brandon99919 Posted June 9, 2009

Every time I try to login it always says that the password is incorrect. I've checked the code and I can't find anything wrong with it. And yes I did type the exact password <.< :-\

Here's the code:

```php
<div align='center'>
<b>login</b>
<hr size='1px' width='70%' color='#000000' />
<?php
//If the user is logged in
if (isset($_COOKIE['userid'])) {
    echo "You are already logged in...";
} else {
?>
<?php
    //If the form has been submitted
    if (isset($_POST['Login'])) {
        //Makes sure the form fields have been filled
        if (!$_POST['username'] | !$_POST['pass']) {
            $message = "You did not fill in the required field(s).<br />";
        }
        $check = mysql_query("SELECT * FROM users WHERE username = '" . $_POST['username'] . "'") or die(mysql_error());
        //Gives an error if the user doesn't exist
        $check2 = mysql_num_rows($check);
        if ($check2 == 0) {
            $message .= "The specified username you entered doesn't exist in our database.<br />";
        }
        while ($info = mysql_fetch_array($check)) {
            if (empty($_POST['pass'])) {
                $_POST['pass'] = 0;
            } else {
                $_POST['pass'] = stripslashes($_POST['pass']);
                $info['password'] = stripslashes($info['password']);
                $_POST['pass'] = md5($_POST['pass']);
            }
            //Gives an error if the password was wrong
            if (($_POST['pass'] != $info['password']) && ($_POST['pass'] != 0)) {
                $message .= "The password you entered was incorrect.<br />";
                break;
            } else {
                if (empty($message)) {
                    $username = $_POST['username'];
                    //Add the cookie
                    $_POST['username'] = stripslashes($_POST['username']);
                    $hour = time() + 3600;
                    setcookie(userid, $_POST['username'], $hour);
                    setcookie(pass, $_POST['pass'], $hour);
                    //Echoes out the success message
                    echo "
<table align='center' width='275px' style='border: 1px solid Black; background-color: AliceBlue; font-family: Verdana; font-size: 10px; border-top: none;'>
<tr><td>
Welcome back <b>$username</b>!<br />
You have successfully logged in.<br />
<a href='index.php'>Click here</a> to continue to the rpg.
</td></tr>
</table>
";
                }
            }
        }
        if (!empty($message)) {
            echo $message;
        }
    } else {
?>
<form method="post" action="index.php?page=login">
<table frame="void" align="center" style="font-family: Verdana; font-size: 10px;">
<tr><td>
<b>Username:</b>
<center><input type="text" name="username" maxlength="25" /></center>
</td></tr>
<tr><td>
<b>Password:</b>
<center><input type="password" name="pass" maxlength="25" /></center>
</td></tr>
<tr><td>
<center><input type="submit" name="Login" value="Login" /></center>
</td></tr>
</table>
</form>
<?php
    }
?>
<?php
}
?>
</div>
```
redarrow Posted June 9, 2009

Is the password in the database md5 properly?
Stephen Posted June 9, 2009

Besides the script being unsafe, make sure that the column name in the table is "password", the name of the input for the password is "pass", and they're encrypted the same way.
brandon99919 (Author) Posted June 9, 2009

Yeah, it is.
xtopolis Posted June 9, 2009

I doubt this is part of the problem, but why are you using stripslashes on a password when you're just going to md5 it?
brandon99919 (Author) Posted June 9, 2009

So get rid of the stripslashes?
xtopolis Posted June 9, 2009

md5 returns an alphanumeric string. Only letters and numbers. stripslashes is unnecessary here.

Your other inputs, however, could use some sanitizing. $_POST['username'] should later be: mysql_real_escape_string($_POST['username']);

First, try outputting the results of the form to your screen (print out the username and the md5 version of the password as it is when you submit the form). Then copy that directly into mysql / phpmyadmin and test the query. This way you can help determine where your problem is.

Secondly, you may want to restructure your code. You have several points where it continues processing even though the result will be a failed login. The first occurrence is when you check if the fields have been entered (!$_POST['username'] | !$_POST['password']). I recommend changing ! => empty to read as: if(empty($_POST['username']) | empty($_POST['password'])) ... and if they are, don't even bother doing anything else because it's a waste of processing. This is seen again when you check how many rows matched ($check2). Obviously if the username doesn't exist, a password won't match... so don't even bother processing further.

Lastly, you may want to keep the error message ($message) separate from "is allowed" (you check if empty($message) to determine if the login is successful). Perhaps have a separate boolean to check if login was successful, set after the database result.

Overall a good start, but I think you're limiting yourself by sending HTML output and then doing processing.
brandon99919 (Author) Posted June 9, 2009

Thanks for the help. I found the error while printing out the username and pass when I submitted the form. At first, it displayed the alphanumeric representation of the real pass (md5 encryption). So I tried getting rid of the md5 and now it works fine.
xtopolis Posted June 9, 2009

FYI, you should never store the true password, store the hashed version instead. But whatever works for you. Mark this solved if you're satisfied.
brandon99919 (Author) Posted June 9, 2009

I only got rid of the md5 in the login script, not the register script which stores the encrypted pass instead of the real pass. Thanks again for the help. Solved.
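
The restructuring xtopolis describes in the thread (stop at the first failed check, keep the login result separate from the error message, store only a hash), written out as an added example that is not part of any post. It goes beyond the posts by using a PDO bound parameter in place of escaping and `password_hash()`/`password_verify()` in place of `md5()`; the function name `attempt_login`, the table layout and the sample users are assumptions.

```php
<?php
// Added example: not the original poster's script. The table layout and the
// names (users.username, users.password_hash, attempt_login) are assumptions.

// Returns the user's id on success, or null on any failure.
function attempt_login(PDO $db, string $username, string $password): ?int
{
    // Stop early: an empty field can never be a valid login.
    if ($username === '' || $password === '') {
        return null;
    }

    // Bound parameter: the username is sent as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: nothing further to check.
    if ($row === false) {
        return null;
    }

    // password_verify() re-derives the salted hash and compares in constant time.
    return password_verify($password, $row['password_hash']) ? (int) $row['id'] : null;
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],   // valid login
    ['alice', 'wrong'],           // bad password
    ['alice', ''],                // empty field, rejected before any query
    ["alice' --", 'anything'],    // quote in the username is treated as data
];
foreach ($attempts as [$user, $pass]) {
    $id = attempt_login($db, $user, $pass);
    // One message for every failure, so the form does not reveal which usernames exist.
    echo str_pad($user, 12), $id !== null ? "logged in as user $id" : 'Invalid username or password', "\n";
}
```

In the web page, a non-null result would be stored in `$_SESSION` after `session_regenerate_id(true)`, in place of the `userid` and `pass` cookies the original script sets.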