difficulty in login in one attempt

Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 1000
    
    2
Hello everyone, I created a login page, but I am facing some difficulties with it.
My login page is working, but only in two attempts. I mean when I try to log in, it does not log me in and gives me the login page again, but when I try to log in a second time with the same username and password, it logs in/works.
Can anyone tell me the problem? Here is my code:

index.php




Page which appears after login:





core.inc.php



connect.inc.php

Devaka Cooray
ExamLab Creator
Saloon Keeper

Joined: Jul 29, 2008
Posts: 3166
    
  47

Where is your login form located? Is it in index.php or in some other file?

Side note: Your code looks vulnerable to SQL injection.


Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 1000
    
    2
Yes, it's index.php. And why is it vulnerable to SQL injection? Can you explain, please?
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19720
    
  20

If I post username ' OR '1'='1, your query becomes SELECT `id` FROM `users` WHERE `username`= '' OR '1' = '1' AND `password`= 'whatever here'. As a result (the OR taking precedence if I recall correctly), all records will be returned and I will definitely be able to log in. That's just a "harmless" use. With the right input you can delete records, or even drop entire tables. Use mysql_real_escape_string or casting to numbers on every single value you use in any query.


Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 1000
    
    2
Thank you for this explanation. As you said, I replaced the code like this:


<?php
include("connect.inc.php");
if (isset($_POST['username']) && isset($_POST['password']))
{
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    if (!empty($username) && !empty($password))
    {
        $query = "SELECT `id` FROM `users` WHERE `username`= '$username' AND `password`= '$password'";
        if ($query_run = mysql_query($query))
        {
            $num_row = mysql_num_rows($query_run);
            if ($num_row == 0)
            {
                echo 'Invalid username and password.';
            }
            else
            {
                $user_id = mysql_result($query_run, 0, 'id');
                $_SESSION['user_id'] = $user_id;
                $_SESSION['username'] = $username;
                header("Location: loggedin.php");
            }
        }
        else
        {

        }
    }
    else
    {
        echo 'fill username and password.';
    }
}
?>



Is it OK?
And please let me know if I should make any other updates to make my login page more secure.
Thank you.
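
Added example, not part of any post in this thread: the query shape quoted above, built by string concatenation and then with bound parameters, run against the input Rob Spoor quotes. It assumes PHP with the PDO SQLite driver (the mysql_* functions used in the thread were removed in PHP 7); the table contents and the function names makeDb, findUserConcatenated and findUserPrepared are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the thread's `users` table.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO users (username, password) VALUES ('alice', 'pw-a'), ('bob', 'pw-b')");
    return $db;
}

// Query built the way the thread's quoted query was: request values are
// pasted into the SQL text, so a quote in the input ends the string literal
// and the rest of the input is parsed as SQL.
function findUserConcatenated(PDO $db, string $username, string $password): array
{
    $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
    return ['sql' => $sql, 'ids' => $db->query($sql)->fetchAll(PDO::FETCH_COLUMN)];
}

// Same lookup with bound parameters: the SQL text is fixed before any
// input arrives, and the values are only ever compared as data.
function findUserPrepared(PDO $db, string $username, string $password): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$posted = "' OR '1'='1";   // the input quoted in the thread, sent as both form fields

$weak = findUserConcatenated($db, $posted, $posted);
echo "Concatenated SQL: {$weak['sql']}\n";
echo 'Rows matched (concatenated): ', count($weak['ids']), "\n";
echo 'Rows matched (prepared):     ', count(findUserPrepared($db, $posted, $posted)), "\n";

// A legitimate login still works through the prepared statement.
echo 'alice / pw-a (prepared):     ', count(findUserPrepared($db, 'alice', 'pw-a')), "\n";
```

Comparing the printed SQL text with the row counts shows where the input stops being a value and becomes part of the statement; the prepared version never has that boundary to cross.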
 