Hello everyone! I've been having issues with a script a co-worker and I created for a system that I'm developing so that people can register and manage their shifts for a convention:

<?php
	// starts a session; this must be before ANY output is sent to the browser, including whitespace and stuff from other includes. On each page where you want to access session data, use this.
	session_start();

	// db connect
	$con = mysql_connect('localhost', 'houkoco_voluntee', '3598') or die('I cannot connect to the database because: ' . mysql_error());
	mysql_select_db("houkoco_volunteer") or die("Unable to select database.");

	$nickname = $_POST['nickname']; // convert post vars to local vars
	$pw = $_POST['pw'];

	$query = "SELECT * FROM users WHERE nickname='$nickname'"; // check db for users w/ the entered nickname
	$result = mysql_query($query); // this runs our query and gives us a 'result set'

	// the function below checks to see how many rows were returned; if it's more than 0, then the user entered exists in the database, so we want to check the pw.
	if (mysql_num_rows($result) > 0) {

		// this puts our information that was returned from the database into an array
		$userinfo = mysql_fetch_assoc($result);

		// this is the pw for the entered user that is in the database; see how you can access this from the result set by using the array name $userinfo, and then the column name as the index
		$actual_pw = $userinfo['pw'];

		if ($pw == "$actual_pw") { // if what they entered matches what's in the database
			$_SESSION['loggedin'] = true; // set them as being logged in
		} else {
			$_SESSION['loggedin'] = false; // this should default to false, but just in case we'll set it to false if the pws don't match
			$error = 'WRONG PASSWORD. Please try again.'; // realistically you'd wanna tell the user their pw sucks, so this is what we'd do for now
		}
	} else { // if there were no rows returned, which means that user doesn't exist
		$error = 'That nickname does not exist, try again';
	}

	if ($_SESSION['loggedin']) {

?>
	This is some spiffy secret logged in only data.

	<a href="index.php">Log out!</a>

<?php
	}
?>

That's the code. For some reason it's totally ignoring the security aspect. What I mean is that the code logs anyone in. I can make up a bogus name and password and it still logs me in as if it was a valid password or name. Can someone help point out the error in this code so I can move on? I've been trying to figure it out for nearly two days now.

The first thing I think of is checking your IF statement for the login status. Why is $actual_pw in quotes? Unless I'm missing something, it will check the string in $pw vs the literal "$actual_pw".

Second, are you sure your SQL is returning what you think it's returning?

Let's talk security now.

Where's your database? I'd like to run some unauthorized SQL on it. I have your password. As a general rule, you should always censor the mysql_connect() line. Just simply taking the text between quotes out is enough.

Second, never ever submit a query to a database without escaping it first! For MySQL databases use mysql_real_escape_string($stringname). I could do a SQL query injection to gain access to your spiffy stuff.
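An added example, not code from either poster in this thread, showing the same login page with the issues raised above addressed. Two facts about the posted script are worth stating plainly first: in PHP a double-quoted "$actual_pw" interpolates the variable, so that comparison is the same as $pw == $actual_pw; and the "nickname does not exist" branch (and any plain GET of the page) never resets $_SESSION['loggedin'], so a flag set to true by one earlier successful login stays true for every later request in that browser session, which matches the "logs anyone in" symptom. The example below clears the flag at the start of every attempt, uses a PDO prepared statement instead of string-building the query, verifies a stored password_hash() value with password_verify() rather than a loose ==, and regenerates the session id on login. It assumes a users table with columns nickname and pw_hash, database credentials in the DB_USER and DB_PASS environment variables rather than in the file, and a separate logout.php that calls session_destroy(); all of these are assumptions, not details from the thread.

```php
<?php
// Added example (not the original poster's code). Assumes: users(nickname, pw_hash)
// where pw_hash holds a password_hash() value, DB credentials in DB_USER / DB_PASS
// environment variables, and a logout.php that destroys the session.
declare(strict_types=1);

session_start(); // still before any output

// Only attempt a login when the form was actually submitted.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Start every attempt logged out; a flag left true by an earlier request
    // must never carry over into this one.
    $_SESSION['loggedin'] = false;

    $nickname = (string)($_POST['nickname'] ?? '');
    $pw       = (string)($_POST['pw'] ?? '');

    // Credentials come from the environment (assumption), not from the script,
    // so pasting the file somewhere does not paste the password with it.
    $dsn = 'mysql:host=localhost;dbname=houkoco_volunteer;charset=utf8mb4';
    $pdo = new PDO($dsn, getenv('DB_USER') ?: '', getenv('DB_PASS') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    // Prepared statement: the nickname is bound as a value and never becomes
    // part of the SQL text, which is what closes the injection described above.
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE nickname = :nickname');
    $stmt->execute([':nickname' => $nickname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when no such user

    // Compare against a hash with password_verify(), which is constant-time and
    // avoids PHP's loose == (where "1e3" == "1000" is true). When the user is
    // unknown, verify a dummy hash anyway so both failure paths cost about the
    // same time and return the same message.
    $hash = $row['pw_hash'] ?? password_hash('dummy-value', PASSWORD_DEFAULT);
    if ($row !== false && password_verify($pw, $hash)) {
        session_regenerate_id(true);      // fresh session id on privilege change
        $_SESSION['loggedin'] = true;
        $_SESSION['nickname'] = $nickname;
    } else {
        // One message for both "no such user" and "wrong password".
        $error = 'Wrong nickname or password. Please try again.';
    }
}

if (!empty($_SESSION['loggedin'])) {
?>
    This is some spiffy secret logged in only data.

    <a href="logout.php">Log out!</a>
<?php
} elseif (isset($error)) {
    // Escape anything echoed back into HTML.
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
}
```

When migrating existing plaintext pw values, hash each one once with password_hash() into the new column and drop the plaintext column; password_needs_rehash() can later be used after a successful login to upgrade old hashes if the default algorithm changes.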
