And please use code tags..
Regards
Dheeraj Joshi
Regards
Dheeraj Joshi
-
-
Your current script is a bit over-complicated and is wrong (you are using = assignment rather than ==, === or, even better, strcmp). And your script is open to SQL injection. Here's something I have used before, adapted:
Code:session_start(); $username = isset($_POST['username']) ? $_POST['username'] : NULL; $password = isset($_POST['password']) ? $_POST['password'] : NULL; $sql = "SELECT salt, pass_hash FROM users WHERE username = '%s'"; $sql = sprintf( $sql, mysql_real_escape_string($username) ); $result = mysql_query( $sql ); if (!mysql_num_rows($result)) { /* incorrect username */ } else { $row = mysql_fetch_row($result); $pass_hash = pack( "H*", md5($password . $row[0]) ); if ( strcmp($pass_hash, $row[1]) === 0 ) { $_SESSION['username'] = $username; header("Location: account.php"); exit; } else { /* Incorrect password */ } }Comment
-
ok thanks,
but there is an error
Warning: mysql_num_rows( ): supplied argument is not a valid MySQL result resource,
can i know how to fixed it.thxComment
-
is that the pass_hash, salt as a field in database?
And strcmp is for?
Thz
but why that any user which not in database also can login?Comment
-
There is probably a mysql error (echo mysql_error() to see), probably due to those fields missing
Yes, `pass_hash` and `salt` are BINARY(16) fields in the database.pass_s alt is the result of
$salt could be, for example:Code:$pass_salt = md5 ( $pass . $salt, true );
strcmp is binary-safe string comparison: it returns 0 if they match (see php.net). We need this because values may be mis-represented in a normal string comparison (I think/am sure).Code:$salt = md5(uniqid(mt_rand(), true), true);
Comment
Comment