Browser MMO Video #5

Jony
Posts: 26
Joined: Tue May 11, 2010 3:34 pm

Re: Video#5

Post by Jony »

Hi. I have one question regarding this video.

In this code:

Code:

$query="select name,password from players where name= '$player' and '$password'";
you used $query=".... and '$password'";

Shouldn't it be: $query="... and password='$password'";
like in this code:

Code:

$query="select name,password from players where name= '$player' and password='$password'";
I'd like to know why you wrote the code like that and what the difference in effect is between the 2 codes.

Regards.

EDITED:
I just looked a few pages back and found out the correct code.
I was wondering about this because when I wrote this .php file I used the 2nd CODE and it worked. In your video, it seemed to have worked with the first code too.

PPS. So far so good. All the tuts worked for me. I learned practically a lot of things that I only knew theoretically before. Great site!
hallsofvallhalla
Site Admin
Posts: 12026
Joined: Wed Apr 22, 2009 11:29 pm

Re: Video#5

Post by hallsofvallhalla »

thanks and yes the second code is the correct way, it was a mistake on my part :)
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Video#5

Post by Jackolantern »

hallsofvallhalla wrote: thanks and yes the second code is the correct way, it was a mistake on my part :)
Although I have never tried it the original way myself, I have seen plenty of people post that in their code samples and it is not causing errors. Is that query only logging people in based on their username, instead of username and password?
The indelible lord of tl;dr
hallsofvallhalla
Site Admin
Posts: 12026
Joined: Wed Apr 22, 2009 11:29 pm

Re: Video#5

Post by hallsofvallhalla »

it is different on different hosts and browsers, like so many other issues I run into....
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Video#5

Post by Jackolantern »

What I was thinking, is that the "and '$password'" would be interpreted as a concatenated statement. In which case, it would have no meaning, and it would evaluate to no effect, leaving just "SELECT * FROM players WHERE name='$name'"....scary... lol
The indelible lord of tl;dr
jpoisson
Posts: 245
Joined: Sun Aug 02, 2009 5:12 pm

Re: Video#5

Post by jpoisson »

While testing it out the issue I ran into is that any user can log into any account. All they need is the right user name then enter whatever for a password. Since it is only checking against the user name and not validating for a password.
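
Added example (not part of any post in this thread, and not the tutorial's code): the two query shapes discussed above, run against constructed sample data. Python and SQLite stand in for the thread's PHP and MySQL as an assumption; both evaluate a bare string in a WHERE clause by converting its leading characters to a number, so whether the first query accepts a wrong password depends on whether the MD5 digest starts with a nonzero digit. The table contents, function names and passwords are made up for the illustration.

```python
import hashlib
import sqlite3


def md5_hex(text):
    # MD5 is used only because the tutorial code in this thread uses md5().
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """Constructed sample data: one player, 'alice', whose password is 'hello'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (name TEXT, password TEXT)")
    conn.execute("INSERT INTO players VALUES (?, ?)", ("alice", md5_hex("hello")))
    return conn


def login_broken(conn, player, password):
    # Query shape from the first post: "and '$password'" names no column,
    # so the digest string itself is evaluated as a boolean.
    query = ("select name,password from players "
             f"where name= '{player}' and '{md5_hex(password)}'")
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, player, password):
    # Corrected shape: compare against the password column, and bind the
    # values as parameters instead of interpolating them into the SQL text.
    query = "select name,password from players where name = ? and password = ?"
    return conn.execute(query, (player, md5_hex(password))).fetchone() is not None


def demo():
    """Return {guess: (broken_result, fixed_result)} for player 'alice'."""
    conn = make_db()
    guesses = ["password", "123456", "hello"]
    return {g: (login_broken(conn, "alice", g), login_fixed(conn, "alice", g))
            for g in guesses}


if __name__ == "__main__":
    for guess, (broken, fixed) in demo().items():
        print(f"{guess!r:12} digest={md5_hex(guess)[:6]}... "
              f"broken={broken} fixed={fixed}")
```
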
PaxBritannia
Posts: 680
Joined: Sun Apr 18, 2010 1:54 pm

Re: Video#5

Post by PaxBritannia »

Here is my login script which works:

Straight from Impedimenta:

Code:

#Set Variables
$name = $_POST['name'];
$password = $_POST['password'];

#Prevent XSS Attacks
$name=htmlentities($name);
$name=strip_tags($name);

#Encrypt Password
$passwordencrypted=hash('!!!Not Telling What Hash I used - Insert Hash Here!!!', $password);

#Escape the name before it goes inside the quoted SQL string
$nameescaped=mysql_real_escape_string($name);

#Search Database for name
$userselect="SELECT * from player where name='$nameescaped'";
$userraw=mysql_query($userselect) or die('Your internet connection expired.  Please refresh the page. ');
$user=mysql_fetch_array($userraw);

#DEBUGGING SCRIPT!!! DO NOT DE-QUOTE!!!
#echo "user:" .$name;
#echo "password:" .$password;
#echo "password encrypted:" .$passwordencrypted;
#echo "password in db:" .$user['password'];
#DEBUGGING SCRIPT!!! DO NOT DE-QUOTE!!!

#Require a matching row and compare the hashes strictly (no type juggling)
if ($user && $user['password']===$passwordencrypted){
	goto pass1;
} else {
	goto fail1;
}
You can probably read through it and understand: I have a tendency to comment everything I do even if no-one is going to read it - helps a lot with debugging and team-projects.

If you used MD5 hashing, the hash part will be slightly different. There are other ways to authenticate which include counting lines, etc. But this is the most robust.

Pax.
hardtime81
Posts: 23
Joined: Sun May 09, 2010 11:32 pm

Re: Video#5

Post by hardtime81 »

1 <?php
2 include_once 'connect.php';
3 session_start();
4
5 if (isset($_POST['submit']))
6 (
7 $player=$_POST['player']; <<<<<<<Parse Error>>>>>><<<<what is it asking us?>>>>>>>
8 $password=$_POST['password'];
9 $player=strip_tags($player);
10 $password=strip_tags($password);
11 $password=md5($password);
12
13 $query = "select name, password from players where name='$player' and password='$password'";
14 $result = mysql_query($query) or die("Could not query players");
15 $result2 = mysql_fetch_array($result);
16 if ($result2)
17 (
18 $_SESSION['player']=$player;
19
20 echo "<big>Logged in successfully<br>";
21 echo "<a href='battle.php'>Continue</a></big>";
22 )
23 else
24 (
25 echo "<big>Wrong username or password.<a href='login.php'>Try Again</a></big>";
26 )
27 )
28 ?>

Note: {Parse error: parse error in C:\wamp\www\tutorial\authenicate.php on line 7}
Regards,
Hardtime81
"Its the best of times; its the worst of times!"
hallsofvallhalla
Site Admin
Posts: 12026
Joined: Wed Apr 22, 2009 11:29 pm

Re: Video#5

Post by hallsofvallhalla »

you have ( instead of { at line 6

same with ) needs to be }

your if statements are fine if(blah blah) but then it should be
{

}
hardtime81
Posts: 23
Joined: Sun May 09, 2010 11:32 pm

Re: Video#5

Post by hardtime81 »

Halls, what's the difference between the two?
( {
) }
I thought it would read the script either way.
Regards,

Hardtime81
"Its the best of times; its the worst of times!"