[SOLVED] Login problem


web_master

Hi,

 

I've got a login problem: some users can log in, some don't

 

<?php 

// Connect to MySQL
include ( '../MySQLconnect.php' );
error_reporting ( E_ERROR );
@ini_set ( 'display_errors', '1' );

// username and password sent from form
$myusername = $_POST[ 'nick' ];
$mypassword = md5 ( $_POST[ 'password' ] );



// To protect MySQL injection
$myusername = stripslashes ( $myusername );
$mypassword = stripslashes ( $mypassword );
$myusername = mysql_real_escape_string ( $myusername );
$mypassword = mysql_real_escape_string ( $mypassword );

$sql = 'SELECT * FROM `user` WHERE `user_nick` = "' . $myusername . '" AND `user_password` = "' . $mypassword . '" AND `user_onoff` = "1" AND `user_delete` = "0" ';
$result = mysql_query( $sql );



$count = mysql_num_rows ( $result );
$UsrId = mysql_fetch_array ( $result );



if ( $count == '1' ) {



	session_register ( 'myusername' );
	session_register ( 'mypassword' );



	setcookie ( 'nick', $myusername, NULL );
	setcookie ( 'pass', $mypassword, NULL );
	setcookie ( 'user_id', $UsrId[ 'user_id' ], NULL );

	header ( 'location:IndexInput.php' );

} else {
	echo 'BAD login';
}
?>

 

If the names (or password) contain numbers, then I can't log in... :(

Thanks in advance!

 

T

Link to comment
Share on other sites

You should really be checking your SQL for errors.

You have double-quotes around your variables instead of single-quotes:

 

$sql = 'SELECT * FROM `user` WHERE `user_nick` = "' . $myusername . '" AND `user_password` = "' . $mypassword . '" AND `user_onoff` = "1" AND `user_delete` = "0" ';

 

should be:

 

$sql = "SELECT * FROM `user` WHERE `user_nick` = '" . $myusername . "' AND `user_password` = '" . $mypassword . "' AND `user_onoff` = 1 AND `user_delete` = 0 ";

Link to comment
Share on other sites

I'll try it, but it still doesn't work... :(

I'll check the login form too...

 

<form action="<?php echo 'CheckLogin.php';?>" method="post">
	<div class="LoginHead">
		<p class="LinkHead">Login</p></div>
	<div class="LoginLeft"><p class="LoginLeft"><label for="NickName">Nick:</label></p></div>
	<div class="LoginRight"><input type="text" id="NickName" name="nick" class="Login" /></div>

	<div class="LoginLeft"><p class="LoginLeft"><label for="PassWord">Password:</label></p></div>
	<div class="LoginRight"><input type="password" id="PassWord" name="password" class="Login" /></div>

	<div class="LoginLeft1"><!-- --></div>
	<div class="LoginRight1"><input type="submit" id="UserSubmit" name="user_submit" value="LOGIN" class="RegSubmit" /></div>
	<div class="ClearBoth"><!-- --></div>
</form>

Link to comment
Share on other sites

Read below for the solution to your issue; I also put some pointers as comments in the code:

 

<?php 

// Connect to MySQL
include ( '../MySQLconnect.php' );

// Shouldn't you do the error reporting before you include any files?
error_reporting ( E_ERROR );
@ini_set ( 'display_errors', '1' );

// username and password sent from form
$myusername = $_POST[ 'nick' ];
$mypassword = md5 ( $_POST[ 'password' ] );



// To protect MySQL injection
// You should really check if magic_quotes are on before you stripslashes.
// If they are not on, don't strip slashes.
$myusername = stripslashes ( $myusername );
// You do not need to stripslashes on an md5 hash
// $mypassword = stripslashes ( $mypassword );
$myusername = mysql_real_escape_string ( $myusername );
// You do not need to escape an md5 hash 
//$mypassword = mysql_real_escape_string ( $mypassword );

// The below statement is bad, because you are using double quotes to check data. 
// You should always use single quotes when testing SQL data.
//$sql = 'SELECT * FROM `user` WHERE `user_nick` = "' . $myusername . '" AND `user_password` = "' . $mypassword . '" AND `user_onoff` = "1" AND `user_delete` = "0" ';
$sql = "SELECT * FROM `user` WHERE `user_nick` = '" . $myusername . "' AND `user_password` = '" . $mypassword . "' AND `user_onoff` = '1' AND `user_delete` = '0'";
$result = mysql_query( $sql );



$count = mysql_num_rows ( $result );
$UsrId = mysql_fetch_array ( $result );



if ( $count == '1' ) {

	/* session_register is deprecated
	session_register ( 'myusername' );
	session_register ( 'mypassword' );
	*/
	$_SESSION['myusername'] = $myusername;
	$_SESSION['mypassword'] = $mypassword;

	setcookie ( 'nick', $myusername, NULL );
	// It is not a good idea to store passwords in a cookie; keep them in the session. This is a security vulnerability.
	// Instead, add a new column to the table, call it "sessionid", and store that in a cookie.
	// Then you can check the cookie's session id against the db and authenticate them with that, but this
	// needs to be a random hash and regenerated each time the user comes to the site.
	// setcookie ( 'pass', $mypassword, NULL );

	setcookie ( 'user_id', $UsrId[ 'user_id' ], NULL );

	header ( 'location:IndexInput.php' );

} else {
	echo 'BAD login';
}
?>

 

Fix the issues (with the exception of the passworded cookie) and it should run smoothly. The real problem was you were using double quotes ( " ) to test SQL data, when that is wrong. You need to use single quotes ( ' ) to test SQL data, as that is the proper syntax for it.

Link to comment
Share on other sites

OK, the problem is still the same: when I use, for example, ID 5, it's working, but when I use ID 3, where the username and password are different, then it doesn't work... maybe it's some problem in my php.ini on the local server? ... :(

Link to comment
Share on other sites

It sounds like the session/cookie data is carrying over, are you clearing that out before re-logging in?

 

I would add a check to your script, if there is already a user session/cookie data, such as the id in cookies, then do not log them in. Inform them they are already logged in and offer them a logout button.

Link to comment
Share on other sites

I clear all the cookies when I try to log in. As you see, when I log in with the same name and password, the cookie is OK

 

db1.jpg

Link to comment
Share on other sites

Ok so what is the issue? I guess I am not clear on what we are trying to solve here...

 

As a shot, from your original statement you said that if you login with a username that has a number in it, it does not log you in properly...correct? So the userid 6 and 4 are the ones causing you problems...correct?

 

Have you tried printing out data on the login form to make sure that correct data is being passed through and not getting garbled up?

If you are using sessions, do you have session_start set somewhere in your script (preferably near the top)?

Are you sure you are getting the correct return results from the SQL Query (print that out to test as well)?

 

Check those items and let me know, because as far as I can tell it "should" work unless we are not seeing something that you have left out or there is a new problem that needs to be explained/described...

Link to comment
Share on other sites

In the login file (form file) I've got this at the beginning of the script: <? session_start(); session_destroy();?>

After, when I send a post (in "check-file"), the username and password are (this is the id 3):

user: web_master

password: b4abde772d56a9d5fc743bb08e641dfb

 

oh... this is a problem!!!!

Why is the "md5" not the same in the database as when I post it and print it in "check-file"???

password in database: e2363bd3387f2c2c0bf0833ea043e4fe

Link to comment
Share on other sites

I do not think you need to call session_destroy in the way you are doing it. I would only call it on a logout.

As far as the md5 not being the same, chances are you have Magic_Quotes turned on. If that is the case you will either need to strip the slashes from the password first, or just disable magic quotes in your php.ini file since it is deprecated and this will cause you problems once you upgrade. A quick fix: strip_slashes on the password before hashing it.

Link to comment
Share on other sites

Look, what a mistake:

 

<?php 
// Insert into dBase
		$Query = mysql_query ( ' INSERT INTO `user` (
			`user_nick`,
			`user_password`,
			`user_email`,
			`user_firstname`,
			`user_name`,
			`user_gender`,
			`user_city`,
			`user_country`,
			`user_datetime`,
			`user_ip`,
			`user_host`
		) VALUES (
			"' . $_POST[ 'user_nick' ] . '",
			"' . md5 ( $_POST[ 'user_nick' ] ) . '", // HERE IS A PROBLEM
			"' . $_POST[ 'user_email' ] . '",
			"' . $_POST[ 'user_firstname' ] . '",
			"' . $_POST[ 'user_name' ] . '",
			"' . $_POST[ 'user_gender' ] . '",
			"' . $_POST[ 'user_city' ] . '",
			"' . $_POST[ 'user_country' ] . '",
			"' . date( 'Y-m-d H:i:s' ) . '",
			"' . getenv( 'REMOTE_ADDR' ) . '",
			"' . gethostbyaddr( getenv( 'REMOTE_ADDR' ) ) . '"
		) ' );
?>

Link to comment
Share on other sites
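
An added example, not code from any poster in this thread: the registration and login queries from the posts above rewritten with PDO prepared statements and password_hash()/password_verify() in place of string concatenation and md5(). It assumes an in-memory SQLite database and constructed sample accounts so it runs stand-alone; the function names registerUser and checkLogin are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed demo database: in-memory SQLite standing in for the thread's MySQL `user` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (
    user_id INTEGER PRIMARY KEY,
    user_nick TEXT UNIQUE NOT NULL,
    user_password TEXT NOT NULL,
    user_onoff INTEGER NOT NULL DEFAULT 1,
    user_delete INTEGER NOT NULL DEFAULT 0)');

// Hypothetical helper: stores a salted, slow hash of the password (not of the nick).
function registerUser(PDO $db, string $nick, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep form input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO user (user_nick, user_password) VALUES (:nick, :hash)');
    $stmt->execute([':nick' => $nick, ':hash' => $hash]);
    return (int) $db->lastInsertId();
}

// Hypothetical helper: returns the user id on success, null on any failure.
function checkLogin(PDO $db, string $nick, string $password): ?int
{
    $stmt = $db->prepare('SELECT user_id, user_password FROM user
        WHERE user_nick = :nick AND user_onoff = 1 AND user_delete = 0');
    $stmt->execute([':nick' => $nick]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-derives the hash using the salt stored inside it.
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return null;
    }
    return (int) $row['user_id'];
}

// Constructed sample account with digits and quote characters in the input.
$id = registerUser($db, 'web_master3', 'pa55"word\'1');
var_dump(checkLogin($db, 'web_master3', 'pa55"word\'1') === $id); // correct password
var_dump(checkLogin($db, 'web_master3', 'web_master3'));          // nick used as password
var_dump(checkLogin($db, "x' OR '1'='1", 'anything'));            // quote-laden nick
```

On a successful login, call session_regenerate_id(true) and keep only the user id in $_SESSION; neither the password nor its hash belongs in a cookie.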

lol, yea that would do it :) Hashing the nick over the password.

 

Well at least you got it figured out and learned some new tips along the way :)

 

Yes, I do, I learn - but sometimes, when you work long, mistakes like this are possible... :(

Thanks for your wasted time!

Link to comment
Share on other sites
