  1. #1 SitePoint Enthusiast (joined Jul 2009)

    Is this login code correct?

    PHP Code:
    <?php
    include("db.php");
    $check = "";
    $mpass = $_POST['mpass'];
    $login = $_POST['login'];
    $needle = "'";

    if(!$con)
    {
        die('could not connect:'.mysql_error());
    }
    Mysql_select_db("mydb",$con);
    $requet = "select login,mpass from users where login='".$login."' and mpass='".$mpass."';";
    $resultat = mysql_query($requet);
    if(false !== strpos($login, $needle))
    {
        $check = "This character is not allowed,try again";
    }
    else if(!$resultat)
    {
        $check = "Password or login incorrect";
    }
    else
    {
        mysql_query($requet);
    }

    header('location:users/index.php');

    mysql_close($con);
    ?>

  2. #2 Shrapnel_N5 (Non-Member, joined Oct 2009)
    Sorry, no.
    It is vulnerable and not working.

    First of all, you need to escape the data going into the query:
    PHP Code:
    $mpass = mysql_real_escape_string($_POST['mpass']);
    $login = mysql_real_escape_string($_POST['login']);
    Next, your login and password checking is wrong.
    It should not be if(!$resultat) but:
    PHP Code:
    if(!mysql_num_rows($resultat))
    By the way, you don't have to disallow the "'" symbol in the login. It makes no sense.

  3. #3 SitePoint Enthusiast (joined Jul 2009)
    Quote Originally Posted by Shrapnel_N5
    Sorry, no.
    It is vulnerable and not working.

    First of all, you need to escape the data going into the query:
    PHP Code:
    $mpass = mysql_real_escape_string($_POST['mpass']);
    $login = mysql_real_escape_string($_POST['login']);
    Next, your login and password checking is wrong.
    It should not be if(!$resultat) but:
    PHP Code:
    if(!mysql_num_rows($resultat))
    By the way, you don't have to disallow the "'" symbol in the login. It makes no sense.
    I thought it is good to prevent SQL injection, no?

  4. #4 Shrapnel_N5 (Non-Member, joined Oct 2009)
    Nope.
    Surprisingly, your database can save any data, any symbol.
    There is no such thing as "SQL injection". There are just simple syntax rules.

    Enclose your data in quotes and apply mysql_real_escape_string(), and you'll never encounter an error or an injection.

  5. #5 Shrapnel_N5 (Non-Member, joined Oct 2009)

    Anyway, your protection code should be placed before query execution, not after.

  6. #6 PHPycho (SitePoint Wizard, joined Dec 2005)

    Some better attempts:
    PHP Code:
    <?php
    include("db.php");
    $check = "";
    $mpass = mysql_real_escape_string($_POST['mpass']);
    $login = mysql_real_escape_string($_POST['login']);

    /*if(!$con) { //this can be moved to db.php
        die('could not connect:'.mysql_error());
    }
    mysql_select_db("mydb",$con);
    */

    //make clean readable query
    $requet = "SELECT
                    login
                    ,mpass
                FROM
                    users
                WHERE
                    login='".$login."'
                    AND mpass='".$mpass."'";
    $resultat = mysql_query($requet);
    $num_rows = mysql_num_rows($resultat);
    /* //No need
    if(false !== strpos($login, $needle))
        $check="This character is not allowed,try again"
    else if(!$resultat)
        $check="Password or login incorrect"
    else
        mysql_query($requet);
    */
    if($num_rows != 1){
        //throw errors
    }else{
        //set required session here & redirect
        header('location:users/index.php');
        exit();
    }
    mysql_close($con);
    ?>
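
The points raised in #2 (escape, and test the row count rather than the result handle), #4/#5 (quote the value, and check before you redirect) and #6 (one query, one row-count test, exit after the redirect), shown together as an added example. This is not code from the thread or from any of its posters. It uses mysqli instead of the old mysql_* functions (removed in PHP 7), assumes db.php provides a mysqli connection in $con, and keeps the thread's `users` table with `login` and `mpass` columns; the payload string is constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Assumes: db.php creates $con as a
// mysqli connection; table `users` has columns `login` and `mpass`.
declare(strict_types=1);

// What the original post really sends to MySQL: the input is pasted into the
// SQL text, so a quote in the input ends the string early. Only built here,
// never executed.
function naiveQuery(string $login, string $mpass): string
{
    return "SELECT login, mpass FROM users WHERE login='" . $login
         . "' AND mpass='" . $mpass . "'";
}

// Post #2/#4: escape the value AND keep it inside quotes. The escaping only
// works because the quotes are there; an unquoted numeric value would still
// be injectable.
function escapedQuery(mysqli $con, string $login, string $mpass): string
{
    $login = $con->real_escape_string($login);
    $mpass = $con->real_escape_string($mpass);
    return "SELECT login, mpass FROM users WHERE login='" . $login
         . "' AND mpass='" . $mpass . "'";
}

// Prepared statement: the values never become part of the SQL text, so there
// is no quoting rule left to break. Returns true only when exactly one row
// matches, which is the mysql_num_rows() test from #2 and #6 (a non-false
// result handle means the query ran, not that a user matched).
function loginMatches(mysqli $con, string $login, string $mpass): bool
{
    $stmt = $con->prepare(
        'SELECT login FROM users WHERE login = ? AND mpass = ?'
    );
    $stmt->bind_param('ss', $login, $mpass);
    $stmt->execute();
    $stmt->store_result();
    $rows = $stmt->num_rows;
    $stmt->close();
    return $rows === 1;
}

// Constructed input: a quote-based bypass in the password field. In the
// naive query the closing quote ends mpass early and the OR makes the WHERE
// clause true for every row, so the original code would redirect anyone.
$payload = "x' OR '1'='1";
$naive = naiveQuery('alice', $payload);

if (isset($con) && $con instanceof mysqli) {
    // Same payload, escaped: the quotes are now backslash-escaped and the
    // whole string is compared literally against mpass.
    $escaped = escapedQuery($con, 'alice', $payload);

    // Post #5 / #6: decide first, redirect second, and stop the script so
    // nothing after header() keeps running for a failed login.
    $login = $_POST['login'] ?? '';
    $mpass = $_POST['mpass'] ?? '';
    if (loginMatches($con, $login, $mpass)) {
        session_start();
        $_SESSION['login'] = $login;
        header('Location: users/index.php');
        exit;
    }
    $check = 'Password or login incorrect';
    $con->close();
}
```

The comparison is against the stored `mpass` column exactly as the thread does it; how that column should be stored (hashed rather than plain text) is a separate issue the thread does not cover. The `$check` message is deliberately the same for a wrong login and a wrong password, so the page does not reveal which usernames exist.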

