Validate user login

[hb25]

Hi
I am using the code below to validate user when they login to my website, the first part check if user have typed their username and the second part search the table to check user exist. These two parts work fine but the last part the while condition don’t work it keep give me the error massage “You provided an incorrect password. Please try again.”
Any help?
Regards
HB 25

<?php

// Have they entered a ClientID?
if(empty($_POST['username']))
{
	die("Please enter your correct username.");
}

$con = mysql_connect("xxxxxx","xxxxxx","xxxxxx");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("xxxxxx", $con);

// Get variables from the previous page. Remove possible hack attempts.
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
// Build the query used to see if that account exists.
$query = "SELECT `username`,`password` FROM tbluser WHERE `username`='".$username."'";
$result = mysql_query($query);
// If the records returned isn't exactly 1, then that username doesn't exist. Or, there may be a strange glitch where two users have the same name, but the registration script will get rid of any chance of that anyway.
if(mysql_num_rows($result)!=1)
{
	die('We don\'t have a user called '.$username.'. If this is your first visit to our website, you may need to <a href="../register.htm">create an account</a>. Otherwise, check your spelling.');
}
// Now, validate the password.
while($record = mysql_fetch_assoc($result))
{
	if(md5($password)!=$record['password'])
	{
		die("You provided an incorrect password. Please try again.");
	}
}



mysql_close($con);
?>

 

[vacunita]

Are you sure the password in the database is stored after being run through the md5 function?

what do you get if you echo out $record['password'] are you getting the expected password hash?

How big is the password field in the DB?






----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[jpadie]

not that it may be relevant, but why are you escaping $_POST['password'] for use in a php comparison? and I also note that you are using the escaped version of $_POST['username'] in output text, which may well lead to unwanted results.

consider adjusting your approach as follow

$query = "SELECT count(*) FROM tbluser WHERE `username`='%s' and `password`='%s'";
$sql = sprintf($query, mysql_real_escape($_POST['username']), md5($_POST['password']);
$result = mysql_query($sql);
list($numRecords) = mysql_fetch_array($result, MYSQL_NUM);
if ($numRecords <> 1) {
die("We don't have a user called $_POST[username]. If this is your first visit to our website, you may need to <a href=\"../register.htm\">create an account</a>. Otherwise, check your spelling.");
}

 

[hb25]

Hi
Thank you, I have managed to sort this problem but I do have another page where user could delete their booking with us, my questions is what will be the if statement before the MySQL delete statement to check the bookingID which user provided is exist in the table bookings if not exist then an error message should be displayed to user.
Any suggestion will be highly appreciated.
HB25

<?php
// Have they entered a BookingID?
if(empty($_POST['bookingID']))
{
	die("Please enter your BookingID number.");
}

$con = mysql_connect("xxxxx","xxxx","xxxx");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("xxxx", $con);


mysql_query("DELETE FROM bookings WHERE bookingID=$_POST[bookingID]");


print "your booking number  ".$bookingID ;

echo "has been cancelled";
echo " we hope you come back and stay with us another time.";
 
mysql_close($con)

?>

 

[jpadie]

if (mysql_affected_rows() === 0){
 echo "no such booking ID exists";
}

 

[hb25]

Hi
I have put the if statement before the MySQL query in my code but it did not work.
Any more advice?

I am new to PHP and MySQL

Thanks.

 

[hb25]

Hi
Sorry my mistake, i have put your code in the wrong place, I have placed it after the query and it works .
Thank you very much for your help
HB 25

 

[jpadie]

here

mysql_query("DELETE FROM bookings WHERE bookingID=$_POST[bookingID]");

you are using user submitted values without validating them first. this leaves you open to SQL injection attacks

for example i could POST your site a bookingID value of

'1 OR 1=1'

and this would delete your whole table.

always validate user input before using it. in this case you know that bookingID must be an integer so you might at the very least do this

$query = "DELETE FROM bookings WHERE bookingID=%d";
$sql = sprintf($query, intval($_POST['bookingID']);
$result = mysql_query($sql);

or in shortform

$query = "DELETE FROM bookings WHERE bookingID=". intva($_POST['bookingID']);
$result = mysql_query($query);