I'm trying to do a log in and registration script. I've managed to finish most of it; however, after I register a user I am unable to log in as that user. That is, registered users are unable to log in. Any help would be massively appreciated! :)
This is the code that relates to the specific problem:
$login = login ($username, $password);
if ($login === false) {
$errors [] = 'That username/password combination is incorrect';
} else {
$_SESSION ['user_id'] = $login;
header ('Location: index.php');
exit ();
}
function login ($username, $password) {
$user_id = user_id_from_username ($username);
$username = sanitize ($username);
$password = md5($password);
return (mysql_result(mysql_query("SELECT COUNT(user_id) FROM users WHERE username = '$username' AND password = '$password'"), 0) == 1) ? $user_id : false;
}
I wrote the query above like this (BELOW), earlier. Writing it this way allowed me to log in but with "literally" any password.
function login ($username, $password){
$user_id = user_id_from_username ($username);
$username = sanitize ($username);
$password = sanitize ($password);
$query1 = mysql_query("SELECT COUNT(user_id) FROM users WHERE username = '$username'");
$query2 = mysql_query("SELECT COUNT(user_id) FROM users WHERE password = '$password'");
return (mysql_result($query1, 0) == 1) ? $user_id : false;
return (mysql_result($query2, 0) == 1) ? $user_id : false;
That is to say, I broke the query down into two parts, but noticed the password query was completely irrelevant (even if I "commented" it out).
PS. I know I should be using PDO or Mysqli instead of mysql queries, and that md5 isn’t that secure. Just ignore these things for the sake of this riddle.