Advanced login validation help

[enlighten]

Hi Guys, just been writing this script up but for some reason the validation is messing up creating account, apparently nothing is valid that i put in

 

Any ideas?

 

the .phps are below and the .inc ar all below.

 

Also when i try to log in with an existing user it says i cant because the username or password is incorrect which is isn't.

 

Any help will be much appreciated.

 

Enlighten

 

 

 

 

<?php
/* File: login_reg_form.inc
* Desc: Contains the code for a web page that displays two html forms, side by side. One is a login form, and the second is a registration form.
*/

include("functions.inc");
?>

<head><title>Customer Login page</title>
    <style type='text/css'>
        <!--
        label {
            font-weight: bold;
            float: left;
            width: 27%;
            margin-right: .5em;
            text-align: right;
        }
        legend {
            font-weight: bold;
            font-size: 1.2em;
            margin-bottom: .5em;
        }
        #wrapper {
            margin: 0;
            padding: 0;
        }
        #login {
            position: absolute;
            left: 0;
            width: 40%;
            padding: 1em 0;
        }
        #reg {
            position: absolute;
            left: 40%;
            width: 60%;
            padding: 1em 0;
        }
        #field {
            padding-bottom: .5em;
        }
        .errors {
            font-weight: bold;
            font-style: italic;
            font-size: 90%
            color: red;
            margin-top: 0;
        }
        -->
    </style>
</head>
<body style="margin: 0">
    <?php
    $fields_1 =     array("fusername" => "User Name",
                          "fpassword" => "Password");
    $fields_2 =     array("user_name"   => "User Name",
                          "password"   => "Password",
                          "email"   => "Email",
                          "first_name"   => "First Name",
                          "last_name"   => "Last Name",
                          "street"   => "Street",
                          "city"   => "City",
                          "county"   => "County",
                          "post_code"   => "Post Code",
                          "phone"   => "Phone",
                          "fax"   => "Fax");
    ?>
    
    <div id="wrapper">
        <div id="login">
            <form action=<?php echo $_SERVER['PHP_SELF']?> method="POST">
                <fieldset style='border: 2px solid #000000'>
                    <legend>Login Form</legend>
    <?php
            if (isset($message_1))
            {
                echo "<p class='errors'>$message_1</p>\n";
            }
            foreach ($fields_1 as $field => $value)
            {
                if(preg_match("/pass/i", $field))
                    $type = "password";
                else
                    $type = "text";
                echo "<div id ='field'>
                    <label for='$field'>$value</label>
                    <input id='$field' name='$field' type= '$type' value='".@$$field."' size='20' maxlength='50' />
                    </div>\n";
            }
        ?>
        
                <input type="submit" name="Button"
                    style='margin-left: 45%; margin-bottom: .5em' value="Login" />
                </fieldset>
            </form>
            <p style='text-align: center; margin: 1em'>
                If you already have an account, log in.</p>
            <p style='text-align: center; margin: 1em'>
                If you do not have an account, register now.</p>
        </div>
        <div id='reg'>
            <form action=<?php echo $_SERVER['PHP_SELF']?> method="POST">
                <fieldset style='border: 2px solid #000000'>
                    <legend>Registration form</legend>
    <?php
            if(isset($message_2))
            {
                echo "<p class='errors'>$message_2</p>\n";
            }
            foreach($fields_2 as $field => $value)
            {
                    if (preg_match("/pass/i", $field))
                        $type="password";
                    else
                        $type="text";
                    echo "<div id='field'>
                        <label for='$field'>$value</label>
                        <input id='$field' name='$field' type='$type' value='".@$$field."' size='40' maxlength='65' />
                        </div>\n";
            } // end foreach field
    ?>
            <input type="submit" name="Button"
                style='margin-left: 45%; margin-bottom: .5em' value="Register">
                </fieldset>
            </form>
        </div>
    </div>
</body></html>

17238_.php

17239_.php

17240_.php

[Psycho]

I think you are not going to find anyone to read through all of your code to try and find errors. If you wrote this code you should be able to narrow the problem down to a specific section of code. You need to provide what input you are providing, the expected output and the actual output (along with any error messages).

 

If you are getting a message that the username/password are incorrect when attempting to log in then you simply need to look at the conditions you are using. I would assume you are doing a query to find a matching record based upon the username and the hashed password. Therefor I would start by echoing the query to the page to make sure it looks valid (it could be as simple as a variable typo). Then try to run it through PHPMyAdmin. If that all checks out then look at the logic that follows that DB query.

