Alexander,

I'm sorry if this sounds like I'm picking on you, but there are a couple of things you might consider. If someone can somehow get hold of your table they've got all the passwords for all your users.

A second item is your use of positional references when linking to columns in the table. If other developers are likely to come along behind you, they just might be tempted to reorganize the columns in this table for some reason or another, possibly even a valid reason, and it potentially breaks your code. The order of data in the row array is determined by the order of the column names in your select statement, but if you have not specified the column names in your select (as in select * ) the order is usually determined by the order that they are defined in the table. I even understand this is handled differently by different DBs, especially when columns are added to a definition via the alter statement, in that some will return the columns with all the new ones at the end, while others will use the positioning options in the alter statements to determine where the columns go. I tend to use mysql_fetch_assoc, just to make sure that the columns don't get rearranged on me by other well-intentioned developers.

To the first point, what I usually do is store the encrypted password in the DB, then when the user logs on, I encrypt their input, then pass the encrypted version in my query:

    $query = "Select 1 from user_table where username = \"".$formuser."\" and password = \"".MD5($formpswd)."\" ";

This means that even you don't know the password unless you go to a lot of trouble, or you typed it in for the user during setup. I use MD5 encryption in most cases for several reasons:

1. there is no easy way to decrypt the value.
2. even though I haven't used it, I believe it may be available as a javascript or html function, so that if you set up your logon form as an http: reference, that piece of data always travels across the internet encrypted, never unencrypted.

Good luck,

Warren Vail
Vail Systems Technology

-----Original Message-----
From: Alexander Schunk [mailto:aschunk@xxxxxxxxx]
Sent: Friday, April 23, 2010 8:39 AM
To: php-windows@xxxxxxxxxxxxx
Subject: proofing login success using sessions

Hello,

I have certain fields in a database including username and password. The username and password are in the first two fields of the database.

Now, on the login page, I want to check the username and password provided by the user with the values in the database.

I have the following code:

    while($row = mysql_fetch_row($ergebnis)){
        if(($benutzername == $row[0]) && ($pass == $row[1])){
            echo '<p>Sie haben sich erfolgreich angemeldet.</p>';
            echo '<a href="willkommen.html">Willkommen</a>';
        }
        else if($benutzername != $row[0]){
            echo '<p>Fehler bei Anmeldung. Sie haben einen falschen Benutzernamen eingegeben.</p>';
            die("Fehler bei Anmeldung");
        }
        else if($pass != $row[1]){
            echo '<p>Fehler bei Anmeldung. Sie haben ein falsches Passwort eingegeben.</p>';
            die("Fehler bei Anmeldung");
        }
        else if(($benutzername != $row[0]) && ($pass != $row[1])){
            echo '<p>Fehler bei Anmeldung.</p>';
            die("Fehler bei Anmeldung");
        }
        else{
            echo '<p>Sie müssen sich mit Benutzernamen und Passwort anmelden.</p>';
        }
    }

The thing is that I use a loop to go through all rows in the database and then compare the values provided in the HTML form with the ones in the database. Since the user may provide wrong data I have these four scenarios.

The problem now is that it doesn't get into the first case - that is, username and password match. I only get into cases two and three.

Thank you.

Alexander

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
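
An added example (not code from either poster) of the login check discussed in this thread: it looks up one row by username with a bound parameter, reads columns by name, and verifies the password with PHP's password_hash/password_verify in place of MD5. The user_table layout, the sample account and the in-memory SQLite database (needs the pdo_sqlite extension) are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not from the thread. Table/column names and the sample
// account are constructed; an in-memory SQLite database stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_table (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

// Registration: store only a salted, slow hash (bcrypt by default), never the password.
$ins = $pdo->prepare('INSERT INTO user_table (username, password_hash) VALUES (?, ?)');
$ins->execute(['alexander', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hash of a throwaway value, verified when the user is unknown so that the
// unknown-user and wrong-password paths do comparable work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function check_login(PDO $pdo, string $user, string $pass): bool
{
    // Name the columns and bind the input: no SELECT *, no string concatenation,
    // and the WHERE clause returns at most one row, so no loop over the table.
    $stmt = $pdo->prepare(
        'SELECT username, password_hash FROM user_table WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // keyed by column name, not position

    $hash = $row ? $row['password_hash'] : DUMMY_HASH;
    $ok   = password_verify($pass, $hash);   // re-derives using the stored salt
    return $row !== false && $ok;
}

// Constructed inputs: valid login, wrong password, unknown user, name with a quote.
$attempts = [
    ['alexander', 'correct horse'],
    ['alexander', 'wrong'],
    ['nobody', 'correct horse'],
    ['o"neil', 'x'],
];
foreach ($attempts as [$u, $p]) {
    // One message for every failure, so the page does not reveal which field was wrong.
    echo str_pad($u, 14), check_login($pdo, $u, $p)
        ? "login ok\n" : "Fehler bei Anmeldung.\n";
}
```

Only the first attempt prints "login ok"; the other three print the same failure message.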