3raser Posted March 5, 2010

Why is it every time I login, it gives me the incorrect password error? I KNOW FOR A FACT I'm typing it in right, what's wrong with my code?...

```php
<?php session_start(); /*no whitespace before opening php tag...*/ ?>
<link rel="stylesheet" type="text/css" href="style.css" />
<div align="center"><div class="box"><div align="left"><img src="Banner.png" border="0"><?php require("navi.php"); ?></div></div><br><br>
<?php
require("settings.php");
$username = $_POST['username'];
$password = $_POST['password'];
$secret_password = md5($password);

if ($_SESSION['username'])
    die("You're currently logged in already! <a href='index.php'>Return home</a>");

if (!$username)
    die("
<font face='arial' size='2'>
<html><center><br /><br /><h3>Login</h3>
<form action='login.php' method='POST'>
<div class='box2'>Username: <input type='text' name='username'></div>
<div class='box2'>Password: <input type='password' name='password'></div>
<div class='box2'><input type='submit' value='Login'></div>
</form></center>
");

//protection
$before = array('(', ')', '^', '<', '>', '`', '*', '<script>', '</script>', ';DROP TABLE users;', 'users', 'DROP', 'TABLE');
$after = array('', '', '', '', '', '', '', '', '', '', '', '', '');
$output = str_replace($before, $after, $username);

if ($username&&$password)
{
    $connect = mysql_connect("$dbhost","$dbuser","$dbpassword") or die("Connection failed!");
    mysql_select_db("$db") or die("Database fail!");

    $query = mysql_query("SELECT * FROM users WHERE username='$output'");
    $numrows = mysql_num_rows($query);

    if ($numrows!=0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }

        if ($output==$dbusername&&$secret_password==$dbpassword)
        {
            echo "<div class='box'>Successfully logged in! <a href='index.php'>Return home</a></div>";
            $_SESSION['username']=$output;
        }
        else
            echo "<div class='box'><span style='color:red'>Incorrect password!</span></div>";
    }
    else
        die("<div class='box'><span style='color:red'>That user doesn't exist!</span></div>");
}
else
    die("<div class='box'><span style='color:red'>Please enter a username and password</span></div>");
?><?php require("footer.php"); ?>
```

meltingpoint Posted March 5, 2010

.....what is your if statement testing?

```php
if ($username&&$password) {
```

I do not believe that it is testing anything. Empty? Null? If exists?

How about........

```php
if (!empty($username or $password)) {
```

or

```php
if (($username == "") or ($password == "")) {
```

Give that a try and see what happens.

kavisiegel Posted March 5, 2010

To the guy above me, the username and password variables are defined on lines 9 and 10 of the second time php

To the original poster, it would be cleaner to deal with the post variables themselves and use isset() instead.

Here's a couple other errors that I see as well:

It may be a bad idea to specify if you have the incorrect password or if the user doesn't exist; for security's sake, it's probably a good idea to stay vague there.

Using die() as an output method could give you unexpected results in the end, and probably isn't the cleanest way to do it.

You shouldn't put quotes around your variables on lines 36 and 37 in your mysql connection functions, that just slows down PHP.

Your SQL sanitization isn't too dependable as well, try mysql_real_escape_string.

Anyways, the problem you're describing, try to add in curly braces with your if/else statements. It's cleaner and more dependable than just saying else and throwing some code in. If you're not a fan of them, at least use endif... but you seem to be using the curly braces on and off. I suspect that php's just executing your echo line when it's not intended to echo.
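
An added example (not code from any poster in this thread) of the login check with the suggestions from the last reply applied: isset() on the POST fields, braces on every branch, one vague failure message, and a bound query parameter in place of the str_replace blacklist. It swaps mysql_* for PDO with an in-memory SQLite table and md5() for password_hash()/password_verify(); the check_login() name, the table contents and the sample requests are constructed for illustration.

```php
<?php
// Added example: check_login() and all sample data are constructed for illustration.

// In-memory SQLite stands in for the thread's MySQL database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed account. The name contains "users" and "(", which the original
// str_replace blacklist would have stripped before the lookup.
$insert = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(['power(users)', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns true only when the user exists AND the password matches;
// callers get no hint about which of the two checks failed.
function check_login(PDO $pdo, array $post): bool
{
    // isset() on the POST fields themselves, as suggested in the thread.
    if (!isset($post['username'], $post['password'])) {
        return false;
    }
    if (!is_string($post['username']) || !is_string($post['password'])) {
        return false; // e.g. username[]=x arrives as an array
    }

    // Bound parameter: the value never becomes part of the SQL text,
    // so no characters need to be removed from it.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$post['username']]);
    $hash = $stmt->fetchColumn(); // false when no row matched

    return $hash !== false && password_verify($post['password'], $hash);
}

// Constructed requests: correct login, wrong password, unknown user, quote-laden input.
$attempts = [
    ['username' => 'power(users)', 'password' => 'correct horse'],
    ['username' => 'power(users)', 'password' => 'wrong'],
    ['username' => 'nobody',       'password' => 'correct horse'],
    ['username' => "' OR '1'='1",  'password' => 'x'],
];
foreach ($attempts as $post) {
    // One vague message for every failure, braces on every branch.
    if (check_login($pdo, $post)) {
        echo "Successfully logged in!\n";
    } else {
        echo "Incorrect username or password.\n";
    }
}
```

Only the first constructed request succeeds; the other three produce the same message, so the response does not reveal whether the username exists.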