Jump to content

Login Help

Tenaciousmug

By Tenaciousmug
in PHP Coding Help

 Share

Recommended Posts

Tenaciousmug Regular Member

Tenaciousmug

Posted
Posted

Here is my code for the login script. Everything works perfectly, but everytime I enter everything CORRECTLY into the forum, it says "The username, ____, and password do not match!". When they do match.

If I leave the areas blank, they say "You must enter a username!" or "You must enter a password!".

All the error messages work good, but whenever I fill the form in correctly, it displays my first error message "The username, ____, and password do not match!".

Does anyone see what's wrong with it?

 

<?php
session_start();
include("config.php");

$username = $_POST['username'];
$usernamefinal = ucfirst(strtolower($username));
$password = $_POST['password'];

if (isset($_POST['submit']))
{
if(!empty($username))
{
	if (!empty($password))
	{
		$sql = "SELECT username FROM members WHERE username='$usernamefinal'";
		$result = mysqli_query($cxn, $sql) or die("Query died: username");
		$num = mysqli_num_rows($result);
		if ($num > 0)
		{
			$sql = "SELECT username, password FROM members WHERE username='$usernamefinal' AND password=md5('$password')";
			$result = mysqli_query($cxn, $sql) or die("Query died: username and password");
			$num = mysqli_num_rows($result);
			if ($num > 0)
			{
				$sql = "SELECT userid FROM members WHERE username='$usernamefinal'";
				$result = mysqli_query($cxn, $sql) or die("Query died: userid");
				$row = mysqli_fetch_array($result);
				$userid = $row['userid'];

				$_SESSION['auth'] = "yes";
				$_SESSION['username'] = $usernamefinal;
				$_SESSION['userid'] = $userid;
				$ipadd = $_SERVER['REMOTE_ADDR'];
				$sql2 = "INSERT INTO login (userid, username, logintime, ipadd) VALUES ('$userid', '$usernamefinal', NOW(), inet_aton('$ipadd'))";
				mysqli_query($cxn, $sql2) or die("Query died: login session");
				header("Location: news.php");
			}
			else
			{
				$error = "The username, $usernamefinal, and password do not match!";
			}
		}
		else
		{
			$error = "That username doesn't exist!";
		}
	}
	else
	{
		$error = "You must enter a password!";
	}
}
else
{
	$error = "You must enter a username!";
}
}
?>

<?php include("header.php"); ?>

<h1>Login Form</h1>
<?php echo $error; ?>
<form action="<?php echo $_SERVER['SCRIPT_NAME'] ?>" method="post">
	Username: <input type="text" name="username"><br>
	Password: <input type="password" name="password"><br>
	<input type="submit" name="submit" value="Login">
</form>

<?php include("footer.php"); ?>

Link to comment
Share on other sites
fugix Member

fugix

Posted
Posted

what i would do, is set up some debugging. I would set up a var_dump on the variables $usernamefinal and md5($password), then I would compare the results after you form has passed to what you have in your db fields

Link to comment
Share on other sites
Tenaciousmug Regular Member

Tenaciousmug

Posted
  • Author
Posted

Ah.

It's catching the username just fine, but it's adding 7 extra characters onto my password.

 

It's suppose to be this:

7da293f88d6e3bffc85a5e86e

 

And it's coming out like this:

7da293f88d6e3bffc85a5e86ee836fca

 

Do you have any clue why it is doing that?

Link to comment
Share on other sites
xyph Advanced Member

xyph

Posted
Posted

You realize you have the problem in your post?

 

You're storing only the first 25 characters of a 32 character hash, and wondering why it won't match up when you try to compare it later

 

Change your varchar(25) to varchar(32)

 

Or if you've already got a whackload of passwords stored, and you want the quick, dirty, wrong-but-work solution, simply check

 

if ( substr($post_hash,0,25) == $mysql_stored_pass )

Link to comment
Share on other sites
wildteen88 Regular Member

wildteen88

Posted
Posted

The problem is with your column. VARCHAR(25) is too small for an md5 hash. An md5 hash returns a 32 character random string. So you need to setup your password column to store at least 32 characters. Otherwise your code will always fail even if you do use the correct username/password combination.

 

Also I do not recommend you do this

			$sql = "SELECT username FROM members WHERE username='$usernamefinal'";
		$result = mysqli_query($cxn, $sql) or die("Query died: username");
		$num = mysqli_num_rows($result);
		if ($num > 0)
		{
			$sql = "SELECT username, password FROM members WHERE username='$usernamefinal' AND password=md5('$password')";
			$result = mysqli_query($cxn, $sql) or die("Query died: username and password");
			$num = mysqli_num_rows($result);
			if ($num > 0)
			{
				$sql = "SELECT userid FROM members WHERE username='$usernamefinal'";
				$result = mysqli_query($cxn, $sql) or die("Query died: userid");
				$row = mysqli_fetch_array($result);
				$userid = $row['userid'];

You should only have one query which checks the username/password. The first and last queries are not needed at all.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.