Jump to content

PHP log in error.


Hazukiy

Recommended Posts

Hi, I'm trying to make a php register and login form but it seems almost impossible. I've got this far and it keeps returning a row error and I have no idea what that means or what would be causing it? It keeps returning the "elseif(!mysql_num_rows($r))" and I have no idea why it's doing that? Really need help on this one cause I've been stuck on this problem for around 1 month now and no one seems to know why it's doing this. Thanks.

 

 

LOGIN.PHP

 

 

<?php 
session_start();
include "dbConfig.php";

$errorMsg = "";

if ($_GET["op"] == "fail") 
{ 
$errorMsg = "* You need to be logged in to access the members area!";
}

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{ 
   $username = trim($_POST["username"]);
   $password = trim($_POST["password"]);
   
   if (empty($username) || empty($password))
{
$errorMsg = "* You need to provide a username & password.";
}
   else
{
$usernameSQL = mysql_real_escape_string($username);
$passwordSQL = crypt($password);

$q = "SELECT * FROM Table1
 WHERE username='$usernameSQL' 
   AND password='$passwordSQL' 
 LIMIT 1"; 
   $r = mysql_query($q) or die("Error: " . mysql_error() . "<br>Query: " . $q);
if(!$r)
        {
            $errorMsg = "* Wrong username or password.";
        }
        elseif(!mysql_num_rows($r))
        {
            $errorMsg = "* Sorry, couldn't log you in. Wrong login information.";
        }
        else
        {
            $_SESSION["valid_id"] = $obj->id;
            $_SESSION["valid_user"] = $username;
            $_SESSION["valid_time"] = time();
            header("Location: members.php");
exit();
        }
}
}
?>

 

 

 

 

 

 

 

 

 

 

REGISTER.PHP

 

 

<?php 
include ("dbConfig.php"); 

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{


	$usernameSQL = mysql_real_escape_string($_POST['username']);
	$emailSQL = mysql_real_escape_string($_POST['email']);
	$passwordSQL = mysql_real_escape_string($_POST['password']);
	$passwordSQL = crypt($password);
	
	$q = "INSERT INTO Table1(username, email, password)VALUES('$usernameSQL', '$emailSQL', '$passwordSQL')";
	$r = mysql_query($q);
	header("Location: register.php?op=thanks");
	exit();

}	
	
	
?>
Edited by Hazukiy
Link to comment
Share on other sites

 

Hi, I'm trying to make a php register and login form but it seems almost impossible. I've got this far and it keeps returning a row error and I have no idea what that means or what would be causing it? It keeps returning the "elseif(!mysql_num_rows($r))" and I have no idea why it's doing that? Really need help on this one cause I've been stuck on this problem for around 1 month now and no one seems to know why it's doing this. Thanks.

 

 

LOGIN.PHP

 

 

<?php 
session_start();
include "dbConfig.php";

$errorMsg = "";

if ($_GET["op"] == "fail") 
{ 
$errorMsg = "* You need to be logged in to access the members area!";
}

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{ 
   $username = trim($_POST["username"]);
   $password = trim($_POST["password"]);
   
   if (empty($username) || empty($password))
{
$errorMsg = "* You need to provide a username & password.";
}
   else
{
$usernameSQL = mysql_real_escape_string($username);
$passwordSQL = crypt($password);

$q = "SELECT * FROM Table1
 WHERE username='$usernameSQL' 
   AND password='$passwordSQL' 
 LIMIT 1"; 
   $r = mysql_query($q) or die("Error: " . mysql_error() . "<br>Query: " . $q);
if(!$r)
        {
            $errorMsg = "* Wrong username or password.";
        }
        elseif(!mysql_num_rows($r))
        {
            $errorMsg = "* Sorry, couldn't log you in. Wrong login information.";
        }
        else
        {
            $_SESSION["valid_id"] = $obj->id;
            $_SESSION["valid_user"] = $username;
            $_SESSION["valid_time"] = time();
            header("Location: members.php");
exit();
        }
}
}
?>

 

 

 

 

 

 

 

 

 

 

REGISTER.PHP

 

 

<?php 
include ("dbConfig.php"); 

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{


	$usernameSQL = mysql_real_escape_string($_POST['username']);
	$emailSQL = mysql_real_escape_string($_POST['email']);
	$passwordSQL = mysql_real_escape_string($_POST['password']);
	$passwordSQL = crypt($password);
	
	$q = "INSERT INTO Table1(username, email, password)VALUES('$usernameSQL', '$emailSQL', '$passwordSQL')";
	$r = mysql_query($q);
	header("Location: register.php?op=thanks");
	exit();

}	
	
	
?>

 

Wouldn't advise using mysql anymore - it's deprecated. Use MySQLI or PDO.

 

Have you tried some debugging. I would suggest some of the following:

 

  • echo out the crypted password and username after you set them and manually compare them to what you have in your database

     

  • try tweak your query so you are only selecting the username, then only selecting the password - this might give you some idea of what variable is failing to match
Link to comment
Share on other sites

Double Edit.

