
Thread: mysql login

  1. #1
    droctoganapus86 (joined Nov 2010, 49 posts)

    Question mysql login

    Code:
    		$row = mysql_fetch_assoc(mysql_query("SELECT id,usr FROM tz_members WHERE usr='{$_POST['username']}' AND pass='".md5($_POST['password'])."'"));
    This line of code is giving me this error:
    Code:
    Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/tomx/public_html/demo/demo.php on line 58
    Does anyone know what to change?

  2. #2
    descalzo (joined Jul 2009, Ankh-Morpork, 7,636 posts)

    Re: mysql login

    Replace the line with:

    Code:
    $sql = "SELECT id,usr FROM tz_members WHERE usr='{$_POST['username']}' AND pass='".md5($_POST['password'])."'" ;
    
    echo $sql . "<br />\n" ;
    
    $res = mysql_query( $sql ) ;
    
    if( $res ){
       // process the result
    } else {
    
     echo 'ERROR: ' . mysql_error();
    
    }
    and see what you get.

    I'll let mission comment on using mysql_ instead of PDO or at least mysqli_ and also your vulnerability to SQL injection.
    Nothing is always absolutely so.

  3. #3
    misson (joined Mar 2008, Libertatia, 2,506 posts)

    Re: mysql login

    You rang?

    Time for the boilerplate:

    The sample code is vulnerable to SQL injection via $_POST['username'], which is a very serious security risk. To fix this hole, switch from the outdated mysql extension to PDO and use prepared statements. If you need a PDO tutorial, try "Writing MySQL Scripts with PHP and PDO". The site you save may just be your own.

    MD5 is considered broken by security professionals. Use a newer hashing function, such as whirlpool or something from the SHA2 family (SHA256, SHA512). No less than Bruce Schneier has written:
    "But -- come on, people -- no one should be using MD5 anymore."
    Your password scheme is also vulnerable to rainbow tables. Add salt to fix this. You could use the username + a system salt, or give each user a unique salt (a "nonce") and store that in a column in table `users`.

    To update your code without impacting existing users:
    1. Add a new column to your users table indicating which hash function was used. It could be a BOOLEAN value indicating that the p/w needs updating, or a string naming the hash function:
      1. `md5` BOOLEAN NOT NULL DEFAULT TRUE,
      2. `hash` VARCHAR(16) NOT NULL DEFAULT 'md5',
      The latter option allows you to easily support whatever hashing functions are available on the host.
    2. Register new users using the newer hashing function.
    3. When a user logs in, check whether their password is hashed using MD5 or not. If it is, expire their password. This is a good chance to have users enter new passwords.
    4. If using the 1st column option, drop the column when there are no more MD5 hashed passwords (SELECT COUNT(*) FROM users WHERE `md5`=TRUE is 0)
    Be sure to read all pages linked in this post; they have further information that should prove useful. When asking for help, make sure you follow Eric Raymond's and Jon Skeet's guidelines for prompt, accurate responses. Please answer any questions I ask; they're not rhetorical (probably). Any posted code is intended as illustrative example, rather than a solution to your problem to be copied without alteration. Study it to learn how to write your own solution.
    Misson, not Mission.
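
An added example, not part of misson's post or the original poster's code: the login query from this thread rewritten with a PDO prepared statement, together with the `hash` column migration from steps 1 to 3. It assumes the pdo_sqlite driver so it runs without a MySQL server; the `login()` helper, the sample rows, the `password_hash` column value and the use of PHP's `password_hash()` as the newer function are choices made for this example.

```php
<?php
// Added example. An in-memory SQLite table stands in for tz_members (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tz_members (
    id   INTEGER PRIMARY KEY,
    usr  VARCHAR(32)  NOT NULL UNIQUE,
    pass VARCHAR(255) NOT NULL,
    hash VARCHAR(16)  NOT NULL DEFAULT 'md5')");   // step 1: names the hash function

// Constructed rows: one legacy MD5 account, one registered with the newer function (step 2).
$ins = $db->prepare('INSERT INTO tz_members (usr, pass, hash) VALUES (?, ?, ?)');
$ins->execute(['alice', md5('old-secret'), 'md5']);
$ins->execute(['bob', password_hash('new-secret', PASSWORD_DEFAULT), 'password_hash']);

// Hypothetical helper: returns 'ok', 'expired' (must set a new password) or 'denied'.
function login(PDO $db, string $usr, string $password): string
{
    // The username is bound as a parameter, so it cannot change the SQL text.
    $stmt = $db->prepare('SELECT pass, hash FROM tz_members WHERE usr = :usr');
    $stmt->execute([':usr' => $usr]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'denied';
    }
    if ($row['hash'] === 'md5') {
        // Step 3: a correct password on a legacy row is accepted only to force a reset.
        return hash_equals($row['pass'], md5($password)) ? 'expired' : 'denied';
    }
    return password_verify($password, $row['pass']) ? 'ok' : 'denied';
}

// Constructed inputs, including a username carrying SQL metacharacters.
$attempts = [
    ['alice', 'old-secret'],
    ['bob', 'new-secret'],
    ['bob', 'wrong'],
    ["alice' OR '1'='1", 'anything'],
];
foreach ($attempts as [$usr, $password]) {
    printf("%-20s => %s\n", $usr, login($db, $usr, $password));
}

// Rows still on MD5; the migration is finished when this reaches 0.
$left = $db->query("SELECT COUNT(*) FROM tz_members WHERE hash = 'md5'")->fetchColumn();
echo "legacy MD5 rows: $left\n";
```

With the username bound as a parameter, the last attempt is looked up as a literal user name that does not exist, so it is denied instead of altering the WHERE clause.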
