dean7 Posted November 14, 2009

Hi all, I have coded a login script which I'm thinking all works, but just one thing isn't.

```php
<html>
<head>
<title>Login || ***-********</title>
</head>
<body>
<style type="text/css">
.login{
    border: 1px;
    background-color: #676767;
    font-size: small;
    font-family: sans-serif;
    border: black;
    border: double;
}
.main {
    background-color: silver;
    border: black;
    border: double;
}
</style>
<div class="main">
<table class="login" align="center">
<form action="" method="POST" name="login">
<tr>
<td> Username : <input type="text" name="user" id="user" maxlength="25" /> </td>
</tr>
<tr>
<td> Password : <input type="password" name="pass" id="pass" /> </td>
</tr>
<tr>
<td> <input type="submit" name="submit" id="submit" value="Login" /> </td>
</tr>
</form>
</table>
</div>
</body>
</html>
<?php
include ("config.php");
if (isset($_POST['submit'])){
    if(empty($_POST['user'])) {
        die('Username field was blank.');
    }
    if(empty($_POST['pass'])) {
        die('Password field was blank.');
    }
    $user = mysql_escape_string($_POST['user']);
    $pass = mysql_escape_String(md5($_POST['pass'])); // Info they posted
    $find = mysql_query("SELECT * FROM users WHERE username = '$user' AND password = '$pass'");
    $nums = mysql_fetch_array($find); // get the users information
    if ($nums['password'] != $pass) {
        echo ("Password Is Incorrect!"); // check the passwords.
    } else {
        $query = mysql_query("SELECT * FROM users WHERE username = '$username'") or die("MySQL Error " . mysql_error());
        $user = mysql_fetch_array($query);
        echo ("<meta http-equiv=\"Refresh\" content=\"0; URL=http://***********.com/index2.php\"/>Thank You! You will be redirected");
    }
}
/**
 * @********
 * @copyright Of ******* 2009
 */
?>
```

When a user puts the correct username with the correct password it says the password is wrong although they are actually right... Anyone know why? Thanks.

mrMarcus Posted November 14, 2009

it's mysql_real_escape_string(), not mysql_escape_string(); mysql_escape_string() has been deprecated as of v5.3, and removed as of 6.0

change this:

```php
$pass = mysql_escape_String(md5($_POST['pass']));
```

to this:

```php
$pass = md5($_POST['pass']);
```

and fix your $user to adhere to the first line of this post.

EDIT: and use header() instead of a meta refresh.

```php
header ('Location: http://***********.com/index2.php');
exit (0);
```

dean7 Posted November 14, 2009

When you say "$user to adhere", what do you mean?

mrMarcus Posted November 14, 2009

change:

```php
$user = mysql_escape_string($_POST['user']);
```

to:

```php
$user = mysql_real_escape_string($_POST['user']);
```

dean7 Posted November 14, 2009

Thanks for pointing out the mysql_real_escape_string(), but it's still saying incorrect passwords when they're right. :S

mrMarcus Posted November 14, 2009

do the passwords in the database have md5() hashing on them?

EDIT: you are getting this error: "Password Is Incorrect!" ?

PFMaBiSmAd Posted November 14, 2009

When any kind of comparison fails, in this case it is a WHERE clause in a query, you must troubleshoot why it is failing. Look directly in your database table using your favorite database management tool and confirm that the username you are entering is correct and that the value from md5($_POST['pass']) matches exactly, down to the last character, what is stored in the table.

dean7 Posted November 14, 2009

> do the passwords in the database have md5() hashing on them?
>
> EDIT: you are getting this error: "Password Is Incorrect!" ?

Erm, not sure, I think so... But what I've done is just made a new table with the users' info on, then when a password from the register page gets inserted it goes to md5.

mrMarcus Posted November 14, 2009

when you look at the password field(s) in the db, do the password(s) look like this: 1edb8f16abbe8c984ab6e417a587b342 ? or are they normal text unhashed passwords?

dean7 Posted November 14, 2009

Sorted it... Where I put `$pass = md5($POST['password'];` I just had to remove the md5. Now letting me login, with password being hashed.

PFMaBiSmAd Posted November 14, 2009

> not sure, I think so..

Please take this in a humorous way, but neither of those statements are 'programming' terms. Computers only do exactly what their code and data tells them to do, so "I'm not sure" and "I think so" don't work in programming. You must be sure and you must know what your code is doing with your data.

mrMarcus Posted November 14, 2009

> Sorted it... Where I put `$pass = md5($POST['password'];` I just had to remove the md5. Now letting me login, with password being hashed.

i'm not following. you removed the hashing, but it's letting you login with hashing? if you remove the md5() hashing from your post variable, the value going to the db will not be hashed.

it's a very simple process. when a user registers, hash their password going into the db. then, when they are logging in, hash the password coming in from the form submission, and check the two hashed passwords against each other.

do not remove the hashing.

dean7 Posted November 14, 2009

> > Sorted it... Where I put `$pass = md5($POST['password'];` I just had to remove the md5. Now letting me login, with password being hashed.
>
> i'm not following. you removed the hashing, but it's letting you login with hashing? if you remove the md5() hashing from your post variable, the value going to the db will not be hashed.
>
> it's a very simple process. when a user registers, hash their password going into the db. then, when they are logging in, hash the password coming in from the form submission, and check the two hashed passwords against each other.
>
> do not remove the hashing.

It did work then it didn't lol, but now it's working with the md5 in place.

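The register-then-verify flow described in the thread, as an added example that is not part of any post: it replaces the mysql_* functions (removed in PHP 7) and unsalted md5() with PDO prepared statements and password_hash()/password_verify(). The in-memory SQLite database, the function names and the sample account are assumptions; the users table with username and password columns follows the thread.

```php
<?php
// Added example, not code from the thread.
// Assumptions: in-memory SQLite stands in for the MySQL database, and the
// function names open_db/register_user/check_login are hypothetical.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The password column must hold the whole hash string; a column that is
    // too short silently truncates it and every later comparison fails.
    $db->exec('CREATE TABLE users (
        username VARCHAR(25) PRIMARY KEY,
        password VARCHAR(255) NOT NULL
    )');
    return $db;
}

function register_user(PDO $db, string $user, string $pass): void
{
    // Salted, deliberately slow hash; algorithm and cost are stored in the string.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

function check_login(PDO $db, string $user, string $pass): bool
{
    // Look the row up by username only; bound parameters replace manual escaping,
    // and the submitted password never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user: same answer as a wrong password
    }
    // Re-derives the hash from the stored salt and compares the two.
    return password_verify($pass, $stored);
}

// Constructed sample data.
$db = open_db();
register_user($db, 'alice', 'correct horse');
var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, 'alice', 'wrong password'));
var_dump(check_login($db, 'nobody', 'anything'));
```

After a successful check, the redirect is sent with header('Location: ...') followed by exit, which only works if no HTML has been output before the PHP block.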