
Please HELP!!!! Password rejections


JustinPhP


I know I left out the connect, that works fine, but when I run this it tells me wrong password even if I copy and paste the user name and password from my database....

Can anyone help me, please?

 


{ 
        $username = $_COOKIE['ID_my_site']; 

        $pass = $_COOKIE['Key_my_site'];

                $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());

        while($info = mysql_fetch_array( $check ))      

                {

                if ($pass != $info['password']) 

                        {

                                                }

                else

                        {

                        header("Location: members.php");



                        }

                }

}


if (isset($_POST['submit'])) { // if form has been submitted



        if(!$_POST['username'] | !$_POST['pass']) {

                die('You did not fill in a required field.');

        }




        if (!get_magic_quotes_gpc()) {

                $_POST['email'] = addslashes($_POST['email']);

        }

        $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());




$check2 = mysql_num_rows($check);

if ($check2 == 0) {

                die('That user does not exist in our database.');

                                }

while($info = mysql_fetch_array( $check ))     

{

$_POST['pass'] = stripslashes($_POST['pass']);

        $info['password'] = stripslashes($info['password']);

        $_POST['pass'] = md5($_POST['pass']);



        if ($_POST['pass'] != $info['password']) {

                die('Incorrect password, please try again.');

        }
else 

{ 



         $_POST['username'] = stripslashes($_POST['username']); 

         $hour = time() + 3600; 

setcookie(ID_my_site, $_POST['username'], $hour); 

setcookie(Key_my_site, $_POST['pass'], $hour);  

  

header("Location: members.php"); 

} 

} 

} 

else 

{        



?> 

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> 

<table border="0"> 

<tr><td colspan=2><h1>Login</h1></td></tr> 

<tr><td>Username:</td><td> 

<input type="text" name="username" maxlength="40"> 

</td></tr> 

<tr><td>Password:</td><td> 

<input type="password" name="pass" maxlength="50"> 

</td></tr> 

<tr><td colspan="2" align="right"> 

<input type="submit" name="submit" value="Login"> 

</td></tr> 

</table> 

</form> 

<?php 

} 



?>     
        


I'm really new to this so I'm not sure what you guys are talking about as far as the password stored as has my code to input and store the passwords is

 



if (isset($_POST['submit'])) { 


if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] ) {

		die('You did not complete all of the required fields');

	}



	if (!get_magic_quotes_gpc()) {

		$_POST['username'] = addslashes($_POST['username']);

	}

$usercheck = $_POST['username'];

$check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") 

or die(mysql_error());

$check2 = mysql_num_rows($check);



if ($check2 != 0) {

		die('Sorry, the username '.$_POST['username'].' is already in use.');

				}


	if ($_POST['pass'] != $_POST['pass2']) {

		die('Your passwords did not match. ');

	}



	// here we encrypt the password and add slashes if needed

	$_POST['pass'] = md5($_POST['pass']);

	if (!get_magic_quotes_gpc()) {

		$_POST['pass'] = addslashes($_POST['pass']);

		$_POST['username'] = addslashes($_POST['username']);

			}



	$insert = "INSERT INTO users (username, password)

			VALUES ('".$_POST['username']."', '".$_POST['pass']."')";

	$add_member = mysql_query($insert);

	?>




<h1>Registered</h1>

<p>Thank you, you have registered - you may now login</a>.</p>
</br><p><a href="login.php">Log In Page</a></p></br>




<?php 
} 

else 
{	
?>



<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

<table border="0">

<tr><td>Username:</td><td>

<input type="text" name="username" maxlength="60">

</td></tr>

<tr><td>Password:</td><td>

<input type="password" name="pass" maxlength="10">

</td></tr>

<tr><td>Confirm Password:</td><td>

<input type="password" name="pass2" maxlength="10">

</td></tr>

<tr><th colspan=2><input type="submit" name="submit" 
value="Register"></th></tr> </table>

</form>


<?php

}
?> 











</body>
</html>


A couple of notes to start with:

1 - Don't use addslashes when a database specific escaping function exists, in this case mysql_real_escape_string

2 - In your second if() conditional, the OR operator is double-pipe || , not single-pipe |

3 - Don't use any escaping on a value that has been/will be hashed by md5(), etc.

4 - Right now, you're using addslashes() twice on the same data. Data only needs to be escaped once.

5 - Checking for magic_quotes_gpc() is a good thing, but if TRUE, apply stripslashes

6 - Don't use action="<?php echo $_SERVER['PHP_SELF']; ?>" as a form action as it is a known XSS vulnerability. Use action="" to submit a form to itself.

 

I commented your code; take a look through it and ask any questions you might have.

<?php
if (isset($_POST['submit'])) {
if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] ) { // note 2
	die('You did not complete all of the required fields');
}
if (!get_magic_quotes_gpc()) { //note 5
	$_POST['username'] = addslashes($_POST['username']); // note 1
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'")
or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 != 0) {
	die('Sorry, the username '.$_POST['username'].' is already in use.');
}
if ($_POST['pass'] != $_POST['pass2']) {
	die('Your passwords did not match. ');
}
// here we encrypt the password and add slashes if needed
$_POST['pass'] = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) { // note 5
	$_POST['pass'] = addslashes($_POST['pass']); // note 1, note 3, note 4
	$_POST['username'] = addslashes($_POST['username']); //note 1, note 4
}
$insert = "INSERT INTO users (username, password) VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
$add_member = mysql_query($insert);
?>
<h1>Registered</h1>
<p>Thank you, you have registered - you may now login</a>.</p>
</br><p><a href="login.php">Log In Page</a></p></br>
<?php
} else {
?>
<form action="<?php echo $_SERVER['PHP_SELF']; /* note 6*/ ?>" method="post">
<table border="0">
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="60">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="10">
</td></tr>
<tr><td>Confirm Password:</td><td>
<input type="password" name="pass2" maxlength="10">
</td></tr>
<tr><th colspan=2><input type="submit" name="submit"
value="Register"></th></tr> </table>
</form>
<?php
}
?>
</body>
</html>
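
The registration and login checks with notes 1 to 4 applied, as an added example that is not part of the thread or any poster's code. Bound PDO parameters are swapped in for manual escaping and password_hash()/password_verify() for md5(); the in-memory SQLite database and the sample account are constructed so the script runs offline.

```php
<?php
// Added example, not code from the thread. The table layout follows the
// thread's users(username, password); the database and inputs are constructed.

function register_user(PDO $db, string $username, string $pass, string $pass2): string
{
    // Note 2: logical OR is ||, not the bitwise |.
    if ($username === '' || $pass === '' || $pass2 === '') {
        return 'You did not complete all of the required fields';
    }
    if ($pass !== $pass2) {
        return 'Your passwords did not match.';
    }
    // Notes 1 and 4: bound parameters replace addslashes(), so nothing is
    // escaped by hand and nothing can be escaped twice.
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $stmt->execute([$username]);
    if ($stmt->fetchColumn() > 0) {
        return 'Sorry, that username is already in use.';
    }
    // Note 3: the password goes into the hash function untouched.
    // password_hash() is swapped in here for the thread's md5().
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
       ->execute([$username, $hash]);
    return 'ok';
}

function check_login(PDO $db, string $username, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when the user does not exist
    // Unknown user and wrong password give the same result to the caller.
    return $hash !== false && password_verify($pass, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed inputs containing quotes and a backslash, stored and checked as typed.
var_dump(register_user($db, "o'brien", 'p"ass\\word', 'p"ass\\word'));
var_dump(check_login($db, "o'brien", 'p"ass\\word'));
var_dump(check_login($db, "o'brien", 'wrong'));
```

The password column has to be wide enough for the full password_hash() output (the PHP manual recommends 255 characters), since a truncated hash never verifies.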
