CODEWITHSUNDEEP
phphtmlmysql
Lochlan Kennedy
Lochlan Kennedy

Reputation: 57

My MySQL session won't start

My MySQL session will start if $count is equal to 1 but its not equal to 1 and I have no idea how to fix it, I'm fairly new to php, and I prefer to use sha1 rather than BCrypt

  <?php
     //login form
     mysql_connect("xxxxx","xxxxxx","xxxxxx") or die( mysql_error() );
     mysql_select_db("u940004575_chat");

     $myusername = stripslashes( $myusername );
     $mypassword = stripslashes( $mypassword );
     $sha1mypassword = sha1( $mypassword );
     $myusername = mysql_real_escape_string( $myusername );
     $mypassword = mysql_real_escape_string( $mypassword );
     $sha1mypassword = mysql_real_escape_string( $sha1mypassword );
     $sql = mysql_query("SELECT id FROM users WHERE username='$myusername' and         password='$sha1mypassword'")or die( mysql_error() );
     $result = mysql_query( $sql );

     if ( $sql ) {
         $count = mysql_num_rows( $sql );
     }

     if ( $count == 1 ) {
        session_register("myusername");
        session_register("mypassword"); 
        header("location:home.php");
     } else {
        echo "Wrong Username or Password";
     }
?>

If anyone can help me that would be great, any fix will be greatly appreciated.

Upvotes: 2

Views: 125

Answers (4)

Leetbulb
Leetbulb

Reputation: 416

You should really be using PHP's PDO or MySQLi instead of the deprecated mysql_* functions.

note: using PHP PDO your parameters are being escaped automagically.

see: this notice on PHP doc

Unless you absolutely need SHA1, you'll want to first seek the user and then challenging the stored password hash. This is far more portable as some hashing algorithms such as Bcrypt will not work with a simple string comparison.

That brings me to my next point: do not use FAST hashing algorithms (SHA, MD5, etc) for password hashing. These hashing algorithms are meant for hashing large amounts of data quickly which means that an attacker could generate a reverse lookup table quickly for small data such as passwords. Algorithms such as Bcrypt, Scrypt, pbkdf2, etc are good examples of specialized hashing algorithms designed to be slower or harder to generate lookup tables for.

<?php
    session_start()
    $myusername = 'foo';
    $mypassword = '123';

    try {
       $pdo = new PDO('mysql:host=' . DB_HOSTNAME . ';dbname=' . DB_DATABASE, DB_USERNAME, DB_PASSWORD);
       $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch ( PDOException $e ) {
       die ('ERROR: ' . $e->getMessage() );
    }

    $query = 'SELECT id, password FROM users WHERE username = :username';
    $params = array('username' => $myusername);

    $stmt = $pdo->prepare( $query );
    $stmt->execute( $params );

    // user not found?
    if ( ! $stmt->rowCount() ) {
       die ('unknown user');
    }

    $row = $stmt->fetch( PDO::FETCH_OBJ );

    // challenge password hash
    if ( $row->password == sha1( $mypassword ) ) {
       // success!
       header("location:home.php");
    } else {
       die ('wrong password');
    }

EDIT:

Also make sure you're starting a session with session_start(). This will allow you to store session variables on the PHP backend with the $_SESSION superglobal.

// run login script

$_SESSION['user_id'] = $row->id;

// redirect to an authenticated page

then on all your authenticated pages you can query/cache the user by ID and get the user object containing all of the current user data

    session_start()
    // make sure logged in

    if ( ! $_SESSION['user_id'] ) {
       // not logged in
       // redirect to login
       die ('not logged in');
    }       
    $query = 'SELECT * FROM users WHERE id = :id';
    $stmt = $pdo->prepare( $query );
    $stmt->execute( array('id' => $_SESSION['user_id'] ) );

    $user = $stmt->fetch( PDO::FETCH_OBJ );
    print 'Hello, ' . $user->username;

Upvotes: 1

Darren
Darren

Reputation: 13128

Give this a shot

if ( !$result ) {
   die( mysqli_error() );
} else {
    // check if $result row == 1
    if ( mysqli_num_rows( $result ) == 1 ) {
        // do stuff here
    }
}

As mentioned before, use mysqli_ because development for mysql_ has stopped. Read More

Upvotes: 0

btlr.com
btlr.com

Reputation: 139

Look, it must be this way:

 $sql = "SELECT id FROM users WHERE username = '$myusername' and password = '$sha1mypassword'";
 // you defined the sql query

 $result = mysql_query( $sql );
 // now you executed it and have the result

 // and you can go on with this result
 if ( $result ) {
     $count = mysql_num_rows( $result );
 }

and by the way, move to mysqli_query(), because mysql_query() will soon be deprecated. See the official docs.

Upvotes: 0

S&#233;bastien
S&#233;bastien

Reputation: 12139

Try:

if ( $result ) {
    $count = mysql_num_rows( $result );
}

instead of:

if ( $sql ) {
    $count = mysql_num_rows( $sql );
}

Upvotes: 0

Related Questions