php Login - Not working?..

[MrSamCraft]

Hello,

 

So im in the middle of making a login section and so far so good, until i hit a brick wall...

 

So for the users needto active the account. I tested this with my test account and before I activated the test account via the database (changed it form 0 to 1) it said "User not activated". From that point on I activated it, now when i try to login Im just getting "That username/password combination is incorrect" (But its not...)

 

Here have a look for your self

http://enderbase.com/login.php

Username: test

Password: test

 

Here the code

 

User.php

 

<?php
function logged_in() {
	return (isset($_SESSION['iduser'])) ? true : false;
}

function user_exists($username) {
	$username = sanitize($username);
	return (mysql_result(mysql_query("SELECT COUNT(`iduser`) FROM `user` WHERE `username` = '$username'"), 0) == 1) ? true : false;
}

function user_active($username) {
	$username = sanitize($username);
	return (mysql_result(mysql_query("SELECT COUNT(`iduser`) FROM `user` WHERE `username` = '$username' AND `active` = 1"), 0) == 1) ? true : false;
}

function iduser_from_username($username) {
	$username = sanitize($username);
	return mysql_result(mysql_query("SELECT `iduser` FROM `user` WHERE `username` = '$username'"), 0, 'iduser');
}

function login($username, $password) {
	$iduser = iduser_from_username($username);
	
	$username = sanitize($username);
	$password = md5($passowrd);
	
	return (mysql_result(mysql_query("SELECT COUNT(`iduser`) FROM `user` WHERE `username` = '$username' AND `password` = '$password'"), 0) == 1) ? $iduser : false;
}
?>

 

 

 

 

Login.php

<?php
include 'core/init.php';

if (empty($_POST) === false) {
	$username = $_POST['username'];
	$password = $_POST['password'];

	if (empty($username) === true || empty($password) === true) {
		$errors[] = 'You need to enter a username and password!';
	} else if (user_exists($username) === false) {
		$errors[] = 'We can\'t find that username. Have you registerd?';	
	} else if (user_active($username) === false) {
		$errors[] = 'You havn\'t activated your account!';
	} else {
		$login = login($username, $password);
		if ($login === false) {
			$errors[] = 'That username/password combination is incorrect!';
		} else {
			$_SESSION['iduser'] = $login;
			header('Location: index.php');
			exit();
		}	
	}
} 
?>

 

Thanks,

 Sam

 

(p.s. Im a noob to this )

[crf1121359]

had the same issue before. try activating the user's account via the activation.php file and try again.

[crf1121359]

p.s. stop using mysql function. you risk the sql injection and php wont support them soon. use mysqli function instead which is alot harder to use but more secure. I am strugling with mysqli myself by the way.

[MrSamCraft]

had the same issue before. try activating the user's account via the activation.php file and try again.

OK, thanks ill try!

[AyKay47]

You can acquire all of the necessary information that you need from one query, instead of the 3-4 you are currently using.

 

Are you storing the md5 hashed version of the password inside of the database?

 

Using exit() at the end of a script does nothing, as the script will exit naturally.

 

Side note, using an md5 hash on passwords is simply not enough, as md5 hashes are easy enough to crack using brute force methods. I suggest instead using the crypt function with CRYPT_BLOWFISH hash type and a compatible salt.