
My database always returns that 1 row is found as a match for the condition that both the username and password (here as passhash) are correct.

I can just type the correct username and no password or a random password and it will still return that it found 1 row which matches the condition.

    $user = $_POST['username'];
    $pass = $_POST['password'];

    $phash = md5(sha1($pass+"salt123")+"salt123");

    $sql = "SELECT * FROM users WHERE username='$user' AND passhash='$phash'";

    $result = $conn->query($sql);
    $count = mysqli_num_rows($result);

    if ($count == 1)
    {
        echo "Welcome $user, you have successfully logged in!<br />";
    }
    else
    {
        echo "username or password is incorrect!";
    }
user3002135
    `+"salt123"` Doing math with that string doesn't make much sense. Maybe concatenation? – Rizier123 Dec 05 '15 at 14:29
  • Please check your code, there might be something else running and returning the result – Gaurav Lad Dec 05 '15 at 14:30
  • @Rizier123 Oops, I didn't want to do math at that point. It's a `+` for strings in C# so I accidentally put it as `+` there. – user3002135 Dec 05 '15 at 14:32
  • See: http://php.net/manual/en/language.operators.string.php – Rizier123 Dec 05 '15 at 14:33
  • @GauravLad it is all the code I have besides the `$conn = new mysqli($servername, $username, $password, $database);` which I didn't put in this thread – user3002135 Dec 05 '15 at 14:33
  • Also I wouldn't recommend mixing OOP (`$conn->query($sql);`) and procedural (`mysqli_num_rows($result);`) style. Please don't use [md5](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) for password storage and use [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](http://php.net/manual/en/book.pdo.php). – Rizier123 Dec 05 '15 at 14:34
  • @Rizier123 With `.` it works how it is supposed to be. thanks! – user3002135 Dec 05 '15 at 14:36
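The following is an added example, not code from the question or from any of the commenters. Its first part shows why the `+` in the question makes every password "match": in PHP, `+` is arithmetic and a non-numeric string operand counts as 0 (with a notice or warning under PHP 5/7 and a TypeError under PHP 8), so `$pass + "salt123"` is 0 for almost any password, `sha1(0)` is one fixed string, and `sha1(0) + "salt123"` is 0 again. Every password therefore produces the same `md5("0")` digest, and the stored passhash, written by the same code, always matches. The second part is the login rewritten along the lines the comments suggest, with a prepared statement and `password_hash()`/`password_verify()` in place of the hand-rolled md5/sha1 mix. It assumes PHP 7 or later, the question's own `$conn` mysqli connection, and a `users` table with `username` and `passhash` columns where `passhash` holds a `password_hash()` result; the function names `buggyHash`, `fixedHash`, `register` and `login` are this example's own.

```php
<?php
// Added example (not the question's code). Assumes PHP 7+, the question's
// mysqli connection $conn, and a users table with columns username, passhash.

// Part 1: the collapsed hash versus the intended concatenation.

function buggyHash(string $pass): string
{
    // The question's expression verbatim. The @ only silences the "non-numeric
    // value" warning that PHP 5/7 emit for the string operand of "+"; under
    // PHP 8 this line throws a TypeError instead.
    return @md5(sha1($pass + "salt123") + "salt123");
}

function fixedHash(string $pass): string
{
    // "." is string concatenation, which is what the question author meant.
    return md5(sha1($pass . "salt123") . "salt123");
}

foreach (['hunter2', 'correct horse', 'wrong!'] as $candidate) {
    printf("%-14s buggy=%s fixed=%s\n",
        $candidate, buggyHash($candidate), fixedHash($candidate));
}

// Part 2: the login with a bound parameter and a proper password hash.

function register(mysqli $conn, string $user, string $pass): bool
{
    // password_hash() picks the algorithm (bcrypt by default) and a random
    // salt itself; no md5, sha1 or fixed "salt123".
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO users (username, passhash) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function login(mysqli $conn, string $user, string $pass): bool
{
    // The username is bound as a parameter, never spliced into the SQL text,
    // so quotes or SQL keywords in $_POST['username'] cannot change the query.
    $stmt = $conn->prepare('SELECT passhash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    // Verify against a throwaway hash when the user is unknown, so a missing
    // username costs about the same time as a wrong password.
    $hashToCheck = $found ? $storedHash : password_hash('placeholder', PASSWORD_DEFAULT);
    return password_verify($pass, $hashToCheck) && $found;
}

// The question's handler, using the functions above.
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

if (login($conn, $user, $pass)) {
    // Escaped before being echoed back into the page.
    echo 'Welcome ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
        . ', you have successfully logged in!<br />';
} else {
    echo 'username or password is incorrect!';
}
```

Running Part 1 under PHP 5 or 7 prints the same `buggy=` digest on every line and a different `fixed=` digest per password, which is the behaviour the question describes: with the `+` version, any password typed for a known username hashes to the stored value. Part 2 keeps the same "welcome / incorrect" branches but removes both problems the comments raise: the SQL is fixed text with one bound parameter, and the comparison is done by `password_verify()` against a salted hash rather than by string equality in the `WHERE` clause.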

0 Answers