password storage in php?

[jen0dorf]

Hi

as a complete novice I'm trying to get my head around security in php and mysql

I know how to set up users in mysql but I've just taken over a site which uses php and mysql and the following code gives access to the mysql database but the password and username listed is not shown as a user in mysql.

Is it that the session is not started unless the username entered matches that of the entries in 4?

thanks

Ian

<?php
session_start();
$user = $_REQUEST["username"];
$pass = $_REQUEST["password"];
if ($user == 'admin' && $pass =='password') {
$_SESSION['loggedin'] = TRUE;
header( 'Location: index.php' ) ;
} elseif ($user == 'marketing' && $pass =='puxton123') {
$_SESSION['loggedin'] = TRUE;
header( 'Location: index.php' ) ;
} else {
?>

 

[vacunita]

There's a difference between MYSQL login users, and users you simply create for a webpage.

There is no MYSLQ in the code you posted. The Passwords are hard coded into the code, its a little crude, and not particularly safe but it does work. But is in no way related to users that would have access to a MYSLQ database.






----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[jen0dorf]

Hi

thanks for that, I admit I was given the code but I have this thing about understanding how things work.

Another puzzle solved

cheers

Ian