
Insecure coding will grant anyone access as input is not escaped.

On Wed, Apr 24, 2013 at 3:00 PM, Zack Githinji <zachgithinji@gmail.com> wrote:
try this
-----------------------------------------------------------------
<?php
$portal=$_POST['portal'];
$u_id=$_POST['uname'];
$pwd=$_POST['upass'];

//my sql part
$host="localhost";
$dbuser="root";
$dbpass="";

//connect to the database
$conn= mysql_connect($host,$dbuser,$dbpass) or exit("Connection Error".mysql_error());
mysql_select_db('cars') or exit("Database not found");

//The Query
$strSQL= "SELECT `u_name` from `users` where `u_name` = '.$u_id.' and `pass` = '.$pwd.' and `type` = '.$portal.'";
$result=mysql_query($strSQL, $conn) or exit("sql Error:".mysql_error());

//logic test
$numrows=mysql_num_rows($result);

//error below here
if($numrows=1) {
    /*echo "success"; echo "Name:".$u_id."</br>";*/

    //user access
    if ($portal="user") {
        header("Location:upload.html");
    }
    //dealer access even with wrong credentials this is opened
    elseif ($portal="dealer") {
        header ("Location:select.html");
    }
    //administrator access
    elseif ($portal="admin") {
        header ("Location : login.html");
    } else {
        echo "login error";
        return false;
    }
} else {
    echo" Login Failed";
    echo "</br><a href='#' onclick='window.history.back();'>Click Here</a>";
}
?>
-------------------------------------------------------
On Wed, Apr 24, 2013 at 2:59 PM, Kennedy Kairu Kariuki <kkairu@gmail.com> wrote:
True Peter. Also the other parts where you are doing comparison and not assignment.
On Wed, Apr 24, 2013 at 2:56 PM, Peter Karunyu <pkarunyu@gmail.com> wrote:
I suspect it's line 18 where you state thus:
    if($numrows=1){
I reckon you wanted to say:
    if($numrows == 1){
On Wed, Apr 24, 2013 at 2:46 PM, Victor Yegon <viktayeg@gmail.com> wrote:
How do you assign username an id??
On Wed, Apr 24, 2013 at 2:40 PM, Andrew Nduati <nduatiandrew@gmail.com> wrote:
Afternoon people, I urgently need someone to look at my code below and tell me why:
1. The wrong credentials allow one access.
2. Only the dealers page is opening even after selecting user or admin portals.
Looking forward to helpful feedback, thanks.

THE CODE:
<?php
$portal=$_POST['portal'];
$u_id=$_POST['uname'];
$pwd=$_POST['upass'];

//my sql part
$host="localhost";
$dbuser="root";
$dbpass="";

//connect to the database
$conn= mysql_connect($host,$dbuser,$dbpass) or exit("Connection Error".mysql_error());
mysql_select_db('cars') or exit("Database not found");

//The Query
$strSQL= "SELECT `u_name` from `users` where `u_name` = '.$u_id.' and `pass` = '.$pwd.' and `type` = '.$portal.'";
$result=mysql_query($strSQL, $conn) or exit("sql Error:".mysql_error());

//logic test
$numrows=mysql_num_rows($result);

//error below here
if($numrows=1){
    /*echo "success"; echo "Name:".$u_id."</br>";*/

    //user access
    if ($portal="user"){
        header("Location:upload.html");
    }
    else{
        echo "login error";
        return false;
    }
    //dealer access even with wrong credentials this is opened
    if ($portal="dealer"){
        header ("Location:select.html");
    }
    //administrator access
    elseif ($portal="admin"){
        header ("Location : login.html");
    }
}
else{
    echo" Login Failed";
    echo "</br><a href='#' onclick='window.history.back();'>Click Here</a>";
}
?>
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Regards,
Yegon Victor | Web Specialist/Internet Consultant |
-- Regards, Peter Karunyu -------------------
-- Regards, Zack K. Githinji Technical Officer,
Cell:+254 722 649199 E-mail:zachgithinji@gmail.com
"God grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference."
-- Best Regards,
Email: yonnym@gmail.com
Skype: yonny4103
PGP Public Key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC31163AE5A98C30A
DISCLAIMER: The information contained in or accompanying this e-mail is intended for the use of the stated recipient only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient.
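The thread identifies two separate defects in the login handler: `=` used where a comparison (`==`) was meant, so every branch evaluates true, and request values concatenated straight into the SQL string, so the query's meaning depends on what the user types. The script below is an added example of how the same flow looks with both fixed; it is not code posted by anyone in this thread. It assumes the `users` table from the original post (`u_name`, `pass`, `type`), that `pass` holds a `password_hash()` digest rather than a plaintext password, and that the `mysqli` extension is available (the `mysql_*` functions used in the thread were removed in PHP 7). The database account name and password are placeholders.

```php
<?php
// Added example, not from the thread. Same login flow as the original post
// with the two discussed bugs fixed: comparisons instead of assignments, and
// user input bound as parameters so it never becomes part of the SQL text.
// Assumed schema: users(u_name, pass, type) with pass = password_hash() output.
declare(strict_types=1);

// The only portal values the application knows, and where each one lands.
// Anything else is rejected instead of falling through to a default page.
const PORTAL_PAGES = [
    'user'   => 'upload.html',
    'dealer' => 'select.html',
    'admin'  => 'login.html',
];

/**
 * Returns the redirect target for a valid login, or null when the portal,
 * username or password is wrong. The SQL contains only `?` placeholders, so
 * the submitted username and portal are data, never part of the statement.
 */
function authenticate(mysqli $db, string $portal, string $uname, string $upass): ?string
{
    if (!array_key_exists($portal, PORTAL_PAGES)) {
        return null; // unknown portal value
    }

    $stmt = $db->prepare(
        'SELECT `pass` FROM `users` WHERE `u_name` = ? AND `type` = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $uname, $portal);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found !== true) {
        return null; // no such user for that portal
    }

    // password_verify() does a constant-time comparison against the stored
    // hash; the password is never compared with == or placed in the query.
    return password_verify($upass, (string) $storedHash) ? PORTAL_PAGES[$portal] : null;
}

$portal = $_POST['portal'] ?? '';
$uname  = $_POST['uname']  ?? '';
$upass  = $_POST['upass']  ?? '';

// Placeholder credentials: a dedicated least-privilege account, not root.
$db = new mysqli('localhost', 'cars_app', 'CHANGE_ME', 'cars');
if ($db->connect_error) {
    http_response_code(500);
    exit('Connection error');
}

$target = authenticate($db, $portal, $uname, $upass);
if ($target === null) {
    // One generic message for every failure, so the response does not reveal
    // whether the username, password or portal was the wrong part.
    http_response_code(401);
    exit('Login failed');
}

// Successful login: start a fresh session id before granting the new role.
session_start();
session_regenerate_id(true);
$_SESSION['user'] = $uname;
$_SESSION['type'] = $portal;
header('Location: ' . $target);
exit;
```

With the original code, the `=` inside `if($numrows=1)` assigns 1 and the branch always runs, which is why wrong credentials were accepted even before the SQL is considered; here the outcome depends only on the return value of `authenticate()`. Binding parameters also removes the need for any manual escaping of `$_POST` values, and the redirect is issued only after the check succeeds, so there is no path that sends a `Location` header before the credentials have been verified.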