3raser Posted January 6, 2011 Share Posted January 6, 2011 The password ARE correct. My code keeps saying that the password is INCORRECT. The password is MD5'ed once a user registers, and when they type in a password at the login (as shown), the password is also MD5'ed. Why is it that it's output is incorrect password? <?php session_start(); include("includes/mysql.php"); include("includes/config.php"); ?> <title><?php echo $title; ?></title> <?php if(!$_SESSION['user']) { $username = $_POST['username']; $password = $_POST['password']; $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); if(!$password || !$username) { echo ' <h1>Login</h1> <center><p><form action="login.php" method="POST"> <table border="0"> <tr><th>Username:</th> <td><input type="text" name="username" maxlength="20"><br/></td></tr> <tr><th>Password:</th> <td><input type="password" name="password" maxlength="30"><br/></td></tr> <tr><th></th><td><input type="submit" value="Login"></td></tr> </table></form></p></center> </div> '; } else { $query = mysql_query("SELECT COUNT(username),password,username FROM users WHERE username='$username'"); $check = mysql_fetch_assoc($query); $db_username = $check['username']; $password = md5($password); if($check['COUNT(username)'] < 1) { echo ' <p>No account exists with this username. Please go back.</p> '; } elseif($check['password']==$password && $db_username==$username) { echo ' <h1>Login Successful</h1> <p>You have successfully logged in! Return home.</p> '; $_SESSION['user']=$username; } else { echo ' <p>The password you have enetered in is incorrect. Please go back.</p> '; } } } else { echo ' <p>Your already logged in!</p> '; } ?> Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted January 6, 2011 Share Posted January 6, 2011 problem: you use mysql_real_escape_string($password) before using md5($password). Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted January 6, 2011 Share Posted January 6, 2011 You should actually not use any escaping on a value that will be, or has already been hashed. Quote Link to comment Share on other sites More sharing options...
3raser Posted January 7, 2011 Author Share Posted January 7, 2011 Did all of the above. Still didn't work. Is it something wrong with my extraction query? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted January 7, 2011 Share Posted January 7, 2011 Have you echoed $username to be sure it has a value? Quote Link to comment Share on other sites More sharing options...
trq Posted January 7, 2011 Share Posted January 7, 2011 Your entire authentication logic is flawed as well IMO. if ($result = mysql_query("SELECT id FROM users WHERE username = '$username' && `password` = '$password' LIMIT 1")) { if (mysql_num_rows($result)) { // valid, log user in } else { // invalid. show error } } else { // query failed, handle error } Letting crackers know that they have a valid user name but not a valid pass & vice verso is never a good idea. Quote Link to comment Share on other sites More sharing options...
3raser Posted January 7, 2011 Author Share Posted January 7, 2011 Have you echoed $username to be sure it has a value? Yes, and the value comes out correctly. The password you have entered in for Admin is incorrect. Please go back. Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted January 7, 2011 Share Posted January 7, 2011 I agree with thorpe, that is something that needs to be changed. Have you manually compared the password value in the database to the hash generated in the login script? Quote Link to comment Share on other sites More sharing options...
3raser Posted January 8, 2011 Author Share Posted January 8, 2011 Your entire authentication logic is flawed as well IMO. if ($result = mysql_query("SELECT id FROM users WHERE username = '$username' && `password` = '$password' LIMIT 1")) { if (mysql_num_rows($result)) { // valid, log user in } else { // invalid. show error } } else { // query failed, handle error } Letting crackers know that they have a valid user name but not a valid pass & vice verso is never a good idea. No worries, I just had that in there to make sure the username variable was working correctly. And this code of yours, is it a fix or just a better code organization? Can you please point out what was wrong with my previous code? It's just the way I code, and I'd love to get a few pointers on how I could improve it. Quote Link to comment Share on other sites More sharing options...
jcbones Posted January 8, 2011 Share Posted January 8, 2011 Does your database column have enough space for a MD5 hash? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted January 8, 2011 Share Posted January 8, 2011 . . . Have you manually compared the password value in the database to the hash generated in the login script? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.