justin7410 Posted March 29, 2013 Share Posted March 29, 2013 (edited) Hey Guys, I am in the beginning stages of creating a user login / register system for my website. currently, i am working on the conditionals to make sure the information logged in is proper , either matching the DB of my users or spitting an error array , letting my users know that either they need to enter both a valid username & pass or that the info entered does not match the Database. i have created a few functions that clean up the $_POST variables using mysql_real_escape_string: and my main function login(); function sanitize($data) { return mysql_real_escape_string($data); } function user_id_from_username($username){ $username = sanitize($username); return (mysql_result(mysql_query(" SELECT `user_id` FROM `users` WHERE `username`= '$username'"), 0 , 'user_id')); } function login($username, $password){ $user_id = user_id_from_username($username); $username = sanitize($username); $password = md5($password); return(mysql_result(mysql_query(" SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'"), 0) == 1) ? $user_id : false; } and the conditionals to check the parameters given: if (empty($_POST) === false) { $username = $_POST['loginname']; $password = $_POST['loginpass']; if (empty($username) === true || empty($password) === true) { $errors[] = 'You need to enter a valid Username & Password'; } else if (user_exists($username) === false ) { $errors[] = ' Sorry we could not find this user info in our userbase.'; } else if (user_active($username) === false ) { $errors[] = 'This account still needs to be activated'; } else { $login = login($username, $password); if ($login === false) { $errors[] = ' The Username / Password combination you entered is incorrect.'; } else { echo 'Login Ok!!'; Now finally my issue : When i click login all of my conditionals work except the most important one. When I input a working username and password i am given the same error from my array that the combination is not correct. so its finding the username but the password is not matching and accepting ? any suggestions ? i have been trying to figure this out for a minute. Thanks guys!. edit: (just wanted to add: sorry mods for all caps in title, tried to go back and edit but was to late) Edited March 29, 2013 by justin7410 Quote Link to comment Share on other sites More sharing options...
ulferik Posted March 29, 2013 Share Posted March 29, 2013 I don't really see anything that's wrong. Try adding more output to the login() function, which is currently very compact. Store the generated SQL query in a variable, and print it on the screen before running it. Store the returned COUNT(*) value in a variable, and print that too on the screen. Then you'll see what's going on. Quote Link to comment Share on other sites More sharing options...
justin7410 Posted March 29, 2013 Author Share Posted March 29, 2013 Hey ulferik, i really appreciate the feedback unfortunately i am pretty new to programming and php as a whole. i tried to do what you have said separating the query into its own variable , not sure how to create the return count into a variable $query = mysql_query(" SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password`= '$password' "); $result = return(mysql_result($query) ; ????? function login($username, $password){ $user_id = user_id_from_username($username); $username = sanitize($username); $password = md5($password); $query = mysql_query(" SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password`= '$password' "); return(mysql_result($query, 0) == 1) ? $user_id : false; I tried printing these on screen using both print_r and var_dump getting either a NULL or undeclared variable error for both my $login variable from the OP .. any other suggestions or help would be greatly appreciated. thanks again guys.. Quote Link to comment Share on other sites More sharing options...
PaulRyan Posted March 29, 2013 Share Posted March 29, 2013 (edited) You really need to add some error checking and debugging code to your functions. You're expecting them to work all the time with the current code you've provided, you need to make sure the query has executed before returning data etc. "ulferik" meant doing this: $myQuery = "SELECT `user_id` FROM `users` WHERE `username`= '{$username}'"; $myResult = mysql_query($myQuery); if(mysql_error()) { echo 'MySQL Error: '. mysql_error() .'<br>'; echo 'Query: '.$myQuery; } else if(!mysql_num_rows($myResult)) { //### No rows returned } else { //### Row has been returned } Edited March 29, 2013 by PaulRyan Quote Link to comment Share on other sites More sharing options...
justin7410 Posted March 30, 2013 Author Share Posted March 30, 2013 (edited) Hey PaulRyan, Thanks for the more detailed feedback, that was very helpful , very much appreciated. i agree i need to start laying a better foundation for debugging and back tracking , not only for the code to work cleaner for me but for anyone else who might work on my webpage. i think i might of figured out the problem. My queries all work and my rows are all being returned function login($username, $password){ $user_id = user_id_from_username($username); $username = sanitize($username); $password = md5($password); $query = (" SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password`= '$password' "); $results = mysql_query($query); if(mysql_error()) { echo 'MySQL Error: '. mysql_error() .'<br>'; echo 'Query: '.$query; } else if(!mysql_num_rows($results)) { echo ' rows has not been returned' ; } else { echo $password; } return(mysql_result($results, 0) == 1) ? $user_id : false; } Now what i noticed when i echo out the password, that the password is always being generated to a random md5 password. this password is always changing per each submit to login. this password a "7a70b6c66d24896970042e2a836967ff" character type password. at first, this was the password my database was generating auto for each username, i changed the password manually in mysql edit, then printed the password variable to the screen to see i was still getting "7a70b6c66d24896970042e2a836967ff' on screen. I figured oh!, i need to change the password back and it will validate a matching password to the database. Well unfortunately that did not do the trick , since as i previously stated the password is being auto generated new every time i submit. is this due to my settings of md5 ? or my code not reading this setting correctly ? or is this not even the issue ? any suggestions guys ? thanks again. Edited March 30, 2013 by justin7410 Quote Link to comment Share on other sites More sharing options...
