Login

So I have been trying to figure why my login page keeps logging me in with just the username. I can just type in the username without the password and it logs me in. This is the code:
[php]<?php
include(“config.php”);
session_start();
if($_SERVER[“REQUEST_METHOD”] == “POST”)

// username and password sent from Form
$myusername=mysql_real_escape_string($_POST[‘username’]);
$mypassword=mysql_real_escape_string($_POST[‘password’]);
$passcode=sha1(md5($mypassword)*(12)); // Encrypted Password

$sql=“SELECT id FROM user WHERE username=’”.$myusername."’ and password=’".$passcode."’";
$result=mysql_query($sql);
$count=mysql_num_rows($result);

// If result matched $username and $password, table row must be 1 row
if($count==1)
{
$_SESSION[‘username’];
$_SESSION[‘login_user’]=$myusername;
header(“location: welcome.php”);
}
else
{
$error=“Your Login Name or Password is invalid”;
}
?>[/php]

This is the form:

<form action="" method="post"> <p><input type="text" name="username" id="username" placeholder="Username" ></p> <p><input type="password" name="password" id="password" placeholder="Password" ></p> <p align="center" class="submit"><input type="submit" name="commit" value="Login"></p> </form>

Do you have a User in the user table with the same username and an empty password field?

You could also do something like this:

[php]
if (($strUser != “”)&&($strPass != “”)){
$sql=“SELECT id FROM user WHERE username=’”.$myusername."’ and password=’".$passcode."’";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
$_SESSION[‘username’];
$_SESSION[‘login_user’]=$myusername;
header(“location: welcome.php”);
}
else{
$error=“Your Login Name or Password is invalid”;
}
}
[/php]

Thanks xerxes, but I tried using alternative script you wrote and it didn’t work. I echo the passcode and it shows the hashed password for the user on the first row. I can’t figure it out.

Thanks

This is most likely the problem. Let’s see the table structure + data

Sponsor our Newsletter | Privacy Policy | Terms of Service