Not logging in..?
Can anyone spot why this wouldn't be working? I get "Does not match!" whenever I try to log in. The password in the database is md5 hashed but this should log me in still.. Thank you in advance. EDIT: I also get the headers already sent error, this is for line 16, session_start();
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username && $password)
{
    include("scripts/connect.php");
    mysql_select_db("table") or die("Could not connect");
    $epass = md5($password);
    $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$epass'");
    $numrows = mysql_num_rows($query);
    if ($numrows !== 0){
        while($row = mysql_fetch_assoc($query)){
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }
        //check match
        if ( $username == $dbusername && $password==$dbpassword){
            echo "You're in!";
        }
        else
            echo "Does not match!";
    }
    else
        echo "Not found";
}
else
    die("Please enter in a username and password?");
?>
Long story short, because you are comparing the initial password value ($password) with the hashed value from the DB ($dbpassword).
In any case, that is a terrible piece of code you have there, I can't even start counting how many no-nos there are.
First investigate which values all the variables have, $username, $password, $dbusername etc.
Apart from that, the password you retrieve from the DB is the MD5 hash, so you need to compare this value with the hash and not with the plain text password:
if( $username == $dbusername && $epass==$dbpassword)
But as you already provided this condition in your SQL query, you might also just drop it:
if( $username == $dbusername)
if ( $username == $dbusername && $password==$dbpassword){
echo "You're in!";
}
Should become (because $dbpassword is already hashed with md5):
if ( $username == $dbusername && $epass==$dbpassword){
echo "You're in!";
}
if ( $username == $dbusername && $password==$dbpassword)
$dbpassword is a hash, $password is the non-hashed password. They don't match.
There should also be no need to check if the password matches in code, since it already matched in the database.
Apart from that you have SQL injection vulnerabilities in your code.
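A hardened form of the login check discussed in the answers above, as an added example that is not code from the question or from any answer: the username is bound as a query parameter and the submitted password is verified against the stored hash. It assumes PDO (a constructed in-memory SQLite table stands in for the MySQL one) and swaps MD5 for PHP's password_hash()/password_verify(); the login() helper, DUMMY_HASH and the sample rows are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical constant: a throwaway hash verified when the user does not exist.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

/** Returns true only when $username exists and $password matches its stored hash. */
function login(PDO $db, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }
    // Bound parameter: the username travels as data, never as part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        // Unknown user: still do a verify so both failure paths do similar work.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // Compare the submitted password against the stored hash,
    // not the plain text against the hash as in the question.
    return password_verify($password, (string) $stored);
}

// Constructed demo data (assumption): one user in an in-memory table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs: valid login, wrong password, quote-laden username, empty form.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["alice' OR '1'='1", 'anything'],
    ['', ''],
];
foreach ($attempts as [$u, $p]) {
    // One generic failure message avoids revealing which usernames exist.
    $result = login($db, $u, $p) ? "You're in!" : 'Login failed';
    printf("%-22s => %s\n", var_export($u, true), $result);
}
```

Only the first attempt succeeds; the quote-laden username is looked up as a literal string and matches no row.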