
md5 is a way to encrypt the string so if someone gains access to your db they can't necessarily steal all your account details...

double md5 would only occur if you have done something like this: md5(md5($password))

your problem appears to be in the register.php, because it doesn't seem to be encrypting correctly.

also the db field needs to be 32 length

seany,

Would this though ultimately cause the page to continually redisplay the login regardless of correct / incorrect credentials?

-SB

 

 

actually no,

 

if (mysql_num_rows($result) != 1) {
    $error = "Bad Login";
    include "login.html";
}

 

should actually pick this up, however you still need to sort your md5($password) problem

 

you could try

 

if (mysql_num_rows($result) < 1) {
    $error = "Bad Login";
    include "login.html";
}

 

however it's essentially doing the same thing..

 

 

just out of curiosity, what's $error doing?

seany,

how do I use $error? I'm assuming I insert it into the script but where?

-SB

 

you already have it in your script:

 

$error = "Bad Login";

and I was just wondering what you're doing with it...

 

try echoing

echo $_POST['password'];

if that comes out correct (without the md5 encryption), you need to post the script that registers users into the db.

it is echoing what I type into the form...

-SB

 

okay well, echo out the $password again and go into phpmyadmin and copy that as your password...

then try again and see if it works...

however there isn't anything we can do for you to fix this from happening again, until you can provide us with the register.php etc file.

here is the register script.....

registration.html

<form name="login" method="post" action="registration.php">
<table border="0" width="225" align="center">
    <tr>
        <td width="219" bgcolor="#999999">
            <p align="center"><font color="white"><span style="font-size:12pt;"><b>Registration</b></span></font></p>
        </td>
    </tr>
    <tr>
        <td width="219">
            <table border="0" width="282" align="center">
                    <tr>
                        <td width="116"><span style="font-size:10pt;">Name:</span></td>
                        <td width="156"><input type="text" name="name" maxlength="100"></td>
                    </tr>
                    <tr>
                        <td width="116"><span style="font-size:10pt;">Email:</span></td>
                        <td width="156"><input type="text" name="email" maxlength="100"></td>
                    </tr>
                <tr>
                    <td width="116"><span style="font-size:10pt;">Username:</span></td>
                    <td width="156"><input type="text" name="username"></td>
                </tr>
                <tr>
                    <td width="116"><span style="font-size:10pt;">Password:</span></td>
                    <td width="156"><input type="password" name="password"></td>
                </tr>
                <tr>
                    <td width="116"> </td>
                        <td width="156">
                            <p align="right"><input type="submit" name="submit" value="Submit"></p>
                        </td>
                </tr>
            </table>
        </td>
    </tr>
    <tr>
        <td width="219" bgcolor="#999999"> </td>
    </tr>
</table>
</form>

 

registration.php

 

<?PHP

//Database Information

$dbhost = "localhost";
$dbname = "dbname";
$dbuser = "mysqluname";
$dbpass = "mysqlpassword";

//Connect to database

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

    
$name = $_POST['name'];
$email = $_POST['email'];    
$username = $_POST['username'];
$password = md5($_POST['password']);

// lets check to see if the username already exists

$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'"); 

$username_exist = mysql_num_rows($checkuser);

if($username_exist > 0){
    echo "I'm sorry but the username you specified has already been taken.  Please pick another one.";
    unset($username);
    include '../register.html';
    exit();
} 

// If no errors present with the username
// use a query to insert the data into the database.

$query = "INSERT INTO users (name, email, username, password)
VALUES('$name', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error());
mysql_close();

echo "You have successfully Registered";
    
// mail user their information

$yoursite = 'www.abcdefg.com';
$webmaster = 'Sdot';
$youremail = 'emailaddress@yahoo.ca';
    
$subject = "You have successfully registered at $yoursite...";
$message = "Dear $name, you are now registered at our web site.  
    To login, simply go to our web page and enter in the following details in the login form:
    Username: $username
    Password: $password
    
    Please print this information out and store it for future reference.
    
    Thanks,
    $webmaster";
    
mail($email, $subject, $message, "From: $yoursite <$youremail>\nX-Mailer:PHP/" . phpversion());
    
echo "Your information has been mailed to your email address.";

?>

 

-SB
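
For comparison with registration.php above, a hardened form of the same register and login steps: bound parameters instead of `$_POST` values interpolated into the SQL, and `password_hash()`/`password_verify()` instead of `md5()`. This is an added example, not code from the thread; it assumes the pdo_sqlite extension, and the in-memory table, function names and sample values are constructed so that it runs stand-alone.

```php
<?php
// Added example: hardened register/login. Column names follow the thread's
// users table; the in-memory SQLite database and sample values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output is longer than an md5 digest; the PHP manual
// recommends a 255-character column so future algorithms still fit.
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT,
            username VARCHAR(64) UNIQUE, password VARCHAR(255))');

function register_user(PDO $pdo, string $name, string $email,
                       string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text entirely.
    $check = $pdo->prepare('SELECT 1 FROM users WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return false; // username already taken
    }
    // Salted, deliberately slow hash; the plaintext is never stored or mailed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $insert = $pdo->prepare(
        'INSERT INTO users (name, email, username, password) VALUES (?, ?, ?, ?)'
    );
    return $insert->execute([$name, $email, $username, $hash]);
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // password_verify() reads the salt and cost from the stored hash itself.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample values; a quote in the username is handled as plain data.
var_dump(register_user($pdo, "Pat O'Brien", 'pat@example.com', "o'brien", 'correct horse'));
var_dump(register_user($pdo, 'Someone Else', 'x@example.com', "o'brien", 'other'));
var_dump(check_login($pdo, "o'brien", 'correct horse'));
var_dump(check_login($pdo, "o'brien", 'wrong guess'));
```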

There's nothing in there that stands out as an obvious cause of this problem. One theory is that there was possibly leading or trailing whitespace in the field with the password when you registered the particular user, and now when you enter the password as you think it should be, the hash values are different because the whitespace isn't present. If you want help testing that theory say so, or you can create another user, making sure you enter the password correctly and see if the login script works with the freshly created user.

 

In any case, in the future you may consider using trim() on the values coming in from the form, both when registering and when logging in.
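
The theories raised in this thread (stray whitespace in the submitted password, a password column shorter than the 32 characters an md5() hex digest needs, and md5(md5($password))) can be told apart by comparing the stored value against a few candidate hashes. This is an added example, not code from the thread; the function name and sample values are constructed.

```php
<?php
// Added diagnostic sketch: explain why a stored md5() value does not match
// the md5() of the password typed at login. Names and samples are constructed.

function diagnose_md5_mismatch(string $typed, string $stored): string
{
    $clean = md5(trim($typed));

    if (hash_equals($stored, md5($typed))) {
        return 'match';
    }
    if (hash_equals($stored, $clean)) {
        return 'login input has leading/trailing whitespace';
    }
    // A column narrower than 32 chars keeps only a prefix of the digest
    // (MySQL truncates silently when strict SQL mode is off).
    $len = strlen($stored);
    if ($len > 0 && $len < 32 && strncmp($clean, $stored, $len) === 0) {
        return "stored hash truncated to $len chars (column too short)";
    }
    // Whitespace typed at registration time was hashed into the stored value.
    foreach ([" ", "\t", "\n", "\r\n"] as $ws) {
        foreach ([$ws . trim($typed), trim($typed) . $ws] as $candidate) {
            if (hash_equals($stored, md5($candidate))) {
                return 'stored hash was computed from a whitespace-padded password';
            }
        }
    }
    if (hash_equals($stored, md5($clean))) {
        return 'stored value is md5(md5(password))';
    }
    return 'stored hash belongs to a different password';
}

// Constructed sample values, one per theory.
$password = 'hunter2';
echo diagnose_md5_mismatch('hunter2 ', md5($password)), "\n";
echo diagnose_md5_mismatch($password, substr(md5($password), 0, 20)), "\n";
echo diagnose_md5_mismatch($password, md5($password . "\n")), "\n";
echo diagnose_md5_mismatch($password, md5(md5($password))), "\n";
echo diagnose_md5_mismatch($password, md5('something else')), "\n";
```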

This code:

$username_exist = mysql_num_rows($checkuser);
if($username_exist > 0){
    echo "I'm sorry but the username you specified has already been taken.  Please pick another one.";
    unset($username);
    include '../register.html';
    exit();
}

should be:

if(mysql_num_rows($checkuser) > 0){
    echo "I'm sorry but the username you specified has already been taken.  Please pick another one.";
    header('Location: register.html');
    exit();
}

Edwin, thank you for your input surrounding the security issues that arise from SQL injection but at this point I just want to get the login script to run. I will ramp up the security afterward as I presume I can do.

That block of code that you posted... is that to fix the security issue or the refresh issue? I just don't want to add anything at this point that may further complicate the troubleshooting process.

-SB

PS. Anyone feel free to chime in should you be so inclined. lol

The code he posted has nothing to do with how your script works and in fact the second code doesn't work because you cannot echo anything before a header() statement (well you can, but either it will cause a header error or it will not be seen because it gets discarded when the output buffer gets discarded, assuming that output buffering is on.)

I suggest that you review the replies in this thread. You are apparently missing seeing some of them. The last post by Pikachu2000 (reply #37) sums up the current problem as I understand it (the md5() value you echoed of the password you entered to log in doesn't match the md5() value stored in the database table from the registration process?)

 

All indications are that the md5 value stored in the table is incorrect and needs to be re-done (for all I know it is from a different password that you used in earlier testing.)

As it's written, no it would not. The following code is what executes when there are no matching records found, and there is nothing in there to echo the $error variable. All that happens is the login form is displayed again, which matches what you say happens; the page "refreshes". Aside from that, you already told us the password in the DB doesn't match what echoes from the script.

 

if (mysql_num_rows($result) != 1) {
    $error = "Bad Login";
    include "login.html";
} else {

Edit: Basically says the same as above (I even had, but removed, mentioning that the information about the db md5 value vs the echoed md5 log in value, that we are basing this discussion on, is information from the OP.)

 

would it not echo that such an error has occurred...?

 

What is this IT that would be automatically doing that? Computers only do exactly what their code tells them to do and your log in script only redisplays the login form when the username/password combination is not found in the database table. Except for the "Bad Login" message, which your log in form apparently doesn't use, there is no code in your script to echo anything when the log in is not successful.

Right, there's nothing wrong with this at all. It works how you ask it to.

 

I've just copied your files and tested them, and it works 100%.

 

Check your 'memberspage.php' for any redirection to 'login.html'/'login.php'.

Hey Andy, thank you for taking the time to test the script yourself.

I don't know why but for some reason I thought that the "Bad Login" was a message that would display should the incorrect credentials be entered. OK! SO! Now how do I rectify the issue of the password not being matched? I have posted the registration pages above. I read the one post about blank white space. Would this have been blank space in the form in the browser or blank white space inserted somewhere into the script?

-SB
