Quote:
Originally Posted by k0nr4d
and then you just go
$result = mysqli_query($dblink, "SELECT * FROM users WHERE username = '".$_POST['username']."' AND password = MD5(CONCAT('".$_POST['password']."',salt))");
(naturally, youd' protect against sql injection but just writing like that to illustrate what goes where).
If there's a result, the user is valid. If it's empty, it's wrong login details.
|
So I have it inserting a salt value into the SQL table, but where do I put that part above? Does that replace the original line of code I have bolded below or is that a completely new line of code?
Quote:
<?php
session_start();
$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'user';
$DATABASE_PASS = 'pass';
$DATABASE_NAME = 'db';
// Try and connect using the info above.
$con = mysqli_connect($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME);
if ( mysqli_connect_errno() ) {
exit('Failed to connect to MySQL: ' . mysqli_connect_error());
}
if ($stmt = $con->prepare('SELECT id, password FROM Register WHERE username = ?')) {
$stmt->bind_param('s', $_POST['username']);
$stmt->execute();
if ($stmt->num_rows > 0) {
$stmt->bind_result($id, $password);
$stmt->fetch();
if ($_POST['password'] === $password) {
session_regenerate_id();
$_SESSION['loggedin'] = TRUE;
$_SESSION['name'] = $_POST['username'];
$_SESSION['id'] = $id;
echo 'Welcome ' . $_SESSION['name'] . '!';
} else {
// Wrong password
echo 'Incorrect Password!';
}
} else {
// Wrong username
echo 'Incorrect Username!';
}
$stmt->store_result();
$stmt->close();
}
?>
|
Sorry this whole password hashing stuff has me confused af
