PHP log in error.

Hazukiy · March 20, 2013

Hi, I'm trying to make a php register and login form but it seems almost impossible. I've got this far and it keeps returning a row error and I have no idea what that means or what would be causing it? It keeps returning the "elseif(!mysql_num_rows($r))" and I have no idea why it's doing that? Really need help on this one cause I've been stuck on this problem for around 1 month now and no one seems to know why it's doing this. Thanks.

LOGIN.PHP

<?php 
session_start();
include "dbConfig.php";

$errorMsg = "";

if ($_GET["op"] == "fail") 
{ 
$errorMsg = "* You need to be logged in to access the members area!";
}

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{ 
   $username = trim($_POST["username"]);
   $password = trim($_POST["password"]);
   
   if (empty($username) || empty($password))
{
$errorMsg = "* You need to provide a username & password.";
}
   else
{
$usernameSQL = mysql_real_escape_string($username);
$passwordSQL = crypt($password);

$q = "SELECT * FROM Table1
 WHERE username='$usernameSQL' 
   AND password='$passwordSQL' 
 LIMIT 1"; 
   $r = mysql_query($q) or die("Error: " . mysql_error() . "<br>Query: " . $q);
if(!$r)
        {
            $errorMsg = "* Wrong username or password.";
        }
        elseif(!mysql_num_rows($r))
        {
            $errorMsg = "* Sorry, couldn't log you in. Wrong login information.";
        }
        else
        {
            $_SESSION["valid_id"] = $obj->id;
            $_SESSION["valid_user"] = $username;
            $_SESSION["valid_time"] = time();
            header("Location: members.php");
exit();
        }
}
}
?>

REGISTER.PHP

<?php 
include ("dbConfig.php"); 

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{


	$usernameSQL = mysql_real_escape_string($_POST['username']);
	$emailSQL = mysql_real_escape_string($_POST['email']);
	$passwordSQL = mysql_real_escape_string($_POST['password']);
	$passwordSQL = crypt($password);
	
	$q = "INSERT INTO Table1(username, email, password)VALUES('$usernameSQL', '$emailSQL', '$passwordSQL')";
	$r = mysql_query($q);
	header("Location: register.php?op=thanks");
	exit();

}	
	
	
?>

Edited March 20, 2013 by Hazukiy

Drongo_III · March 20, 2013

Hi, I'm trying to make a php register and login form but it seems almost impossible. I've got this far and it keeps returning a row error and I have no idea what that means or what would be causing it? It keeps returning the "elseif(!mysql_num_rows($r))" and I have no idea why it's doing that? Really need help on this one cause I've been stuck on this problem for around 1 month now and no one seems to know why it's doing this. Thanks.

LOGIN.PHP

<?php 
session_start();
include "dbConfig.php";

$errorMsg = "";

if ($_GET["op"] == "fail") 
{ 
$errorMsg = "* You need to be logged in to access the members area!";
}

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{ 
   $username = trim($_POST["username"]);
   $password = trim($_POST["password"]);
   
   if (empty($username) || empty($password))
{
$errorMsg = "* You need to provide a username & password.";
}
   else
{
$usernameSQL = mysql_real_escape_string($username);
$passwordSQL = crypt($password);

$q = "SELECT * FROM Table1
 WHERE username='$usernameSQL' 
   AND password='$passwordSQL' 
 LIMIT 1"; 
   $r = mysql_query($q) or die("Error: " . mysql_error() . "<br>Query: " . $q);
if(!$r)
        {
            $errorMsg = "* Wrong username or password.";
        }
        elseif(!mysql_num_rows($r))
        {
            $errorMsg = "* Sorry, couldn't log you in. Wrong login information.";
        }
        else
        {
            $_SESSION["valid_id"] = $obj->id;
            $_SESSION["valid_user"] = $username;
            $_SESSION["valid_time"] = time();
            header("Location: members.php");
exit();
        }
}
}
?>

REGISTER.PHP

<?php 
include ("dbConfig.php"); 

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{


	$usernameSQL = mysql_real_escape_string($_POST['username']);
	$emailSQL = mysql_real_escape_string($_POST['email']);
	$passwordSQL = mysql_real_escape_string($_POST['password']);
	$passwordSQL = crypt($password);
	
	$q = "INSERT INTO Table1(username, email, password)VALUES('$usernameSQL', '$emailSQL', '$passwordSQL')";
	$r = mysql_query($q);
	header("Location: register.php?op=thanks");
	exit();

}	
	
	
?>

Wouldn't advise using mysql anymore - it's deprecated. Use MySQLI or PDO.

Have you tried some debugging. I would suggest some of the following:

echo out the crypted password and username after you set them and manually compare them to what you have in your database
try tweak your query so you are only selecting the username, then only selecting the password - this might give you some idea of what variable is failing to match

PaulRyan · March 20, 2013

Double Edit.

You only CRYPT() the password when logging in, yet you are escaping and then using CRYPT() when registering which may be changing what the password actually is.

Remove the mysql_real_escape_string() from the register script for the password.

Edited March 20, 2013 by PaulRyan

Hazukiy · March 20, 2013

Double Edit.

You only CRYPT() the password when logging in, yet you are escaping and then using CRYPT() when registering which may be changing what the password actually is.

