web_master Posted November 16, 2009 Share Posted November 16, 2009 Hi, I got some login problem, some users can login, some dont <?php // Connect to MySQL include ( '../MySQLconnect.php' ); error_reporting ( E_ERROR ); @ini_set ( 'display_errors', '1' ); // username and password sent from form $myusername = $_POST[ 'nick' ]; $mypassword = md5 ( $_POST[ 'password' ] ); // To protect MySQL injection $myusername = stripslashes ( $myusername ); $mypassword = stripslashes ( $mypassword ); $myusername = mysql_real_escape_string ( $myusername ); $mypassword = mysql_real_escape_string ( $mypassword ); $sql = 'SELECT * FROM `user` WHERE `user_nick` = "' . $myusername . '" AND `user_password` = "' . $mypassword . '" AND `user_onoff` = "1" AND `user_delete` = "0" '; $result = mysql_query( $sql ); $count = mysql_num_rows ( $result ); $UsrId = mysql_fetch_array ( $result ); if ( $count == '1' ) { session_register ( 'myusername' ); session_register ( 'mypassword' ); setcookie ( 'nick', $myusername, NULL ); setcookie ( 'pass', $mypassword, NULL ); setcookie ( 'user_id', $UsrId[ 'user_id' ], NULL ); header ( 'location:IndexInput.php' ); } else { echo 'BAD login'; } ?> If the names (or password) contain numbers, than I can't login... Thanks in advanced! T Quote Link to comment Share on other sites More sharing options...
web_master Posted November 16, 2009 Author Share Posted November 16, 2009 I found the "anotther" problem - if the nick and password is different, login dont work Quote Link to comment Share on other sites More sharing options...
mrMarcus Posted November 16, 2009 Share Posted November 16, 2009 you should really be checking your SQL for errors. you have double-quotes around your variables instead of single-quotes: $sql = 'SELECT * FROM `user` WHERE `user_nick` = "' . $myusername . '" AND `user_password` = "' . $mypassword . '" AND `user_onoff` = "1" AND `user_delete` = "0" '; should be: $sql = "SELECT * FROM `user` WHERE `user_nick` = '" . $myusername . "' AND `user_password` = '" . $mypassword . "' AND `user_onoff` = 1 AND `user_delete` = 0 " Quote Link to comment Share on other sites More sharing options...
web_master Posted November 16, 2009 Author Share Posted November 16, 2009 you should really be checking your SQL for errors. you have double-quotes around your variables instead of single-quotes: $sql = 'SELECT * FROM `user` WHERE `user_nick` = "' . $myusername . '" AND `user_password` = "' . $mypassword . '" AND `user_onoff` = "1" AND `user_delete` = "0" '; should be: $sql = "SELECT * FROM `user` WHERE `user_nick` = '" . $myusername . "' AND `user_password` = '" . $mypassword . "' AND `user_onoff` = 1 AND `user_delete` = 0 " Ill try it but still dont work ... ill check the loginf form too... <form action="<?php echo 'CheckLogin.php';?>" method="post"> <div class="LoginHead"> <p class="LinkHead">Login</p></div> <div class="LoginLeft"><p class="LoginLeft"><label for="NickName">Nick:</label></p></div> <div class="LoginRight"><input type="text" id="NickName" name="nick" class="Login" /></div> <div class="LoginLeft"><p class="LoginLeft"><label for="PassWord">Password:</label></p></div> <div class="LoginRight"><input type="password" id="PassWord" name="password" class="Login" /></div> <div class="LoginLeft1"><!-- --></div> <div class="LoginRight1"><input type="submit" id="UserSubmit" name="user_submit" value="LOGIN" class="RegSubmit" /></div> <div class="ClearBoth"><!-- --></div> </form> Quote Link to comment Share on other sites More sharing options...
mrMarcus Posted November 16, 2009 Share Posted November 16, 2009 do the usernames and passwords in the db contain numbers? are you sure? Quote Link to comment Share on other sites More sharing options...
web_master Posted November 16, 2009 Author Share Posted November 16, 2009 do the usernames and passwords in the db contain numbers? are you sure? here is the detail of the db id 2 and id 5 is working, because its a user and pass is a same Quote Link to comment Share on other sites More sharing options...
