does this code make sense?

Posted: Mon Aug 16, 2004 6:16 pm
by grudz
Hi,

I basically have a page where users log in. And I would just like to know if how I did it is OK, or if there is a flaw.

this is in my head

Code:

<?php
ob_start();
session_start();
// read the submitted credentials from the login form
$username = $_POST['username'];
$password = $_POST['password'];
$_SESSION['username'] = $username; // stored before the password has been checked
?>
<?php require_once('Connections/marketbr.php'); ?>
<?php
// hash the submitted password the same way it was hashed at signup (md5 applied twice)
// so it can be compared with the value stored in the database
$md5 = md5(md5($password));

mysql_select_db($database_marketbr, $marketbr);
// $username is placed into the query string as-is, without any escaping
$query_Login = "SELECT * FROM signup WHERE username = '$username' AND password = '$md5'";
$Login = mysql_query($query_Login, $marketbr) or die(mysql_error());
$row_Login = mysql_fetch_assoc($Login);
$totalRows_Login = mysql_num_rows($Login);
?>
and this is in my body

Code:

<?php
// show the members-only content if the query matched at least one row, otherwise send the user to the error page
if ($totalRows_Login >= 1) {
    print 'show restricted information';
} else {
    header('Location: error.php?login=No Login');
}
?>

Posted: Mon Aug 16, 2004 6:27 pm
by feyd
Jumping in and out of PHP like that without needing to can create problems, or maintenance issues. You should probably run an escape routine over the username. If the query returns more than 1 row, then you have a hacking attempt or you have some duplicate users, either of which you shouldn't allow.

header Location: although it isn't required by a lot of browsers, some older ones will require a full URL in it.

Posted: Mon Aug 16, 2004 7:25 pm
by grudz
But is my if ($totalRows_Login >= 1) OK for what I'm trying to do (a members area)? I honestly never saw that type of code, but it looks good to me, and it's pretty simple. However, there could be a flaw that I'm overlooking.

"You should probably run an escape routine over the username"
I don't understand that... an escape routine?
Something to make sure the proper username was put in?

Posted: Mon Aug 16, 2004 8:09 pm
by feyd
I was suggesting something like addslashes.
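The points feyd raises in both replies (escaping the username before it reaches the query, rejecting a result of more than one row, sending an absolute URL in the Location header, and not hopping in and out of PHP mode) can all be seen together in the following login check. This is an added example written for this thread, not grudz's code and not a suggestion from feyd. It assumes that Connections/marketbr.php defines $marketbr as a mysqli connection, that the table is still named signup with username and password columns, that the password column holds md5(md5($password)) as in the thread, and that SITE_URL is a placeholder for the real site address. It binds the username as a query parameter rather than calling addslashes(), which is what modern PHP database drivers provide for the same purpose.

```php
<?php
// Added example, not the original poster's code. Assumptions: $marketbr is a mysqli
// connection, table `signup` has `username` and `password` columns, `password`
// holds md5(md5(...)) as in the thread, SITE_URL is a placeholder.
session_start();

require_once 'Connections/marketbr.php'; // assumed to define $marketbr (mysqli)

const SITE_URL = 'http://www.example.com'; // placeholder: Location should carry an absolute URL

function findUser(mysqli $db, string $username): ?array
{
    // A prepared statement sends the username as data, so quotes or SQL keywords
    // inside it cannot alter the query. This is the "escape routine" feyd asks for,
    // handled by the driver instead of by addslashes().
    $stmt = $db->prepare('SELECT username, password FROM signup WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $result = $stmt->get_result();

    // Exactly one row is the only acceptable outcome: zero means an unknown user,
    // more than one means duplicate accounts, which feyd says should not be allowed.
    if ($result->num_rows !== 1) {
        return null;
    }
    return $result->fetch_assoc();
}

function passwordMatches(string $storedHash, string $candidate): bool
{
    // The thread stores md5(md5(password)); kept here only to match that column.
    // hash_equals() compares without leaking timing. A new deployment should store
    // password_hash() output and check it with password_verify() instead.
    return hash_equals($storedHash, md5(md5($candidate)));
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$user = findUser($marketbr, $username);
if ($user !== null && passwordMatches($user['password'], $password)) {
    session_regenerate_id(true);               // fresh session id once logged in
    $_SESSION['username'] = $user['username']; // set only after the check succeeds
    echo 'show restricted information';
} else {
    header('Location: ' . SITE_URL . '/error.php?login=' . urlencode('No Login'));
    exit; // stop the script so nothing below the redirect is sent
}
```

The session username is written only after the credentials have been verified, and the script exits after the redirect so the restricted markup is never emitted to a client that merely ignores the Location header.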