Hi everyone,

I am giving a shot at a typical login script, which plucks usernames,
passwords, and access levels from 2 databases. The passwords database uses
md5 encryption, I haven't much of a clue what I am doing with that though.

My real problem, if that's not it, lies with the verification. I try to log
in using a real account/password, and a fake account/password, and it
simply reloads the form without displaying any of the 'else' statements.
Any help would be appreciated.

Script is 'supposed' to function like this;
-> Collect form information.
-> Connects to database.
-> Sets $db_user as ID(TINYINT(6)) from database Users.
-> Sets $db_pass as Password(MD5(32)) from database Passwords.
-> Converts the $db_pass(Password from FORM) to MD5 hash.
-> Checks if password(MD5) from FORM matches password(MD5) from database.
-> -> If match get access level from Users & set some cookies.
-> -> If failed kick their asses ;)
-> Checks if access level matches either 1, 2, or 3 and displays relative
info.

Areas of concern for me are MD5, $GLOBALS, and PHP_SELF. (Are those
correct?)

<? if ($submit) {
        $db = mysql_connect("localhost", "dbname", "dbpassword");
        mysql_select_db("mydb", $db);

        $db_user = "
        SELECT ID FROM dbusers
        WHERE UserName = '$username'";

        $db_pass = "
        SELECT Password FROM dbpasswords
        WHERE ID = '$db_user'";

        $db_pass_temp = MD5('$db_pass');

        if ($password == $db_pass_temp) {
                $db_access = "
                SELECT Access FROM dbusers
                WHERE ID = '$db_user'";

                setcookie('user', $_POST['$db_user'], (time() +2592000), '/', '', 0);
                setcookie('access', $_POST['$db_access'], (time() +2592000), '/', '', 0);
                }
        else {
                echo "Password specified was incorrect.";
                }

        if ($db_access == "1") {
                echo "You are logged in as an Administrator.<BR>
                <A href='next.php'>Click here for options.</A>";
                }
        elseif ($db_access == "2") {
                echo "You are logged in as a Power User.<BR>
                <A href='next.php'>Click here for options.</A>";
                }
        elseif ($db_access == "3") {
                echo "Welcome to this place, you are logged in.<BR>
                <A href='next.php'>Click here for options.</A>";
                }
        }
?>
<FORM method="POST" action="<? echo $GLOBALS ['PHP_SELF'];?>">
        Name:<INPUT type="text" name="username" selected><BR>
        Password:<INPUT type="password" name="password"><BR>
        <INPUT type="submit" name="submit" value="Login">
</FORM>



Hartleigh Burton
www.channel-x.org



-- 
PHP Database Mailing List (http://www.php.net/)
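
A working version of the flow listed in the message, as an added example that is not the poster's code: it executes the queries, binds the user name as a parameter, and uses PHP's password_hash()/password_verify() in place of MD5. The in-memory SQLite database (needs the pdo_sqlite extension), the sample rows and the function name check_login are assumptions made for the example; the table and column names come from the message.

```php
<?php
// Added example, not the poster's code. An in-memory SQLite database stands in
// for the MySQL server; the rows below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dbusers (ID INTEGER PRIMARY KEY, UserName TEXT UNIQUE, Access INTEGER)');
$pdo->exec('CREATE TABLE dbpasswords (ID INTEGER PRIMARY KEY, Password TEXT)');
$pdo->exec("INSERT INTO dbusers VALUES (1, 'alice', 1), (2, 'bob', 3)");
$seed = $pdo->prepare('INSERT INTO dbpasswords VALUES (?, ?)');
$seed->execute([1, password_hash('correct horse', PASSWORD_DEFAULT)]);
$seed->execute([2, password_hash('hunter2', PASSWORD_DEFAULT)]);

/**
 * Returns the access level (1, 2 or 3) on success, or null on failure.
 * check_login is a hypothetical helper name chosen for this example.
 */
function check_login(PDO $pdo, string $username, string $password): ?int
{
    // The query is actually executed, and the user name is bound as a
    // parameter instead of being interpolated into the SQL string.
    $stmt = $pdo->prepare(
        'SELECT u.Access, p.Password FROM dbusers u
         JOIN dbpasswords p ON p.ID = u.ID WHERE u.UserName = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() hashes the form password with the stored salt and
    // compares the result; an unknown user gets the same answer as a wrong password.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    return (int) $row['Access'];
}

$labels = [1 => 'an Administrator', 2 => 'a Power User', 3 => 'a user'];
// Constructed attempts: valid login, wrong password, unknown name containing a quote.
$attempts = [['alice', 'correct horse'], ['bob', 'wrong'], ["o'neil", 'anything']];
foreach ($attempts as [$user, $pass]) {
    $access = check_login($pdo, $user, $pass);
    echo $access === null
        ? "Login failed for $user\n"
        : "$user is logged in as {$labels[$access]}\n";
}
```

In a web page, call check_login() with $_POST['username'] and $_POST['password'], and keep the returned access level in $_SESSION rather than in a cookie, since the browser can change cookie values.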