premiso Posted November 16, 2009 Share Posted November 16, 2009 Read below for solution to your issue also I put some pointers commented in the code: <?php // Connect to MySQL include ( '../MySQLconnect.php' ); // Shouldnt you do the error reporting before you include any files? error_reporting ( E_ERROR ); @ini_set ( 'display_errors', '1' ); // username and password sent from form $myusername = $_POST[ 'nick' ]; $mypassword = md5 ( $_POST[ 'password' ] ); // To protect MySQL injection // You should really check if magic_quotes are on before you stripslashes. // If they are not on, dont strip slashes. $myusername = stripslashes ( $myusername ); // You do not need to stripslashes on an md5 hash // $mypassword = stripslashes ( $mypassword ); $myusername = mysql_real_escape_string ( $myusername ); // You do not need to escape an md5 hash //$mypassword = mysql_real_escape_string ( $mypassword ); // The below statement is bad, because you are using double quotes to check data. // You should always use single quotes when testing SQL data. //$sql = 'SELECT * FROM `user` WHERE `user_nick` = "' . $myusername . '" AND `user_password` = "' . $mypassword . '" AND `user_onoff` = "1" AND `user_delete` = "0" '; $sql = "SELECT * FROM `user` WHERE `user_nick` = '" . $myusername . "' AND `user_password` = '" . $mypassword . "' AND `user_onoff` = '1' AND `user_delete` = '0'"; $result = mysql_query( $sql ); $count = mysql_num_rows ( $result ); $UsrId = mysql_fetch_array ( $result ); if ( $count == '1' ) { /*session_register is depreciated session_register ( 'myusername' ); session_register ( 'mypassword' ); */ $_SESSION['myusername'] = $myusername; $_SESSION['mypassword'] = $mypassword setcookie ( 'nick', $myusername, NULL ); // It is not a good idea to store passwords in a cookie, keep them in session this is a security vunerability. // instead add a new column to the table call it "sessionid" and store that in a cookie // then you can check the cookies session id to the db and authenticate them with that, but this // needs to be a random hash and regenerated each time the user comes to the site. // setcookie ( 'pass', $mypassword, NULL ); setcookie ( 'user_id', $UsrId[ 'user_id' ], NULL ); header ( 'location:IndexInput.php' ); } else { echo 'BAD login'; } ?> Fix the issues (with the exception of the passworded cookie) it should run smooth. The real problem was you were using double quotes ( " ) to test SQL data, when that is wrong. You need to use single quotes ( ' ) to test SQL data, as that is the proper syntax for it. Quote Link to comment Share on other sites More sharing options...
web_master Posted November 16, 2009 Author Share Posted November 16, 2009 Read below for solution to your issue also I put some pointers commented in the code: <?php // Connect to MySQL include ( '../MySQLconnect.php' ); // Shouldnt you do the error reporting before you include any files? error_reporting ( E_ERROR ); @ini_set ( 'display_errors', '1' ); // username and password sent from form $myusername = $_POST[ 'nick' ]; $mypassword = md5 ( $_POST[ 'password' ] ); // To protect MySQL injection // You should really check if magic_quotes are on before you stripslashes. // If they are not on, dont strip slashes. $myusername = stripslashes ( $myusername ); // You do not need to stripslashes on an md5 hash // $mypassword = stripslashes ( $mypassword ); $myusername = mysql_real_escape_string ( $myusername ); // You do not need to escape an md5 hash //$mypassword = mysql_real_escape_string ( $mypassword ); // The below statement is bad, because you are using double quotes to check data. // You should always use single quotes when testing SQL data. //$sql = 'SELECT * FROM `user` WHERE `user_nick` = "' . $myusername . '" AND `user_password` = "' . $mypassword . '" AND `user_onoff` = "1" AND `user_delete` = "0" '; $sql = "SELECT * FROM `user` WHERE `user_nick` = '" . $myusername . "' AND `user_password` = '" . $mypassword . "' AND `user_onoff` = '1' AND `user_delete` = '0'"; $result = mysql_query( $sql ); $count = mysql_num_rows ( $result ); $UsrId = mysql_fetch_array ( $result ); if ( $count == '1' ) { /*session_register is depreciated session_register ( 'myusername' ); session_register ( 'mypassword' ); */ $_SESSION['myusername'] = $myusername; $_SESSION['mypassword'] = $mypassword setcookie ( 'nick', $myusername, NULL ); // It is not a good idea to store passwords in a cookie, keep them in session this is a security vunerability. // instead add a new column to the table call it "sessionid" and store that in a cookie // then you can check the cookies session id to the db and authenticate them with that, but this // needs to be a random hash and regenerated each time the user comes to the site. // setcookie ( 'pass', $mypassword, NULL ); setcookie ( 'user_id', $UsrId[ 'user_id' ], NULL ); header ( 'location:IndexInput.php' ); } else { echo 'BAD login'; } ?> Fix the issues (with the exception of the passworded cookie) it should run smooth. The real problem was you were using double quotes ( " ) to test SQL data, when that is wrong. You need to use single quotes ( ' ) to test SQL data, as that is the proper syntax for it. OK, the problem is still same, when I use for example ID 5, it's working, but when I use ID 3, where is username and password different, than don't work... maybe its some problem in my php.ini on local server? ... Quote Link to comment Share on other sites More sharing options...
premiso Posted November 16, 2009 Share Posted November 16, 2009 It sounds like the session/cookie data is carrying over, are you clearing that out before re-logging in? I would add a check to your script, if there is already a user session/cookie data, such as the id in cookies, then do not log them in. Inform them they are already logged in and offer them a logout button. Quote Link to comment Share on other sites More sharing options...