 

You only CRYPT() the password when logging in, yet you are escaping and then using CRYPT() when registering which may be changing what the password actually is.

 

Remove the mysql_real_escape_string() from the register script for the password.

Edited by PaulRyan
Link to comment
Share on other sites

Double Edit.

 

You only CRYPT() the password when logging in, yet you are escaping and then using CRYPT() when registering which may be changing what the password actually is.

 

Remove the mysql_real_escape_string() from the register script for the password.

 

 

Ok so I've removed "$passwordSQL = mysql_real_escape_string($_POST['password']);". So I echoed out the password and it would seem that the encryption is different to what the database has? What do you suggest?

Link to comment
Share on other sites

You'll have to re-register I think, because the password in the DB is already escaped.

 

Register a new account, then try logging in with it?

 

Ok so I've done the following that you said and what happens now is that when I register no password is put into the database, it's just a blank area. I suspect that's because they are no '$password' in the register.php.

Link to comment
Share on other sites

 

This:

 

$passwordSQL = crypt($password);

 

Should be:

 

$passwordSQL = crypt($_POST['password']);

 

 

Okie so it's encrypting the password again when you register but still can't log in :/  Here's an update on the latest code:

 

 

Login.php

<?php 
session_start();
include "dbConfig.php";
	
$errorMsg = "";
	
if ($_GET["op"] == "fail") 
{ 
	$errorMsg = "* You need to be logged in to access the members area!";
}

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{ 
   $username = trim($_POST["username"]);
   $password = trim($_POST["password"]);
   
   if (empty($username) || empty($password))
	{
		$errorMsg = "* You need to provide a username & password.";
	}
   else
	{
		$usernameSQL = mysql_real_escape_string($username);
		$passwordSQL = crypt($password);
		
		$q = "SELECT * FROM Table1
			  WHERE username='$usernameSQL' 
			    AND password='$passwordSQL' 
			  LIMIT 1"; 
	    $r = mysql_query($q) or die("Error: " . mysql_error() . "<br>Query: " . $q);
		if(!$r)
        {
            $errorMsg = "* Wrong username or password.";

        }
        elseif(!mysql_num_rows($r))
        {
            $errorMsg = "* Sorry, couldn't log you in. Wrong login information.";
        }
        else
        {
            $_SESSION["valid_id"] = $obj->id;
            $_SESSION["valid_user"] = $username;
            $_SESSION["valid_time"] = time();
            header("Location: members.php");
			exit();
        }
	}	
}
?>

 

 

Register.php

 

<?php 
include ("dbConfig.php"); 

$errorMsg = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") 
{
	$usernameSQL = mysql_real_escape_string($_POST['username']);
	$emailSQL = mysql_real_escape_string($_POST['email']);
	$passwordSQL = crypt($_POST['password']);

	$q = "INSERT INTO Table1(username, email, password)VALUES('$usernameSQL', '$emailSQL', '$passwordSQL')";
	$r = mysql_query($q);
	header("Location: register.php?op=thanks");
	exit();
}	
	
	
?>
Link to comment
Share on other sites

Do some debugging, check the data in the register page, and compare it to the database.

Then do the same with the login page too.

 

Also, check the column type for the password field, to make sure it is long enough etc.

 

 

Ok so with the register.php I entered the same details three times with the same password three times and it seems that it's changing the password encryption every time? So like one would be:

 

"$1$5dd2moqP$F5yNWthBJ55c.y8PJ5VYM1"

 

and the next time I enter it, it'll be:

 

"$1$m8AYjsv3$7wvwqZNZZCWju6Ci9PCl8"

 

Any ides? xD

Edited by Hazukiy
Link to comment
Share on other sites

I've done a few tests and the re-looked up CRYPT(), it requires a salt as the second argument, otherwise it will return a different string each time.

 

You need to add a salt to the function, example:

 

  $saltString = 'SALT GOES HERE';

  $salt = '$2y$10$'. substr(md5($saltString),0,22);

  $password = crypt('jim', $salt);
 
  echo $password;

 

You should then store the $saltString with user record, so you know what salt to use for which user.

You could use a site wide salt if you wanted, up to you.

 

*Edit - There is an alternative way, that doesn't require a salt with the password. It would require a change around of the log in script you have.

Edited by PaulRyan
Link to comment
Share on other sites

I've done a few tests and the re-looked up CRYPT(), it requires a salt as the second argument, otherwise it will return a different string each time.

 

You need to add a salt to the function, example:

 

  $saltString = 'SALT GOES HERE';

  $salt = '$2y$10$'. substr(md5($saltString),0,22);

  $password = crypt('jim', $salt);
 
  echo $password;

 

You should then store the $saltString with user record, so you know what salt to use for which user.

You could use a site wide salt if you wanted, up to you.

 

*Edit - There is an alternative way, that doesn't require a salt with the password. It would require a change around of the log in script you have.

 

 

 

I think what I'll do mate is start all over again cause the code is a complete mess and I don't think it's going to work any time soon :/ So I'll make a basic sign up and login form without encryption and I'll go from there ;)

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.