password not being recognized on login script

[Obadiah]

Hi guys, I need assistance with some code for my login script. I had to redo it because of several changes made to my database. for some reason when I run my login script it doesnot pick up that the password is there(or that it is correct) since my error displays when i submit the user and password. many thanks for your help in advance!

 

the username field in sql is user_id

the password field in sql is user_pass

 

here is the array

$fields_1 =   array("fusername" => "User Name",
                            "fpassword"  => "Password"
                   );
$length_1 =   array("fusername" => "10",
                             "fpassword" => "10"
                   );

 

here is my login script

 

 

<?php
/* Program: Login.php
*/
  session_start();
  include("functions_main.inc");
  $table_name = "users";
  $next_program = "home.php";
  
  switch (@$_POST['Button'])
  {
    case "Login":
      $cxn = Connect_to_db("Vars.inc");
      $sql = "SELECT user_id FROM $table_name 
              WHERE user_id='$_POST[fusername]'";
      $result = mysqli_query($cxn,$sql)
                  or die("Couldn't execute query 1");
      $num = mysqli_num_rows($result);
      if($num == 1)
      {
         $sql = "SELECT user_id FROM $table_name 
              WHERE user_id='".mysqli_real_escape_string($cxn,$_POST['fusername'])."'
              AND user_pass=md5('$_POST[fpassword]')";
         $result2 = mysqli_query($cxn,$sql)
                   or die("Couldn't execute query 2.");  
         $row = mysqli_fetch_assoc($result2);
         if($row)
         {
           $_SESSION['auth']="yes";
           $_SESSION['logname'] = mysqli_real_escape_string($cxn,$_POST['fusername']);
           header("Location: $next_program");
         }
         else
         {
/*this is the message that keeps displaying even though the password is correct*/

           $message_1="The Login Name, '$_POST[fusername]' 
                   exists, but you have not entered the 
                   correct password! Please try again.<br>";
           extract($_POST);
           include("fields_login.inc");
           include("double_form.inc");
         }

      }
      elseif ($num == 0)  // login name not found
      {
         $message_1 = "The User Name you entered does not 
                       exist! Please try again.<br>";
         include("fields_login.inc");
         include("double_form.inc");
      }
    break;
    case "Register":
      /* Check for blanks */
      foreach($_POST as $field => $value)
      {
        if ($field != "fax")
        {
          if ($value == "")
          {
               $blanks[] = $field;
          }
        }
      }
      if(isset($blanks))
      {
          $message_2 = "The following fields are blank. 
                Please enter the required information:  ";
          foreach($blanks as $value)
          {
            $message_2 .="$value, ";
          }
          extract($_POST);
          include("fields_login.inc");
          include("double_form.inc");
          exit();
      }
      /* validate data */
      foreach($_POST as $field => $value)
      {
        if(!empty($value))
        {
          if(eregi("name",$field) and
             !eregi("user",$field) and !eregi("log",$field))
          {
             if (!ereg("^[A-Za-z' -]{1,50}$",$value)) 
             {
                $errors[] = "$value is not a valid name."; 
             }
          }
          if(eregi("street",$field)or eregi("addr",$field) or
             eregi("city",$field))
          {
             if(!ereg("^[A-Za-z0-9.,' -]{1,50}$",$value))
             {
                $errors[] = "$value is not a valid address
                              or city.";
             }
          }
          if(eregi("state",$field))
          {
             if(!ereg("[A-Za-z]",$value))
             {
                $errors[] = "$value is not a valid state.";
             }
          }
          if(eregi("email",$field))
          {
             if(!ereg("^.+@.+\\..+$",$value))
             {
                $errors[] = "$value is not a valid email
                             address.";
             }
          }
          if(eregi("zip",$field))
          {
             if(!ereg("^[0-9]{5,5}(\-[0-9]{4,4})?$",$value))
             {
                $errors[] = "$value is not a valid zipcode.";
             }
          }
          if(eregi("phone",$field) or eregi("fax",$field))
          {
             if(!ereg("^[0-9)(xX -]{7,20}$",$value))
             {
                $errors[] = "$value is not a valid phone 
                             number. ";
             }
          }
        }
      }
      foreach($_POST as $field => $value)
      {
        if($field != "Button")
        {
           if($field == "password")
           {
              $password = strip_tags(trim($value));
           }
           else
           {
              $fields[]=$field;
              $value = strip_tags(trim($value));
              $values[] = addslashes($value);
              $$field = $value;                 
           }
        }
      }
      if(@is_array($errors))
      {
        $message_2 = "";
        foreach($errors as $value)
        {
           $message_2 .= $value." Please try again<br />";
        }
        include("fields_login.inc");
        include("double_form.inc");
        exit();
      } 
      $user_name = $_POST['user_name'];

      /* check to see if user name already exists */
      $cxn = Connect_to_db("Vars.inc");
      $sql = "SELECT user_id FROM $table_name 
                WHERE user_id='$user_name'";
      $result = mysqli_query($cxn,$sql)
                or die("Couldn't execute query.");
      $num = mysqli_num_rows($result);
      if ($num > 0)
      {
        $message_2 = "$user_name already used. Select another
                         User Name.";
        include("fields_login.inc");
        include("double_form.inc");
        exit();
      }
      else
      {   
        $today = date("Y-m-d");
        $fields_str = implode(",",$fields);
        $values_str = implode('","',$values);
        $fields_str .=",create_date";
        $values_str .='"'.",".'"'.$today;
        $fields_str .=",password";
        $values_str .= '"'.","."md5"."('".$password."')";
        $sql = "INSERT INTO $table_name ";
        $sql .= "(".$fields_str.")";
        $sql .= " VALUES ";
        $sql .= "(".'"'.$values_str.")";
        mysqli_query($cxn,$sql) or die(mysqli_error($cxn));
        $_SESSION['auth']="yes";
        $_SESSION['logname'] = $user_name;
        /* send email to new Customer */
        $emess = "You have successfully registered. ";
        $emess .= "Your new user name and password are: ";
        $emess .= "\n\n\t$user_name\n\t";
        $emess .= "password\n\n";
        $emess .= "We appreciate your interest. \n\n";
        $emess .= "If you have any questions or problems,";
        $emess .= " email [email protected]";
        $subj = "Your new customer registration";
        #$mailsend=mail("$email","$subj","$emess");
       header("Location: $next_program?user='.$user_name");
      }
    break;

    default:
           include("fields_login.inc");
           include("double_form.inc");
  }
?>

[rameshfaj]

why not to try all the core things with a simple mysql query on mysql console:

 

mysql>select *from users_table where username='abcd';

if this returns non-zero entries then there is the entry for the user.

 

mysql>select *from users_table where username="abcd" and password=md5('passwd');

 

if this returns non-zero rows then the provided username and pwd is eligible for login.

 

Please let me know if need further help.