[Psycho]

OK, I just looked at your login script and it really needs some work:

    case "Login":
        include("dbstuff.inc.php");
        $cxn = mysqli_connect($host,$user,$password,$database)
            or die ("Query died: connect");
        $sql = "SELECT user_name FROM Customer
            WHERE user_name = '$_POST[fusername]'";
        $result = mysqli_query($cxn,$sql)
            or die ("Query died: fuser_name");
        $num = mysqli_num_rows($result);
        
        if ( $num > 0 )
        {
            $sql = "SELECT user_name FROM Customer
                WHERE user_name = '$_POST[fusername]'
                AND password = md5 ('$_POST[fpassword]')";
            $result2 = mysqli_query($cxn,$sql)
                or die ("Query died: fpassword");
            $num2 = mysqli_num_rows($result2);
            
            if ( $num2 > 0) //password matches
            {
                $_SESSION['auth'] = "yes";
                $_SESSION['logname'] = $_POST ['fusername'];
                header (" Location: SecretPage.php");
            }
            else //password does not match
            {
                $message_1="The Login Name, '$_POST[fusername]'
                exists, but you have not entered the correct passowrd! Please try again.";
                $fusername = strip_tags(trim($_POST[fusername]));
                include ("form_login_reg.inc") ;
            } // end if $num > 0
        elseif ($num == 0) //login name not found
        {
            $message_1 = "The User Name that you entered does not exist! Please try agian.";
            include("form_login_reg.inc");
        }
        break;

 

1. You do NOT need to be doing two queries. You have one query to get records matching the username and then another for those matching the username and password. That's not necessary. If you wanted to do the two different checks then just do one query to get the password of those record with the selected username. If there are 0 records returned you know the username doesn't exist. Then you could use the result of that query to check the password. But, that is a poor implementation. You should just tell the user that you were unable to validate their information. You should not give any information about "why" the validation failed (username vs. password). That give malicious users more information to try and infiltrate your application.

 

2. You are doing absolutely NO sanitizing of the user input and are wide open to SQL Injection!

3. Do not use yes/no for variables. For Booleans you should be using the logical True/False or 1/0

 

Give the code below a try for your login section. If login fails you should get the query on the page (for debugging only). Then check what values are in the database to see if the results are correct or not.

 

However, I think I see your problem. In your code to INSERT the user record you are using the variable $password [with an MD5() hash]. However, that is the same password variable that you are using to connect to the database. It looks like you are converting the POST data into variables using the same name as the index

    foreach ($_POST as $field => $value)
    {
        $$field = strip_tags(trim($value));   
    }

 

That is a BAD idea as this problem illustrates. User could potentially submit additional fields which could have the same names of other variables in your script to cause any number of problems. Looking at this specific example, if you did have a field called 'password' in the form, then the database connection line would fail because you are defining those variables before you connect to the database. If the db connection succeeds then you don't have a 'password' field in your form (at least not with that exact name).

 

 

Sample, improved script for login process

    case "Login":
        include("dbstuff.inc.php");
        $cxn = mysqli_connect($host,$user,$password,$database)
            or die ("Query died: connect");
        $uname = mysql_real_escape_string(trim($_POST['fusername']));
        $pword =md5($_POST['fpassword']);

        $sql = "SELECT user_name FROM Customer
                WHERE user_name = '$uname' AND password = '$pword'";
        $result = mysqli_query($cxn,$sql)
            or die ("Query died: fuser_name");
        $num = mysqli_num_rows($result);
        
        if (!mysqli_num_rows($result))
        {
            $message_1 = "Unable to authenticate username/password! Please try again.";
            ##THIS LINE FOR DEBUGGING ONLY
            $message_1 .= "<br>Query: {$sql}";
            $fusername = strip_tags(trim($_POST[fusername]));
            include ("form_login_reg.inc") ;
        }
        else
        {
            $_SESSION['auth'] = "yes";
            $_SESSION['logname'] = $_POST ['fusername'];
            header (" Location: SecretPage.php");
        }
        break;

[PFMaBiSmAd]

In your previous thread on this subject, you removed the md5() hashing because your password field was not long enough to hold an md5 value and the test password you have stored was in plain test anyway. Have you correct these things, because until you do, code that uses a md5 value of the entered password won't ever match anything?