1) Change
ToPHP Code:$query = mysql_query( "SELECT `password`, `salt`, FROM `users` WHERE `username` = '".$username."'" );
You're right, you have done that wrongPHP Code:$query = mysql_query( "SELECT `password`, `salt` FROM `users` WHERE `username` = '".$username."'" );
Don't worry about anyone guessing the name to your session. Even if they know it, they won't be able to do anything with it, as it's all server side. Unless you're going to be doing stuff with sessions in the database, I wouldn't bother with a complex logged in session.
Results 11 to 20 of 24
-
-
Yes! It's fixed! ^^; Thanks! No error, but now something else has decided to not work.
I type the correct password in for the username, and it comes up with "Incorrect password."
Here's the code:
Without your help, Beau, I wouldn't be going anywhere.PHP Code:<?php
session_start();
include 'config.php';
$username = $_POST[username];
$password = $_POST[password];
if ($_POST['submit']) {
$query = mysql_query( "SELECT `password`, `salt` FROM `users` WHERE `username` = '".$username."'" );
$rows = mysql_fetch_array( $query );
$encrypted = md5($password . $rows["salt"] );
if( $encrypted == $rows["password"] )
{
echo "Correct password!";
$_SESSION["logged"] = "logged";
}
else
{
echo "Incorrect password.";
}
} else {
if (!$_POST['submit']) {
echo "
<form action=\"login.php\" method=\"POST\">
Username: <input type=\"text\" size=\"30\" name=\"username\"></br>
Password: <input type=\"password\" size=\"20\" name=\"password\"></br>
<input type=\"submit\" value=\"Login!\" name=\"submit\">
";
}
}
?>
-
Can't edit but I fixed it!
Now I may have a problem with sessions, 2 secs.
Yeah, with sessions I think I have a problem.
When I login I get a session, and it's content is random numbers and letters. Even if you get the pass wrong you get a session. The session name is PHPSESSID hmm?
That's login.phpPHP Code:<?php
session_start();
include 'config.php';
$username = $_POST[username];
$password = $_POST[password];
if ($_POST['submit']) {
$query = mysql_query( "SELECT `salt`, `password` FROM `users` WHERE `username` = '".$username."'" );
$rows = mysql_fetch_array( $query );
$encrypted = md5($rows["salt"] . $password );
if( $encrypted == $rows["password"] )
{
echo "Correct password!";
$_SESSION["logged"] = "logged";
}
else
{
echo "Incorrect password.";
}
} else {
if (!$_POST['submit']) {
echo "
<form action=\"login.php\" method=\"POST\">
Username: <input type=\"text\" size=\"30\" name=\"username\"></br>
Password: <input type=\"password\" size=\"20\" name=\"password\"></br>
<input type=\"submit\" value=\"Login!\" name=\"submit\">
";
}
}
?>
Hmm, not sure what's going on.
Beau, I need your good help again!
Last edited by Hitman; 25-11-2007 at 02:52 PM.
-
* CANT EDIT *
I've fixed it, it's allllll working fine!
-
Oh good
Just so you know, PHPSESSID a cookie that is made automatically, that holds your session id. You can rename it, but you can't delete it
-
Woot, thanks for all your help you're the PHP man.
I have one tiny problem, I've made a change pass - I'm not sure what's wrong. :S
It encrypts the password and does something - but it isn't correct.PHP Code:<?php
session_start();
include 'config.php';
if ($_SESSION['logged_user'] == true) {
if ($_POST['submit']){
$query = mysql_query("SELECT `salt` FROM `users` WHERE `username` = '".$_SESSION['logged_user']."'");
$rows = mysql_fetch_array( $query );
$encrypted_pass = md5($rows['salt'] . $_POST['password'] );
$query = mysql_query("UPDATE `users` SET `password` = '$encrypted_pass' WHERE `username` = '".$_SESSION['logged_user']."'");
echo "Updated!";
}
}
if ($_SESSION['logged_user'] == false) {
echo "Not logged in!";
} else {
if (!$_POST['submit']){
echo "<form action=\"edit.php\" method=\"POST\"><b>Edit your profile!</b></br></br>Edit password: <input type=\"password\" size=\"20\"><input type=\"submit\" name=\"submit\" value=\"Change!\">";
}
}
?>Last edited by Hitman; 26-11-2007 at 03:10 PM.
-
Salting or peppering your md5s is basicly there to stop people useing google to get a pass from the hash.
Basiicly the idea works, becuse alot of wana be hackers write write down the pass that produce certain hashes, then when u google a hash, it can often come up with the assoiated pass. if you salt it, aka add a few charcs before the pass within the hash calcualtion, what you actualy get is saltPassword being hashed, so when an md5 is run, the pass its assoaited with is likley not the pass needed to be entered in order to gain access to the account. A more random hash can be created using the time the registed or some other unchanging value, since then each users pass salting will be differnt adding yet another layer of protection
-
Oh boy, I'm a proper noob. LOL. Why you ask? I forgot the name=\"password\" on the form so it was sending the salt only.
Haha, it's all good now. Change pass works!
-
Thats good
Originally Posted by Hitman
Oh boy, I'm a proper noob. LOL. Why you ask? I forgot the name=\"password\" on the form so it was sending the salt only.
Haha, it's all good now. Change pass works! You seem to be learning fast.
Need help on anything else?
-
Hi Dentafrice!
I have one problem... I've made a page to see all users, with their info like email etc... It only shows my info, not anybody elses... hmm.
Code.
I can't see anything wrong...PHP Code:<?php
session_start();
include 'config.php';
if ($_SESSION['logged_user'] == true) {
$query = mysql_query("SELECT `level` FROM `users` WHERE `username` = '".$_SESSION['logged_user']."'");
$rows = mysql_fetch_array( $query );
if ($rows['level'] == 5) {
$query = mysql_query("SELECT * FROM `users`");
$rows = mysql_fetch_array($query2);
echo "Username: ".$rows['username']."</br></br> Email: ".$rows['email']."</br></br>Join date: ".$rows['date']."</BR></BR>Signature: ".$rows['signature']."";
} else {
echo "Don't try and get where you shouldn't be...";
}
}
if ($_SESSION['logged_user'] == false) {
echo "Not logged in. Redirecting... <meta http-equiv=\"REFRESH\" content=\"1;url=./login.php\">";
}
?>
I will learn to spot mistakes though 
Reply With Quote
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts