PHP/SQL login question - Overclock.net

Sypher250 · 02-10-08

Hey guys, i have a database with a table for users in it. When people register on my site it automatically puts all their info into my users table. But im trying to make a simple login for it and I cant figure out what I should be typing. I think all i need to do is have it check the table for whatever user name and password they provide. Then if it all matches it will logem in or take them to an error page. Any ideas, scripts, or good links you guys can send me?

stupid · 02-10-08

you are on the right track - sounds like most of the work is already done. I am not much of a php programmer, so I can't really poitn you to any pre-made utilities... sorry.

Starholdest · 02-11-08

basically

mysql_query("SELECT `password` FROM `users` WHERE `username` = '".$_POST['username']."'");
if($_POST['password'] == $row['password'])

That's basically the mysql_query and the if line. If you're not using salts, already, I suggest using them right now, or else you're in big risk of getting hacked. There's a good tutorial here:

http://www.phpit.net/article/handlin...ds-safely-php/

Basically when the user registers, you put their salted password (as shown below) and the salt ($salt) into the db (put the salt into a different row), it's just like:

$salt = rand(1,2000)."xK]=3qd".rand(1,2000);
$pass_salted = md5(sha1($salt.$_POST['password'].$salt));

If you find it confusing or need anymore help just post here or PM me.

Dismounted · 02-12-08

I nearly threw up reading that query. Are you trying to invite hackers into his website or something? Although this isn't the most elegant system, try something more like:

mysql_query("SELECT `password` FROM `users` WHERE `username` = '" . mysql_real_escape_string($_POST['username']) . "'");

Starholdest · 02-12-08

Quote:

Originally Posted by Dismounted

I nearly threw up reading that query. Are you trying to invite hackers into his website or something? Although this isn't the most elegant system, try something more like:

I was writing it quick...I didn't intend for him to use it. Also you don't need dots in between the quotes unless you're connecting two things.

Thanks for correcting me, though.

Dismounted · 02-14-08

Quote:

Originally Posted by Starholdest

I was writing it quick...I didn't intend for him to use it. Also you don't need dots in between the quotes unless you're connecting two things.

Thanks for correcting me, though.

The word you're looking for is concatenating. I AM concatenating in the posted code.

version2 · 02-14-08

I was going to post code, but the forums barked at me:
[code]
Fatal error: preg_replace() [<a href='function.preg-replace'>function.preg-replace</a>]: Failed evaluating code: ame_substitute(4, "$result = mysql_query(\"SELECT `username`, `password` FROM `users` WHERE `username` = \'\".$_POST[\'username\'].\"\' AND `password` = BINARY \'\" .$_POST[\'password\']. \"\'\&quot

; if (mysql_num_row($result) == 0) { // Successfully logged in. }", "", $subbed) in /home/over/public_html/includes/ame_bbcode.php on line 192[/quote]

Anyway, basically you should check to see if rows are returned, but check for password matching (as "binary")

		Overclock.net - Overclocking.net > Software, Programming and Coding > Coding and Programming > Web Coding
PHP/SQL login question

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)