
My MySQL session won't start

My MySQL session will start if $count is equal to 1, but it's not equal to 1 and I have no idea how to fix it. I'm fairly new to PHP, and I prefer to use sha1 rather than BCrypt.

<?php
    //login form
    mysql_connect("xxxxx","xxxxxx","xxxxxx") or die( mysql_error() );
    mysql_select_db("u940004575_chat");

    $myusername = stripslashes( $myusername );
    $mypassword = stripslashes( $mypassword );
    $sha1mypassword = sha1( $mypassword );
    $myusername = mysql_real_escape_string( $myusername );
    $mypassword = mysql_real_escape_string( $mypassword );
    $sha1mypassword = mysql_real_escape_string( $sha1mypassword );
    $sql = mysql_query("SELECT id FROM users WHERE username='$myusername' and password='$sha1mypassword'") or die( mysql_error() );
    $result = mysql_query( $sql );

    if ( $sql ) {
        $count = mysql_num_rows( $sql );
    }

    if ( $count == 1 ) {
       session_register("myusername");
       session_register("mypassword");
       header("location:home.php");
    } else {
       echo "Wrong Username or Password";
    }
?>

If anyone can help me that would be great, any fix will be greatly appreciated.

You should really be using PHP's PDO or MySQLi instead of the deprecated mysql_* functions.

note: using PHP PDO your parameters are being escaped automagically.

see: this notice on PHP doc

Unless you absolutely need SHA1, you'll want to first seek the user and then challenge the stored password hash. This is far more portable, as some hashing algorithms such as Bcrypt will not work with a simple string comparison.

That brings me to my next point: do not use FAST hashing algorithms (SHA, MD5, etc) for password hashing. These hashing algorithms are meant for hashing large amounts of data quickly which means that an attacker could generate a reverse lookup table quickly for small data such as passwords. Algorithms such as Bcrypt, Scrypt, pbkdf2, etc are good examples of specialized hashing algorithms designed to be slower or harder to generate lookup tables for.

<?php
    session_start();
    $myusername = 'foo';
    $mypassword = '123';

    // DB_HOSTNAME, DB_DATABASE, DB_USERNAME and DB_PASSWORD are placeholders for your own connection constants
    try {
       $pdo = new PDO('mysql:host=' . DB_HOSTNAME . ';dbname=' . DB_DATABASE, DB_USERNAME, DB_PASSWORD);
       $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch ( PDOException $e ) {
       die ('ERROR: ' . $e->getMessage() );
    }

    // look the user up by username only; the bound parameter needs no manual escaping
    $query = 'SELECT id, password FROM users WHERE username = :username';
    $params = array('username' => $myusername);

    $stmt = $pdo->prepare( $query );
    $stmt->execute( $params );

    $row = $stmt->fetch( PDO::FETCH_OBJ );

    // user not found? fetch() returns false (rowCount() is not reliable for SELECT on every driver)
    if ( ! $row ) {
       die ('unknown user');
    }

    // challenge password hash; hash_equals() compares in constant time and avoids
    // PHP's loose == on numeric-looking strings such as "0e..." hashes
    if ( hash_equals( $row->password, sha1( $mypassword ) ) ) {
       // success!
       header("location:home.php");
    } else {
       die ('wrong password');
    }

EDIT:

Also make sure you're starting a session with session_start() . This will allow you to store session variables on the PHP backend with the $_SESSION superglobal.

// run login script

$_SESSION['user_id'] = $row->id;

// redirect to an authenticated page

then on all your authenticated pages you can query/cache the user by ID and get the user object containing all of the current user data

    session_start();
    // make sure logged in; empty() also covers the case where the key was never set

    if ( empty( $_SESSION['user_id'] ) ) {
       // not logged in
       // redirect to login
       die ('not logged in');
    }
    // $pdo is the PDO connection created as in the login script above
    $query = 'SELECT * FROM users WHERE id = :id';
    $stmt = $pdo->prepare( $query );
    $stmt->execute( array('id' => $_SESSION['user_id'] ) );

    $user = $stmt->fetch( PDO::FETCH_OBJ );
    print 'Hello, ' . $user->username;
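The "find the user, then verify the stored hash" pattern and the slow-hash advice above, as an added example that is not part of the original answer: it uses PHP's built-in password_hash()/password_verify() (bcrypt by default) instead of sha1(), and assumes a users table with columns id, username and password_hash plus an existing PDO connection $pdo configured with ERRMODE_EXCEPTION.

```php
<?php
declare(strict_types=1);
// Added example, not the original answer's code. Assumes table users(id, username, password_hash)
// and a PDO connection $pdo (ERRMODE_EXCEPTION) created as in the answer above.

// Registration: store a salted bcrypt hash, never the password or a fast hash of it.
function storeNewPassword(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute(['u' => $username, 'h' => $hash]);
}

// Login: returns the user id on success, null on failure. Look the user up by username only
// (bound parameter, no manual escaping), then verify the password against the stored hash.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute(['u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Constructed dummy hash: verifying against it when the user does not exist keeps the
    // response time similar for unknown and known usernames (no enumeration by timing).
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy-password-never-valid', PASSWORD_DEFAULT);
    $hash = $row ? $row['password_hash'] : $dummyHash;

    if (!password_verify($password, $hash) || !$row) {
        return null;   // one generic failure for both cases
    }
    // Transparently upgrade the stored hash when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute(['h' => password_hash($password, PASSWORD_DEFAULT), 'id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Login handler: authenticate, then rotate the session id so a session id fixed
// before login cannot be reused afterwards, and store only the user id in the session.
session_start();
$userId = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    http_response_code(401);
    exit('Wrong Username or Password');
}
session_regenerate_id(true);
$_SESSION['user_id'] = $userId;
header('Location: home.php');
exit;
```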

Try:

if ( $result ) {
    $count = mysql_num_rows( $result );
}

instead of:

if ( $sql ) {
    $count = mysql_num_rows( $sql );
}

Look, it must be this way:

 $sql = "SELECT id FROM users WHERE username = '$myusername' and password = '$sha1mypassword'";
 // you defined the sql query

 $result = mysql_query( $sql );
 // now you executed it and have the result

 // and you can go on with this result
 if ( $result ) {
     $count = mysql_num_rows( $result );
 }

and by the way, move to mysqli_query() , because mysql_query() will soon be deprecated. See the official docs.

Give this a shot

// $link is assumed to be your mysqli connection (from mysqli_connect()); mysqli_error() requires it
if ( !$result ) {
   die( mysqli_error( $link ) );
} else {
    // check if $result row == 1
    if ( mysqli_num_rows( $result ) == 1 ) {
        // do stuff here
    }
}

As mentioned before, use mysqli_ because development for mysql_ has stopped. Read More

The technical posts on this site follow the CC BY-SA 4.0 license. If you reprint, please credit the site URL or the original address. Any questions, please contact: yoyou2525@163.com.
