//sql query to get user details from db (placeholder, so the form value is never pasted into the sql string)
$sql = "SELECT * FROM usertable WHERE username = ? LIMIT 1";
//connect to db and query
$link = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
$stmt = mysqli_prepare($link, $sql);
mysqli_stmt_bind_param($stmt, "s", $form_username);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
//return result as associative array (null if there is no such user)
$user = mysqli_fetch_assoc($result);
//set a flag
$err = FALSE;
//username check (shouldn't be needed, as only returns db row with matching name, but anyways)
if(!$user || $form_username !== $user['username']){
    $err = TRUE;
}
//next check (hash_equals is a strict string compare, so no type juggling on the hashes)
if(!$user || !hash_equals($user['password'], md5($form_password))){
    $err = TRUE;
}
//do all checks, then
if($err){
    die("there was a problem with your login");
} else {
    echo "login details correct";
}
instead of matching the usernames and passwords, i set an error if they don't match. it just works out easier i find.
also, stop me if you know this; when passwords are saved into a db (or other file) they are generally encrypted using md5(). This is a one-way encryption, meaning that once a string has been md5'd, the md5 hash cannot be converted back to reveal the original password. This means that if someone sees your user database, they cannot find out the users' passwords.
so in the example above, we take the password from the form, md5 it, and then compare it with the md5 stored in the db.
oh, md5's are always strings of length 32.
adam
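
An added example, not part of adam's post: a login check that still accepts the 32-character md5 values described above but replaces them with a salted `password_hash()` value on the next successful login, since unsalted md5 is fast to guess against if the user table leaks. The function name `check_and_upgrade` and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example, not from the original post.
// check_and_upgrade() and the sample rows below are hypothetical.

// Verify a password against the stored value. If the row still holds a legacy
// unsalted md5 (32 hex characters), also return a replacement hash to store.
function check_and_upgrade(string $form_password, string $stored): array
{
    $is_legacy_md5 = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);

    if ($is_legacy_md5) {
        // hash_equals() compares in constant time and never type-juggles
        $ok = hash_equals(strtolower($stored), md5($form_password));
    } else {
        $ok = password_verify($form_password, $stored);
    }

    $new_hash = null;
    if ($ok && ($is_legacy_md5 || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // salted, deliberately slow hash; the caller writes it back to usertable
        $new_hash = password_hash($form_password, PASSWORD_DEFAULT);
    }
    return ['ok' => $ok, 'new_hash' => $new_hash];
}

// Constructed sample rows standing in for usertable
$users = [
    'alice' => md5('correct horse'),                              // legacy md5 row
    'bob'   => password_hash('battery staple', PASSWORD_DEFAULT), // already migrated
];

$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'battery staple']];
foreach ($attempts as [$name, $pw]) {
    $r = check_and_upgrade($pw, $users[$name]);
    if ($r['new_hash'] !== null) {
        $users[$name] = $r['new_hash']; // in a real app: UPDATE via a prepared statement
    }
    printf("%s: %s%s\n", $name,
        $r['ok'] ? 'login ok' : 'login failed',
        $r['new_hash'] !== null ? ' (hash upgraded)' : '');
}
```

The password column needs to be wider than 32 characters to hold the new hashes; the PHP manual recommends 255.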