jazzman1 Posted March 30, 2013 Share Posted March 30, 2013 Md5 hashes the value of the password, there is nothing strange here. What do you want to say in proper English to that statement, else if(!mysql_num_rows($results)) { Quote Link to comment Share on other sites More sharing options...
justin7410 Posted March 30, 2013 Author Share Posted March 30, 2013 yes i see my error was in the login variable when i changed $login = login(); to just input the login() directly , the issue went away, not sure as to why my variable was not declaring the function. Quote Link to comment Share on other sites More sharing options...
justin7410 Posted March 30, 2013 Author Share Posted March 30, 2013 EDIT: The problem is actually is not solved, in fact it just to a turn for even more confusion. so as i stated i changed : } else { $login = login($username, $password); if ($login === false) { $errors[] = ' The Username / Password combination you entered is incorrect.'; } else { echo 'Login Ok!!'; TO: } else { if ( login($username, $password) === false) { $errors[] = ' The Username / Password combination you entered is incorrect.'; } else { echo 'Login Ok!!'; Now this worked when i typed in the password and the username in. except now one big problem: the password is the password i changed the original md5 to which was a the random string generated password. then when i entered the generated password i got the same error " combination of username and pass dont match" yet the ONLY password user match that seems to work is the password i edited the sql field to. i just dont see how that password is being matched. the password in the field i have is set to the md5 password. i also created 2 new fake users to validate if their username passwords match. i get the same error as that they do not match. i thought the issue was that it was only grabbing the first user_id from the field due to my conditional of return(mysql_result($results, 0) == 1) ? $user_id : false; but that does not seem to do the trick . i am utterly confused at this point as to why this is happening. all suggestions are welcome. Quote Link to comment Share on other sites More sharing options...
jazzman1 Posted March 30, 2013 Share Posted March 30, 2013 I see a lot of errors in your script you need to start it from scratch. Where do you define the variables $password and $username? Quote Link to comment Share on other sites More sharing options...
justin7410 Posted March 30, 2013 Author Share Posted March 30, 2013 yes you see lots or errors since i am posting snippets of code. not every file thats connected. i am using the $password and $username with POST in my login.php that is the action from my index.php and login.widget <?include('include/init.php'); if (empty($_POST) === false) { $username = $_POST['loginname']; $password = $_POST['loginpass']; if (empty($username) === true || empty($password) === true) { $errors[] = 'You need to enter a valid Username & Password'; } else if (user_exists($username) === false ) { $errors[] = ' Sorry we could not find this user info in our userbase.'; } else if (user_active($username) === false ) { $errors[] = 'This account still needs to be activated'; } else { $login = login($username, $password); if ($login === false) { $errors[] = ' The Username / Password combination you entered is incorrect.'; } else { echo 'Login Ok!!'; // set user session // redirect to homepage } } print_r($errors); } i also have functions i posted in my OP. anyway, i solved the issue of my problem by removing the md5 function from my password... $password = md5($password); i know this is bad for sql injection but i cant seem to figure a way around this problem. i even tried : $password = md5($_POST[$password]); && $password = md5($_POST['passlogin']); each to no avail. Quote Link to comment Share on other sites More sharing options...
Christian F. Posted April 4, 2013 Share Posted April 4, 2013 Unfortunately, MD5 isn't to protect you against SQL injections, but people accessing your DB and getting to the clear-text passwords. Something which MD5 have been totally incapable of doing since 2006. The SQL protection is just a side-effect, since MD5 doesn't return any characters that has a special meaning for SQL. Login systems, while they may appear to be quite simple, does have a LOT of added complexity in the form of security. Security which is absolutely vital to incorporate, unless you want to be held reliable for your user's internet lives being taken over by people with nefarious intents. This is especially true when it comes to e-mail and password combinations. For instance, on how many sites do you use the same password and e-mail to log in with? Not to mention, the high probability of you using that very same password to log into your mail in the first place..? That's why I strongly recommend that you watch this video, and read the article posted below, before moving forwards with your login system: secure login systems The video trumps the article, for the little bit of conflicting information. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.