开发者

Check login script letting in guests?

问答 作者:

For some reason my check login script is letting in guests.

I have not made the site live yet so its all good.

I check the database for the username and the password the user puts in the html form but for some reason if it don't even get a result it still sets the username to nil if it gets the result it sets the username to the username but if it don't get any results it sets the username to nothing.

I have a if statement but still setting it.

$myusername = mysql_real_escape_string($_POST['myusername']);
$mypassword = mysql_real_escape_string($_POST['mypassword']);


$sql        = "SELECT * FROM users WHERE username='$myusername'";
$result     = mysql_query($sql) or die(mysql_error());
$battle_get 开发者_开发百科= mysql_fetch_array($result);    

if ($battle_get['password'] == $mypassword)
{    
    $_SESSION['username'] = $myusername ; // store session data    
    header('Location: http://mydomainname.net/new_rpg/dashboard.php');      
} else {
    echo "wrong password" ;
}

You don't check if the user account actually exists. You just blindly fetch a row from the result set, even if that result set has NO records in it. That means $battle_get will be an empty array (or a boolean false if the query failed). You then do a string comparison against the submitted password. If that password is also empty, you're doing if (empty == empty) and boom... the user's in.

What you SHOULD be doing is:

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

$sql = "SELECT ... FROM users WHERE (username = '$username') AND (password = '$password')";
$result = mysql_query($sql) or die(mysql_error());

if (mysql_num_rows($sql) != 1) {
    die("Invalid username and/or password"); // don't tell the user which failed.
}

Checking how many rows were returned is critical - if no rows are returned, then the user doesn't exist or the password is wrong. If 1 row is returned, then it's a valid login. If more than 1 row is returned, you've got duplicate username/password pairs in the database and need to fix that right away.

And, having just seen your "md5 is hard" comment above: You're dead wrong. MD5 is trivially EASY.

When you create the user record, you can hash the password easily:

INSERT INTO users (password) VALUES (MD5('$password'));

and for the login check:

SELECT ... WHERE (password = MD5('$password'));

Nothing to it at all.

Yur mistake:

Say I am not a user.

So $battle_get['password'] = false;

and $mypassword is also false,

so $battle_get['password'] equals $mypassword

Two way you can resolve this.

First, chek the password with sql:

$sql = "SELECT * FROM users WHERE username='$myusername' AND password = '$mypassword'";

or

if(!$battle_get) {

echo "wrong password" ;

}

继续阅读:phpsql

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9