Remove the mysql_real_escape_string() from the register script for the password.

Ok so I've removed "$passwordSQL = mysql_real_escape_string($_POST['password']);". So I echoed out the password and it would seem that the encryption is different to what the database has? What do you suggest?

PaulRyan · March 21, 2013

You'll have to re-register I think, because the password in the DB is already escaped.

Register a new account, then try logging in with it?

Edited March 21, 2013 by PaulRyan

Hazukiy · March 21, 2013

You'll have to re-register I think, because the password in the DB is already escaped.

Register a new account, then try logging in with it?

Ok so I've done the following that you said and what happens now is that when I register no password is put into the database, it's just a blank area. I suspect that's because they are no '$password' in the register.php.

PaulRyan · March 21, 2013

This:

$passwordSQL = crypt($password);

Should be:

$passwordSQL = crypt($_POST['password']);

Hazukiy · March 21, 2013

This:

$passwordSQL = crypt($password);

Should be:

$passwordSQL = crypt($_POST['password']);

Okie so it's encrypting the password again when you register but still can't log in :/ Here's an update on the latest code:

Login.php

<?php 
session_start();
include "dbConfig.php";
	
$errorMsg = "";
	
if ($_GET["op"] == "fail") 
{ 
	$errorMsg = "* You need to be logged in to access the members area!";
}

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{ 
   $username = trim($_POST["username"]);
   $password = trim($_POST["password"]);
   
   if (empty($username) || empty($password))
	{
		$errorMsg = "* You need to provide a username & password.";
	}
   else
	{
		$usernameSQL = mysql_real_escape_string($username);
		$passwordSQL = crypt($password);
		
		$q = "SELECT * FROM Table1
			  WHERE username='$usernameSQL' 
			    AND password='$passwordSQL' 
			  LIMIT 1"; 
	    $r = mysql_query($q) or die("Error: " . mysql_error() . "<br>Query: " . $q);
		if(!$r)
        {
            $errorMsg = "* Wrong username or password.";

        }
        elseif(!mysql_num_rows($r))
        {
            $errorMsg = "* Sorry, couldn't log you in. Wrong login information.";
        }
        else
        {
            $_SESSION["valid_id"] = $obj->id;
            $_SESSION["valid_user"] = $username;
            $_SESSION["valid_time"] = time();
            header("Location: members.php");
			exit();
        }
	}	
}
?>

Register.php

<?php 
include ("dbConfig.php"); 

$errorMsg = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{
	$usernameSQL = mysql_real_escape_string($_POST['username']);
	$emailSQL = mysql_real_escape_string($_POST['email']);
	$passwordSQL = crypt($_POST['password']);

	$q = "INSERT INTO Table1(username, email, password)VALUES('$usernameSQL', '$emailSQL', '$passwordSQL')";
	$r = mysql_query($q);
	header("Location: register.php?op=thanks");
	exit();
}	
	
	
?>

PaulRyan · March 21, 2013

Do some debugging, check the data in the register page, and compare it to the database.

Then do the same with the login page too.

Also, check the column type for the password field, to make sure it is long enough etc.

Hazukiy · March 21, 2013

Do some debugging, check the data in the register page, and compare it to the database.

Then do the same with the login page too.

Also, check the column type for the password field, to make sure it is long enough etc.

Ok so with the register.php I entered the same details three times with the same password three times and it seems that it's changing the password encryption every time? So like one would be:

"$1$5dd2moqP$F5yNWthBJ55c.y8PJ5VYM1"

and the next time I enter it, it'll be:

"$1$m8AYjsv3$7wvwqZNZZCWju6Ci9PCl8"

Any ides? xD

Edited March 21, 2013 by Hazukiy

PaulRyan · March 21, 2013

I've done a few tests and the re-looked up CRYPT(), it requires a salt as the second argument, otherwise it will return a different string each time.

You need to add a salt to the function, example:

  $saltString = 'SALT GOES HERE';

  $salt = '$2y$10$'. substr(md5($saltString),0,22);

  $password = crypt('jim', $salt);
 
  echo $password;

You should then store the $saltString with user record, so you know what salt to use for which user.

You could use a site wide salt if you wanted, up to you.

*Edit - There is an alternative way, that doesn't require a salt with the password. It would require a change around of the log in script you have.

Edited March 21, 2013 by PaulRyan

Hazukiy · March 22, 2013

I've done a few tests and the re-looked up CRYPT(), it requires a salt as the second argument, otherwise it will return a different string each time.

You need to add a salt to the function, example:
  $saltString = 'SALT GOES HERE';

  $salt = '$2y$10$'. substr(md5($saltString),0,22);

  $password = crypt('jim', $salt);
 
  echo $password;
You should then store the $saltString with user record, so you know what salt to use for which user.

You could use a site wide salt if you wanted, up to you.

*Edit - There is an alternative way, that doesn't require a salt with the password. It would require a change around of the log in script you have.

I think what I'll do mate is start all over again cause the code is a complete mess and I don't think it's going to work any time soon :/ So I'll make a basic sign up and login form without encryption and I'll go from there

Hazukiy · March 23, 2013

Can anyone recommend some website that'll teach me how to create clean, safe and effient code cause all the ones that I've come across so far are not that good.

Sign In

PHP log in error.

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information