Jump to content

Login Script and MD5 password


bravo14

Recommended Posts

Hi all

 

I have a login form and script using md5 encryption, I know I have entered the correct password but I get a message saying the password I have entered is incorrect the code is below

<?php 
session_start();
include_once('includes/connector.php'); //Just include the connector at the top
if($_POST['submit']) //Added quotes around submit and removed = 1 
{
  foreach ($_POST as $key => $val) {
    $$key = mysql_real_escape_string($val); //This is a huge security hole, as it allows people to inject variables into your code
  } //This was one missing brace

  //is the email already registered?
  $user = mysql_query("SELECT username FROM `tbl_admin_users` WHERE username='$username'"); //Added single quotes around $email
  if(mysql_num_rows($user) > 0) //login name was found
  { 
    //is the password correct
    $password = mysql_query("SELECT username FROM `tbl_admin_users` WHERE username='$username' and password=md5('$password')"); //Again added single quotes
    if(mysql_num_rows($password) > 0)//password is correct
    {
      $_SESSION['auth']="yes";                    
      $_SESSION['logname'] = $email; //Just use $email here            
      header("Location: index.php");
      exit; //You should have an exit after a header('Location')
    }
    else //password is incorrect
    {

      $message="The email, '$email' 
                exists, but you have not entered the 
                correct password! Please try again.<br>";
    }
  }
  else  // username not found 
  {   
    $message = "The Login Name you entered does not 
                exist! Please try again.<br>";
  }
} //Another brace was missing here
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<link href="../style/2008.css" rel="stylesheet" type="text/css" />
</head>

<body>
<form name="login" method="post" action="login.php" onsubmit="return checkform()">
  <table>
<?php                                                  
if (isset($message))
{
  echo "<tr><td style='color: red' 
       colspan='2' align='center'>$message <br /></td></tr>";
}
?>
    <tr>
      <td>Username:</td><td><input name="username" type="text" size="30" /></td></tr>
  <tr><td>Password:</td><td><input name="password" type="password" size="30" /></td></tr>
  <tr><td><input type="hidden" name="submit" id="hiddenField" value="1"/></td>
  <td><input name="login2" type="submit" value="Login" class="button" /></td>
  </tr>
  </table>
</form>
    </body>
</html>

 

Any ideas where I have gone wrong?

 

Mark

Link to comment
Share on other sites

$password = mysql_query("SELECT username FROM `tbl_admin_users` WHERE username='$username' and password=md5('$password')");

 

You are defining your variable password here as a mysql function. But then you are telling the mysql function to use the variable password as the user's input. Does that make sense? Because it shouldn't.

Link to comment
Share on other sites

Many thanks for that, however I am still getting the same message.

<?php 
session_start();
include_once('includes/connector.php');
if($_POST['submit']) 
{
  foreach ($_POST as $key => $val) {
    $$key = mysql_real_escape_string($val); 
  } 

  //is the email already registered?
  $user = mysql_query("SELECT username FROM `tbl_admin_users` WHERE username='$username'"); //Added single quotes around $email
  if(mysql_num_rows($user) > 0) //login name was found
  { 
    //is the password correct
    $checkpassword = mysql_query("SELECT username FROM `tbl_admin_users` WHERE username='$username' and password=md5('$password')"); //Again added single quotes
    if(mysql_num_rows($checkpassword) > 0)//password is correct
    {
      $_SESSION['auth']="yes";                    
      $_SESSION['logname'] = $username; //Just use $email here            
      header("Location: index.php");
      exit; //You should have an exit after a header('Location')
    }
    else //password is incorrect
    {

      $message="The email, '$email' 
                exists, but you have not entered the 
                correct password! Please try again.<br>";
    }
  }
  else  // username not found 
  {   
    $message = "The Login Name you entered does not 
                exist! Please try again.<br>";
  }
} //Another brace was missing here
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<link href="../style/2008.css" rel="stylesheet" type="text/css" />
</head>

<body>
<form name="login" method="post" action="login.php" onsubmit="return checkform()">
  <table>
<?php                                                  
if (isset($message))
{
  echo "<tr><td style='color: red' 
       colspan='2' align='center'>$message <br /></td></tr>";
}
?>
    <tr>
      <td>Username:</td><td><input name="username" type="text" size="30" /></td></tr>
  <tr><td>Password:</td><td><input name="password" type="password" size="30" /></td></tr>
  <tr><td><input type="hidden" name="submit" id="hiddenField" value="1"/></td>
  <td><input name="login2" type="submit" value="Login" class="button" /></td>
  </tr>
  </table>
</form>
    </body>
</html>

Link to comment
Share on other sites

Your query is syntactically correct (tested) and is probably being executed. That means that the md5() of your password does not match what is in your table.

 

Echo the md5() of the password you are entering and then check directly in your database that the md5 values stored there is exactly the same.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.