Drumlegend Posted February 11, 2013 (edited)

I have been working on an application for a university project and I have somehow managed to break my code and I have no idea what I have done to break it. I have created a registration and log in script which used to work but I can no longer login with the registered details. I could really use some help on this so I don't spend hours ripping my hair out. I have attached an image of my user database.

Code for registration

```php
<?php
include 'PasswordHash.php';

$sql = new mysqli('localhost', '****', '****', '****');

// Create an array to catch any errors in the registration form.
$errors = array();

/**
 * Make sure the form has been submitted before trying to process it. This is
 * the single most common cause of 'undefined index' notices.
 */
if (!empty($_POST)) {
    // First check that required fields have been filled in.
    if (empty($_POST['username'])) {
        $errors['username'] = "Username cannot be empty.";
    }

    // Restrict usernames to alphanumeric plus space, dot, dash, and underscore.
    /*
    if (preg_match('/[^a-zA-Z0-9 .-_]/', $_POST['username'])) {
        $errors['username'] = "Username contains illegal characters.";
    }
    */

    if (empty($_POST['firstname'])) {
        $errors['firstname'] = "First Name cannot be empty.";
    }

    if (empty($_POST['surname'])) {
        $errors['surname'] = "Surname cannot be empty.";
    }

    if (empty($_POST['password'])) {
        $errors['password'] = "Password cannot be empty.";
    }

    if (strlen($_POST['password']) < 8) {
        $errors['password'] = "Password must be at least 8 characters.";
    }

    // Force passwords to contain at least one number and one special character.
    /*
    if (!preg_match('/[0-9]/', $_POST['password'])) {
        $errors['password'] = "Password must contain at least one number.";
    }
    if (!preg_match('/[\W]/', $_POST['password'])) {
        $errors['password'] = "Password must contain at least one special character.";
    }
    */

    if (empty($_POST['password_confirm'])) {
        $errors['password_confirm'] = "Please confirm password.";
    }

    if ($_POST['password'] != $_POST['password_confirm']) {
        $errors['password'] = "Passwords do not match.";
    }

    $email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
    if (!$email) {
        $errors['email'] = "Not a valid email address.";
    }

    /**
     * Escape the data we're going to use in our query. Never trust user input.
     */
    $username     = $sql->real_escape_string($_POST['username']);
    $email        = $sql->real_escape_string($email);
    $firstname    = $sql->real_escape_string($_POST['firstname']);
    $surname      = $sql->real_escape_string($_POST['surname']);
    $addressline1 = $sql->real_escape_string($_POST['addressline1']);
    $addressline2 = $sql->real_escape_string($_POST['addressline2']);
    $city         = $sql->real_escape_string($_POST['city']);
    $county       = $sql->real_escape_string($_POST['county']);
    $postcode     = $sql->real_escape_string($_POST['postcode']);

    /**
     * Check that the username and email aren't already in our database.
     *
     * Note also the absence of SELECT *
     */
    $query = "SELECT username, email
              FROM users
              WHERE username = '{$username}' OR email = '{$email}'";
    $result = $sql->query($query);

    /**
     * There may well be more than one point of failure, but all we really need
     * is the first one.
     */
    $existing = $result->fetch_object();

    if ($existing) {
        if ($existing->username == $_POST['username']) {
            $errors['username'] = "That username is already in use.";
        }
        if ($existing->email == $email) {
            $errors['email'] = "That email address is already in use.";
        }
    }
}

if (!empty($_POST) && empty($errors)) {
    /**
     * Hash password before storing in database
     */
    $hasher = new PasswordHash(8, FALSE);
    $password = $hasher->HashPassword($_POST['password']);

    $query = "INSERT INTO users (firstname, surname, username, email, password, addressline1, addressline2, city, county, postcode, created)
              VALUES ('{$firstname}','{$surname}','{$username}','{$email}', '{$password}','{$addressline1}','{$addressline2}','{$city}','{$county}','{$postcode}', NOW())";
    $success = $sql->query($query);

    if ($success) {
        $message = "Account created.";
    } else {
        $errors['registration'] = "Account could not be created. Please try again later.";
    }
}
?>
```

Login Code

```php
<?php
session_start();

// If the user is already logged in then redirect them to homepage
if (isset($_SESSION['user_id'])) {
    exit();
}

include 'PasswordHash.php';

$sql = new mysqli('localhost', '****', '****', '****');
$hasher = new PasswordHash(8, FALSE);

if (!empty($_POST)) {
    // Again, never trust user input!
    $user = $sql->real_escape_string($_POST['username']);

    $query = "SELECT id, password, username, UNIX_TIMESTAMP(created) AS salt
              FROM users
              WHERE username = '{$username}'";
    $user = $sql->query($query)->fetch_object();

    /**
     * Check that the query returned a result (otherwise user doesn't exist)
     * and that provided password is correct.
     */
    // CheckPassword() returns a boolean, so it is used directly as the condition.
    if ($user && $hasher->CheckPassword($_POST['password'], $user->password)) {
        /**
         * Set cookies here if/as needed.
         * Set session data as needed. DO NOT store user's password in
         * cookies or sessions!
         * Redirect the user if/as required.
         */
        session_regenerate_id();
        $_SESSION['user_id'] = $user->id;
        $_SESSION['username'] = $user->username;
        $_SESSION['authenticated'] = TRUE;
        $_SESSION['signature'] = md5($user->id . $_SERVER['HTTP_USER_AGENT'] . $user->salt);
        header('Location:../login.php');
    }
    /**
     * Don't provide specific details as to whether username or password was
     * incorrect. If an attacker knows they've found a valid username, you've
     * just made their life easier.
     */
    else {
        $error = "Login failed.";
    }
}
?>
```

Thank you in advance and I'm sorry for the amount of code. Some of the code I used was from tutorials, as I am new to PHP.

Edited February 11, 2013 by Drumlegend

requinix Posted February 11, 2013

```php
// Again, never trust user input!
$user = $sql->real_escape_string($_POST['username']);

$query = "SELECT id, password, username, UNIX_TIMESTAMP(created) AS salt
          FROM users
          WHERE username = '{$username}'";
```

Variable mismatch.

Drumlegend Posted February 12, 2013 (Author)

> ```php
> // Again, never trust user input!
> $user = $sql->real_escape_string($_POST['username']);
>
> $query = "SELECT id, password, username, UNIX_TIMESTAMP(created) AS salt
>           FROM users
>           WHERE username = '{$username}'";
> ```
>
> Variable mismatch.

So what do I need to change, I am confused.

Drumlegend Posted February 12, 2013 (Author)

I see the mistake I made now, thank you. Needed to change $user to $username.

jazzman1 Posted February 12, 2013

> So what do I need to change, I am confused.

```php
// Again, never trust user input!
$user = $sql->real_escape_string($_POST['username']);

$query = "SELECT id, password, username, UNIX_TIMESTAMP(created) AS salt
          FROM users
          WHERE username = '{$user}'";
```
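
Why the mismatch in this thread surfaced only as "Login failed", as an added example that is not part of any post above: an unassigned variable interpolates as an empty string, so the query matches no row and the script falls through to the generic error. The sketch assumes PHP 7.1+ with the pdo_sqlite extension, and substitutes an in-memory SQLite table, a constructed user, and PHP's built-in `password_hash()`/`password_verify()` for the thread's MySQL server and PasswordHash.php; the `login()` helper is hypothetical.

```php
<?php
// Added example (not the poster's code). Table, user and password are constructed.

// Turn every notice/warning, including "Undefined variable", into an exception
// so a misnamed variable stops the script instead of becoming an empty string.
set_error_handler(function ($severity, $message, $file, $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: look the user up with a bound parameter and verify
 * the password. Returns the user id on success, null on any failure.
 */
function login(PDO $db, string $username, string $password): ?int
{
    // The value travels as a parameter, so no escaping step and no
    // second variable name to get wrong while building the SQL string.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);

    // password_verify() returns a boolean; use it directly as the condition.
    if ($row && password_verify($password, $row->password)) {
        return (int) $row->id;
    }
    return null;
}

var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'wrong password'));

// The thread's bug, reproduced: the value is stored in $user, but the query
// is built from $username, which was never assigned. Without the handler
// above, the query would run with username = '' and silently match no row.
$user = 'alice';
try {
    $query = "SELECT id FROM users WHERE username = '{$username}'";
    var_dump($db->query($query)->fetch());
} catch (ErrorException $e) {
    echo 'Caught: ', $e->getMessage(), "\n";
}
```
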