There are a few (I'd say pretty significant) issues with your code, but your actual issue looks to be simple.
As you didn't include the code for where you check, I'm going to build off the fact you're using something like if ($equal) { execute your code }:

strcmp returns 0 for being equal, >1 if string1 is greater than string2, and <0 if string2 is greater than string1. See the PHP docs for reference.
You can stop reading past this if you're not interested in developing yourself, but I figured I might as well explain a few things you could learn from:
That said however, there are a few issues I would like to raise awareness of, even if this never makes production level. It's a wise experience.
First of all, let me emphasise that what I am about to explain is difficult, and few people get it right - I myself am probably not the most proficient person on this skill either. Later versions of PHP have this covered for us though. But I'll give you the general gist.
In all cases, you will want to hash your passwords. Hashing is a one-way transformation of text that is not humanly readable. Because it is not readable by humans, if your database gets compromised, the passwords are not all publicly visible to the intruder, and he will have a harder time getting any data out of it at all.
There is also this thing called salting your passwords; salting is just a way of saying that we add our own string to their password, so it's never completely their password. There are a few ways to do this, but I won't go into detail, because PHP offers a library that does this for us. Which means we won't have to do anything difficult at all, and can just use their methods: password_hash() and password_verify(). They are only available since PHP 5.5, but there are backports to PHP 5.3.7.
You'll have to look up the methods yourself from PHP's official website, as I'm limited to posting only two links. They're found at php.net/password_verify and php.net/password_hash
There is another issue: you're using MySQL. mysql is incredibly old and even deprecated at this point; it is advised you move over to mysqli or even PDO.
Security Issue 2:
Your code ($result = mysql_query("SELECT passwd FROM usrs where usrname = '".$posted_username."'");) is vulnerable to MySQL Injection.
MySQL injection is where someone tries to cut off your query and uses his own. Because you do not properly sanitise user input (never trust the user), the code you're actually executing is not what you may expect it to look like, and may even consist of multiple queries (that could, for example, drop your tables, or even attempt to look up some of those clear-text passwords).
PDO has this covered for us, if you properly make use of the PDO wrapper (located at php.net/pdo), you won't have to worry about this at all. (Well, you do, but it's a whole lot easier to do it right after you get the hang of it).
There also is MySQLi, which is just MySQL_* improved. It allows for OOP programming and is faster. It doesn't sanitise user input for you; you'll have to make use of mysqli_real_escape_string($str), $mysqli->real_escape_string($str), or if you insist on using MySQL_* functions, mysql_real_escape_string($str).
I'll cut off for now; this is a lot of difficult information to process. But I hope someone learnt something from it. And if not, well, that's a shame really, as you're really using a few very unsafe ways. Even if you only test locally, it's still a good thing to learn good practices.
G'day!
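The following is an added example, not code from the original question or answer: the login flow written the way the answer recommends, with PDO prepared statements standing in for the string-built mysql_query() and password_hash()/password_verify() standing in for a strcmp() against a stored clear-text password. It assumes PHP 5.5 or later with the pdo_sqlite extension (an in-memory SQLite database is used so it runs offline; with MySQL you would only change the DSN). The table and column names (usrs, usrname, passwd) follow the query in the question; the user accounts and the test inputs are constructed here.

```php
<?php
// Added example, not the original poster's code. Assumes PHP >= 5.5 with
// pdo_sqlite; the usrs/usrname/passwd names come from the question's query.

// In-memory SQLite stands in for MySQL so the script runs offline.
// For MySQL: new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usrs (usrname TEXT PRIMARY KEY, passwd TEXT NOT NULL)');

function register(PDO $db, $username, $password)
{
    // Never store the raw password. password_hash() generates a random salt
    // and embeds it, the algorithm and the cost factor in the returned string,
    // so there is nothing extra to store or to get wrong.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Both values travel as bound parameters, never as part of the SQL text.
    $stmt = $db->prepare('INSERT INTO usrs (usrname, passwd) VALUES (:u, :p)');
    $stmt->execute(array(':u' => $username, ':p' => $hash));
}

function login(PDO $db, $username, $password)
{
    // A hash of a throwaway value, computed once, so that a lookup for an
    // unknown user still costs one password_verify() and does not reveal
    // through timing which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-account', PASSWORD_DEFAULT);
    }

    // The user-supplied name is bound, not concatenated: an input such as
    // "alice' OR '1'='1" is looked up literally instead of rewriting the query.
    $stmt = $db->prepare('SELECT passwd FROM usrs WHERE usrname = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = ($row === false) ? $dummyHash : $row['passwd'];

    // password_verify() re-hashes the candidate with the stored salt and
    // compares in constant time. It returns true/false, unlike strcmp(),
    // whose "match" result is 0 (the check would be strcmp(...) === 0).
    $matches = password_verify($password, $stored);

    return $row !== false && $matches;
}

// Constructed sample account and inputs.
register($db, 'alice', 'correct horse battery staple');

// What actually ends up in the passwd column: a salted hash, not the password.
echo 'stored: ', $db->query('SELECT passwd FROM usrs')->fetchColumn(), "\n";

$checks = array(
    array('alice', 'correct horse battery staple', true),
    array('alice', 'wrong password', false),
    array("alice' OR '1'='1", 'anything', false),  // injection attempt, now inert
    array("' OR 1=1 --", 'anything', false),        // would have matched the first row before
    array('bob', 'correct horse battery staple', false),
);
foreach ($checks as $check) {
    list($u, $p, $expected) = $check;
    $got = login($db, $u, $p);
    printf("%-22s %s\n", $u, ($got === $expected) ? 'ok' : 'UNEXPECTED');
}
```

When the DSN points at MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the parameters are sent separately from the statement by the server-side protocol rather than being quoted into the SQL text client-side; it is not needed for the SQLite stand-in above. Note also that register() and login() only ever pass the raw password to password_hash()/password_verify(); there is no escaping or pre-hashing step to forget.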