mbrooking Posted December 5, 2012 Share Posted December 5, 2012 Hi I'm not too sure if this is a PHP problem or a MySql problem, I presume its the PHP as I have no errors. So anyway I have a basic login form on a website I am creating. The website is connected to my database in PhpMyAdmin fine as I can register a new user fine. However the login is constantly saying that the password is incorrect. my login form is <form name="loginform" method="post" action="check-login.php" > <p><strong>Enter your login details and click 'login':</strong></p> <p>Username:<br /> <input type="text" name="username" size="20" value=""></p> <p>Password:<br /> <input type="password" name="password" size="20" value=""></p> <p><input type="submit" name="Submit" value=" Login >> "></p> </form> the check-login script is: <?php $user=$_POST["username"]; $pass=$_POST["password"]; include("dblogin.php"); $sql="SELECT * FROM login"; $result=mysql_query($sql); while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) { if($user==$row["username"]&&$pass==$row["password"]) { $_SESSION["userid"]=$row["id"]; $_SESSION["cost"]=0; $_SESSION["products"]=0; $_SESSION["order"]=""; header ('Location: teaprices.php'); } } if ($_SESSION["userid"]=="") { header ('Location: incorrect_login.php'); } ?> This is my table CREATE TABLE IF NOT EXISTS `login` ( `username` varchar(50) COLLATE latin1_general_ci NOT NULL DEFAULT '', `password` varchar(50) COLLATE latin1_general_ci NOT NULL DEFAULT '' ) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci; The login script was working perfectly fine before I created a registration form for the website. since that it has stopped working, there isn't any encryption for the password in the database so i know there isn't a problem for the part. Thank you in advance. Matt Quote Link to comment Share on other sites More sharing options...
mrMarcus Posted December 5, 2012 Share Posted December 5, 2012 You don't have an `id` field in your `login` table. So... $_SESSION["userid"]=$row["id"]; Is not populating $_SESSION['userid'] with anything. So... if ($_SESSION["userid"]=="") { header ('Location: incorrect_login.php'); } With always return true. Quote Link to comment Share on other sites More sharing options...
Christian F. Posted December 6, 2012 Share Posted December 6, 2012 What you really should be doing, is to delete the link to the tutorial you've been following. It's at least a decade out of date, and incorporates no security what so ever! This leaves you, and your users, open to attacks where an attacker would easily gain access to all passwords in clear text. If you're wondering about how that's so bad, think about this for a while: How many places are you using the same username/e-mail and password combination, and what else can a malicious person find from logging into your other sites and (not to mention) your e-mail account? That's why I strongly recommend that you read this article about secure login systems. It'll teach you how to create a proper and secure login system, and it also provides a premade class for you. So that you don't have to write it from scratch. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.