login form can you find my error?

[chris_s_22]

registrationform.php seems fine send data to registration.php

registration.php seems fine checks all data then send it to function.php

connection.php does its job and connects to database also calls function.php

function.php puts data into database and send confirmation email

link in email if pressed sends data to database

 

ok so far so good everything doing what i wanted it to do

 

loginform.php seems fine sends data to login.php

 

heres the code of login.php

<?php
include 'Connect.php';

if(!isset($_POST[submit]))
{
     include 'index.php';
     exit;
}
else
{
if (empty($_POST['username']) || empty($_POST['password']))// Check if any of the fields are missing
{
    	$loginempty_error = 'One or more fields missing';
    	include 'index.php';
    	exit;
}
//CHECKS USERNAME
if(!preg_match("/^[a-z\d]{5,12}$/i", $_POST[username]))
{
    	$userlogin_error = "Invalid username please check and type carefully!<br />";
	include 'index.php';
    	exit;  
}
//CHECKS PASSWORD
if(!preg_match("/^[a-z\d]{5,12}$/i", $_POST[password]))
{
    	$passlogin_error = "Invalid password please check and type carefully!<br />";
	include 'index.php';
    	exit;  
}

// Try and login with the given username & pass
     $result = user_login($_POST['username'], $_POST['password']);

     if ($result != 'Correct')
     {
          // Reshow the form with the error
          $login_error = $result;
          include 'index.php';
     }
     else
     {
         // direct to homepage
          include 'index.php';
	  exit;
     } 
}

?>

 

heres my function.php

<?php
// Salt Generator
function user_login($username, $password)
{
     // Try and get the salt from the database using the username
     $query = "select salt from members where username='$username' limit 1";
     $result = mysql_query($query);
     $user = mysql_fetch_array($result);

     // Using the salt, encrypt the given password to see if it 
     // matches the one in the database
     $encrypted_pass = md5(md5($password).$user['salt']);

     // Try and get the user using the username & encrypted pass
     $query = "select id, username from members where username='$username' and password='$encrypted_pass'";
     $result = mysql_query($query);
     $user = mysql_fetch_array($result);
     $numrows = mysql_num_rows($result);

     // Now encrypt the data to be stored in the session
     $encrypted_id = md5($user['id']);
     $encrypted_name = md5($user['username']);

     // Store the data in the session
     $_SESSION['id'] = $id;
     $_SESSION['username'] = $username;
     $_SESSION['encrypted_id'] = $encrypted_id;
     $_SESSION['encrypted_name'] = $encrypted_name;

    if ($numrows == 1)
    {
        return 'Correct';
    }
    else
    {
        return false;
    }
}

function user_logout()
{
     // End the session and unset all vars
     session_unset ();
     session_destroy ();
}

function is_authed()
{
     // Check if the encrypted username is the same
     // as the unencrypted one, if it is, it hasn't been changed
     if (isset($_SESSION['username']) && (md5($_SESSION['username']) == $_SESSION['encrypted_name']))
     {
          return true;
     }
     else
     {
          return false;
     }
}

?>

 

when i type a username and password that i know is in database and is correct

it shows index.php with $login_error

why is this?

[PFMaBiSmAd]

it shows index.php with $login_error

 

Does it literally display the string $login_error, or does it display a zero (which is what the FALSE value you return and assign to $login_error should display as.)

 

Best guess is that index.php contains a error in the code and we would need to see the code responsible for displaying the value that is in index.php.

[chris_s_22]

is this what you want to check this is whats with the form to display the error

<?php if (isset($login_error )) {    ?>There was an error: <?php echo $login_error ;     ?> please try again.<?php } ?>

 

so when i try log in with correct details it outputs this

 

There was an error: please try again.

 

i want it to take me to the home.php if correct details are entered

 

home.php contains

<?php
include 'Connect.php';
if (!is_authed()) 
{
     die ('You are not permitted to view this page, <a href="index.php">click here</a> to go back.');
}
else
{
// Restricted articles code here
echo "welcome";
}
?>

 

 

[PFMaBiSmAd]

According to the symptoms, user_login() is taking a path that causes the following line of code to be executed, implying that $numrows is not equal to 1 -

       return false;

 

You would need to troubleshoot why your code is causing $numrows to have a value different than what you expect.

[chris_s_22]

yes i totally understand that

 

I just cant not figure out why. i have read my code a few times everything seems fine.

 

i need fresh eyes looking over it knowing me its something so simple

[PFMaBiSmAd]

It's not a matter of reading your code. It is a matter of investigating what your code is doing when it executes on your server and with the data values you are putting into it and what data is in your database. No one but you can do that because it requires access to your server and your code on your server.

 

Does the $query variable have values in it that match what is in your database?

 

Is the query being executed with no mysql errors? What value does $result have after the query is executed? A FALSE or a result resource? What does echoing mysql_error() show?