
I'm having trouble with a PHP login script (below). I want to redirect to nouser.php if someone enters a username that does not exist and to wrongpass.php if the wrong password (but a valid username) is entered. The code below almost works. If I comment out the entire wrong password section then the nouser section works as expected, displaying the nouser page, but if I leave the wrong password section in I get the wrongpass.php page for both the nouser and the wrong password situations. If I put a valid user in but with the wrong password then I get wrong password (correct behavior). Simply put, how can I make sure that I get redirected to nouser.php if there is no user of this name, and not the wrongpass.php page?

<?php
$username = $_POST['username'];
$password = $_POST['password'];
//connect to the database here

require_once 'includes/login.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());

mysql_select_db($db_database, $db_server)
    or die("Unable to select database: " . mysql_error());


$username = mysql_real_escape_string($username);
$query = "SELECT password, salt
        FROM users
        WHERE username = '$username';";
$result = mysql_query($query);
//wrong user section
if(mysql_num_rows($result) < 1) //no such user exists
{
    header('Location: nouser.php');
}
//wrong password section
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['password']) //incorrect password
{
    header('Location: wrongpass.php');
}
//login successful


?>
  • It's worth noting that mysql_ is deprecated. You should instead use mysqli. I recently made the switch and actually the OO nature (you can but don't have to use it) of mysqli is much nicer. Commented May 15, 2013 at 16:28
  • It is also worth noting that you are giving information away by having 2 destination scripts for nouser and wrong password. Catch my meaning? Commented May 15, 2013 at 16:28
  • You should only advise that the username and password combination given is not valid, otherwise you are telling people that they have guessed a valid username and now they just have to guess the password. Commented May 15, 2013 at 16:29
  • Yeah, I understand about not giving away what the user is doing incorrectly (username or password); this is just an initial setup for testing and I will change things. Also, it is for an internal app that I don't need to be too secure either, but I take your point and it would be good practice to change it anyway. Thanks guys. Commented May 15, 2013 at 16:35

1 Answer

I think you should add die() to stop the script.

if(mysql_num_rows($result) < 1) {
    header('location:nouser.php');
    die();
}

I have not tested the code yet.


5 Comments

That seems to work, thanks. I thought about that but thought it might break something else. Should have tried it really.
Yeah: break, die, exit, bail out.
@user2332903 but I don't think you should create your own login.php; many authentication plugins will help you and are safer.
You can also use exit() :)
@gilbertxenodike - I'm doing this for two reasons. One, an application for my own business that will be accessed internally only, so safety isn't a huge issue, and secondly, I'm doing it to learn, so doing it myself will have much more value than using a plugin. If it was something I was building for a customer / client etc. I'd agree.
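The following is an added example (not the asker's or the answerer's code) that combines the accepted fix with the points raised in the comments: every header() redirect is followed by exit(), both failure cases go to one generic destination so the response no longer reveals whether the username exists, the query uses a mysqli prepared statement, and the hash comparison is constant-time. It assumes the page's users(username, password, salt) table and the $db_* variables from includes/login.php; loginfailed.php and welcome.php are hypothetical destination names.

```php
<?php
// Added example, not the question's code. Assumes includes/login.php defines
// $db_hostname, $db_username, $db_password and $db_database as on the page.
require_once 'includes/login.php';

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$db = new mysqli($db_hostname, $db_username, $db_password, $db_database);
if ($db->connect_error) {
    die('Unable to connect to MySQL: ' . $db->connect_error);
}

// Bound parameter instead of string interpolation: no escaping needed and
// the username can never change the structure of the query.
$stmt = $db->prepare('SELECT password, salt FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($stored, $salt);
$found = $stmt->fetch();   // true when a row was fetched, null when no such user
$stmt->close();

if (!$found) {
    // Unknown user: hash against a dummy salt and a dummy stored value so the
    // work done (and the response time) is the same as for a known user.
    $salt   = 'dummy-salt';
    $stored = str_repeat('0', 64);
}

// Same scheme the question stores: sha256(salt . sha256(password)).
$computed = hash('sha256', $salt . hash('sha256', $password));

// One generic outcome for both "no such user" and "wrong password".
// hash_equals() compares in constant time.
if (!$found || !hash_equals($stored, $computed)) {
    header('Location: loginfailed.php');   // hypothetical single failure page
    exit(); // header() only queues the redirect; without exit() the script keeps running
}

// login successful: start a fresh session so a pre-set session id is not reused
session_start();
session_regenerate_id(true);
$_SESSION['username'] = $username;
header('Location: welcome.php');   // hypothetical landing page
exit();
```

For new code, PHP's built-in password_hash() and password_verify() are preferable to the hand-rolled salted SHA-256 scheme kept here for compatibility with the question's existing user table.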
