[SOLVED] login script


brandon99919

Every time I try to log in it always says that the password is incorrect. I've checked the code and I can't find anything wrong with it. And yes I did type the exact password <.<  :-\

 

Here's the code:


<div align='center'>
<b>login</b>
<hr size='1px' width='70%' color='#000000' />
<?php
//If the user is logged in
if (isset($_COOKIE['userid'])) {
echo "You are already logged in...";
} else {
?>
<?php
//If the form has been submitted
if (isset($_POST['Login'])) {

//Makes sure the form fields have been filled
if (!$_POST['username'] | !$_POST['pass']) {
$message = "You did not fill in the required field(s).<br />";
}
$check = mysql_query("SELECT * FROM users WHERE username = '" . $_POST['username'] . "'") or die(mysql_error());

//Gives an error if the user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
$message .= "The specified username you entered doesn't exist in our database.<br />";
}

while ($info = mysql_fetch_array($check)) {
if (empty($_POST['pass'])) {
$_POST['pass'] = 0;
}
else {
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);
}

//Gives an error if the password was wrong
if (($_POST['pass'] != $info['password']) && ($_POST['pass'] != 0)) {
$message .= "The password you entered was incorrect.<br />";
break;
}
else {
if (empty($message)) {
$username = $_POST['username'];
//Add the cookie
$_POST['username'] = stripslashes($_POST['username']); 
$hour = time() + 3600; 
setcookie('userid', $_POST['username'], $hour);
setcookie('pass', $_POST['pass'], $hour);

//Echoes out the success message
echo "
<table align='center' width='275px' style='border: 1px solid Black; background-color: AliceBlue; font-family: Verdana; font-size: 10px; 					border-top: none;'>
<tr><td>
Welcome back <b>$username</b>!<br />
You have successfully logged in.<br />
<a href='index.php'>Click here</a> to continue to the rpg.
</td></tr>
</table>
";
}
}
}
if (!empty($message)) {
echo $message;
}
}
else {
?>

<form method="post" action="index.php?page=login">
<table frame="void" align="center" style="font-family: Verdana; font-size: 10px;">
<tr><td>
<b>Username:</b> <center><input type="text" name="username" maxlength="25" /></center>
</td></tr>
<tr><td> 
<b>Password:</b> <center><input type="password" name="pass" maxlength="25" /></center>
</td></tr>
<tr><td>
<center><input type="submit" name="Login" value="Login" /></center>
</td></tr>
</table>
</form>

<?php
}
?>

<?php 
}
?>
</div>


md5 returns an alphanumeric string.  Only letters and numbers.  stripslashes is unnecessary here.

 

Your other inputs, however, could use some sanitizing.  $_POST['username'] should later be: mysql_real_escape_string($_POST['username']);

 

First, try outputting the results of the form to your screen.  (print out the username and the md5 version of the password as it is when you submit the form).  Then copy that directly into mysql / phpmyadmin and test the query.  This way you can help determine where your problem is.

 

Secondly, you may want to restructure your code.  You have several points where it continues processing even though the result will be a failed login.  The first occurrence is when you check if the fields have been entered (!$_POST['username'] | !$_POST['password']).  I recommend changing ! => empty to read as: if(empty($_POST['username']) | empty($_POST['password'])) ...  and if they are, don't even bother doing anything else because it's a waste of processing.

 

This is seen again when you check how many rows matched ($check2).  Obviously if the username doesn't exist, a password won't match... so don't even bother processing further.

 

Lastly, you may want to keep the error message ($message) separate from "is allowed" (you check if empty($message) to determine if the login is successful).  Perhaps have a separate boolean to check if login was successful, set after the database result.

 

Overall a good start, but I think you're limiting yourself by sending HTML output and then doing processing.


Thanks for the help  ;D I found the error while printing out the username and pass when I submitted the form. At first, it displayed the alphanumeric representation of the real pass (md5 encryption). So I tried getting rid of the md5 and now it works fine.  :)
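
The restructuring suggested in the reply above, together with the comparison mismatch found in the last post, as an added example that is not code from any poster in this thread: each check returns early, the username goes into a bound PDO parameter instead of the query string, and success is a boolean kept separate from the message. It assumes a users table with the thread's username and password columns, where password holds password_hash() output rather than plain text or bare md5; attempt_login and the demo data are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes users(username, password)
// with the password column holding password_hash() output.

/** Returns [bool $ok, string $message]; stops at the first failed check. */
function attempt_login(PDO $db, array $post): array
{
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['pass'] ?? '');

    // 1. Missing fields: stop before touching the database.
    if ($username === '' || $password === '') {
        return [false, 'You did not fill in the required field(s).'];
    }

    // 2. Bound parameter: the username is never concatenated into the SQL,
    //    so quotes in it are data, not query syntax.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no row matched

    // 3. Stored and submitted values are compared in the same representation:
    //    password_verify() re-hashes the input with the salt kept in $hash.
    //    Unknown user and wrong password share one message (a choice made
    //    here so the form does not reveal which usernames exist).
    if ($hash === false || !password_verify($password, $hash)) {
        return [false, 'The username or password you entered was incorrect.'];
    }
    return [true, 'Welcome back ' . htmlspecialchars($username) . '!'];
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['demo_user', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['username' => 'demo_user', 'pass' => 'correct horse'], // matching pair
    ['username' => 'demo_user', 'pass' => 'wrong'],         // bad password
    ['username' => "o'brien",   'pass' => 'anything'],      // quote in the name
    ['username' => '',          'pass' => ''],              // empty form
];
foreach ($attempts as $post) {
    [$ok, $message] = attempt_login($db, $post);
    echo ($ok ? 'OK   ' : 'FAIL ') . $message . PHP_EOL;
}
```

The function sets no cookie; the caller decides how to record a successful login, and neither the password nor its hash needs to leave the server for that.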
