• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

difficulty in login in one attempt

 
Ranch Hand
Posts: 1143
5
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello Everyone, i created a login page, but i am facing some difficulties into that.
my login page is working but in two attempts. i mean when i m trying to login using, it's not logged in and giving me again the login page, but when i am trying to login second time with the same username an password, it's logged in/working.
can anyone tell me the problem, here is my code:

index.php




Page which appear after login:





core.inc.php



connect.inc.php

 
Sheriff
Posts: 7134
1360
IntelliJ IDE jQuery Eclipse IDE Postgres Database Tomcat Server Chrome Google App Engine
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Where is your login form located? Is it in index.php or in some other file?

Side note: Your code looks vulnerable for SQL Injection.
 
Punit Jain
Ranch Hand
Posts: 1143
5
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
yes it's index.php. and why it is vulnerable for sql injections can you explain please...
 
Sheriff
Posts: 22783
131
Eclipse IDE Spring VI Editor Chrome Java Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
If I post username ' OR '1'='1, your query becomes SELECT `id` FROM `users` WHERE `username`= '' OR '1' = '1' AND `password`= 'whatever here'. As a result (the OR taking precedence if I recall correctly), all records will be returned and I will definitely be able to login. That's just a "harmless" use. With the right input you can delete records, or even drop entire tables. Use mysql_real_escape_string or casting to numbers on every single value you use in any query.
 
Punit Jain
Ranch Hand
Posts: 1143
5
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
thank you for this explanation, as you said i replace code like this:


<?php
include("connect.inc.php");
if(isset($_POST['username'])&& isset($_POST['password']))
{

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);


if(!empty($username)&& !empty($password))
{

$query = "SELECT `id` FROM `users` WHERE `username`= '$username' AND `password`= '$password'";
if($query_run = mysql_query($query))
{
$num_row = mysql_num_rows($query_run);
if($num_row == 0)
{
echo 'Invalid username and password.';
}
else
{
$user_id = mysql_result($query_run, 0, 'id');
$_SESSION['user_id']=$user_id;
$_SESSION['username']=$username;
header("Location: loggedin.php");
}
}
else
{

}
}
else
{
echo 'fill username and password.';
}
}
?>



is it ok..?
and please let me know if i should do any other updation to make my login page more secure...
Thank you...
 
Our first order of business must be this tiny ad:
a bit of art, as a gift, the permaculture playing cards
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic