JustinPhP Posted January 21, 2011

I know I left out the connect, that works fine, but when I run this it tells me wrong password even if I copy and paste the user name and password from my database.... Can anyone help me please

    {
        $username = $_COOKIE['ID_my_site'];
        $pass = $_COOKIE['Key_my_site'];
        $check = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
        while ($info = mysql_fetch_array($check)) {
            if ($pass != $info['password']) {
            } else {
                header("Location: members.php");
            }
        }
    }

    if (isset($_POST['submit'])) { // if form has been submitted
        if (!$_POST['username'] | !$_POST['pass']) {
            die('You did not fill in a required field.');
        }
        if (!get_magic_quotes_gpc()) {
            $_POST['email'] = addslashes($_POST['email']);
        }
        $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'") or die(mysql_error());
        $check2 = mysql_num_rows($check);
        if ($check2 == 0) {
            die('That user does not exist in our database.');
        }
        while ($info = mysql_fetch_array($check)) {
            $_POST['pass'] = stripslashes($_POST['pass']);
            $info['password'] = stripslashes($info['password']);
            $_POST['pass'] = md5($_POST['pass']);
            if ($_POST['pass'] != $info['password']) {
                die('Incorrect password, please try again.');
            } else {
                $_POST['username'] = stripslashes($_POST['username']);
                $hour = time() + 3600;
                setcookie(ID_my_site, $_POST['username'], $hour);
                setcookie(Key_my_site, $_POST['pass'], $hour);
                header("Location: members.php");
            }
        }
    } else {
    ?>
    <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
    <table border="0">
    <tr><td colspan=2><h1>Login</h1></td></tr>
    <tr><td>Username:</td><td>
    <input type="text" name="username" maxlength="40">
    </td></tr>
    <tr><td>Password:</td><td>
    <input type="password" name="pass" maxlength="50">
    </td></tr>
    <tr><td colspan="2" align="right">
    <input type="submit" name="submit" value="Login">
    </td></tr>
    </table>
    </form>
    <?php
    }
    ?>

Maq Posted January 21, 2011

It seems your passwords are stored as a hash in the DB, so you shouldn't be copying and pasting it. Echo out your POST values before/after the md5 and info['password'].

Pikachu2000 Posted January 21, 2011

What is the data type of the database field that the password is stored in, and have you echoed md5($_POST['pass']) and compared it manually to what's stored in the database field?

JustinPhP Posted January 21, 2011

I'm really new to this so I'm not sure what you guys are talking about as far as the password stored as a hash. My code to input and store the passwords is:

    if (isset($_POST['submit'])) {
        if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] ) {
            die('You did not complete all of the required fields');
        }
        if (!get_magic_quotes_gpc()) {
            $_POST['username'] = addslashes($_POST['username']);
        }
        $usercheck = $_POST['username'];
        $check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") or die(mysql_error());
        $check2 = mysql_num_rows($check);
        if ($check2 != 0) {
            die('Sorry, the username '.$_POST['username'].' is already in use.');
        }
        if ($_POST['pass'] != $_POST['pass2']) {
            die('Your passwords did not match. ');
        }
        // here we encrypt the password and add slashes if needed
        $_POST['pass'] = md5($_POST['pass']);
        if (!get_magic_quotes_gpc()) {
            $_POST['pass'] = addslashes($_POST['pass']);
            $_POST['username'] = addslashes($_POST['username']);
        }
        $insert = "INSERT INTO users (username, password) VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
        $add_member = mysql_query($insert);
    ?>
    <h1>Registered</h1>
    <p>Thank you, you have registered - you may now login</a>.</p>
    </br><p><a href="login.php">Log In Page</a></p></br>
    <?php
    } else {
    ?>
    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    <table border="0">
    <tr><td>Username:</td><td>
    <input type="text" name="username" maxlength="60">
    </td></tr>
    <tr><td>Password:</td><td>
    <input type="password" name="pass" maxlength="10">
    </td></tr>
    <tr><td>Confirm Password:</td><td>
    <input type="password" name="pass2" maxlength="10">
    </td></tr>
    <tr><th colspan=2><input type="submit" name="submit" value="Register"></th></tr>
    </table>
    </form>
    <?php
    }
    ?>
    </body>
    </html>

JustinPhP Posted January 21, 2011

Can anyone help explain?

Maq Posted January 21, 2011

> Can anyone help explain?

Echo out the values like I mentioned in my first post. That way you can see if you even make it to that point and what the exact values are.

Pikachu2000 Posted January 21, 2011

A couple of notes to start with:

1 - Don't use addslashes when a database specific escaping function exists, in this case mysql_real_escape_string
2 - In your second if() conditional, the OR operator is double-pipe || , not single-pipe |
3 - Don't use any escaping on a value that has been/will be hashed by md5(), etc.
4 - Right now, you're using addslashes() twice on the same data. Data only needs to be escaped once.
5 - Checking for magic_quotes_gpc() is a good thing, but if TRUE, apply stripslashes
6 - Don't use action="<?php echo $_SERVER['PHP_SELF']; ?>" as a form action as it is a known XSS vulnerability. Use action="" to submit a form to itself.

I commented your code; take a look through it and ask any questions you might have.

    <?php
    if (isset($_POST['submit'])) {
        if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] ) { // note 2
            die('You did not complete all of the required fields');
        }
        if (!get_magic_quotes_gpc()) { // note 5
            $_POST['username'] = addslashes($_POST['username']); // note 1
        }
        $usercheck = $_POST['username'];
        $check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") or die(mysql_error());
        $check2 = mysql_num_rows($check);
        if ($check2 != 0) {
            die('Sorry, the username '.$_POST['username'].' is already in use.');
        }
        if ($_POST['pass'] != $_POST['pass2']) {
            die('Your passwords did not match. ');
        }
        // here we encrypt the password and add slashes if needed
        $_POST['pass'] = md5($_POST['pass']);
        if (!get_magic_quotes_gpc()) { // note 5
            $_POST['pass'] = addslashes($_POST['pass']); // note 1, note 3, note 4
            $_POST['username'] = addslashes($_POST['username']); // note 1, note 4
        }
        $insert = "INSERT INTO users (username, password) VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
        $add_member = mysql_query($insert);
    ?>
    <h1>Registered</h1>
    <p>Thank you, you have registered - you may now login</a>.</p>
    </br><p><a href="login.php">Log In Page</a></p></br>
    <?php
    } else {
    ?>
    <form action="<?php echo $_SERVER['PHP_SELF']; /* note 6 */ ?>" method="post">
    <table border="0">
    <tr><td>Username:</td><td>
    <input type="text" name="username" maxlength="60">
    </td></tr>
    <tr><td>Password:</td><td>
    <input type="password" name="pass" maxlength="10">
    </td></tr>
    <tr><td>Confirm Password:</td><td>
    <input type="password" name="pass2" maxlength="10">
    </td></tr>
    <tr><th colspan=2><input type="submit" name="submit" value="Register"></th></tr>
    </table>
    </form>
    <?php
    }
    ?>
    </body>
    </html>

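Added example, not code from any poster in this thread: a database-free script that checks notes 3 and 4 and the column-type question on constructed values. The helper names, the sample username and password, and the 20-character column width are assumptions; `stored_value()` models MySQL's handling of a quoted literal only for quotes and backslashes.

```php
<?php
// Added example on constructed values; no database connection is needed.

// Model of what MySQL stores for a quoted literal containing only quotes and
// backslashes: one level of escaping is consumed (assumption for this demo).
function stored_value($escaped_literal)
{
    return stripslashes($escaped_literal);
}

// Note 3: md5() returns 32 hex characters, so escaping cannot change it.
function escaping_changes_hash($password)
{
    $hash = md5($password);
    return addslashes($hash) !== $hash;
}

// Note 4: a value escaped twice is stored with a literal backslash in it,
// so it no longer equals what the user typed.
function survives_escaping($value, $times)
{
    $literal = $value;
    for ($i = 0; $i < $times; $i++) {
        $literal = addslashes($literal);
    }
    return stored_value($literal) === $value;
}

// Column type question: a column narrower than the digest keeps only a prefix
// (non-strict MySQL truncates with a warning), so the login comparison fails.
function login_matches($password, $column_width)
{
    $stored = substr(md5($password), 0, $column_width);
    return md5($password) === $stored;
}

$password = "pa'ss";     // constructed sample
$username = "O'Brien";   // constructed sample

var_dump(escaping_changes_hash($password));   // does addslashes alter the digest?
var_dump(survives_escaping($username, 1));    // escaped once
var_dump(survives_escaping($username, 2));    // escaped twice, as in the posted code
var_dump(login_matches($password, 32));       // column wide enough for the digest
var_dump(login_matches($password, 20));       // hypothetical 20-character column
```

Running it alongside the echo-and-compare step suggested above shows which of the three effects applies to a given row.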