Login And Registration Help

[ianhaney]

Hi

 

Got couple of problems I need urgent help with

 

I need a urgent login and registration script that works, the current one I am using is no good for the following reasons

 

I register and stores the info in the database but when I go to login with the details I have just registered, it says the password is wrong so I check it and copy the password from the database into the login form and works, trouble is the password in the database is not the one I created, its generating a different password in the database, think its using all that md5 stuff to hide the password

 

so I need a login and registration form that actually logs in with the password I create in the registration form

 

My second problem is I need to display the username of the user logged in on a order confirmation page

 

Please help me, been trying for hours and the brain is going now and eyes are hurting from trying to figure it out

 

Thank you in advance

 

Kind regards

 

Ian

[Christian F.]

This article on secure login systems should give you everything you need.

[PFMaBiSmAd]

I need a urgent login and registration script that works

 

No, you need to troubleshoot why your code is not working and FIX it.

 

I can tell from the symptom that your login script is not applying any hash method to the entered password to match the hash method it applied in the registration script.

 

And, what code have you tried to get the username to display on a page?

Edited November 15, 2012 by PFMaBiSmAd
added quote

[ianhaney]

I am not 100% sure on how to fix it, hence need the help

 

I have tried using sessions but am not 100% sure on php so am prob doing it wrong somewhere

[White_Lily]

sessions only help if you can actually sign in in the first place lol. Plus if the password is hashed with md5() or any other method you should not just be able to copy and paste the password. This suggests that you don't fully understand what your script is doing, so start by searching particular functions in google and php.net, this should help you to understand the functions that your script is using.

 

Also, we cannot help you solve your coding problem unless you actually post the code that you are using or the code that is causing the problem (prefferable to post whole page of code since the problem may not lie within the error line specified.)

[ianhaney]

I can post the coding below, one sec and will post the coding

 

below is the coding the checks the login form

 

<?php session_start();
$_SESSION['user'] = $_POST['user'];
//connect to db
//insert validation of credentials here
//then, store user_id in session
session_start();
ob_start();
$host=""; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name
$tbl_name=""; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$userid = mysql_query("SELECT userid FROM users WHERE username='$_POST[username]'");
$_SESSION['userid']=$userid;

// Define $myusername and $mypassword
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:loginsuccess.html");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>

 

below is the coding that checks the registration form

 

<?php session_start();
//=============Configuring Server and Database=======
$host        =    '';
$user        =    '';
$password    =    '';
//=============Data Base Information=================
$database    =    '';

$conn        =    mysql_connect($host,$user,$password) or die('Server Information is not Correct'); //Establish Connection with Server
mysql_select_db($database,$conn) or die('Database Information is not correct');

//===============End Server Configuration============

//=============Starting Registration Script==========

$email    =    $_POST['email'];

$username    =    $_POST['txtUser'];

$password    =    $_POST['txtPassword'];

//=============To Encrypt Password===================
$password    =    md5($salt.$password);
//============New Variable of Password is Now with an Encrypted Value========

if(isset($_POST['btnRegister'])) //===When I will Set the Button to 1 or Press Button to register
{
$query    =    "insert into users(email,username,password)values('$email','$username','$password')";
$res    =    mysql_query($query);
header('location:registersuccess.html');
}

?>

<?php
$to = "$email";
$subject = "Registration Details";
$message = "Email: $email \n Username: $username \n Password: $password";
$from = "ianhaney@irhwebsites.co.uk";
$headers = "From: $from";
mail($to,$subject,$message,$headers);
echo "Mail Sent.";
?>

[White_Lily]

For starters your msql preventing methods (mysql_real_escape_string()) etc, are almost useless as on the very first query you run you are putting the raw value of input straight into mysql without any protection on it at all.

 

Assign all $_POST values a unique variable at the top of your validation, this will make your script easier to read and edit later on.

 

I also don't believe you posted the entire scripts as in the second section of code you specify $password = md5($salt, $password); when the $salt and $password variables dont seem to exist within that block of code.

[ianhaney]

That is all the coding, I copied it from Dreamweaver

[Pikachu2000]

That code is about 10 years out of date, just like the rest of the code on phpeasystep.com, where you got it. That site shouldn't be used as a valid learning tool.