Hazukiy Posted March 20, 2013

Hi, I'm trying to make a php register and login form but it seems almost impossible. I've got this far and it keeps returning a row error and I have no idea what that means or what would be causing it? It keeps returning the "elseif(!mysql_num_rows($r))" and I have no idea why it's doing that? Really need help on this one cause I've been stuck on this problem for around 1 month now and no one seems to know why it's doing this. Thanks.

LOGIN.PHP

```php
<?php
session_start();
include "dbConfig.php";

$errorMsg = "";
if ($_GET["op"] == "fail") {
    $errorMsg = "* You need to be logged in to access the members area!";
}

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $username = trim($_POST["username"]);
    $password = trim($_POST["password"]);
    if (empty($username) || empty($password)) {
        $errorMsg = "* You need to provide a username & password.";
    } else {
        $usernameSQL = mysql_real_escape_string($username);
        $passwordSQL = crypt($password);
        $q = "SELECT * FROM Table1 WHERE username='$usernameSQL' AND password='$passwordSQL' LIMIT 1";
        $r = mysql_query($q) or die("Error: " . mysql_error() . "<br>Query: " . $q);
        if(!$r) {
            $errorMsg = "* Wrong username or password.";
        } elseif(!mysql_num_rows($r)) {
            $errorMsg = "* Sorry, couldn't log you in. Wrong login information.";
        } else {
            $_SESSION["valid_id"] = $obj->id;
            $_SESSION["valid_user"] = $username;
            $_SESSION["valid_time"] = time();
            header("Location: members.php");
            exit();
        }
    }
}
?>
```

REGISTER.PHP

```php
<?php
include ("dbConfig.php");

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $usernameSQL = mysql_real_escape_string($_POST['username']);
    $emailSQL = mysql_real_escape_string($_POST['email']);
    $passwordSQL = mysql_real_escape_string($_POST['password']);
    $passwordSQL = crypt($password);
    $q = "INSERT INTO Table1(username, email, password)VALUES('$usernameSQL', '$emailSQL', '$passwordSQL')";
    $r = mysql_query($q);
    header("Location: register.php?op=thanks");
    exit();
}
?>
```

Edited March 20, 2013 by Hazukiy
Drongo_III Posted March 20, 2013

Wouldn't advise using mysql anymore - it's deprecated. Use MySQLI or PDO.

Have you tried some debugging? I would suggest some of the following:

- echo out the crypted password and username after you set them and manually compare them to what you have in your database
- try tweaking your query so you are only selecting the username, then only selecting the password - this might give you some idea of what variable is failing to match
PaulRyan Posted March 20, 2013

Double Edit.

You only CRYPT() the password when logging in, yet you are escaping and then using CRYPT() when registering which may be changing what the password actually is. Remove the mysql_real_escape_string() from the register script for the password.

Edited March 20, 2013 by PaulRyan
Hazukiy Posted March 20, 2013

Ok so I've removed "$passwordSQL = mysql_real_escape_string($_POST['password']);". So I echoed out the password and it would seem that the encryption is different to what the database has? What do you suggest?
PaulRyan Posted March 21, 2013

You'll have to re-register I think, because the password in the DB is already escaped. Register a new account, then try logging in with it?

Edited March 21, 2013 by PaulRyan
Hazukiy Posted March 21, 2013

Ok so I've done the following that you said and what happens now is that when I register no password is put into the database, it's just a blank area. I suspect that's because there is no '$password' in the register.php.
PaulRyan Posted March 21, 2013

This:

```php
$passwordSQL = crypt($password);
```

Should be:

```php
$passwordSQL = crypt($_POST['password']);
```
Hazukiy Posted March 21, 2013

Okie so it's encrypting the password again when you register but still can't log in :/ Here's an update on the latest code:

Login.php

```php
<?php
session_start();
include "dbConfig.php";

$errorMsg = "";
if ($_GET["op"] == "fail") {
    $errorMsg = "* You need to be logged in to access the members area!";
}

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $username = trim($_POST["username"]);
    $password = trim($_POST["password"]);
    if (empty($username) || empty($password)) {
        $errorMsg = "* You need to provide a username & password.";
    } else {
        $usernameSQL = mysql_real_escape_string($username);
        $passwordSQL = crypt($password);
        $q = "SELECT * FROM Table1 WHERE username='$usernameSQL' AND password='$passwordSQL' LIMIT 1";
        $r = mysql_query($q) or die("Error: " . mysql_error() . "<br>Query: " . $q);
        if(!$r) {
            $errorMsg = "* Wrong username or password.";
        } elseif(!mysql_num_rows($r)) {
            $errorMsg = "* Sorry, couldn't log you in. Wrong login information.";
        } else {
            $_SESSION["valid_id"] = $obj->id;
            $_SESSION["valid_user"] = $username;
            $_SESSION["valid_time"] = time();
            header("Location: members.php");
            exit();
        }
    }
}
?>
```

Register.php

```php
<?php
include ("dbConfig.php");

$errorMsg = "";
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $usernameSQL = mysql_real_escape_string($_POST['username']);
    $emailSQL = mysql_real_escape_string($_POST['email']);
    $passwordSQL = crypt($_POST['password']);
    $q = "INSERT INTO Table1(username, email, password)VALUES('$usernameSQL', '$emailSQL', '$passwordSQL')";
    $r = mysql_query($q);
    header("Location: register.php?op=thanks");
    exit();
}
?>
```
PaulRyan Posted March 21, 2013

Do some debugging, check the data in the register page, and compare it to the database. Then do the same with the login page too.

Also, check the column type for the password field, to make sure it is long enough etc.
Hazukiy Posted March 21, 2013

Ok so with the register.php I entered the same details three times with the same password three times and it seems that it's changing the password encryption every time? So like one would be: "$1$5dd2moqP$F5yNWthBJ55c.y8PJ5VYM1" and the next time I enter it, it'll be: "$1$m8AYjsv3$7wvwqZNZZCWju6Ci9PCl8"

Any ideas? xD

Edited March 21, 2013 by Hazukiy
PaulRyan Posted March 21, 2013

I've done a few tests and then re-looked up CRYPT(), it requires a salt as the second argument, otherwise it will return a different string each time.

You need to add a salt to the function, example:

```php
$saltString = 'SALT GOES HERE';
$salt = '$2y$10$'. substr(md5($saltString),0,22);
$password = crypt('jim', $salt);
echo $password;
```

You should then store the $saltString with user record, so you know what salt to use for which user. You could use a site wide salt if you wanted, up to you.

*Edit - There is an alternative way, that doesn't require a salt with the password. It would require a change around of the log in script you have.

Edited March 21, 2013 by PaulRyan
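One way to avoid the hash mismatch discussed in this thread, as an added example that is not code from any of the posters: look the user up by username with a prepared statement and verify the password against the stored hash instead of comparing hashes in SQL. It assumes PHP 5.5+ with the pdo_sqlite extension, uses an in-memory SQLite table in place of dbConfig.php, and the helper names register() and login() are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.5+ with pdo_sqlite;
// an in-memory database stands in for whatever dbConfig.php connects to.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Table1 (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           email TEXT, password VARCHAR(255))');

// register() and login() are hypothetical helper names.
// Registration: password_hash() generates a random salt and embeds it in the
// returned string, so no separate salt column is needed.
function register(PDO $db, $username, $email, $password)
{
    $stmt = $db->prepare(
        'INSERT INTO Table1 (username, email, password) VALUES (?, ?, ?)');
    return $stmt->execute(array(
        $username, $email, password_hash($password, PASSWORD_DEFAULT)));
}

// Login: select by username only, then let password_verify() re-hash the
// candidate using the salt stored inside the saved hash. A freshly computed
// hash in the WHERE clause never matches, because its salt is different.
function login(PDO $db, $username, $password)
{
    $stmt = $db->prepare(
        'SELECT id, password FROM Table1 WHERE username = ? LIMIT 1');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false; // same result for unknown user and wrong password
    }
    return (int) $row['id']; // the caller would store this in $_SESSION
}

// Constructed sample account.
register($db, 'alice', 'alice@example.com', 'correct horse battery');

var_dump(login($db, 'alice', 'correct horse battery'));  // right password
var_dump(login($db, 'alice', 'wrong password'));         // wrong password
var_dump(login($db, 'nobody', 'correct horse battery')); // unknown user

// Hashing the same password twice gives two different strings, which is the
// behaviour seen with crypt() in the thread; both still verify.
$a = password_hash('jim', PASSWORD_DEFAULT);
$b = password_hash('jim', PASSWORD_DEFAULT);
var_dump($a === $b, password_verify('jim', $a), password_verify('jim', $b));
```

password_verify() also accepts hashes produced by crypt(), so the same login check works for rows that were stored with crypt() and an explicit salt.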
Hazukiy Posted March 22, 2013

I think what I'll do mate is start all over again cause the code is a complete mess and I don't think it's going to work any time soon :/ So I'll make a basic sign up and login form without encryption and I'll go from there
Hazukiy Posted March 23, 2013

Can anyone recommend some website that'll teach me how to create clean, safe and efficient code cause all the ones that I've come across so far are not that good.