web_master Posted November 16, 2009 Author Share Posted November 16, 2009 It sounds like the session/cookie data is carrying over, are you clearing that out before re-logging in? I would add a check to your script, if there is already a user session/cookie data, such as the id in cookies, then do not log them in. Inform them they are already logged in and offer them a logout button. I clear all the cookies, when I try to login, as You see, when I login with same name and password, the cookie is OK Quote Link to comment Share on other sites More sharing options...
premiso Posted November 16, 2009 Share Posted November 16, 2009 I clear all the cookies, when I try to login, as You see, when I login with same name and password, the cookie is OK Ok so what is the issue? I guess I am not clear on what we are trying to solve here... As a shot, from your original statement you said that if you login with a username that has a number in it, it does not log you in properly...correct? So the userid 6 and 4 are the ones causing you problems...correct? Have you tried printing out data on the login form to make sure that correct data is being passed through and not getting garbbled up? If you are using sessions, do you have session_start set somewhere in your script (preferably near the top)? Are you sure you are getting the correct return results from the SQL Query (print that out to test as well)? Check those items and let me know, because as far as I can tell it "should" work unless we are not seeing something that you have left out or there is a new problem that needs to be explained/described... Quote Link to comment Share on other sites More sharing options...
web_master Posted November 16, 2009 Author Share Posted November 16, 2009 I clear all the cookies, when I try to login, as You see, when I login with same name and password, the cookie is OK Ok so what is the issue? I guess I am not clear on what we are trying to solve here... As a shot, from your original statement you said that if you login with a username that has a number in it, it does not log you in properly...correct? So the userid 6 and 4 are the ones causing you problems...correct? Have you tried printing out data on the login form to make sure that correct data is being passed through and not getting garbbled up? If you are using sessions, do you have session_start set somewhere in your script (preferably near the top)? Are you sure you are getting the correct return results from the SQL Query (print that out to test as well)? Check those items and let me know, because as far as I can tell it "should" work unless we are not seeing something that you have left out or there is a new problem that needs to be explained/described... In login file (form file) I got this on begining of script: <? session_start(); session_destroy();?> After, when I send a post, (in "check-file") the username and password is (this is the id 3): user: web_master password: b4abde772d56a9d5fc743bb08e641dfb oh... this is a problem!!!! Why the "md5" is not a same in the database and when post it, and print it in "check-file"??? password in database: e2363bd3387f2c2c0bf0833ea043e4fe Quote Link to comment Share on other sites More sharing options...
premiso Posted November 16, 2009 Share Posted November 16, 2009 I do not think you need to call session_destroy in the way you are doing it. I would only call it on a logout. As far the md5 not being the same, chances are you have Magic_Quotes turned on. If that is the case you will either need to strip the slashes from the password first, or just disable magic quotes in your php.ini file since it is depreciated and this will cause you problems once you upgrade. A quick fix, strip_slashes on the password before hashing it. Quote Link to comment Share on other sites More sharing options...
web_master Posted November 16, 2009 Author Share Posted November 16, 2009 Look, what a mistake: <?php // Insert into dBase $Query = mysql_query ( ' INSERT INTO `user` ( `user_nick`, `user_password`, `user_email`, `user_firstname`, `user_name`, `user_gender`, `user_city`, `user_country`, `user_datetime`, `user_ip`, `user_host` ) VALUES ( "' . $_POST[ 'user_nick' ] . '", "' . md5 ( $_POST[ 'user_nick' ] ) . '", // HERE IS A PROBLEM "' . $_POST[ 'user_email' ] . '", "' . $_POST[ 'user_firstname' ] . '", "' . $_POST[ 'user_name' ] . '", "' . $_POST[ 'user_gender' ] . '", "' . $_POST[ 'user_city' ] . '", "' . $_POST[ 'user_country' ] . '", "' . date( 'Y-m-d H:i:s' ) . '", "' . getenv( 'REMOTE_ADDR' ) . '", "' . gethostbyaddr( getenv( 'REMOTE_ADDR' ) ) . '" ) ' ); ?> Quote Link to comment Share on other sites More sharing options...
web_master Posted November 16, 2009 Author Share Posted November 16, 2009 Oooh, what an amateur mistake... sorry guys, I see now what is a problem!!!! puting the nick into password row... ... Its a problem, when You work day and nights... Quote Link to comment Share on other sites More sharing options...
premiso Posted November 16, 2009 Share Posted November 16, 2009 lol, yea that would do it Hashing the nick over the password. Well at least you got it figured out and learned some new tips along the way Quote Link to comment Share on other sites More sharing options...
web_master Posted November 16, 2009 Author Share Posted November 16, 2009 lol, yea that would do it Hashing the nick over the password. Well at least you got it figured out and learned some new tips along the way Yes, I do, I learn - but sometimes, when You work long, mistakes like this is possible... Thanks for Youre wasted times! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.