Danny159
10-06-2007, 11:08 AM
Hey
I have this login script but when I put the username and password in that is in my database it says incorrect... but it's not (password is MD5ed in database)
NOTE: THIS IS IN SIMPLE I KNOW THERE IS NO SECURITY YET!
<?php
require('connect.php');
session_start();

if ($_POST['username']) {
    $username = $_POST['username'];
    $passwrd = $_POST['passwrd'];
    if ($passwrd == NULL) {
        echo "<center><b>A password was not supplied.</b></center><p>";
    } else {
        // Hash the submitted password the same way the stored one was hashed
        $hash = md5($passwrd);
        // $username goes into the SQL string unescaped (no security yet, as noted above)
        $query = mysql_query("SELECT username,passwrd FROM users WHERE username = '$username'") or die(mysql_error());
        $data = mysql_fetch_array($query);
        if ($data['passwrd'] != $hash) {
            echo "<center><b>The supplied login is incorrect.</b></center><p>";
        } else {
            echo "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=home.php\">";
        }
    }
}
?>
Steve_Arm
10-06-2007, 12:41 PM
First, your password is not in the query.
Second check if the variable names and field names are correct.
Third see if the password in the db was created with php's md5 or mysql's md5.
Harzem
10-06-2007, 12:47 PM
You must use "mysql_fetch_assoc" instead of "mysql_fetch_array"
That's it, you have your script up.
And, don't use
echo "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=home.php\">";
instead use:
header("Location: home.php");
exit;
And don't forget to
mysql_free_result($query);
after you are done.
Danny159
10-06-2007, 03:13 PM
I have sorted this problem, thanks guys. It was my database: I made it so it can only have 20 in the password table and it needed more than 20 for the MD5
azizny
10-06-2007, 08:28 PM
You must use "mysql_fetch_assoc" instead of "mysql_fetch_array"
Why? They both will work.
Peace,
Danny159
10-07-2007, 04:00 AM
Yeah the script still works with either..
Danny
Harzem
10-07-2007, 05:15 AM
From php.net:
Returns an array of strings that corresponds to the fetched row, or FALSE if there are no more rows. The type of returned array depends on how result_type is defined. By using MYSQL_BOTH (default), you'll get an array with both associative and number indices. Using MYSQL_ASSOC, you only get associative indices (as mysql_fetch_assoc() works), using MYSQL_NUM, you only get number indices (as mysql_fetch_row() works).
Yes it looks like it still works, but for associative values, mysql_fetch_assoc is recommended.
Anyway, you should consider my other two recommendations :) Don't use meta refreshes, and you should free the result.
Danny159
10-07-2007, 05:21 AM
Is there any way of seeing the sessions the script had made?
Harzem
10-07-2007, 05:47 AM
Do you mean the session id? or the $_SESSION array?
Danny159
10-07-2007, 06:47 AM
It's OK, I have done it now :)..
Would this work to make a session?
$_SESSION['bob'] = "him";
I'm just making random SESSIONs... did anyone answer me as to this:
Is this correct: the more sessions that are made, the more secure it is?
Danny
ThatScriptGuy
10-07-2007, 12:04 PM
I'm not sure where you came up with that idea Danny. Store what you need to store in sessions. But don't confuse that with the idea that more sessions=more security, because that's just not true.
Danny159
10-07-2007, 12:51 PM
OK, so how do I get more security?
Danny
CarlosMtnez
10-07-2007, 02:39 PM
First, for debugging, you can do a print_r($data) to see what is in the array.
Maybe the problem is the array index ($array[n][field]).
Post the print result here.
Also, I recommend that you check all variables received by POST or GET and protect them with magic_quotes. Create a function like this:
function Var_protect($var) {
return (!get_magic_quotes_gpc()) ? addslashes($var) : $var;
}
And remember, print_r() is the best way to debug; you can also then use die() to stop the script.
I hope this helps you.
triXtyle
10-18-2007, 05:24 AM
Try sha1(), MySQL supports it, and you can always make a 40-char varchar field to store the previously hashed string (when processing the registration data) :)
cheers :)
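Added example (not part of the thread and not any poster's code): the same login check written with bound parameters and PHP's password_hash()/password_verify(), plus the column-length failure the original poster hit. It assumes PHP 7.1+ with the pdo_sqlite extension; the functions register() and check_login(), the in-memory table and the sample account are hypothetical, and only the users/passwrd names come from the original script.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with pdo_sqlite;
// the in-memory table and the account below are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// bcrypt output from password_hash() is 60 characters; the PHP manual suggests
// a 255-character column so a longer future hash format is never cut off.
$pdo->exec('CREATE TABLE users (username VARCHAR(64) PRIMARY KEY, passwrd VARCHAR(255) NOT NULL)');

function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, passwrd) VALUES (?, ?)');
    // password_hash() generates a random salt and a deliberately slow hash.
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the username travels as data and is never spliced
    // into the SQL text, so no addslashes()/magic_quotes step is involved.
    $stmt = $pdo->prepare('SELECT passwrd FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no row matches
    return is_string($stored) && password_verify($password, $stored);
}

register($pdo, "o'brien", 'correct horse');   // constructed account; quote in the name is deliberate

var_dump(check_login($pdo, "o'brien", 'correct horse'));  // right password
var_dump(check_login($pdo, "o'brien", 'wrong'));          // wrong password
var_dump(check_login($pdo, 'nobody', 'correct horse'));   // unknown user

// The failure from the thread: a 20-character column keeps only part of a
// 32-character MD5 hex digest, so the stored value can never equal the hash.
$full = md5('correct horse');
$kept = substr($full, 0, 20);                  // what a 20-char column holds
var_dump($kept === $full);

// Lengths to size the column for: MD5 hex, SHA-1 hex, bcrypt.
var_dump(strlen(md5('x')), strlen(sha1('x')), strlen(password_hash('x', PASSWORD_BCRYPT)));
```

In the web script, a true result from check_login() would be followed by session_regenerate_id(true) before anything is written to $_SESSION and before the header() redirect.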