User signup is inserting to MySQL but the passwords coming up wrong, any advice?

[j.smith1981]

Hi there I have a problem here, I think I may know what it is but just wanted some guidance on this issue.

 

I took the logic from a previous help from the people on this forum and here is my landing page:

 

<?php
// ini_set("display_errors", 1);

// randomly starts a session!

session_name("jeremyBasicLogin");
session_start();

if(isset($_SESSION['username']))  {

// display whatever when the user is logged in:

echo <<<ADDENTRY

	<html>
		<head>
			<title>User is now signed in:<title>
		</head>

		<body>
			<h1>You are now signed in!</h1>
				<p>You can do now what you want to do!</p>
			</body>
		</html>
ADDENTRY;

} else {
// If anything else dont allow access and send back to original page!

	header("location: signin.php");

}
?>

 

This is where the user goes to when they go to this system (not a functional system, ie it doesnt actually do anything its more for my own theory.

 

As you wont have a session on the first turn to this page it goes to:

 

signin.php which contains:

<?php
// ini_set("display_errors", 1);

require_once('func.db.connect.php');

if(array_key_exists('submit',$_POST)) {

dbConnect(); // connect to database anyways!

// Do a procedure to log the user in:

// Santize User Inputs
$username = trim(stripslashes(mysql_real_escape_string($_POST['username']))); // cleans up with PHP first!
$password = trim(stripslashes(mysql_real_escape_string(md5($_POST['password'])))); // cleans up with PHP first!

$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($sql);

if(mysql_num_rows($result) == 1) {

	session_name("jeremyBasicLogin");
	session_start();
	$_SESSION['is_logged_in'] = true;
	$_SESSION['username'] = $username;
	//print_r($_SESSION);  // debug purposes only!
	$_SESSION['time_loggedin'] = time(); // this is adding to the array (have seen the output in the SESSION vars!

	// call function to update the time stamp in MySQL?


	header("location: index.php");

} else if(mysql_num_rows($result) != 1) {
	$message = "You typed the wrong password or Username Please retry!";
}
} else {
$message = "";
}
// displays the login page:
echo <<<LOGIN
<html>
<body>
	<h1>Example Login</h1>

	<form id="login" name="login" action="{$_SERVER['PHP_SELF']}" method="post">
		<label for="username">Username: </label><input type="text" id="username" name="username" value="" /><br>
		<label for="password">Password: </label><input type="text" id="password" name="password" value="" /><br>
		<input type="submit" id="submit" name="submit" value="Login" />
	</form>
LOGIN;
	echo "<p>" . $message . "</p>";
echo <<<LOGIN

	<p>Please Login to View and Edit Your Entries</p>
	<p><a href="register.php">Click Here To Signup</a><p>
</body>
</html>
LOGIN;
?>

 

This checks through user inputs and hopefully logs them in, when Ive inserted the data into the database itself it works, if I try and login but if a user fills in this form:

 

signup.php:

 

<?php
//ini_set("display_errors", 1);

$message ='';

require_once('func.db.connect.php');

if(array_key_exists('submit',$_POST)) {

dbConnect(); // connect to database anyways!

// do some safe protecting of the users variables, apply it to all details!
$username = trim(stripslashes(mysql_real_escape_string($_POST['username']))); // cleans up with PHP first!
$email = trim(stripslashes(mysql_real_escape_string($_POST['email']))); // cleans up with PHP first!
$password = trim(stripslashes(mysql_real_escape_string(md5($_POST['password'])))); // does as above but also encrypts it using the md5 function!
$password2 = trim(stripslashes(mysql_real_escape_string(md5($_POST['password2'])))); // does as above but also encrypts it using the md5 function!

if($username != '' && $email != '' && $password != '' && $password2 != '') {
	// do whatever when not = to nothing/empty fields!

	if($password === $password2) {
		// do database stuff to enter users details

		$sql = "INSERT INTO `test`.`users` (`id` ,`username` ,`password`) VALUES ('' , '$username', MD5( '$password' ));";
		$result = mysql_query($sql);
		if($result) {
			$message = 'You may now login by clicking <a href="index.php">here</a>';
		}

	} else {
		// echo out a user message says they got their 2 passwords incorrectly typed:
		$message = 'Pleae re enter your password';
	}

} else {
	// they where obviously where empty
	$message = 'You missed out some required fields, please try again';
}

}

echo <<<REGISTER

<html>
<body>
<h1>Register Form</h1>
<p>Please fill in this form to register</p>
<form id="register" name="register" action="{$_SERVER['PHP_SELF']}" method="post">

<table>
	<tr>
		<td><label for="username">Username: </label></td>
		<td><input type="text" id="username" name="username" value="" /></td>
	</tr>

	<tr>
		<td><label for="email">Email: </label></td>
		<td><input type="text" id="email" name="email" value="" /></td>
	</tr>

	<tr>
		<td><label for="password">Password: </label></td>
		<td><input type="text" id="password" name="password" value="" /></td>
	</tr>

	<tr>
		<td><label for="password">Confirm Password: </label></td>
		<td><input type="text" id="password2" name="password2" value="" /></td>
	</tr>

	<tr>
		<td><input type="submit" id="submit" name="submit" value="Register" /></td>
	</tr>

<table>

REGISTER;
echo "<p>" . $message . "</p>";
echo <<<REGISTER

</form>
</body>
</html>
REGISTER;
?>

 

As I said when the user signs up when submitting the above form, it doesnt work, keeps coming up with a different value for the password, so I am about 99% certain its the password, but I have been maticulous about copying in the sanitize function for SQL injections and it just doesnt still work, really puzzled now.

 

Any helps appreciated,

Jeremy.

[ManiacDan]

$sql = "INSERT INTO `test`.`users` (`id` ,`username` ,`password`) VALUES ('' , '$username', MD5( '$password' ));";

Ahem...

$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";

See the problem?

 

-Dan

[micah1701]

might not solve your problem but you should change:

trim(stripslashes(mysql_real_escape_string(md5($_POST['password']))))

to

md5(trim(stripslashes($_POST['password'])))

 

the functions work from the inside out.  so once you've md5()'d the word its not going to need to be real_escaped_string()'d anyway and it won't need to be trim'd or striped of slashes because you'll just have your md5 hash which doesn't have those things.

 

[j.smith1981]

might not solve your problem but you should change:

trim(stripslashes(mysql_real_escape_string(md5($_POST['password']))))

to

md5(trim(stripslashes($_POST['password'])))

 

the functions work from the inside out.  so once you've md5()'d the word its not going to need to be real_escaped_string()'d anyway and it won't need to be trim'd or striped of slashes because you'll just have your md5 hash which doesn't have those things.

 

That didnt work, hmm didnt think it would, I'm baffled now, even increased the password attribute in the database to 100 just to see if it was that but that hasnt worked either.

 

Any other suggestions?

 

Thanks in advance,

Jeremy.

[ManiacDan]

Already solved this, scroll up.

[j.smith1981]

Already solved this, scroll up.

 

You know what I need to do today? Bang my head against a wall, I am soo embarrased.

 

The things you dont see when your tired lol.

 

Your a star thanks for spotting that!