  1. #1
    New to the CF scene
    Join Date
    May 2004
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    problems validating user....

    I am fairly new to PHP and I have a problem. When I log in, it redirects me to the desired page, but when the password is incorrect, it still redirects to the same page.

    PHP Code:
    <?
    session_start();

    $user = $_POST["username"];
    $pass = md5($_POST["password"]);

    $host = "localhost";
    $dbuser = "rsf_dredd";
    $dbase = "rsfdredd_uk_db";

    mysql_connect($host,$dbuser);
    mysql_select_db($dbase);
    $sql = mysql_query("SELECT * FROM cms WHERE user=$user and password=$pass");

    $num = mysql_num_rows($sql);
    if ($num = 1) {
        header("Location:admin_index.php");
    } else {
        $_SESSION["error"] = "<font color=red>Wrong username or passowrd. Try again.</font>";
        header("Location:admin.php");
    }
    ?>
    Last edited by mrgeoff; 05-14-2004 at 05:01 PM.

  • #2
    Mega-ultimate member
    Join Date
    Jun 2002
    Location
    Winona, MN - The land of 10,000 lakes
    Posts
    1,855
    Thanks
    1
    Thanked 45 Times in 42 Posts
    PHP Code:
    if($num = 1)
    will always return true.

    I think you want

    PHP Code:
    if($num == 1)

  • #3
    New to the CF scene
    I tried that and it won't let me login with the correct user name and password... it seems to keep jumping to the else statement

  • #4
    Mega-ultimate member
    Well, you're using md5 to encrypt your password, then accessing a plain text password in the database.

    Are your passwords in the DB stored as text, using the PASSWORD('field') command, or a result of encryption using md5?

  • #5
    New to the CF scene
    I figured it out... I needed the single quotes over the variables within the query and the == ... thanx 4 your help. Yes, I'm using md5 to encrypt. It's just a result of the encryption, then the string is inserted into the db directly... Is there a better/more secure way of doing it?

  • #6
    Mega-ultimate member
    md5 is a pretty good method for an average system. You should probably be more concerned about someone grabbing the posted form data over http vs. https than someone breaking md5 encryption.
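
Added example, not part of the thread and not written by any poster: the login check from post #1 rewritten with a bound-parameter query, a strict `===` test and `password_hash()`/`password_verify()`. The `cms` table and its `user`/`password` columns come from post #1; the in-memory SQLite database, the `check_login()` helper and the sample account are assumptions made so the script runs offline.

```php
<?php
// Added example (not from the thread): the login check with bound parameters
// and password_hash()/password_verify(). An in-memory SQLite database stands
// in for the poster's MySQL `cms` table so the script runs offline.
declare(strict_types=1);

// Hypothetical helper: returns true only for a known user with a matching password.
function check_login(PDO $pdo, string $user, string $pass): bool
{
    // Placeholders keep the values out of the SQL text, so no manual quoting
    // is needed and a quote character in the input cannot change the query.
    $stmt = $pdo->prepare('SELECT password FROM cms WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched. Test for that with
    // ===; writing "=" here would assign instead of compare.
    if ($hash === false) {
        return false;
    }
    // password_verify() reads the salt and cost from the stored hash and is
    // safe against timing attacks; no digest is compared inside the SQL.
    return password_verify($pass, $hash);
}

// Constructed sample data: one account whose name contains a quote character.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cms (user TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO cms (user, password) VALUES (:u, :p)');
$ins->execute([':u' => "o'brien", ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(check_login($pdo, "o'brien", 'correct horse')); // right password
var_dump(check_login($pdo, "o'brien", 'wrong'));         // wrong password
var_dump(check_login($pdo, 'nobody', 'correct horse'));  // unknown user

// Sketch of the request handler from post #1, kept as comments because
// header() needs a web request:
//   session_start();
//   if (check_login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       session_regenerate_id(true);   // new session id after login
//       header('Location: admin_index.php'); exit;
//   }
//   $_SESSION['error'] = 'Wrong username or password. Try again.';
//   header('Location: admin.php'); exit;
```

The `exit` after each `header()` call matters: without it the rest of the script keeps running after the redirect header is queued.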

