Check username and password in database (including script)

Question

Check username and password in database (including script)

^{I posted my question here , and before I edited the post, it was closed as not a real question!}

I have a login form:

<html> <head> <title>Password Checking Script</title> </head> <body> <form action="check_user-pass.php" method="POST"> <h3>Please Login</h3> User Name: <input type="text" name="user_name"><br> Password: <input type="password" name="password"> <input type="submit" name="submit" value="Login!"> </form> </body> </html>

As you can see, this form authenticates the user through check_user-pass.php .
He searches for these credentials in my database; if they exist, returns OK , else returns NO .

So my question is, exactly, what code should I include in check_user-pass.php ?
I tried to add more code, but could not do it! My current code is:

 <?php ob_start(); $host=""; // Host name $username=""; // Mysql username $password=""; // Mysql password $db_name=""; // Database name $tbl_name=""; // Table name // Connect to server and select databse. mysql_connect("$host", "$username", "$password") or die(mysql_error()); echo "Connected to MySQL<br />"; mysql_select_db("$db_name") or die(mysql_error()); echo "Connected to Database<br />"; // Check $username and $password /* if(empty($_POST['username'])) { echo "UserName/Password is empty!"; return false; } if(empty($_POST['password'])) { echo "Password is empty!"; return false; } */ // Define $username and $password $username=$_POST['username']; $password=md5($_POST['pass']); // To protect MySQL injection (more detail about MySQL injection) $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if ($count==1) { echo "Success! $count"; } else { echo "Unsuccessful! $count"; } ob_end_flush(); ?>

+6

sql php login

Pds ir May 21 '12 at 19:41

source share

3 answers

In most cases, passwords in mysql databases are encrypted. If you entered them directly into the database, they may not have salt. Try encrypting the password before passing it to the request:

 $crypted_pass = crypt($password);

If there is salt (often the first two letters of the username), pass this using the crypt function:

 $salt = substr($username, 0, 2); $crypted_pass = crypt($password, $salt);

+2

aynber May 21 '12 at 19:47

source share

Try something simple:

  if ($count==1) { echo "Success! $count"; } else { echo "Unsuccessful! $count"; }

This will see if you return more than 1 or more values.

+2

n_starnes May 21 '12 at 19:48

source share

Musa · Accepted Answer · 2012-05-21T19:46:27+0000

The name in your form is user_name , but in your script you are looking for username

 $username=$_POST['username'];

it should be

 $username=$_POST['user_name'];

EDIT:
If you use crypt to encrypt your password before putting it into the database, try

 $sql="SELECT * FROM $tbl_name WHERE username='$username'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count==1){ $row = mysql_fetch_assoc($result); if (crypt($password, $row['password']) == $row['password']){ session_register("username"); session_register("password"); echo "Login Successful"; return true; } else { echo "Wrong Username or Password"; return false; } } else{ echo "Wrong Username or Password"; return false; }

EDIT: myBB seems to use md5 hash crapload for its passwords, try this

 $sql="SELECT * FROM $tbl_name WHERE username='$username'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count==1){ $row = mysql_fetch_assoc($result); if (md5(md5($row['salt']).md5($password)) == $row['password']){ session_register("username"); session_register("password"); echo "Login Successful"; return true; } else { echo "Wrong Username or Password"; return false; } } else{ echo "Wrong Username or Password"; return false; }

Also hashing is one of the ways, so you cannot return passwords already in db, you just need to force users to change / update their passwords.
If this works, you do not have to turn off encryption, and everything should be fine.

Check username and password in database (including script)

More articles: