Jump to content

Confirming Password Help

Tenaciousmug

By Tenaciousmug
in PHP Coding Help

 Share

Recommended Posts

Tenaciousmug Regular Member

Tenaciousmug

Posted
Posted

This is my whole code for the login/registration. The username, Dyl, exists in the database and it says that, but it says I am entering the wrong password when I'm entering the one I created the account with. Does anyone see any problems that could interfere with this?

 

<?php
session_start();
switch (@$_POST['Button'])
{
case "Log in":
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database);
$fusername = $cxn->real_escape_string($_POST['fusername']);
$sql = "SELECT `username` FROM `Member` WHERE `username`='$fusername'";
$result = mysqli_query($cxn,$sql) or die("Query died: fusername");
$num = mysqli_num_rows($result);
if($num > 0)
//username was found
{
	$fpassword = $cxn->real_escape_string($_POST['fpassword']);
	$sql = "SELECT `username` FROM `Member` WHERE `username`='$fusername' AND `password`=md5('$fpassword')";
	$result2 = mysqli_query($cxn,$sql) or die("Query died: fpassword");
	$num = mysqli_num_rows($result2);
	if($num > 0) //password matches
	{
		$_SESSION['auth']="yes";
		$_SESSION['username'] = $fusername;
		$sql = "INSERT INTO Login (username,loginTime) VALUES ('$fusername',NOW())";
		$result = mysqli_query($cxn,$sql) or die("Query died: insert");
		header("Location: testing.php");
	}
	else
	{
		$message_1="The username, '$fusername' exists. However you have not entered the correct password! Please try again.";
		$fusername=strip_tags(trim($fusername));
		include("login_form2.php");
	}
}
else // username was not found
{
	$message_1 = "The username you entered does not exist! Please try again.";
	include("login_form2.php");
}
break;

case "Register":
/* Check for blanks */
foreach($_POST as $field => $value)
{
	if(empty($value))
	{
		$blanks[] = $field;
	}
	else
	{
		$good_data[$field] = strip_tags(trim($value));
	}
}
if(isset($blanks))
{
	$message_2 = "The following fields are blank. Please enter the required information: ";
	foreach($blanks as $value)
	{
	$message_2 .="$value, ";
	}
	extract($good_data);
	include("login_form2.php");
	exit();
}
/* validate data */
foreach($_POST as $field => $value)
{
	if(!empty($value))
	{
		if(preg_match("/name/i",$field) and !preg_match("/user/i",$field) and !preg_match("/log/i",$field))
		{
			if(!preg_match("/^[A-Za-z' -]{1,15}$/",$value))
			{
				$errors[] = "$value is not a valid name. ";
			}
		}
		if(preg_match("/email/i",$field))
		{
			if(!preg_match("/^.+@.+\\..+$/",$value))
			{
				$errors[]="$value is not a valid email address.";
			}
		}
	} // end if not empty
}
foreach($_POST as $field => $value)
{
	$$field = strip_tags(trim($value));
}
if(@is_array($errors))
{
	$message_2 = "";
	foreach($errors as $value)
	{
		$message_2 .= $value." Please try again";
	}
	include("login_form2.php");
	exit();
} //end if errors are found

/* check to see if username already exists */
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database) or die("Couldn't connect to server");
$username = $cxn->real_escape_string($username);
$sql = "SELECT `username` FROM `Member` WHERE `username`='$username'";
$result = mysqli_query($cxn,$sql) or die("Query died: username.");
$num = mysqli_num_rows($result);
if($num > 0)
{
	$message_2 = "$username already exists. Select another username.";
	include("login_form2.php");
	exit();
} // end if username already exists
else // add new member to database
{
	$sql = "INSERT INTO Member (username,createDate,password,firstName,email) VALUES ('$username',NOW(),md5('$password'),'$firstName','$email')";
	mysqli_query($cxn,$sql);
	$_SESSION['auth']="yes";
	$_SESSION['username'] = $username;
	header("Location: testing.php");
}
break;

default:
include("login_form2.php");
}
?>

Link to comment
Share on other sites
gizmola Prolific Member

gizmola

Posted
Posted

I don't see anything obvious, but the obvious question is -- does the INSERT statement match the Member.password column definition, and does that definition use the same technique you're using in your comparison.  In particular, you're using the mysql md5() function which produces a 32 character string.  Is the password column a CHAR[32]?

 

I also don't see why you would want to do 2 queries (check for username, then password) when you could simply check for username AND password, which is more efficient and just as safe.

