PHP and Database checking

121212

Hello everyone,
I'm having this code to check if a user is exists in my database and check his password, everything goes well until i enter the real password of a user, in register form, i fill the password as "hello" , but i can't login with that password, i've tried to modify the password field in MySQL, but it still. I think this happen because my PHP code, the IF statement must be wrong somewhere, i'll be greatly appreciate your help


<?php 
require_once("MySQL.php"); 
if ( $_GET['act'] == "do" ) 
{ 


$username = addslashes( $_POST['UserName'] ); 
$password = md5( addslashes( $_POST['Password'] ) ); 

$sql_query = mysql_query("SELECT id, username, password FROM members WHERE username='$username'"); 
$member = mysql_fetch_array( $sql_query ); 


if ( mysql_num_rows( $sql_query ) <= 0 ) 
{ 
echo "<p id=NormalText>This Username isn't exist !"; 
exit; 
} 

if ( $password != $member['Password'] ) 
{ 
echo "<p id=NormalText>Incorrect Password !"; 
exit; 
} 

//session_start(); 
//$_SESSION['user_id'] = $member['id']; 

echo "<p id=NormalText>Thanks, you're now log in !"; 


}


?>

rsmith

Are you sure the password when the user is created is being md5()'d? And what's the point of the addslashes() around the username and password submitted? I can't think of a single instance where you would want to put slashes into a password let alone a username.

roscor

<?PHP session_start();
//use session start if requiring session enabled pages plus always use long tags PHP


//preg_match validation text box, valid char plus 4 min characters, then $_POST
 if(preg_match('/^[a-zæøåÆØÅ0-9_-]{4,}$/i', $_POST['username'])){
        $user = $_POST['username'];     

    }
        else {
        $error1 .= "your error message 1";
        // you can echo out this error in your form for dynamic form validation
             }   

  if(preg_match('/^[a-zæøåÆØÅ0-9_-]{4,}$/i', $_POST['password'])){
        $passw = md5($_POST['password']);
    }
        else {
        $error2 .= "your error message 2";
        // you can echo out this error in your form for dynamic form validation
            }   


//database connection info
require_once("MySQL.php");

//connect to database-select table
$conn = mysql_connect($host, $username, $password) or die(mysql_error());
mysql_select_db($database,$conn) or die(mysql_error());

//select * or everything (not best practice you could just select as per your code)
    $query="SELECT * FROM members WHERE  username ='$user' and password ='$passw'";

//prevent sql, injection using mysql_real_escape_string
     $user = mysql_real_escape_string($_POST['username']);
     $passw = mysql_real_escape_string(md5($_POST['password']));

//use mysql_error when debugging code, later you can use @mysql_error to suppress.
    $result = mysql_query($query) or die die(mysql_error());

// then set sessions/cookies, echo results whatever
// e.g. $_SESSION['valid_user']=$user;
// e.g. $_SESSION['reg_id']=$id;
?>

121212

rsmith;10877498 wrote:
Are you sure the password when the user is created is being md5()'d? And what's the point of the addslashes() around the username and password submitted? I can't think of a single instance where you would want to put slashes into a password let alone a username.

Thanks for 2 replys,
Yes, The password is created with md5(), i think addslashes() will help me avoid SQL injection, but as you said, i'll try to trip it out and check against
Thanks