Validating Username And Password

SP8600

This script is used to validate the users username and password by the id. However the password has to be encrypted before it is validated but even if it is not it still continues with the IF statemnet and not the ELSE. Does anyone have any idea how i can solve this so it validates properly. And the encryption is the md5 function.

$sql_clients_id = mysql_escape_string($_COOKIE['clients_id']);

$clients_sqlquery = "SELECT * FROM clients WHERE id = '$sql_clients_id'";		/*Select the news from the database by id.*/	
$clients_result = mysql_query($clients_sqlquery);
$clients_number = mysql_num_rows($clients_result);
$clients_row = mysql_fetch_assoc($clients_result);

if ($_COOKIE['clients_username']=== $clients_row["username"] || ($_COOKIE['clients_password']===$clients_row["password"])) {

echo $_COOKIE['clients_username'];
echo("<BR>");
echo $clients_row["username"];
echo("<BR>");
echo $_COOKIE['clients_password'];
echo("<BR>");
echo $clients_row["password"];
}
else{echo("jOther");}
}

planetsim

I dont fully understand all your code there but this is how i do it. I Presume they are loggin in.

$password=md5("$_POST[password]");
$result=@mysql_query("SELECT username,password FROM clients WHERE username='$username' AND password='$password'");

SP8600

Right, what i need to do is select the clients_id from the cookie and then use that to select a row from the database. With that row i want to take the username and password and make sure they are the same as the one in the cookie and if not make the current cookie expire so they have to login again. Has anyone got a full script to do this that i can read through so i know what to do.

Thanks loads for your help.

SP8600

Anyone have any ideas about that last post

keith73

I have a question for planetsim.

In the code you posted, you are encrypting the PW before calling the DB. Wouldn't that fail everytime unless you are specifying the SALT?

I always let PHP choose a random salt. But then when I verify the user, I first find the username in the DB with:

SELECT * FROM users WHERE username = '_POST[username]'

Then I encrypt the _POST[password] using the one on file so that the salt is the same.

Have I been doing it wrong?

keith