Jump to content

Password wont log in

h1234

By h1234
in PHP Coding Help

 Share

Recommended Posts

h1234 Newbie

h1234

Posted
Posted

i am not using sessions as yet .firstly i would like to test the login script but  I am unable to log in with password. the password does not  recognize only the  username is recognized to either exist or not. The problem is that  as long as i type in the correct username the password does not matter i dont even need to type a password in .

 

Does anyone have a solution? 

 

this is the login.php

<?php include("config/connect.php");?>

<?php

if(isset($_POST['submit'])){
$username=$_POST['username'];
$password=$_POST['password'];

$username=mysqli_real_escape_string($dbc,$username);

$query="SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

$result=mysqli_query($dbc,$query);

if(mysqli_num_rows($result)==0)//user not found redirect to home page 
{ 
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
   echo 'your username was not found.Please sign up <br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';
	 
   header('Locations:index.php');
   exit();

}

$userdata=mysqli_fetch_array($result,MYSQL_ASSOC);
$hash=hash('sha256',$userdata['salt'] . hash('sha256',$password));

if($hash != $userdata['password'])// incorect password.redirect to login form again
{
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
    echo 'password is incorrect <br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';


   header('Location:index.php');
   exit();

} 



else{ // redirect to homepage after successfull login
	     echo 'you are logged in';
	     header('Location:index.php');


}






}//close first if




























?>
Link to comment
https://forums.phpfreaks.com/topic/283037-password-wont-log-in/
Share on other sites
Psycho Prolific Member

Psycho

Posted
Posted

You should never have different error messages about whether the username or password is wrong. You should only provide a generic error message that you are unable to verify the credentials. By telling the user that their username is or is not found provides a malicious user information to try to gain entry.

 

But, as requinix was saying you are doing the same thing for every condition. The echo's you have before the header() redirects are pointless. The output will never get displayed. Output is sent to the browser once the script completes. The redirect will prevent that from happening and will take precedence. So, all three conditions are currently redirecting to index.php. Also, the first redirect incorrectly uses "locations"

 

 

<?php

include("config/connect.php");

if(isset($_POST['username']) && isset($_POST['password']))
{
    $username = mysqli_real_escape_string($dbc, trim($_POST['username']));
    $password = $_POST['password'];

    $query = "SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

    $result = mysqli_query($dbc,$query);

    if(!mysqli_num_rows($result))//user not found redirect to home page
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'your username was not found.Please sign up <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    $userdata = mysqli_fetch_array($result, MYSQL_ASSOC);
    $hash = hash('sha256', $userdata['salt'] . hash('sha256', $password));

    if($hash != $userdata['password'])// incorect password.redirect to login form again
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'password is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    echo 'you are logged in';
    //header('Location: index.php');
}

?>
h1234 Newbie

h1234

Posted
  • Author
Posted

 

You should never have different error messages about whether the username or password is wrong. You should only provide a generic error message that you are unable to verify the credentials. By telling the user that their username is or is not found provides a malicious user information to try to gain entry.

 

But, as requinix was saying you are doing the same thing for every condition. The echo's you have before the header() redirects are pointless. The output will never get displayed. Output is sent to the browser once the script completes. The redirect will prevent that from happening and will take precedence. So, all three conditions are currently redirecting to index.php. Also, the first redirect incorrectly uses "locations"

<?php

include("config/connect.php");

if(isset($_POST['username']) && isset($_POST['password']))
{
    $username = mysqli_real_escape_string($dbc, trim($_POST['username']));
    $password = $_POST['password'];

    $query = "SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

    $result = mysqli_query($dbc,$query);

    if(!mysqli_num_rows($result))//user not found redirect to home page
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'your username was not found.Please sign up <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    $userdata = mysqli_fetch_array($result, MYSQL_ASSOC);
    $hash = hash('sha256', $userdata['salt'] . hash('sha256', $password));

    if($hash != $userdata['password'])// incorect password.redirect to login form again
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'password is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    echo 'you are logged in';
    //header('Location: index.php');
}

?>

 

 

You should never have different error messages about whether the username or password is wrong. You should only provide a generic error message that you are unable to verify the credentials. By telling the user that their username is or is not found provides a malicious user information to try to gain entry.

