Jump to content

Login Failed

Drumlegend

By Drumlegend
in PHP Coding Help

 Share

Recommended Posts

Drumlegend Newbie

Drumlegend

Posted
Posted (edited)

I have been working on an application for a university project and I have somehow managed to break my code and I have no idea what I have done to break it.

 

I have created a registration and log in script which used to work but I can no longer login with the registered details. I could really use some help on this so I don't spend hours ripping my hair out.

 

I have attached an image of my user database. post-128086-0-36163400-1360617049_thumb.png

 

Code for registration

 

 

<?php
include 'PasswordHash.php';
$sql = new mysqli('localhost', '****', '****', '****');

// Create an array to catch any errors in the registration form.
$errors = array();

/**
* Make sure the form has been submitted before trying to process it. This is
* single most common cause of 'undefined index' notices.
*/
if (!empty($_POST))
{
// First check that required fields have been filled in.
if (empty($_POST['username']))
{
 $errors['username'] = "Username cannot be empty.";
}


// Restrict usernames to alphanumeric plus space, dot, dash, and underscore.
/*
if (preg_match('/[^a-zA-Z0-9 .-_]/', $_POST['username']))
{
 $errors['username'] = "Username contains illegal characters.";
}
*/
if (empty($_POST['firstname']))
{
 $errors['firstname'] = "First Name cannot be empty.";
}

if (empty($_POST['surname']))
{
 $errors['surname'] = "Surname cannot be empty.";
}

if (empty($_POST['password']))
{
 $errors['password'] = "Password cannot be empty.";
}


if (strlen($_POST['password']) < 
{
 $errors['password'] = "Password must be at least 8 charcaters.";
}


// Force passwords to contain at least one number and one special character.
/*
if (!preg_match('/[0-9]/', $_POST['password']))
{
 $errors['password'] = "Password must contain at least one number.";
}
if (!preg_match('/[\W]/', $_POST['password']))
{
 $errors['password'] = "Password must contain at least one special character.";
}
*/

if (empty($_POST['password_confirm']))
{
 $errors['password_confirm'] = "Please confirm password.";
}

if ($_POST['password'] != $_POST['password_confirm'])
{
 $errors['password'] = "Passwords do not match.";
}

$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
if (!$email)
{
 $errors['email'] = "Not a valid email address.";
}

/**
 * Escape the data we're going to use in our query. Never trust user input.
 */
$username = $sql->real_escape_string($_POST['username']);
$email = $sql->real_escape_string($email);
$firstname = $sql->real_escape_string($_POST['firstname']);
$surname = $sql->real_escape_string($_POST['surname']);
$addressline1 = $sql->real_escape_string($_POST['addressline1']);
$addressline2 = $sql->real_escape_string($_POST['addressline2']);
$city = $sql->real_escape_string($_POST['city']);
$county = $sql->real_escape_string($_POST['county']);
$postcode = $sql->real_escape_string($_POST['postcode']);

/**
 * Check that the username and email aren't already in our database.
 *
 * Note also the absence of SELECT *

 */
$query = "SELECT username, email
		 FROM users
		 WHERE username = '{$username}' OR email = '{$email}'";
$result = $sql->query($query);

/**
 * There may well be more than one point of failure, but all we really need
 * is the first one.
 */
$existing = $result->fetch_object();

if ($existing)
{
 if ($existing->username == $_POST['username'])
 {
	 $errors['username'] = "That username is already in use.";
 }
 if ($existing->email == $email)
 {
	 $errors['email'] = "That email address is already in use.";
 }
}
}



if (!empty($_POST) && empty($errors))
{
/**
 * Hash password before storing in database
 */
$hasher = new PasswordHash(8, FALSE);
$password = $hasher->HashPassword($_POST['password']);

$query = "INSERT INTO users (firstname, surname, username, email, password, addressline1, addressline2, city, county, postcode, created)
		 VALUES ('{$firstname}','{$surname}','{$username}','{$email}',
'{$password}','{$addressline1}','{$addressline2}','{$city}','{$county}','{$postcode}', NOW())";
$success = $sql->query($query);

if ($success)
{
 $message = "Account created.";
}
else
{
 $errors['registration'] = "Account could not be created. Please try again later.";
}
}
?>

 

Login Code

 

<?php
session_start();



// If the user is already logged in then redirect them to homepage
if (isset($_SESSION['user_id']))
{

exit();

}

include 'PasswordHash.php';

$sql = new mysqli('localhost', '****', '****', '****');

$hasher = new PasswordHash(8, FALSE);

if (!empty($_POST))
{
// Again, never trust user input!
$user = $sql->real_escape_string($_POST['username']);

$query = "SELECT id, password, username, UNIX_TIMESTAMP(created) AS salt
		 FROM users
		 WHERE username = '{$username}'";
$user = $sql->query($query)->fetch_object();

/**
 * Check that the query returned a result (otherwise user doesn't exist)
 * and that provided password is correct.
 */
if ($user && $user->password == $hasher->CheckPassword($_POST['password'], $user->password))
{
 /**
	 * Set cookies here if/as needed.
	 * Set session data as needed. DO NOT store user's password in
	 * cookies or sessions!
	 * Redirect the user if/as required.
	 */
 session_regenerate_id();
 $_SESSION['user_id']	 = $user->id;
$_SESSION['username']	 = $user->username;
 $_SESSION['authenticated'] = TRUE;
 $_SESSION['signature']	 = md5($user->id . $_SERVER['HTTP_USER_AGENT'] . $user->salt);
header('Location:../login.php');

}
/**
 * Don't provide specific details as to whether username or password was
 * incorrect. If an attacker knows they've found a valid username, you've
 * just made their life easier.
 */
else
{
 $error = "Login failed.";
}
}

?>

 

Thank you in advance and I'm sorry for the amount of code.

 

 

Some of the code I used was from tutorials, as I am new to php.

Edited by Drumlegend
Link to comment
Share on other sites
requinix Prolific Member

requinix

Posted
Posted 

// Again, never trust user input!
$user = $sql->real_escape_string($_POST['username']);

$query = "SELECT id, password, username, UNIX_TIMESTAMP(created) AS salt
                         FROM users
                         WHERE username = '{$username}'";

Variable mismatch.

Link to comment
Share on other sites
jazzman1 Member

jazzman1

Posted
Posted

So what do I need to change, I am confused.

 

// Again, never trust user input!
$user = $sql->real_escape_string($_POST['username']);
$query = "SELECT id, password, username, UNIX_TIMESTAMP(created) AS salt
	   FROM users WHERE username = '{$user}'";

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.