Kudosarian (Author) Posted February 1, 2009

ok, I have tried both blmg911 and premiso codes and both have different results, but neither work correctly.

blmg911 - yours kicks back the invalid username and password message after the login button is pressed. I know that the username and password are right as they are hard to get wrong, so I think it must be the coding.

Premiso - your code doesn't redirect on login, just echoes the login page again, but no invalid username or password message.

Sorry if this is taking up your time, but it is much appreciated.

Thanks
Kudosarian

premiso Posted February 1, 2009

> Premiso - your code doesn't redirect on login, just echoes the login page again, but no invalid username or password message.

Is your login page the index.php? If so that is why it does it, you can set an if $_SESSION['username'] isset display this message "You are already logged in" to test to see if that is the case.

Kudosarian (Author) Posted February 1, 2009

No, my login page is called "login.php". On login, I want the visitor to be redirected to "index.php" which will allow them access to restricted sections of the site.

Kudosarian

premiso Posted February 1, 2009

<?php
session_start();
if (isset($_POST['Login'])) {
    $server = "*****";
    $db_username = "*****";
    $db_password = "*****";
    $db_name = "*****";
    $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
    mysql_select_db($db_name, $db) or die("Database name not available !!");

    // Let's filter the post data. The username is escaped directly:
    // array_walk_recursive() hands the callback a copy, so it would leave $_POST unchanged.
    $username = mysql_real_escape_string($_POST['username'], $db);
    $md5_password = md5($_POST['password']); // Hash password with md5() function.

    // Construct and run query.
    $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1");
    $result = mysql_num_rows($result);
    if ($result > 0) {
        $_SESSION['username'] = $_POST['userame']; // session_register is deprecated
        header("location: index.php"); // Redirect to index.php
    } else { // else is just fine here
        $message = "--- Incorrect Username or Password ---";
        echo "$message";
    }
}
?>

Forgot the capital "L" in login. Try that and see if it passes the username test.

Kudosarian (Author) Posted February 1, 2009

ok, I changed the capital L and also noticed a typo in one of the "username" words. Sorry to say that I am now getting the Invalid Username and password message after login is pressed.

As I said in an earlier post, with the username and password that I have set up for testing purposes, I cannot get them wrong. I have tried creating another table with the same data but still no joy.

This really has me stumped!!!

Kudosarian

premiso Posted February 1, 2009

How are you entering the username/password into the db? Are you md5 the password you enter into the DB?

Kudosarian (Author) Posted February 2, 2009

THAT'S IT!!! Premiso, you are a genius. I thought that I had md5() the password for the DB, but when I changed the coding on the login to reflect that I hadn't, it worked.

So, now I will try making the password field in my DB md5(). I will report back.

Kudosarian

Kudosarian (Author) Posted February 2, 2009

I wish I had better news. The login worked, for all of 5 mins. I tried updating the DB, and then nothing. Back to the Invalid username and password screen.

As I said in my last post, it worked by removing the md5() for the password. See code below (don't think I have deleted anything else!!)

Kudosarian

<?php
session_start();
if (isset($_POST['Login'])) {
    $server = "*****";
    $db_username = "*****";
    $db_password = "*****";
    $db_name = "*****";
    $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
    mysql_select_db($db_name, $db) or die("Database name not available !!");

    // Let's filter the post data. Both values are escaped directly:
    // array_walk_recursive() hands the callback a copy, so it would leave $_POST unchanged.
    $username = mysql_real_escape_string($_POST['username'], $db);
    $md5_password = mysql_real_escape_string($_POST['password'], $db); // md5() removed for this test.

    // Construct and run query.
    $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1");
    $result = mysql_num_rows($result);
    if ($result > 0) {
        $_SESSION['username'] = $_POST['username']; // session_register is deprecated
        header("location: index.php"); // Redirect to index.php
    } else { // else is just fine here
        $message = "--- Incorrect Username or Password ---";
        echo "$message";
    }
}
?>

premiso Posted February 2, 2009

That code is correct. No errors with it. Anything from here on is mis-match between the DB and the form. We cannot help you with that part.

Kudosarian (Author) Posted February 2, 2009

Ok, I checked the table and got it working. The problem seemed to occur with my settings for the password field in my DB. I had set the function to password which encrypts the password so no-one can see it. The login works as long as I do not have that function selected.

My question now would be, is it safe? Is there any way to help the security of it?

Thanks
Kudos

premiso Posted February 2, 2009

MySQL does have a built-in MD5() function you can use. You may have been using the PASSWORD() function instead. I would go with the MD5() then MD5 your password in the code again and see if that works.

When you create your login script, you can have either MySQL do that or PHP, either does not matter.

Kudosarian (Author) Posted February 2, 2009

wow - I added MD5 to the DB and re-added it to my login page code and it seems to be working fine.

I take it that helps keep it safe or is there anything else I need to check?

premiso Posted February 2, 2009

> wow - I added MD5 to the DB and re-added it to my login page code and it seems to be working fine. I take it that helps keep it safe or is there anything else I need to check?

Nope, MD5 is a 1-way hash. It "can" be broken using different algorithms, but for the most part is safer than just leaving as plain text.

Kudosarian (Author) Posted February 2, 2009

ok, 1 more thing and then I can leave a happy man. I would like to ensure that no-one can access restricted pages on the site. I have used the following script for that:

<?
session_start();
if (!session_is_registered("username")) {
    header("location: login.php");
}
?>

But I have noticed that if I go straight to a restricted page, say from Google, I am still "logged" in as the last username I tested. Is there an easy way of clearing the session variable??

Thanks for all your help so far, premiso

Kudosarian

redarrow Posted February 2, 2009

All you need to do now is validate the username and password so the user has entered the correct info.

I am also very sure this is safer than just md5. Example:

<?php
echo md5(sha1('redarrow'));
?>

Little example:

<?php
$username = "redarrow";
$password = "redarrow12345678redarrow";

if (preg_match("/^[a-zA-Z]{8}$/", $username)) {
    echo "Username has 8 letters! <br />";
    if (preg_match("/^[a-zA-Z]{8}[0-9]{8}[a-zA-Z]{8}$/", $password)) {
        echo "Password has 8 letters and 8 numbers and 8 letters! <br />";
    }
}

// Compare with ==; a single = would assign and always be true.
if (trim($username) == "") {
    echo "username has no value! <br />";
    if (trim($password) == "") {
        echo "password has no value!";
    }
}
?>

redarrow Posted February 2, 2009

If a user is not online then you can kill the sessions that are not being used.

<?php
session_start();
// The session value is quoted and escaped before it goes into the query.
$result = mysql_query("SELECT username FROM users WHERE username='" . mysql_real_escape_string($_SESSION['username']) . "'");
if (mysql_num_rows($result) == 0) {
    // No matching user: drop the session.
    unset($_SESSION['username']);
    session_destroy();
}
?>

premiso Posted February 2, 2009

<?php
session_start();
if (!isset($_SESSION["username"])) {
    header("location: login.php");
    exit; // stop here so the rest of the restricted page is not sent
}
?>

Should do the trick.

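For the question above about staying "logged" in as the last tested username, here is an added example (not code from the thread) that puts the page guard and a logout routine side by side. The function names start_user_session(), require_login() and logout() are hypothetical; the file names login.php and index.php are the ones used in the thread.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.
session_start();

// Call on login.php after the password check has succeeded.
function start_user_session(string $username): void
{
    session_regenerate_id(true);    // issue a new session id and delete the old one
    $_SESSION['username'] = $username;
}

// Call at the top of every restricted page such as index.php.
function require_login(): void
{
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');
        exit;                       // without this the page body is still sent
    }
}

// Call from a logout page: clears the session so the next visit starts logged out.
function logout(): void
{
    $_SESSION = [];                 // drop the variables for this request
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie using the same parameters it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();              // remove the server-side session data
    header('Location: login.php');
    exit;
}
```

Until logout() runs or the session expires, the browser keeps sending the same session cookie, which is why a restricted page opened directly still sees the earlier username.
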
Kudosarian (Author) Posted February 2, 2009

Done!! Thanks for your help redarrow. But my hat is off to premiso. Thanks bud for all your time and effort in helping me. I have found this forum extremely useful and hope that I can return the favour someday.

I will develop my script further one day by adding a change password option and other such things, but for now, I am more than happy with what I have got.

Thanks again to all that chipped in, but big thanks to premiso.

Kudosarian

haku Posted February 5, 2009

md5() is quite insecure and has been cracked. You are much better off using sha1().

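On the "is it safe?" question running through this thread, here is an added example (not code from any poster) of the same login check using PHP's password_hash() and password_verify() with a PDO prepared statement. It assumes PHP 7.1 or later with the pdo_sqlite extension; in-memory SQLite stands in for the thread's MySQL database so the script runs on its own, and the account, the DUMMY_HASH constant and the function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The account below is constructed,
// and in-memory SQLite stands in for the thread's MySQL database.
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Hash of a throwaway value, verified against when the username is unknown so
// both failure paths do a comparable amount of work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// Registration side: store a salted, slow hash instead of md5() or plain text.
function register_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: look the user up with a bound parameter, then verify in PHP.
// The password never appears in the SQL, so the stored format and the login
// code cannot drift apart the way they did in this thread.
function check_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no such user exists
    if ($hash === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, $hash);
}

register_user($pdo, 'kudos_test', 'correct horse battery staple');

$attempts = [
    ['kudos_test', 'correct horse battery staple'],  // right password
    ['kudos_test', 'wrong password'],                // wrong password
    ["o'brien", 'anything'],                         // unknown user, quote in name
];
foreach ($attempts as [$user, $pass]) {
    echo $user, ': ', check_login($pdo, $user, $pass) ? 'accepted' : 'rejected', PHP_EOL;
}
```

With MySQL, only the DSN passed to new PDO() changes; the password column should be wide enough for the full hash string (the PHP manual suggests 255 characters).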