Tenaciousmug Posted May 6, 2011

Here is my code for the login script. Everything works perfectly, but every time I enter everything CORRECTLY into the forum, it says "The username, ____, and password do not match!". When they do match. If I leave the areas blank, they say "You must enter a username!" or "You must enter a password!". All the error messages work good, but whenever I fill the form in correctly, it displays my first error message "The username, ____, and password do not match!". Does anyone see what's wrong with it?

```php
<?php
session_start();
include("config.php");
$username = $_POST['username'];
$usernamefinal = ucfirst(strtolower($username));
$password = $_POST['password'];

if (isset($_POST['submit']))
{
    if (!empty($username))
    {
        if (!empty($password))
        {
            $sql = "SELECT username FROM members WHERE username='$usernamefinal'";
            $result = mysqli_query($cxn, $sql) or die("Query died: username");
            $num = mysqli_num_rows($result);
            if ($num > 0)
            {
                $sql = "SELECT username, password FROM members WHERE username='$usernamefinal' AND password=md5('$password')";
                $result = mysqli_query($cxn, $sql) or die("Query died: username and password");
                $num = mysqli_num_rows($result);
                if ($num > 0)
                {
                    $sql = "SELECT userid FROM members WHERE username='$usernamefinal'";
                    $result = mysqli_query($cxn, $sql) or die("Query died: userid");
                    $row = mysqli_fetch_array($result);
                    $userid = $row['userid'];
                    $_SESSION['auth'] = "yes";
                    $_SESSION['username'] = $usernamefinal;
                    $_SESSION['userid'] = $userid;
                    $ipadd = $_SERVER['REMOTE_ADDR'];
                    $sql2 = "INSERT INTO login (userid, username, logintime, ipadd) VALUES ('$userid', '$usernamefinal', NOW(), inet_aton('$ipadd'))";
                    mysqli_query($cxn, $sql2) or die("Query died: login session");
                    header("Location: news.php");
                }
                else
                {
                    $error = "The username, $usernamefinal, and password do not match!";
                }
            }
            else
            {
                $error = "That username doesn't exist!";
            }
        }
        else
        {
            $error = "You must enter a password!";
        }
    }
    else
    {
        $error = "You must enter a username!";
    }
}
?>
<?php include("header.php"); ?>
<h1>Login Form</h1>
<?php echo $error; ?>
<form action="<?php echo $_SERVER['SCRIPT_NAME'] ?>" method="post">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" name="submit" value="Login">
</form>
<?php include("footer.php"); ?>
```

fugix Posted May 6, 2011

What I would do is set up some debugging. I would set up a var_dump on the variables $usernamefinal and md5($password), then I would compare the results after your form has passed to what you have in your db fields.

Tenaciousmug (Author) Posted May 6, 2011

Ah. It's catching the username just fine, but it's adding 7 extra characters onto my password.

It's supposed to be this: 7da293f88d6e3bffc85a5e86e

And it's coming out like this: 7da293f88d6e3bffc85a5e86ee836fca

Do you have any clue why it is doing that?

xyph Posted May 6, 2011

It's possible you're not allowing enough characters to be stored in your varchar SQL column. A varchar(5) column will crop 'abcedfghi' to 'abcde'.

Tenaciousmug (Author) Posted May 6, 2011

I have it set as VARCHAR(25). But it's posting 32 characters. I have no clue why. I got this login thing to work a long time ago when I was first coding PHP.

xyph Posted May 6, 2011

You realize you have the problem in your post? You're storing only the first 25 characters of a 32 character hash, and wondering why it won't match up when you try to compare it later.

Change your varchar(25) to varchar(32).

Or if you've already got a whackload of passwords stored, and you want the quick, dirty, wrong-but-work solution, simply check

```php
if ( substr($post_hash,0,25) == $mysql_stored_pass )
```

wildteen88 Posted May 6, 2011

The problem is with your column. VARCHAR(25) is too small for an md5 hash. An md5 hash returns a 32 character random string. So you need to set up your password column to store at least 32 characters. Otherwise your code will always fail even if you do use the correct username/password combination.

Also I do not recommend you do this:

```php
$sql = "SELECT username FROM members WHERE username='$usernamefinal'";
$result = mysqli_query($cxn, $sql) or die("Query died: username");
$num = mysqli_num_rows($result);
if ($num > 0)
{
    $sql = "SELECT username, password FROM members WHERE username='$usernamefinal' AND password=md5('$password')";
    $result = mysqli_query($cxn, $sql) or die("Query died: username and password");
    $num = mysqli_num_rows($result);
    if ($num > 0)
    {
        $sql = "SELECT userid FROM members WHERE username='$usernamefinal'";
        $result = mysqli_query($cxn, $sql) or die("Query died: userid");
        $row = mysqli_fetch_array($result);
        $userid = $row['userid'];
```

You should only have one query which checks the username/password. The first and last queries are not needed at all.

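The two fixes from the replies above (a password column wide enough for the whole hash, and a single query), as an added example that is not code from the thread. It assumes PDO with in-memory SQLite in place of the thread's mysqli/MySQL connection so that it runs offline, and it goes beyond the replies by using a parameterized query and by upgrading intact md5 rows to password_hash() on a successful login; `addMember` and `login` are hypothetical names and the sample users are constructed.

```php
<?php
declare(strict_types=1);

// Added example: in-memory SQLite stands in for the thread's MySQL database
// (assumption, so it runs offline); table and column names follow the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// bcrypt output from password_hash() is 60 chars and may grow: allow 255.
$db->exec('CREATE TABLE members (userid INTEGER PRIMARY KEY,
    username VARCHAR(50) UNIQUE, password VARCHAR(255))');

function addMember(PDO $db, string $username, string $storedHash): void
{
    $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)')
       ->execute([$username, $storedHash]);
}

// One parameterized query fetches the row; the comparison happens in PHP.
// Returns the userid on success and null on any failure.
function login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT userid, password FROM members WHERE username = ?');
    $stmt->execute([ucfirst(strtolower($username))]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $stored = (string) $row['password'];
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Intact legacy md5 row: verify once, then upgrade the stored hash.
        if (!hash_equals($stored, md5($password))) {
            return null;
        }
        $db->prepare('UPDATE members SET password = ? WHERE userid = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['userid']]);
        return (int) $row['userid'];
    }
    // A truncated md5 (25 hex chars) is not a password_hash() string, so this
    // returns false rather than matching on a prefix; that user must reset.
    return password_verify($password, $stored) ? (int) $row['userid'] : null;
}

// Constructed sample users: intact md5, md5 cut by VARCHAR(25), password_hash().
addMember($db, 'Alice', md5('correct horse'));
addMember($db, 'Bob', substr(md5('hunter2!'), 0, 25));
addMember($db, 'Carol', password_hash('s3cret', PASSWORD_DEFAULT));

var_dump(login($db, 'alice', 'correct horse'), login($db, 'bob', 'hunter2!'),
    login($db, 'carol', 's3cret'), login($db, 'carol', 'wrong'));
```

On MySQL, the silent cut to 25 characters seen in the thread happens only when strict SQL mode is off; with strict mode enabled the INSERT fails with a data-too-long error instead.
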
Tenaciousmug (Author) Posted May 6, 2011

Oh I had no clue when you used md5, 25 characters was too short. Thank you so much guys. <3