
Problem with Code

Schmidty
#1: Jan 11 '07
I have this simple problem with some PHP5 code using MySQL 5 on Windows
and IIS 6. I think it has to do with my programming logic but I still
can't figure it out?

1. What is happening is the password function works BUT if you put in
the right username and wrong password it DOES NOT print out the message
'Password doesn't match!' Am I not using the 'elseif' statement
properly?
2. Not sure if this is a logic problem, using MySQL functions properly
or not using PHP5 functions properly. Thanks for any help anyone can
give me!

Schmidty

Here is the code;
------------------------------------------------------------------------------------------------------
function auth() {

    if ($this->user == "" or $this->pass == "") { echo "ERROR"; exit; }

    $mysqli = new mysqli("$network","$user","$password","$database") or
        die("ERROR connecting to database server!");

    $query = "SELECT username, pswd, type FROM userauth WHERE username = '$this->user' AND pswd = '$this->pass'";

    $result = $mysqli->query($query);

    while (list($uname, $upass, $type) = $result->fetch_row()) {

        if ($uname == $this->user and $upass == $this->pass) {
            print "$uname - $type<br />";
        } elseif ($upass !== $this->pass) {
            print "Password doesn't match!<br />"; // <===== NOT SURE IF THIS IS CORRECT????
        }
    }

    $result->free();
    echo "Cleared results<br />";
    $mysqli->close();
    echo "Closed database<br />";

}
--------------------------------------------------------------------------------------------------------------------

Hendri Kurniawan
#2: Jan 11 '07

re: Problem with Code


The query will actually match the password for you.
$query = "SELECT username, pswd, type FROM userauth WHERE username = '$this->user' AND pswd = '$this->pass'";

Therefore right username with wrong password will not return anything
from the query

Hendri Kurniawan

Schmidty
#3: Jan 11 '07

re: Problem with Code


Hendri,
Thanks for the quick reply.
How would I validate and reply with an error message if 'the right
username with wrong password' came up? Thanks...

Schmidty

Hendri Kurniawan
#4: Jan 11 '07

re: Problem with Code


No prob

Change the query and omit paswd checking
$query = "SELECT username, pswd, type FROM userauth WHERE username = '$this->user'";

BTW... with password checking it's more secure.
The "user" won't know if he/she has the correct username or not.
Potential attackers won't know if they stumble upon an active username

Hendri Kurniawan
Gordon Burditt
#5: Jan 12 '07

re: Problem with Code


Quote:
>How would I validate and reply with an error message if 'the right
>username with wrong password' came up? Thanks...

You shouldn't have a different error message for the cases:
right username with the wrong password
vs.
wrong username with any password at all

If you do, you're giving away which usernames are correct.
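
Added example, not code posted by anyone in the thread: the row is looked up by username only, as Hendri suggests, but an unknown username and a wrong password produce the same result, as Gordon advises. It assumes PHP 7.1+ and that `pswd` stores a `password_hash()` value rather than the plain password; an in-memory SQLite database through PDO stands in for the thread's MySQL/mysqli connection so it runs offline, and `DUMMY_HASH` is a hypothetical name.

```php
<?php
// Added example: table and column names follow the thread; everything else is assumed.
// An in-memory SQLite database stands in for the MySQL server so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userauth (username TEXT PRIMARY KEY, pswd TEXT, type TEXT)');

// Constructed sample account; pswd holds a password_hash() value, not the plain password.
$ins = $db->prepare('INSERT INTO userauth (username, pswd, type) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);

// Hash of a throwaway value, verified against when the username is unknown so that
// both failure paths do the same amount of work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

/**
 * Returns the account type on success, or false on any failure.
 * The caller cannot tell an unknown username from a wrong password.
 */
function auth(PDO $db, string $user, string $pass)
{
    if ($user === '' || $pass === '') {
        return false;
    }
    // Look the row up by username only; the value is bound, not interpolated
    // into the SQL string as in the original query.
    $stmt = $db->prepare('SELECT pswd, type FROM userauth WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row ? $row['pswd'] : DUMMY_HASH;
    $ok   = password_verify($pass, $hash);   // always runs, row found or not

    return ($row && $ok) ? $row['type'] : false;
}

// Constructed login attempts: one good, one wrong password, one unknown user.
$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['nobody', 'wrong']];
foreach ($attempts as [$u, $p]) {
    $type = auth($db, $u, $p);
    // One message for every failure, whichever half of the credentials was wrong.
    echo $type !== false ? "Welcome, $type\n" : "Invalid username or password\n";
}
```
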
Schmidty
#6: Jan 12 '07

re: Problem with Code


Okay I answered my own question "How would I validate and reply with an
error message if the right username with wrong password came up?" It
was pretty simple fix. At the end of the function 'auth()' I put the
line 'echo "ERROR";'. I might even add a function at this point to send
an email to the actual user indicating that someone tried to log-on
using their username with an invalid password!

Gordon Burditt
#7: Jan 13 '07

re: Problem with Code


Quote:
>Okay I answered my own question "How would I validate and reply with an
>error message if the right username with wrong password came up?" It
>was pretty simple fix. At the end of the function 'auth()' I put the
>line 'echo "ERROR";'. I might even add a function at this point to send
>an email to the actual user indicating that someone tried to log-on
>using their username with an invalid password!

In other words, you're going to allow your site to be used as a weapon
to mail-bomb your users? This is NOT a good idea unless you've got strict
limits on how often you can send that email (e.g. once every 24 hours max,
and even that's very annoying).

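Added example, not code from the thread: one way to enforce the limit Gordon describes, so that a failed-login notice goes out at most once per 24 hours per account however many attempts arrive. The `auth_notice` table, `claimNotice()` and `NOTICE_INTERVAL` are hypothetical names, and an in-memory SQLite database through PDO stands in for the site's real database (PHP 7.1+ assumed).

```php
<?php
// Added example; the auth_notice table and the function names are hypothetical.
const NOTICE_INTERVAL = 86400; // 24 hours, the ceiling suggested in the thread

$db = new PDO('sqlite::memory:');   // stands in for the site's real database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth_notice (username TEXT PRIMARY KEY, last_sent INTEGER NOT NULL)');

/**
 * Claims the right to send one failed-login notice for $username.
 * Returns true at most once per NOTICE_INTERVAL per account.
 */
function claimNotice(PDO $db, string $username, int $now): bool
{
    // First notice ever for this account: the insert succeeds exactly once.
    // (INSERT OR IGNORE is SQLite syntax; MySQL spells it INSERT IGNORE.)
    $ins = $db->prepare('INSERT OR IGNORE INTO auth_notice (username, last_sent) VALUES (?, ?)');
    $ins->execute([$username, $now]);
    if ($ins->rowCount() === 1) {
        return true;
    }
    // Otherwise move the timestamp forward only if the interval has elapsed.
    // The WHERE clause makes check-and-update a single statement, so two
    // parallel requests cannot both claim the same slot.
    $upd = $db->prepare('UPDATE auth_notice SET last_sent = ? WHERE username = ? AND last_sent <= ?');
    $upd->execute([$now, $username, $now - NOTICE_INTERVAL]);
    return $upd->rowCount() === 1;
}

// Constructed burst: 500 failed logins one second apart, then one a day later.
$t0   = 1168560000;
$sent = 0;
for ($i = 0; $i < 500; $i++) {
    if (claimNotice($db, 'alice', $t0 + $i)) {
        $sent++;            // the real site would queue the email here
    }
}
$later = claimNotice($db, 'alice', $t0 + NOTICE_INTERVAL);

echo "notices sent during burst: $sent\n";
echo "notice allowed 24h later: " . ($later ? 'yes' : 'no') . "\n";
```
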
Schmidty
#8: Jan 15 '07

re: Problem with Code


You're right, that would not be good for my users!!