My Online Game (Database Help)

We don't need the structure, we need to know what's IN the database now...

Looking at this (`password` varchar(75)) the password isn't encrypted @ the database side, so I'm assuming it will be in the script... I'll take a look at your RAR now...

 

The script fails when it's checking the username, not the password, that gives a different error.

 

Personally, I wouldn't touch this script, it's pretty badly written & I wouldn't doubt that it's very insecure.


OK, looking at these files I cannot see why it's not working, but just as a test remove the ' ' around $username in the $result

It's failing at username, and not password... and to be honest, it could be doing all sorts, could be checking case sensitive too..

 

Change
mysql_query("SELECT * FROM `grpgusers` WHERE `username`='$username'")
To
mysql_query("SELECT * FROM `grpgusers` WHERE `username`= $username ")

 

and try that

 

Also, your passwords aren't encrypted, I would encrypt them (it's easy to do)

and you're only selecting where the USERNAME matches in the database, then checking the password later, you should select where username AND password match, especially since your return message is "name and password not found" - that would save you checking the password with the IF( further down


$result = mysql_query("SELECT * FROM `grpgusers` WHERE `username`='$username'") or die ("Name and password not found or not matched");

 

It fails on this line, which only checks the username.

 

For some mad reason there's a separate check for the password & if that fails, it gives a different error, but it isn't getting that far.

 

Never mind the passwords not being encrypted, there's the bigger problem of it passing unescaped, unchecked user input straight to the database. It shouldn't be on the internet, especially if it shares a database with anything else. It looks like a total failure of a script, it needs to be scrapped before somebody exploits it.

Edited by anywebsite
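
The two problems raised in the thread so far (user input passed straight into the query, and passwords stored unhashed) can be addressed together as in the following added example, which is not part of any post or of the script under discussion. It assumes PDO with an in-memory SQLite database standing in for the game's MySQL database; the helper names `register` and `login`, the `DUMMY_HASH` constant and the sample users are constructed for illustration, while the table and column names are the ones quoted in the thread.

```php
<?php
// Added example. In-memory SQLite stands in for the game's MySQL database;
// the user rows are constructed. Table and column names are the thread's.
$pdo = new PDO('sqlite::memory:');
// Query errors raise exceptions instead of being reported as a failed login.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// bcrypt output is 60 chars; 255 leaves room for future PASSWORD_DEFAULT algorithms.
$pdo->exec('CREATE TABLE grpgusers (
    id INTEGER PRIMARY KEY, username VARCHAR(75) UNIQUE, password VARCHAR(255))');

// Hash verified for unknown usernames so both failure paths do similar work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO grpgusers (username, password) VALUES (:u, :p)');
    // Store a salted one-way hash, never the password itself.
    $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    // $username is bound as a parameter, so any quotes in it stay data.
    $stmt = $pdo->prepare('SELECT password FROM grpgusers WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();          // false when no row matches
    if ($hash === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // Salted hashes cannot be compared in SQL; the check happens here.
    return password_verify($password, $hash);
}

register($pdo, 'alice', 'correct horse');
register($pdo, "O'Brien", 'hunter2-constructed');

$attempts = [
    ['alice', 'correct horse'],            // registered user, right password
    ['alice', 'wrong password'],           // registered user, wrong password
    ['nobody', 'correct horse'],           // username not in the table
    ["O'Brien", 'hunter2-constructed'],    // registered user with a quote in the name
];
foreach ($attempts as [$user, $pass]) {
    // One generic message for every failure, reusing the script's die() text.
    $msg = login($pdo, $user, $pass) ? 'logged in' : 'Name and password not found or not matched';
    printf("%-10s %s\n", $user, $msg);
}
```

Against MySQL only the PDO connection string changes; the prepared statements and the `password_hash()` / `password_verify()` calls stay the same.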

$result = mysql_query("SELECT * FROM `grpgusers` WHERE `username`='$username'") or die ("Name and password not found or not matched");

 

It fails on this line, which only checks the username.

 

For some mad reason there's a separate check for the password & if that fails, it gives a different error, but it isn't getting that far.

 

Yup, that's what I saw, and suggested something to try
