Results 11 to 20 of 22

Thread: Connecting to a MySQL database....?

  1. #11
    Clicker Multimedia Fusion 2 DeveloperSWF Export Module

    Join Date
    Jul 2006
    Location
    Pittsburgh, PA, USA
    Posts
    777
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: Connecting to a MySQL database....?

    I DID IT! If you're curious as to what the code is.....
    Code:
    <?php
    
    $name = $_GET['name'];
    $userpassword = $_GET['userpassword'];
    
    $service = "localhost";
    $username = "pauliuko";
    $password = "sdfsfsf";
    $database = "pauliuko_games";
    
    mysql_connect($service, $username, $password);
    @mysql_select_db($database) or die( "Unable to select database");
    
    $result = mysql_query("SELECT * FROM users WHERE name='$name' and password='$userpassword'") or die(mysql_error());
    $row = mysql_fetch_array( $result );
    
    if($row=='') echo "0";
    else echo "1";
    
    ?>

  2. #12
    Clicker Multimedia Fusion 2 Developer

    Join Date
    Jun 2006
    Location
    Darlington, UK
    Posts
    3,298
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: Connecting to a MySQL database....?

    You shouldn't store passwords directly in the database; you should store a hash of the password, e.g. md5.
    I believe PHP has an md5() function for this.

    You're also trusting user input without escaping it. What happens if someone uses a ' in their password in your code? How about "' or '1'='1" as the password?
    Answer: You end up with this query:
    "SELECT * FROM users WHERE name='hacker' and password='' or '1'='1'"
    and the "or '1'='1'" is always true, so it will allow login, with whatever username they want, even an admin account (or even if that username's not in the database at all!)

    EDIT: Also make sure that the username you're using to connect to the database from php only has permission to do what it needs to (Add records and read records, maybe modify records). Whatever you do don't log in to your database from php with an account that has "drop database" permissions, or a hacker will be able to destroy your entire database with ease.

  3. #13
    Clicker Fusion 2.5 DeveloperAndroid Export ModuleHTML5 Export ModuleSWF Export ModuleInstall Creator ProPatch Maker
    Fusion 2.5 (Steam)Fusion 2.5 Developer (Steam)Fusion 2.5+ DLC (Steam)Android Export Module (Steam)HTML5 Export Module (Steam)iOS Export Module (Steam)Universal Windows Platform Export Module (Steam)
    DJFuego's Avatar
    Join Date
    Jul 2006
    Location
    UK
    Posts
    1,416
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)

    Re: Connecting to a MySQL database....?

    Can you post the revised code with the MD5 hashing of the password?

  4. #14
    Clicker Multimedia Fusion 2 Developer

    Join Date
    Jun 2006
    Location
    Darlington, UK
    Posts
    3,298
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: Connecting to a MySQL database....?

    $userpassword = md5($_GET['userpassword']);

  5. #15
    Forum Moderator Fusion 2.5 DeveloperHTML5 Export ModuleiOS Export ModuleSWF Export Module
    DavidN's Avatar
    Join Date
    Jun 2006
    Location
    Boston, MA, USA
    Posts
    4,044
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: Connecting to a MySQL database....?

    Good to know you got the query worked out - PHP has many ways to do the same thing, and mysql_fetch_array() and mysql_query() both do roughly the same job.

    The original problem when you were using mysql_query() as in my tutorial, as far as I can see, was that you were calling the query string "$get" when you were setting it up, and then running a query called "$query", which didn't exist.

  6. #16
    Clicker Multimedia Fusion 2 DeveloperSWF Export Module

    Join Date
    Jul 2006
    Location
    Pittsburgh, PA, USA
    Posts
    777
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: Connecting to a MySQL database....?

    Dynasoft, the reason that I didn't add the code in to check that the username and password are alphanumeric is because I want to do the least amount of php coding as possible. I literally just learned what I had to in order to do what I did and I don't want to have to learn any more. I have a perfectly working alphanumeric check in MMF2 that I programmed instead.

    Are you saying that I should submit the password as a MD5 hash and then store it as the real password, or store it as a MD5 hash as well? I really don't think it's necessary. I don't expect my users to be saving anything really important.

  7. #17
    No Products Registered

    Join Date
    Jul 2006
    Posts
    78
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: Connecting to a MySQL database....?

    Why not use mysql_num_rows()?

    For example:

    PHP Code:
    $myQuery = mysql_query("SELECT * FROM $table WHERE userName = '$userName' AND userPassword = '$userPassword'");
    return mysql_num_rows($myQuery);

  8. #18
    Clicker Multimedia Fusion 2 Developer

    Join Date
    Jun 2006
    Location
    Darlington, UK
    Posts
    3,298
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: Connecting to a MySQL database....?

    Quote, originally posted by pinacoladaxb:
        Dynasoft, the reason that I didn't add the code in to check that the username and password are alphanumeric is because I want to do the least amount of php coding as possible. I literally just learned what I had to in order to do what I did and I don't want to have to learn any more. I have a perfectly working alphanumeric check in MMF2 that I programmed instead.

    It's not hard, just call mysql_escape_string() on the variables to prevent the injection attack. It's one function.

    Quote, originally posted by pinacoladaxb:
        Are you saying that I should submit the password as a MD5 hash and then store it as the real password, or store it as a MD5 hash as well? I really don't think it's necessary. I don't expect my users to be saving anything really important.

    Store it as md5. It's bad security to store actual passwords, because users tend to use the same password for everything, and they don't take too kindly to someone knowing it. Again, it's not hard to do, php has an md5() function you can use.

    EDIT: Like this, I think:
    Code:
    <?php
    
    $name = $_GET['name'];
    $userpassword = md5($_GET['userpassword']);
    
    $service = "localhost";
    $username = "pauliuko";
    $password = "sdfsfsf";
    $database = "pauliuko_games";
    
    mysql_connect($service, $username, $password);
    @mysql_select_db($database) or die( "Unable to select database");
    
    $result = mysql_query("SELECT * FROM users WHERE name='".mysql_escape_string($name)."' and password='".mysql_escape_string($userpassword)."'") or die(mysql_error());
    $row = mysql_fetch_array( $result );
    
    if($row=='') echo "0";
    else echo "1";
    
    ?>
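
Added example (not code from any poster in this thread): the login check from post #11 next to a version that uses a PDO prepared statement and PHP's password_hash()/password_verify(), covering both the injection described in post #12 and the hashing advice in post #18. It assumes PHP 7 or later with the pdo_sqlite extension; the in-memory SQLite database (standing in for MySQL), the `users` row, and the function names `login_concatenated` and `login_prepared` are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the thread's MySQL server so
// this runs offline; the table contents and function names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store a salted, deliberately slow hash rather than the password or its MD5.
$ins = $db->prepare('INSERT INTO users (name, password) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The pattern from post #11: request values pasted into the SQL text.
function login_concatenated(PDO $db, string $name, string $pw): string
{
    $sql = "SELECT * FROM users WHERE name='$name' and password='$pw'";
    return $db->query($sql)->fetch() === false ? '0' : '1';
}

// Placeholder version: the name travels as data, never as SQL text, and the
// password is compared in PHP against the stored hash.
function login_prepared(PDO $db, string $name, string $pw): string
{
    $stmt = $db->prepare('SELECT password FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return ($hash !== false && password_verify($pw, $hash)) ? '1' : '0';
}

$payload = "' or '1'='1";                  // password value quoted in post #12

// 'hacker' is not a row in the table, matching the case post #12 describes.
echo "concatenated, payload:    ", login_concatenated($db, 'hacker', $payload), "\n";
echo "prepared, payload:        ", login_prepared($db, 'hacker', $payload), "\n";
echo "prepared, real password:  ", login_prepared($db, 'admin', 'correct horse'), "\n";
echo "prepared, wrong password: ", login_prepared($db, 'admin', 'guess'), "\n";
```

Against MySQL the same two functions work unchanged with a `mysql:` DSN in the PDO constructor; the mysql_* functions used in the thread were removed in PHP 7.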

  9. #19
    Clicker Multimedia Fusion 2 DeveloperSWF Export Module

    Join Date
    Jul 2006
    Location
    Pittsburgh, PA, USA
    Posts
    777
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: Connecting to a MySQL database....?

    OK. I'll take your advice.

  10. #20
    Clicker Multimedia Fusion 2 DeveloperSWF Export Module

    Join Date
    Jul 2006
    Location
    Pittsburgh, PA, USA
    Posts
    777
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: Connecting to a MySQL database....?

    I did it! It was easier than I thought. I'll use your advice for the injection attack thing as well. Thanks for your help!

    EDIT: Oops. I didn't see that you gave me the code. I did it on my own. :blush:
