I'm new to php for about a month and I decide to create my own website. Situation: My mysql server store user as md5 and password as md5. And a captcha on the login page
Let's have a look at my code
<?php
session_destroy();
$usermod=md5($_POST["user"]);
$passmod= md5($_POST["pass"]);
if(file_get_contents("http://www.opencaptcha.com/validate.php?ans=".$_POST['code']."&img=".$_POST['img'])=='pass')
{
$con=mysqli_connect("hidden","hidden","hidden","hidden");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$result2 = mysqli_query($con,"SELECT * FROM Users
WHERE Username_login='$usermod'");
if($row2 = mysqli_fetch_array($result2))
{
$result = mysqli_query($con,"SELECT * FROM Users
WHERE Username_login='$usermod' AND Password='$passmod'");
if($row = mysqli_fetch_array($result))
{
echo "Thank you for logging in: ".$row['FirstName']." as ".$row['Username'];
session_start();
$_SESSION['user'] = $row['Username'];
$_SESSION['email'] = $row['Email_start']."@".$row['Email_domain'];
$_SESSION['name'] = $row['FirstName']." ".$row['LastName'];
header("Location: http://mspb.tk/login/welcome.php");
}
else
{
header("Location: http://mspb.tk/login/login.php?login=failed");
}}
else
{
header("Location: http://mspb.tk/login/login.php?username=failed");
}
}
else {
header("LOCATION:http://www.mspb.tk/login/login.php?opencaptcha=failed");
}
?>
That's it if anyone spot an sql injection and tell me I would be very happy :) Thank you very much Poom
