No pass check

Hello,

I have a login. Everything works correctly, except the password check. I can fill in anything and I log in. Can anyone help me to check this out?

Thanks in advance!

[php]<?php

session_start();

$username = ($_POST['username']);
$password = ($_POST['password']);

if ($username&&$password)
{
    $connect=mysql_connect("localhost", "forum", "") or die("Could not connect.");
    mysql_select_db("name") or die("Couldn't find db");

    $query = mysql_query("SELECT * FROM users WHERE username='$username'");

    $numrows = mysql_num_rows($query);

    if ($numrows!=0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }

        // check to see if they match
        if ($username==$dbusername&&sha1(md5($password)==$dbpassword))
        {
            header("location:homee.php");
            $_SESSION ['username']=$username;
            exit;
        }
        else
            echo("Incorrect password!");
        include("index.php");
        exit;
    }
    else
        echo("that user doesn't exist");
    include("index.php");
    exit;
}
else
    echo("Please enter username and password ");
include("index.php");
exit;

?>[/php]

Hi youri,

Try this:
[php]

<?php
session_start();

$username = ($_POST['username']);
$password = md5($_POST['password']); // I assumed you have md5-encrypted password

if ($username && $password){
    $connect=mysql_connect("localhost", "forum", "") or die("Could not connect.");
    mysql_select_db("name") or die("Couldn't find db");

    $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
    $numrows = mysql_num_rows($query);

    if ($numrows!=0){
        header("location:homee.php");
        $_SESSION ['username']=$username;
        exit;
    }
    else{
        echo("Username or password is invalid.");
        include("index.php");
        exit;
    }
}
else{
    echo("Please enter username and password ");
    include("index.php");
    exit;
}
?>

[/php]

@codeguru

It doesn’t work, I just get more errors.

Hi,

Try this, hope this will work for you.

[php]

<?php
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

if($username&&$password)
{
    $connect=mysql_connect("localhost", "forum", "") or die("Could not connect.");
    mysql_select_db("name") or die("Couldn't find db");

    $query = mysql_query("SELECT * FROM users WHERE username='$username'");
    $numrows = mysql_num_rows($query);

    if($numrows!=0)
    {
        while($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }

        // check to see if they match
        if ($username == $dbusername && md5($password)==$dbpassword)
        {
            header("location:homee.php");
            $_SESSION['username']=$username;
            exit;
        }
        else
            echo("Incorrect password!");
        include("index.php");
        exit;
    }
    else
        echo("that user doesn't exist");
    include("index.php");
    exit;
}
else
    echo("Please enter username and password ");
include("index.php");
exit;
?>

[/php]

You’ve got your last (rather, next to last) closing parenthesis in the wrong place.

Try using some white space in your code. It makes it easier to see what is happening, and it's cheap.

[php]
if ($username == $dbusername && sha1(md5($password)) == $dbpassword)
//                                  Should be here ^
[/php]

In fact, I wrap each condition in another set of parentheses just to make it real clear (to a human reader) what is being done:

[php]if ( ($username == $dbusername) && (sha1(md5($password)) == $dbpassword) )[/php]
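
Why the misplaced parenthesis let every password through, as an added example that is not part of the thread: `sha1()` was being handed the boolean result of the comparison, and the hash of a boolean is always a non-empty (truthy) string. The function names `legacy_hash`, `buggy_check` and `fixed_check` and the sample passwords are constructed for illustration; the last lines go beyond the thread and show PHP's built-in `password_hash()`/`password_verify()` as the replacement for `sha1(md5())`.

```php
<?php
// Added example; all passwords and stored values below are constructed.

// Hash scheme used in the thread: sha1(md5(password)).
function legacy_hash(string $password): string
{
    return sha1(md5($password));
}

// The check as originally posted: sha1() closes after $dbpassword, so it
// receives the boolean result of the comparison instead of the md5 string.
function buggy_check(string $password, string $dbpassword): bool
{
    // sha1(false) is sha1('') and sha1(true) is sha1('1'). Both are
    // 40-character strings, and a non-empty string other than "0" is truthy.
    return (bool) sha1(md5($password) == $dbpassword);
}

// The corrected parenthesisation from the last reply, using hash_equals()
// for a constant-time comparison instead of ==.
function fixed_check(string $password, string $dbpassword): bool
{
    return hash_equals($dbpassword, legacy_hash($password));
}

$stored = legacy_hash('correct horse'); // constructed stored hash

foreach (['correct horse', 'anything at all'] as $attempt) {
    printf(
        "%-16s buggy=%s fixed=%s\n",
        $attempt,
        var_export(buggy_check($attempt, $stored), true),
        var_export(fixed_check($attempt, $stored), true)
    );
}

// Beyond the thread: a salted, adaptive hash for newly stored passwords.
$modern = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse', $modern));
var_dump(password_verify('anything at all', $modern));
```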
