Login Script giving incorrect password and it is correct

[beginPHP]

I want to apologize ahead of time for the length of this post...  to many questions

 

 

I'm still new to PHP, infact I've never had a class with anything to do with it.  This is more of a hobby I have picked up in the last year or so.  I've played around with HTML enough to have built a collaboration site for my friends and I's fantasy football leagues.  We don't run the leagues from the site, simply a place where all players within the 4 leagues can talk trash, see how they match up with other players in another league, and there is a tournament between the four.  I've made a registration page that works great although it is supposed to verify all info was entered and it doesn't, but I can deal with that for now.  The login script I wrote is failing though.  It is supposed to verify the username and password and remember the user if the checkbox for it has been checked.  When I try to login with the test account I created I get an invalid password error and I know its the correct one.  I've verified it in my database a few times.  This is the INSERT portion of my registration page:

 

 

$insert = mysql_query("insert into users values

('" .$_POST['firstname']."',

  '" .$_POST['lastname']."',

    '" .$_POST['email']."',

  '" .$_POST['username']."',

  '" .$_POST['password']."')");

 

 

echo "Your user account has been created!";

echo "Now you can <a href=index.htm>log in</a>" ;

 

 

LOGIN SCRIPT

 

I've highlighted the area I think the issue is in but I'm not sure.  It is using the md5 encryption on the login script but its not on the registration page.  I'm not sure how I would go about using this encryption.  I have no idea if the issue is somewhere else in the script.  If anyone can tell me off the top of your head I've been wanting to add an authentication for the email account within the registration script to.  I got the idea from a different site the other day but I don't know how to go about doing it.  After the user registers I wanted it to send an email to the account they used to signup with and provide a link to verify the email address.  Just a thought if anyone knows how I can do that off the top of their head.  I thank everyone in advance that can helpout with this.

 

 

function confirmUser($username, $password){

  global $conn;

 

  if(!get_magic_quotes_gpc()) {

$username = addslashes($username);

  }

 

 

  $q = "select password from users where username = '$username'";

  $result = mysql_query($q);

  if(!$result || (mysql_numrows($result) < 1)){

      return 1; //Indicates username failure

  }

 

 

  $dbarray = mysql_fetch_array($result);

  $dbarray['password']  = stripslashes($dbarray['password']);

  $password = stripslashes($password);

 

 

  if($password == $_POST['password']){

      return 0; //Success! Username and password confirmed

  }

  else{

      return 2; //Indicates password failure

  }

}

 

 

function checkLogin(){

 

  if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){

      $_SESSION['username'] = $_COOKIE['cookname'];

      $_SESSION['password'] = $_COOKIE['cookpass'];

  }

 

 

  if(isset($_SESSION['username']) && isset($_SESSION['password'])){

      /* Confirm that username and password are valid */

      if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){

       

        unset($_SESSION['username']);

        unset($_SESSION['password']);

        return false;

      }

      return true;

  }

 

  else{

      return false;

  }

}

 

 

function displayLogin(){

  global $logged_in;

  if($logged_in){

      echo "<h1>Logged In!</h1>";

      echo "Welcome <b>$_SESSION[username]</b>, you are logged in. <a href=\"members.php\">Members Site</a>";

  }

  else{

?>

 

 

 

<?

  }

}

 

 

if(isset($_POST['sublogin'])){

  /* Check that all fields were typed in */

  if(!$_POST['user'] || !$_POST['password']){

      die('You didn\'t fill in a required field.  Please <a href="index.htm">try again.</a>');

  }

 

 

 

  $md5pass = md5($_POST['pass']);

  $result = confirmUser($_POST['user'], $md5pass);  

 

  if($result == 0){

    echo ('Welcome <b>$_SESSION[username]</b>, you are logged in.  Please continue to the

  <a href="members.php">Members Site</a>');

  }

    if($result == 1){

      die('That username doesn\'t exist in our database, please <a href="index.htm">try again.</a>');

  }

  else if($result == 2){

      die('Incorrect password, please <a href="index.htm">try again.</a>');

  }

 

 

  $_POST['user'] = stripslashes($_POST['user']);

  $_SESSION['username'] = $_POST['user'];

  $_SESSION['password'] = $md5pass;

 

 

  if(isset($_POST['remember'])){

      setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");

      setcookie("cookpass", $_SESSION['password'], time()+60*60*24*100, "/");

  }

 

 

  echo "<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[php_SELF]\">";

  return;

}

 

 

$logged_in = checkLogin();

 

?>

[marcus]

Please use the code tags on your script.

 

For the insert query, try defining the field names as you then define the input value for each

 

INSERT INTO `table` (`username`,`password`) VALUES('".$username."','".$password."')

 

get it?