Link to comment
Share on other sites
Soldier Jane Newbie

Soldier Jane

Posted
Posted

Yeah, the most obvious thing to me is hashing the password inside the query. Try using the PHP MD5 function and putting the result into your query.

 

I am guessing that you used 2 queries to allow you to determine whether you typed the login or password incorrectly. There are probably better ways to do this, but I'm not sure which is the most efficient.

Link to comment
Share on other sites
Tenaciousmug Regular Member

Tenaciousmug

Posted
  • Author
Posted

EDIT::::

 

Okay, nevermind, I figured it out. The password to my connection was set as $password. Then I also had that variable for the users name input of their password.

 

Okay thank you for your help.

Now I see what is the problem since I undid the md5 to see what the password was really entering.

It's entering the password to my PHPAdmin for every single username joining...

Does anyone have any idea how to fix this?

Here is my code:

 

<?php
session_start();
switch (@$_POST['Button'])
{
case "Log in":
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database);
$username = $cxn->real_escape_string($_POST['username']);
$sql = "SELECT `username` FROM `Member` WHERE `username`='$username'";
$result = mysqli_query($cxn,$sql) or die("Query died: username");
$num = mysqli_num_rows($result);
if($num > 0)
//username was found
{
	$password = $cxn->real_escape_string($_POST['password']);
	$sql = "SELECT `username` FROM `Member` WHERE `username`='$username' AND `password`='$password'";
	$result2 = mysqli_query($cxn,$sql) or die("Query died: password");
	$num = mysqli_num_rows($result2);
	if($num > 0) //password matches
	{
		$_SESSION['auth']="yes";
		$_SESSION['username'] = $username;
		$sql = "INSERT INTO Login (username,loginTime) VALUES ('$username',NOW())";
		$result = mysqli_query($cxn,$sql) or die("Query died: insert");
		header("Location: testing.php");
	}
	else
	{
		$message_1="The username, '$username' exists. However you have not entered the correct password! Please try again.";
		$username=strip_tags(trim($username));
		include("login_form2.php");
	}
}
else // username was not found
{
	$message_1 = "The username you entered does not exist! Please try again.";
	include("login_form2.php");
}
break;

case "Register":
/* Check for blanks */
foreach($_POST as $field => $value)
{
	if(empty($value))
	{
		$blanks[] = $field;
	}
	else
	{
		$good_data[$field] = strip_tags(trim($value));
	}
}
if(isset($blanks))
{
	$message_2 = "The following fields are blank. Please enter the required information: ";
	foreach($blanks as $value)
	{
	$message_2 .="$value, ";
	}
	extract($good_data);
	include("login_form2.php");
	exit();
}
/* validate data */
foreach($_POST as $field => $value)
{
	if(!empty($value))
	{
		if(preg_match("/name/i",$field) and !preg_match("/user/i",$field) and !preg_match("/log/i",$field))
		{
			if(!preg_match("/^[A-Za-z' -]{1,15}$/",$value))
			{
				$errors[] = "$value is not a valid name. ";
			}
		}
		if(preg_match("/email/i",$field))
		{
			if(!preg_match("/^.+@.+\\..+$/",$value))
			{
				$errors[]="$value is not a valid email address.";
			}
		}
	} // end if not empty
}
foreach($_POST as $field => $value)
{
	$$field = strip_tags(trim($value));
}
if(@is_array($errors))
{
	$message_2 = "";
	foreach($errors as $value)
	{
		$message_2 .= $value." Please try again";
	}
	include("login_form2.php");
	exit();
} //end if errors are found

/* check to see if username already exists */
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database) or die("Couldn't connect to server");
$username = $cxn->real_escape_string($username);
$sql = "SELECT `username` FROM `Member` WHERE `username`='$username'";
$result = mysqli_query($cxn,$sql) or die("Query died: username.");
$num = mysqli_num_rows($result);
if($num > 0)
{
	$message_2 = "$username already exists. Select another username.";
	include("login_form2.php");
	exit();
} // end if username already exists
else // add new member to database
{
	$sql = "INSERT INTO Member (username,createDate,password,firstName,email) VALUES ('$username',NOW(),'$password','$firstName','$email')";
	mysqli_query($cxn,$sql);
	$_SESSION['auth']="yes";
	$_SESSION['username'] = $username;
	header("Location: testing.php");
}
break;

default:
include("login_form2.php");
}
?>

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.