Hi, Guys. This is a log-in script, with actually works but does not display " Incorrect Username/Password " - String. CODE: <?php include ('db-connect.php'); include ('core.php'); if (isset($_POST['username']) && isset($_POST['password'])) { $username = $_POST['username']; $password = $_POST['password']; $password_hash = md5($password); } if (!empty($username)&& !empty($password)) { $query = "SELECT id FROM users WHERE username ='$username' AND password = '$password_hash'"; } if ($query_run = mysql_query($query)) { $query_num_rows = mysql_num_rows($query_run); if ($query_num_rows==0) { echo 'Invalid username and password combinations.'; } else if($query_num_rows==1) { $user_id = mysql_result ($query_run, 0, 'id'); $_SESSION['user_id'] = $user_id; header('Location: success.php'); } } ?> <form action="<?php echo $current_file; ?>" method="POST" > Username: <input type="text" name="username" ></br> Password: <input type="password" name="password"> <input type="submit" value="Log in"> </form> Code (markup): Thanks
I see many errors in your script. Not only that, but this is very hackable. You're not protecting the input forms at all. I would start over and take a look at protecting input forms with PHP. Good luck
I would avoid using the standard MySQL library and instead go with PDO or MySQLi where you can use prepared statements. It's much more secure. A comment like this can sometimes spur a debate, but I would also consider using a hash algorithm other than MD5 for password hashing. PHPass is a great library for password hashing. It uses the most secure hashing available on your server setup and takes care of all the salt/stretching for you.