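<?php
// Post in response to a Yahoo Answer's Question
//
// Reworked against the original post: the mysql_* extension it used was
// removed in PHP 7, the password was compared as plaintext inside the SQL
// text, and $_SERVER['HTTP_REFERER'] was written straight into an href.
// Expected table: users(username, password) where `password` holds the output
// of password_hash(); rows that still store a plaintext password will not
// verify until they are rehashed.
declare(strict_types=1);

session_start();

// ?? avoids an "undefined index" notice when a field is missing from the form.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

/**
 * Builds the "Click Here To Return" link.
 *
 * The referer header is attacker-controlled, so reflecting it unescaped into
 * an href lets a crafted link inject markup or a javascript: URL. Only a
 * same-host http(s) referer is reused; anything else falls back to the site
 * root, and the value is HTML-escaped either way.
 */
function return_link(): string
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $parts = parse_url($referer);
    $target = '/';
    if (is_array($parts) && in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        // HTTP_HOST may carry a port, so rebuild host[:port] from the parsed referer for the comparison.
        $hostPort = ($parts['host'] ?? '') . (isset($parts['port']) ? ':' . $parts['port'] : '');
        if ($hostPort !== '' && $hostPort === ($_SERVER['HTTP_HOST'] ?? null)) {
            $target = $referer;
        }
    }

    return '<a href="' . htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">Click Here To Return</a>';
}

if ($username !== '' && $password !== '') {
    // Good job on the informative error messages.
    // Connection details are kept from the original post; a deployed app should
    // connect as a least-privilege account rather than root with an empty password.
    try {
        $connect = new PDO('mysql:host=127.0.0.1;dbname=login;charset=utf8mb4', 'root', '', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    } catch (PDOException $e) {
        die('Couldnt Connect to Database');
    }

    // Prevent MySQL Injection Attacks: a prepared statement keeps the user input
    // out of the SQL text entirely, so no escaping step is needed.
    // The query only needs to return the username and the stored hash; LIMIT 1
    // simply tells MySQL to stop looking once it finds the one result it needs.
    $stmt = $connect->prepare('SELECT username, password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the submitted password against a password_hash()
    // value in constant time; the password itself never reaches the query.
    $ok = $row !== false && password_verify($password, (string) $row['password']);

    if ($ok) {
        // Issue a fresh session id on login so a session id fixed before
        // authentication does not carry over into the logged-in session.
        session_regenerate_id(true);
        $_SESSION['username'] = $row['username'];
        echo "Login successful. <a href='membersarea.php'>Click here to enter the member area</a>";
    } else {
        // Never tell the user that the username is correct but the password is incorrect. People can then brute force attack a particular username.
        // A simple combination error will usually let people know that there is a problem with their password.
        echo 'Incorrect Username/Password Combination. ' . return_link() . '.';
    }

    $connect = null; // Good Idea to close the connections.
} else {
    die('Please enter a username and password. ' . return_link() . '.');
}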