Jump to content

Recommended Posts

Here is my code for the login script. Everything works perfectly, but everytime I enter everything CORRECTLY into the forum, it says "The username, ____, and password do not match!". When they do match.

If I leave the areas blank, they say "You must enter a username!" or "You must enter a password!".

All the error messages work good, but whenever I fill the form in correctly, it displays my first error message "The username, ____, and password do not match!".

Does anyone see what's wrong with it?

 

<?php
session_start();
include("config.php");

$username = $_POST['username'];
$usernamefinal = ucfirst(strtolower($username));
$password = $_POST['password'];

if (isset($_POST['submit']))
{
if(!empty($username))
{
	if (!empty($password))
	{
		$sql = "SELECT username FROM members WHERE username='$usernamefinal'";
		$result = mysqli_query($cxn, $sql) or die("Query died: username");
		$num = mysqli_num_rows($result);
		if ($num > 0)
		{
			$sql = "SELECT username, password FROM members WHERE username='$usernamefinal' AND password=md5('$password')";
			$result = mysqli_query($cxn, $sql) or die("Query died: username and password");
			$num = mysqli_num_rows($result);
			if ($num > 0)
			{
				$sql = "SELECT userid FROM members WHERE username='$usernamefinal'";
				$result = mysqli_query($cxn, $sql) or die("Query died: userid");
				$row = mysqli_fetch_array($result);
				$userid = $row['userid'];

				$_SESSION['auth'] = "yes";
				$_SESSION['username'] = $usernamefinal;
				$_SESSION['userid'] = $userid;
				$ipadd = $_SERVER['REMOTE_ADDR'];
				$sql2 = "INSERT INTO login (userid, username, logintime, ipadd) VALUES ('$userid', '$usernamefinal', NOW(), inet_aton('$ipadd'))";
				mysqli_query($cxn, $sql2) or die("Query died: login session");
				header("Location: news.php");
			}
			else
			{
				$error = "The username, $usernamefinal, and password do not match!";
			}
		}
		else
		{
			$error = "That username doesn't exist!";
		}
	}
	else
	{
		$error = "You must enter a password!";
	}
}
else
{
	$error = "You must enter a username!";
}
}
?>

<?php include("header.php"); ?>

<h1>Login Form</h1>
<?php echo $error; ?>
<form action="<?php echo $_SERVER['SCRIPT_NAME'] ?>" method="post">
	Username: <input type="text" name="username"><br>
	Password: <input type="password" name="password"><br>
	<input type="submit" name="submit" value="Login">
</form>

<?php include("footer.php"); ?>

Link to comment
https://forums.phpfreaks.com/topic/235717-login-help/
Share on other sites

You realize you have the problem in your post?

 

You're storing only the first 25 characters of a 32 character hash, and wondering why it won't match up when you try to compare it later

 

Change your varchar(25) to varchar(32)

 

Or if you've already got a whackload of passwords stored, and you want the quick, dirty, wrong-but-work solution, simply check

 

if ( substr($post_hash,0,25) == $mysql_stored_pass )

Link to comment
https://forums.phpfreaks.com/topic/235717-login-help/#findComment-1211632
Share on other sites

The problem is with your column. VARCHAR(25) is too small for an md5 hash. An md5 hash returns a 32 character random string. So you need to setup your password column to store at least 32 characters. Otherwise your code will always fail even if you do use the correct username/password combination.

 

Also I do not recommend you do this

			$sql = "SELECT username FROM members WHERE username='$usernamefinal'";
		$result = mysqli_query($cxn, $sql) or die("Query died: username");
		$num = mysqli_num_rows($result);
		if ($num > 0)
		{
			$sql = "SELECT username, password FROM members WHERE username='$usernamefinal' AND password=md5('$password')";
			$result = mysqli_query($cxn, $sql) or die("Query died: username and password");
			$num = mysqli_num_rows($result);
			if ($num > 0)
			{
				$sql = "SELECT userid FROM members WHERE username='$usernamefinal'";
				$result = mysqli_query($cxn, $sql) or die("Query died: userid");
				$row = mysqli_fetch_array($result);
				$userid = $row['userid'];

You should only have one query which checks the username/password. The first and last queries are not needed at all.

Link to comment
https://forums.phpfreaks.com/topic/235717-login-help/#findComment-1211636
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.