Menu
▾
▴
[Postfixadmin-devel] Why it need mysql_query() two times while auth admin user?
|
From: Zhang H. <zhb...@gm...> - 2008-10-27 12:14:34
|
Hi, all.
I read login.php file, and found something confused.
----<-- login.php ----
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
// Skip some lines here.
$result = db_query ("SELECT password FROM $table_admin WHERE
username='$fUsername' AND active='1'");
if ($result['rows'] == 1)
{
$row = db_array ($result['result']);
$password = pacrypt ($fPassword, $row['password']);
$result = db_query ("SELECT * FROM $table_admin WHERE
username='$fUsername' AND password='$password' AND active='1'");
if ($result['rows'] != 1)
----<----
Why it use sql query two times? Can we implement this just via compare
string like below (patch generated with PostfixAdmin-2.2.1.1)?
----<-- login.php ----
|--- login.php 2007-12-29 20:32:33.000000000 -0500
+++ login.php.bak 2008-10-27 14:46:22.000000000 -0400
@@ -67,18 +67,23 @@
{
$row = db_array ($result['result']);
$password = pacrypt ($fPassword, $row['password']);
- $result = db_query ("SELECT * FROM $table_admin WHERE
username='$fUsername' AND password='$password' AND active='1'");
- if ($result['rows'] != 1)
+
+ //$result = db_query ("SELECT * FROM $table_admin WHERE
username='$fUsername' AND password='$password' AND active='1'");
+ //if ($result['rows'] != 1)
+ if ($password != $row['password'])
{
$error = 1;
- $tMessage = $PALANG['pLogin_password_incorrect'];
+ //$tMessage = $PALANG['pLogin_password_incorrect'];
+ $tMessage = $PALANG['pLogin_incorrect'];
$tUsername = $fUsername;
}
}
else
{
$error = 1;
+ //$tMessage = $PALANG['pLogin_username_incorrect'];
$tMessage = $PALANG['pLogin_username_incorrect'];
+ $tMessage = $PALANG['pLogin_incorrect'];
}
if ($error != 1)|
----<----
I'm new to PHP. Thanks for your reply. :)
--
Best regards.
- Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/
|
