Posted by Hendri Kurniawan on 01/11/07 23:47
Schmidty wrote:
> Hendri,
> Thanks for the quick reply.
> How would I validate and reply with an error message if 'the right
> username with wrong password' came up? Thanks...
>
> Schmidty
>
>
> Hendri Kurniawan wrote:
>> Schmidty wrote:
>>> I have this simple problem with some PHP5 code using MySQL 5 on Windows
>>> and IIS 6. I think it has to do with my programming logic but I still
>>> can't figure it out?
>>>
>>> 1. What is happening is the password function works BUT if you put in
>>> the right username and wrong password it DOES NOT print out the message
>>> 'Password doesn't match!' Am I not using the 'elseif' statement
>>> properly?
>>> 2. Not sure if this is a logic problem, using MySQL functions properly
>>> or not using PHP5 functions properly. Thanks for any help anyone can
>>> give me!
>>>
>>> Schmidty
>>>
>>> Here is the code;
>>> ------------------------------------------------------------------------------------------------------
>>> function auth() {
>>>
>>> if ($this->user =="" or $this->pass == "") { echo "ERROR"; exit; }
>>>
>>> $mysqli = new mysqli("$network","$user","$password","$database") or
>>> die("ERROR connecting to database server!");
>>>
>>> $query = "SELECT username, pswd, type FROM userauth WHERE username =
>>> '$this->user' AND pswd = '$this->pass'";
>>>
>>> $result = $mysqli->query($query);
>>>
>>> while(list($uname, $upass, $type) = $result->fetch_row()) {
>>>
>>> if($uname == $this->user and $upass == $this->pass) {print "$uname -
>>> $type<br />";} elseif ($upass !== $this->pass) { print "Password
>>> doesn't match!<br />";} // <===== NOT SURE IF THIS IS CORRECT????
>>> }
>>>
>>> $result->free();
>>> echo "Cleared results<br />";
>>> $mysqli->close();
>>> echo "Closed database<br />";
>>>
>>> }
>>> --------------------------------------------------------------------------------------------------------------------
>>>
>> The query will actually match the password for you.
>> $query = "SELECT username, pswd, type FROM userauth WHERE username =
>> '$this->user' AND pswd = '$this->pass'";
>>
>> Therefore right username with wrong password will not return anything
>> from the query
>>
>> Hendri Kurniawan
>
No prob.
Change the query and omit pswd checking:
$query = "SELECT username, pswd, type FROM userauth WHERE username =
'$this->user'";
BTW... with password checking it's more secure.
The "user" won't know if he/she has the correct username or not.
Potential attackers won't know if they stumble upon an active username.
Hendri Kurniawan
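
The trade-off discussed above, as an added example that is not part of the original posts: the lookup is done by username only, through a bound parameter, and both failure cases return the same result so the caller can show one generic message. The function name `auth_user`, the `DUMMY_HASH` constant and the assumption that `pswd` stores `password_hash()` output (PHP 5.5 or later) are not from the thread.

```php
<?php
// Added example, not code from the thread. Assumes the userauth.pswd column
// stores password_hash() output rather than the plaintext compared above.

// Constructed dummy hash, verified when the username is unknown so that both
// failure paths do the same amount of work.
define('DUMMY_HASH', password_hash('constructed-placeholder', PASSWORD_DEFAULT));

/**
 * Returns array('username' => ..., 'type' => ...) on success, null on failure.
 */
function auth_user(mysqli $db, $user, $pass)
{
    if ($user === '' || $pass === '') {
        return null;
    }

    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username, pswd, type FROM userauth WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($uname, $hash, $type);
    $found = $stmt->fetch() === true;   // false on error, null when no row
    $stmt->close();

    // Select by username only, then check the password in PHP.
    $ok = password_verify($pass, $found ? $hash : DUMMY_HASH);

    // Unknown user and wrong password are indistinguishable to the caller.
    return ($found && $ok) ? array('username' => $uname, 'type' => $type) : null;
}

// Usage ($network, $dbuser, $dbpass, $database are placeholder settings):
// $db = new mysqli($network, $dbuser, $dbpass, $database);
// $account = auth_user($db, $_POST['user'], $_POST['pass']);
// echo $account === null
//     ? 'Invalid username or password.<br />'
//     : htmlspecialchars($account['username'] . ' - ' . $account['type']) . '<br />';
```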