I wrote some PHP that checks my DB for password and username. First, it requests the username and password from the user form and checks if both variables are not NULL; if they are, the script dies. Then, because the passwords in the database are md5 encrypted, it encrypts the password and stores it in the same variable. Finally, it opens up the database and searches each row for the username and password. If it's found, it stores an ID, username and the name associated with the account in a session var; if not, it simply says wrong username/password. Here is the source:
<?php
session_start();
$username=$_REQUEST['username']; //Gets username from html form
$password=$_REQUEST['password']; //Gets password from html form
if ($username&&$password) { //Makes sure the user entered a value for username and password
}
else {
    die("You left a field blank!");
}
$password=md5($password); //Turns the password into md5 hash
$connect=mysql_connect('localhost', 'username', 'password');
mysql_select_db('data', $connect); //connects to db
$result=mysql_query("SELECT * FROM user");
//fetches each row and checks for username and password
while($row=mysql_fetch_array($result)) {
    //split these two lines of code because yahoo wouldn't show entire line
    if ($row['username']==$username&&
        $row['password']==$password) {
        $a='1';
        $dbuser=$row['username'];
        $dbid=$row['uid'];
        $dbname=$row['name'];
    }
    else {
    }
}
if ($a=='1') {
    echo "Login Sucessfull! ";
    $_SESSION['user']=$dbuser;
    $_SESSION['name']=$dbname;
    $_SESSION['uid']=$dbid;
    echo "Click <a href='index.php'>here</a> to go to member's page!";
}
else {
    echo "Login unsucessfull";
}
?>
Is this code secure from SQL injection? What can I do to improve the code? Thanks for the help!
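A hardened version of the login flow described in the question, as an added example that is not part of the original post: it looks the user up with a bound parameter instead of scanning every row, and replaces md5() with password_hash()/password_verify(). It assumes PHP 7 or later with the PDO SQLite driver; the function names are hypothetical, and the in-memory database and sample user are constructed so it runs offline.

```php
<?php
// Added example, not the poster's code. Table and column names follow the
// post; the in-memory SQLite database and the sample user are constructed.

function find_and_verify(PDO $db, string $username, string $password): ?array
{
    // The database finds the one row; the value is bound, never concatenated.
    $stmt = $db->prepare(
        'SELECT uid, username, name, password FROM user WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() recomputes the salted hash and compares it safely.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same answer for unknown user and wrong password
    }
    unset($row['password']); // never carry the hash into the session
    return $row;
}

function login(PDO $db, array $input): bool
{
    $username = $input['username'] ?? '';
    $password = $input['password'] ?? '';
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return false; // missing, empty, or array-valued field
    }
    $user = find_and_verify($db, $username, $password);
    if ($user === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id after authentication
    }
    $_SESSION['uid']  = $user['uid'];
    $_SESSION['user'] = $user['username'];
    $_SESSION['name'] = $user['name'];
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (uid INTEGER PRIMARY KEY, username TEXT UNIQUE, name TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO user (username, name, password) VALUES (?, ?, ?)');
$ins->execute(['alice', 'Alice Example', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(login($db, ['username' => 'alice', 'password' => 'correct horse']));
var_dump(login($db, ['username' => 'alice', 'password' => 'wrong']));
```

In a real page, call session_start() first and pass $_POST rather than $_REQUEST, so credentials are only accepted from the form body.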