
PHP login with wrong password still works

I've created a login page with PHP and a MySQL database. Everything works fine, except that when I log in with the right username and the wrong password it still sends me to the logged-in page and doesn't keep me on the login page.

<?php
$user = $_POST['user'];
$pass = stripslashes($_POST['pass']);
$pass = mysql_real_escape_string($pass);
$pass = md5($pass);

$connect = mysql_connect("$host", "$ad_user", "$ad_pass") or die("Unable to connect to MySQL");
$db = mysql_select_db("$db", $connect) or die("Could not select examples");

$query = "SELECT * FROM members WHERE username='$user'" or die("error query");
$result = mysql_query($query);
$count = mysql_num_rows($result);
$p = mysql_fetch_array($result);
If($count == 1){
    If($p['password'] == $pass){
        session_start();
        $_SESSION['loggedin'] = 1;
        $_SESSION['username'] = $user;
        header('Location: //members.polydodo.com');
    }else{
        header('Location: ../login.php?error');
    }
}else{
    header('Location: ../login.php?error');
}

mysql_close($connect);
?>

I can't see any mistakes in this and I've double checked orders of password encryption, etc. already. Using the wrong username redirects to the error page and doesn't log me in but it logs me in with the right username regardless of the password.

PS: I am aware of MySQLi and PDO but haven't had time to look into them yet, so I'm sticking with standard MySQL until I do.

The problem is in the lines below:

$query = "SELECT * FROM members WHERE username='$user'" or die("error query");
$result = mysql_query($query);

Change it to:

$query = "SELECT * FROM members WHERE username='$user' LIMIT 1";
$result = mysql_query($query) or die(mysql_error());

UPDATE:

Also use the password for authentication directly in the query, like:

  $query = "SELECT * FROM members WHERE username='$user' AND password='$pass' LIMIT 1";
  $result = mysql_query($query) or die(mysql_error());

Note: mysql_* is deprecated; use mysqli_* or PDO.

Use the password field as well.

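// Escape the username as well before it goes into the SQL string
$user = mysql_real_escape_string($user);
$query = "SELECT * FROM members WHERE username='$user' AND password='$pass'";
// "or die" belongs on the query call, not on the string assignment
$result = mysql_query($query) or die("error query");
$count = mysql_num_rows($result);
//$p = mysql_fetch_array($result);
if($count == 1){
    session_start();
    $_SESSION['loggedin'] = 1;
    $_SESSION['username'] = $user;
    header('Location: //members.polydodo.com');
    exit; // stop the script once the redirect header is sent
}else{
    header('Location: ../login.php?error');
    exit;
}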

Try to pass both the values in the query. You don't need to match it afterwards.
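
An added example, not part of the question or of either answer: the same login check written with PDO, a prepared statement, and password_hash()/password_verify() in place of md5(). An in-memory SQLite table with constructed rows stands in for the MySQL members table (this assumes the pdo_sqlite driver is available), and check_login() and login_target() are illustrative names.

```php
<?php
// Added example; function names and sample rows are constructed for illustration.

// True only when the username exists AND the password matches its stored hash.
function check_login(PDO $db, string $user, string $pass): bool
{
    // The placeholder keeps $user out of the SQL text, so quotes in it are just data.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ? LIMIT 1');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();   // false when there is no such user

    // password_verify() checks against a salted hash using a timing-safe comparison.
    return is_string($hash) && password_verify($pass, $hash);
}

// Chooses the redirect target from the posted form fields (same targets as the question).
function login_target(PDO $db, array $post): string
{
    $user = is_string($post['user'] ?? null) ? $post['user'] : '';
    $pass = is_string($post['pass'] ?? null) ? $post['pass'] : '';
    return check_login($db, $user, $pass)
        ? '//members.polydodo.com'
        : '../login.php?error';
}

// Constructed sample data: in-memory SQLite stands in for the MySQL members table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute(["o'brien", password_hash('battery staple', PASSWORD_DEFAULT)]);

// Right user and right password, right user and wrong password, unknown user,
// and a username containing a quote character.
$attempts = [
    ['user' => 'alice',   'pass' => 'correct horse'],
    ['user' => 'alice',   'pass' => 'wrong password'],
    ['user' => 'nobody',  'pass' => 'correct horse'],
    ['user' => "o'brien", 'pass' => 'battery staple'],
];
foreach ($attempts as $post) {
    echo $post['user'], ' -> ', login_target($db, $post), PHP_EOL;
}

// In the real login page, on success: session_start(); session_regenerate_id(true);
// set $_SESSION, then header('Location: ' . $target); exit;
```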
