Hazukiy Posted March 14, 2013 (edited)

Hi, I'm currently learning PHP so I'm getting some help from people on the forums, but I got given a piece of code by one of the members for a login form but not a registration form, so I did what anyone else would and I gave making the registration form a go. So far I came up with the code below. I don't know whether that's the correct way of doing it but it works, it adds those who register to the database. Now my only problem is that the login form doesn't work and I'm not 100% sure why? I'm starting to think it's something to do with the MD5 encryption? But anyway, some help and advice would be very much appreciated, thanks.

Registration Form:

    <?php
    include ("dbConfig.php");

    if ($_SERVER['REQUEST_METHOD'] == "POST") {
        $usernameSQL = mysql_real_escape_string($_POST['username']);
        $emailSQL = mysql_real_escape_string($_POST['email']);
        $passwordSQL = mysql_real_escape_string($_POST['password']);
        $passwordSQL = MD5($password);

        $q = "INSERT INTO TABLENAME(name, email, password)VALUES('$usernameSQL', '$emailSQL', '$passwordSQL')";
        $r = mysql_query($q);
        header('Location: register.php?op=thanks');
    }
    ?>
    <form action="?op=reg" method="POST">
        Username:<br><font color="red">*</font><input class="InputForm" type="text" name="username" id="username"><br>
        <br>
        Email:<br><font color="red">*</font><input class="InputForm" type="text" name="email" id="email"><br>
        <br>
        Password:<br><font color="red">*</font><input class="InputForm" type="password" name="password" id="password"><br>
        <br>
        <input type="checkbox" name="tick"><font color="gray" size="3"> I agree to the Terms of Use<br>
        <br>
        <button type="submit" name="submit" class="InputButton" value="Submit">Submit</button>
    </form>

Login Form:

    <?php
    session_start();
    include "dbConfig.php";

    $errorMsg = "";
    if ($_GET["op"] == "fail") {
        $errorMsg = "* You need to be logged in to access the members area!";
    }

    if ($_SERVER['REQUEST_METHOD'] == "POST") {
        $username = trim($_POST["username"]);
        $password = trim($_POST["password"]);
        if (empty($username) || empty($password)) {
            $errorMsg = "* You need to provide a username & password.";
        } else {
            $usernameSQL = mysql_real_escape_string($username);
            $passwordSQL = MD5($password);
            $q = "SELECT id FROM 'TABLENAME' WHERE 'username'='{$usernameSQL}' AND 'password'='{$passwordSQL}' LIMIT 1";
            $r = mysql_query($q);
            if(!$r) {
                $errorMsg = "* Wrong username or password.";
            } elseif(!mysql_num_rows($r)) {
                $errorMsg = "* Sorry, couldn't log you in. Wrong login information.";
            } else {
                $_SESSION["valid_id"] = $obj->id;
                $_SESSION["valid_user"] = $username;
                $_SESSION["valid_time"] = time();
                header("Location: members.php");
            }
        }
    }
    ?>
    <form action="?op=login" method="POST">
        Username:<br>
        <input class="InputForm" type="text" name="username" id="username" value="<?php echo htmlentities($usernameSQL); ?>">
        <br><br>
        Password:<br>
        <input class="InputForm" type="password" name="password" id="password">
        <br><br>
        <button type="submit" name="submit" class="InputButton" value="Login">Submit</button>
        <h1 class="FailLoginState"><?php echo $errorMsg; ?></h1>
    </form>

AyKay47 Posted March 14, 2013

Unless you have mysql enabled to allow single quotes as qualifiers, that syntax is incorrect. Proper MySQL debugging should be implemented:

    $r = mysql_query($q) or die("Error: " . mysql_error() . "<br>Query: " . $q);

1. $errorMsg is not output anywhere in the script, nor is script execution discontinued when an error occurs.
2. Using an MD5 hash on passwords is simply not enough, as it is simple enough to crack an MD5 hashed value using brute force methods. Instead, I recommend using the crypt function with a compatible salt.

Hazukiy Posted March 14, 2013 (Author)

> Unless you have mysql enabled to allow single quotes as qualifiers, that syntax is incorrect. Proper MySQL debugging should be implemented:
>
>     $r = mysql_query($q) or die("Error: " . mysql_error() . "<br>Query: " . $q);
>
> 1. $errorMsg is not output anywhere in the script, nor is script execution discontinued when an error occurs.
> 2. Using an MD5 hash on passwords is simply not enough, as it is simple enough to crack an MD5 hashed value using brute force methods. Instead, I recommend using the crypt function with a compatible salt.

Ok so do I put that in the registration form or login form? The registration form works fine now but the login form still does not work? :/ It's as if it's not reading the password or something?

AyKay47 Posted March 14, 2013 (edited)

Place the MySQL debugging code in the login.php page and display the error(s) received. The MD5 comment applies to the entire application.

Hazukiy Posted March 14, 2013 (Author)

> Place the MySQL debugging code in the login.php page and display the error(s) received. The MD5 comment applies to the entire application.

Ok so I did that and it came up with this error:

    Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''TABLENAME' WHERE 'username'='USER' AND 'password'='PASSWORD' at line 1
    Query: SELECT id FROM 'TABLENAME' WHERE 'username'='USER' AND 'password'='PASSWORD' LIMIT 1

AyKay47 Posted March 14, 2013

Change the query to:

    SELECT id FROM TABLENAME WHERE username='USER' AND password='PASSWORD' LIMIT 1

Again, single quotes can only be used as qualifiers if you configure the mysql server to accept them.

Hazukiy Posted March 14, 2013 (Author)

    elseif(!mysql_num_rows($r)) {
        $errorMsg = "* Sorry, couldn't log you in. Wrong login information.";
    }

Ok so all the code's fine now apart from this. It keeps giving the error displayed.

AyKay47 Posted March 14, 2013

> Ok so all the code's fine now apart from this. It keeps giving the error displayed.

Then no rows were found..

Hazukiy Posted March 14, 2013 (Author)

I don't know why it's doing that? I've set the database up correctly and it's registering users correctly? :/ Weird

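Added example, not from any poster in the thread: in the registration script as posted, MD5() is applied to $password, which that script never assigns, so the stored value cannot match the MD5 of the password typed at login. The code below hashes the submitted value once at registration and verifies against it at login, using password_hash()/password_verify() in place of MD5 and PDO prepared statements in place of mysql_* string-built queries. It assumes PHP 7.1 or later, the pdo_sqlite driver, and a hypothetical users table and function names.

```php
<?php
// Added example, not code from the thread. The users table and the
// registerUser()/loginUser() names are hypothetical.

function registerUser(PDO $db, string $username, string $email, string $password): bool
{
    $username = trim($username);
    if ($username === '' || $password === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return false;
    }
    // Hash the submitted password itself; password_hash() generates the salt
    // and stores algorithm, cost and salt inside the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)'
    );
    return $stmt->execute([$username, $email, $hash]);
}

function loginUser(PDO $db, string $username, string $password): ?int
{
    // Select by username only; the hash comparison happens in PHP, because a
    // salted hash cannot be recomputed inside the WHERE clause.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([trim($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // one result for both "no such user" and "wrong password"
    }
    return (int) $row['id'];
}

// Constructed demo data in an in-memory SQLite database, so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           email TEXT, password_hash TEXT)');

registerUser($db, 'alice', 'alice@example.test', 'correct horse battery');
var_dump(loginUser($db, 'alice', 'correct horse battery'));
var_dump(loginUser($db, 'alice', 'wrong password'));
```

With ERRMODE_EXCEPTION set, a failed query raises an exception instead of returning false, which covers the mysql_error() debugging step suggested earlier in the thread.
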