;
    }
}
// Not reached: every branch above exits. $ALIAS and $connection are never set in this script.
$sql = "SELECT ALIAS FROM support_101 WHERE ALIAS='$ALIAS'";
$sql_result = mssql_query($sql, $connection)
or die ("Couldn't execute query.");
?>