is this login code is correct?

**aymenbnr** · Nov 20, 2009 08:22

PHP Code:


<?php

include("db.php");

$check="";

$mpass=$_POST['mpass'];

$login=$_POST['login'];

$needle = "'";





if(!$con)

{ die('could not connect:'.mysql_error());

}

Mysql_select_db("mydb",$con);

$requet="select login,mpass from users where login='",.$login.,"' and mpass='",.$mpass.,"';";

$resultat=mysql_query($requet);

if(false !== strpos($login, $needle))



{

$check="This character is not allowed,try again"



else if(!$resultat)

$check="Password or login incorrect"

 else

 mysql_query($requet);

 }

 header('location:users/index.php');

 

 mysql_close($con);

?>

**Shrapnel_N5** · Nov 20, 2009 08:30

sorry, no.
It is vulnerable and not working.

first of all you need to escape data going into query

PHP Code:


$mpass=mysql_real_escape_string($_POST['mpass']);
$login=mysql_real_escape_string($_POST['login']);

Next, your login and password checking is wrong
It should be not if(!$resultat) but

PHP Code:


if(!mysql_num_rows($resultat))

By the way, you don't have to disallow "'" symbol in login. It makes no sense.

**aymenbnr** · Nov 20, 2009 08:33

Originally Posted by Shrapnel_N5

sorry, no.
It is vulnerable and not working.

first of all you need to escape data going into query

PHP Code:


$mpass=mysql_real_escape_string($_POST['mpass']);

$login=mysql_real_escape_string($_POST['login']);

Next, your login and password checking is wrong
It should be not if(!$resultat) but

PHP Code:


if(!mysql_num_rows($resultat))

By the way, you don't have to disallow "'" symbol in login. It makes no sense.

i thought is is good to prevent from sql ingection,no?

**Shrapnel_N5** · Nov 20, 2009 08:41

nope

Surprisingly, your database can save any data, any symbol.
There is no such thing, "SQL injection". But just simple syntax rules.

Enclose your data into quotes and do mysql_real_escape_string() and you'll never encounter an error or injection.

**Shrapnel_N5** · Nov 20, 2009 08:46

Anyway, your protection code should be placed before query execution. not after &#37

**PHPycho** · Nov 20, 2009 10:58

some better attempts:

PHP Code:


<?php 
include("db.php"); 
$check     = ""; 
$mpass     = mysql_real_escape_string($_POST['mpass']); 
$login     = mysql_real_escape_string($_POST['login']); 

/*if(!$con) { //this can be moved to db.php
    die('could not connect:'.mysql_error()); 
} 
mysql_select_db("mydb",$con); 
*/

//make clean readable query
$requet = "SELECT 
                login
                ,mpass 
            FROM 
                users 
            WHERE 
                login='".$login."' 
                AND mpass='".$mpass."'";
$resultat = mysql_query($requet); 
$num_rows = mysql_num_rows($resultat);
/* //No need
if(false !== strpos($login, $needle)) 

{ 
$check="This character is not allowed,try again" 

else if(!$resultat) 
$check="Password or login incorrect" 
else 
mysql_query($requet); 
} 
*/
if($num_rows < 1){
    //throw errors
}else{
    //set required session here & redirect
    header('location:users/index.php'); 
        exit();
}
mysql_close($con); 
?>

User Tag List

Thread: is this login code is correct?

Thread Tools

Display

is this login code is correct?

Bookmarks

Bookmarks

Posting Permissions