 

But, as requinix was saying you are doing the same thing for every condition. The echo's you have before the header() redirects are pointless. The output will never get displayed. Output is sent to the browser once the script completes. The redirect will prevent that from happening and will take precedence. So, all three conditions are currently redirecting to index.php. Also, the first redirect incorrectly uses "locations"

<?php

include("config/connect.php");

if(isset($_POST['username']) && isset($_POST['password']))
{
    $username = mysqli_real_escape_string($dbc, trim($_POST['username']));
    $password = $_POST['password'];

    $query = "SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

    $result = mysqli_query($dbc,$query);

    if(!mysqli_num_rows($result))//user not found redirect to home page
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'your username was not found.Please sign up <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    $userdata = mysqli_fetch_array($result, MYSQL_ASSOC);
    $hash = hash('sha256', $userdata['salt'] . hash('sha256', $password));

    if($hash != $userdata['password'])// incorect password.redirect to login form again
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'password is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    echo 'you are logged in';
    //header('Location: index.php');
}

?>

thanks it displays error messages now . but now my code is not logging  me in even tho my password and username is correct. it displays thats it incorrect and i have been looking for hours , do you perhaps see something wrong with the query? or the paswords salts? thanks man

<?php include("config/connect.php");?>

<?php

if(isset($_POST['submit'])){
$username=$_POST['username'];
$password=$_POST['password'];

$username=mysqli_real_escape_string($dbc,$username);

$query="SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

$result=mysqli_query($dbc,$query);

if(mysqli_num_rows($result)==0)//user not found redirect to home page 
{ 
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
   echo 'your username  and or password is incorrect<br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';
	 
   //header('Location:index.php');
   exit();

}

$userdata=mysqli_fetch_array($result,MYSQL_ASSOC);
$hash=hash('sha256',$userdata['salt'] . hash('sha256',$password));

if($hash != $userdata['password'])// incorect password.redirect to login form again
{
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
    echo 'password or username combination is incorrect <br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';


   //header('Location:index.php');
   exit();

} 



else{ // redirect to homepage after successfull login
	     echo 'you are logged in';
	     //header('Location:index.php');


}






}//close first if




























?>
h1234 Newbie

h1234

Posted
  • Author
Posted

 

thanks it displays error messages now . but now my code is not logging  me in even tho my password and username is correct. it displays thats it incorrect and i have been looking for hours , do you perhaps see something wrong with the query? or the paswords salts? thanks man

<?php include("config/connect.php");?>

<?php

if(isset($_POST['submit'])){
$username=$_POST['username'];
$password=$_POST['password'];

$username=mysqli_real_escape_string($dbc,$username);

$query="SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

$result=mysqli_query($dbc,$query);

if(mysqli_num_rows($result)==0)//user not found redirect to home page 
{ 
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
   echo 'your username  and or password is incorrect<br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';
	 
   //header('Location:index.php');
   exit();

}

$userdata=mysqli_fetch_array($result,MYSQL_ASSOC);
$hash=hash('sha256',$userdata['salt'] . hash('sha256',$password));

if($hash != $userdata['password'])// incorect password.redirect to login form again
{
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
    echo 'password or username combination is incorrect <br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';


   //header('Location:index.php');
   exit();

} 



else{ // redirect to homepage after successfull login
	     echo 'you are logged in';
	     //header('Location:index.php');


}






}//close first if




























?>

i think it may be my password thats not working :/ you have any ideas?

Psycho Prolific Member

Psycho

Posted
Posted (edited)

I'm guessing it is your hash is not matching. Since I don't know how you are originally creating the hash I can't tell you if you are doing it right in the comparison logic. But, this is debugging 101 - you need to verify what is and is not working as you expect. Add some echo's to the page to see what is going on.

 

If the hashes do not match you need to show the code you use to create the original hash that is set in the DB. You SHOULD create a function to create your hash and call that function both when you create the initial hash and when you create the hash during login for comparison. Right now you are coding the process independently for both processes (bad idea). By having a single function you are guaranteed to get the same results no matter where you call it.

<?php

include("config/connect.php");

if(isset($_POST['username']) && isset($_POST['password']))
{
    $username = mysqli_real_escape_string($dbc, trim($_POST['username']));
    $password = $_POST['password'];
    echo "Debug: username and password were sent<br>\n";
    echo " - Post username '{$_POST['username']}'<br>\n";
    echo " - Escaped username: {$username}<br>\n";
    echo " - Post password: {$password}<br><br>\n";

    $query = "SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";
    $result = mysqli_query($dbc,$query);
    echo "Debug: SELECT Query {$query}<br><br>\n";

    if(!mysqli_num_rows($result))//user not found redirect to home page
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'your username was not found.Please sign up <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    $userdata = mysqli_fetch_array($result, MYSQL_ASSOC);
    $hash = hash('sha256', $userdata['salt'] . hash('sha256', $password));
    echo "Debug: Passowrd hash created:<br>\n";
    echo " - DB salt: {$userdata['salt']}<br>\n";
    echo " - db Password Hash: {$userdata['password']}<br>\n";
    echo " - Created Password Hash: {$hash}<br><br>\n";

    if($hash != $userdata['password'])// incorect password.redirect to login form again
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'password is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    echo 'you are logged in';
    //header('Location: index.php');
}

?>
Edited by Psycho
Barand Prolific Member

Barand

Posted
Posted

h1234,

 

Why don't read the replies in your other thread/s on this problem (http://forums.phpfreaks.com/topic/283047-password-does-not-work-it-always-recognises-it-as-inccorrect-even-tho-its-correct/?do=findComment&comment=1454283) and stop wasting our time by posting the same problem in different threads.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.