Back to General and Gameplay Programming

MySQL Wont Check The Password

ajm113 · 2012-02-08T07:05:39

I'm working on a login system for my website and I dont know if I'm just being stupid, but I dont know why MySQL wont check to make sure the password is equal to the "username". I.E: Lets say I have a table that looks like this: username, password, id. And someone registers on the website or inserts a row: ['ajm113', '12345', 0]. When they attempt to login they will have no problem of course as long as they have the username correct, but when it comes to the password check, MySQL completely doesn't bother to check it. Someone can type in a password such as "2312asadfasfrer" and login into someone's account! D: Here is my login script when someone hits the login button. function HighLevelSecurityString($string) { return htmlentities(stripslashes(mysql_real_escape_string($string))); } $username = HighLevelSecurityString($_POST['user']); $password = md5(HighLevelSecurityString($_POST['password1'])); $sql="SELECT * FROM UserList WHERE Username='$username' or email='$username' and Password='$password'"; $result=mysql_query($sql); $row = mysql_fetch_array($result) or die(mysql_error()); // Mysql_num_row is counting table row $count=mysql_num_rows($result) or die(mysql_error()); if($count == 1) { $_SESSION['username'] = $row['Username']; header("location:index.php"); }else{ echo"User not found!"; } As you can tell, very straight forward code. I dont get any errors from MySQL, so I'm not sure how it could possibly return 1 result each time even if the password is completely wrong. What I find strikingly odd is that I'm getting a somewhat reversed effect for when I'm just trying to UPDATE a row. When I do something like. "UPDATE UserList Password='$newPassword' WHERE Username='$username' and Password='$currentPassword'"

General and Gameplay Programming Programming

Started by ajm113 February 05, 2012 06:23 AM

10 comments, last by ajm113 12 years, 2 months ago

All8Up

5,999

February 07, 2012 02:06 PM

Part of the reason I (in a C++ app) did it this way was specifically so the password was never sent on the wire and was immediately zero'd in memory after sending.

The problem with such a protocol is that the hash of the "password" effectively is the password. That is, the server requires the client knows H(password + salt) to login (call this the "pass token"). While the password is not sent over the wire, the pass token is. If there was a flaw in the cryptography such that I can view the data on the wire, then I can see and replay the pass token to gain access. Note I do not need to brute force the pass token to do this!
[/quote]
My apologies, I revisited the code to make sure about this and I realized that I was actually sending the username+password under encryption. Guess I had already considered what you mention and fixed it but forgot about it. Oops.

As to the rest of it, I completely agree, this is not a web app of course and salsa was chosen for performance reasons and not for the ultimate security.

ajm113

355

Author

February 08, 2012 07:05 AM

Sorry for the few slow feed back (working loong hours at work), I got it working after fixing a few bugs I found in my html and it seems to even work a lot better with the brackets.

Thank you very much guys!

Check out my open source code projects/libraries! My Homepage You may learn something.

MySQL Wont Check The Password

This topic is closed to new replies.

Popular Topics

Recommended Tutorials

MySQL Wont Check The Password

This topic is closed to new replies.

Popular Topics

Recommended Tutorials

Reticulating splines