h1234 Posted October 17, 2013

I am not using sessions as yet. Firstly I would like to test the login script, but I am unable to log in with a password. The password is not recognised; only the username is recognised as either existing or not. The problem is that as long as I type in the correct username the password does not matter, I don't even need to type a password in. Does anyone have a solution? This is the login.php:

```php
<?php include("config/connect.php"); ?>
<?php
if (isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $username = mysqli_real_escape_string($dbc, $username);
    $query  = "SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";
    $result = mysqli_query($dbc, $query);

    if (mysqli_num_rows($result) == 0) { // user not found, redirect to home page
        echo '<img class="logo" src="logo.png" width="382" height="122" alt="voucher"> <br/>';
        echo 'your username was not found. Please sign up <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        header('Locations:index.php'); // as posted: "Locations" is not the Location header
        exit();
    }

    // MYSQLI_ASSOC is the mysqli constant; the post used MYSQL_ASSOC (old mysql extension)
    $userdata = mysqli_fetch_array($result, MYSQLI_ASSOC);
    $hash = hash('sha256', $userdata['salt'] . hash('sha256', $password));

    if ($hash != $userdata['password']) { // incorrect password, redirect to login form again
        echo '<img class="logo" src="logo.png" width="382" height="122" alt="voucher"> <br/>';
        echo 'password is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        header('Location:index.php');
        exit();
    } else {
        // redirect to homepage after successful login
        echo 'you are logged in';
        header('Location:index.php');
    }
} // close first if
?>
```
requinix Posted October 17, 2013

In both cases you are redirected to the index page. You wouldn't notice a difference because they do the same thing.
Psycho Posted October 17, 2013

You should never have different error messages about whether the username or password is wrong. You should only provide a generic error message that you are unable to verify the credentials. Telling the user whether their username was found provides a malicious user with information to try to gain entry.

But, as requinix was saying, you are doing the same thing for every condition. The echos you have before the header() redirects are pointless. The output will never get displayed. Output is sent to the browser once the script completes. The redirect will prevent that from happening and will take precedence. So, all three conditions are currently redirecting to index.php. Also, the first redirect incorrectly uses "locations".

```php
<?php
include("config/connect.php");

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = mysqli_real_escape_string($dbc, trim($_POST['username']));
    $password = $_POST['password'];

    $query  = "SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";
    $result = mysqli_query($dbc, $query);

    if (!mysqli_num_rows($result)) { // user not found, redirect to home page
        echo '<img class="logo" src="logo.png" width="382" height="122" alt="voucher"> <br/>';
        echo 'your username was not found. Please sign up <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    // MYSQLI_ASSOC is the mysqli constant; the post used MYSQL_ASSOC (old mysql extension)
    $userdata = mysqli_fetch_array($result, MYSQLI_ASSOC);
    $hash = hash('sha256', $userdata['salt'] . hash('sha256', $password));

    if ($hash != $userdata['password']) { // incorrect password, redirect to login form again
        echo '<img class="logo" src="logo.png" width="382" height="122" alt="voucher"> <br/>';
        echo 'password is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    echo 'you are logged in';
    //header('Location: index.php');
}
?>
```
h1234 (Author) Posted October 17, 2013

Thanks, it displays error messages now. But now my code is not logging me in even though my password and username are correct. It displays that it's incorrect and I have been looking for hours. Do you perhaps see something wrong with the query, or the password salts? Thanks man

```php
<?php include("config/connect.php"); ?>
<?php
if (isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $username = mysqli_real_escape_string($dbc, $username);
    $query  = "SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";
    $result = mysqli_query($dbc, $query);

    if (mysqli_num_rows($result) == 0) { // user not found, redirect to home page
        echo '<img class="logo" src="logo.png" width="382" height="122" alt="voucher"> <br/>';
        echo 'your username and or password is incorrect<br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location:index.php');
        exit();
    }

    // MYSQLI_ASSOC is the mysqli constant; the post used MYSQL_ASSOC (old mysql extension)
    $userdata = mysqli_fetch_array($result, MYSQLI_ASSOC);
    $hash = hash('sha256', $userdata['salt'] . hash('sha256', $password));

    if ($hash != $userdata['password']) { // incorrect password, redirect to login form again
        echo '<img class="logo" src="logo.png" width="382" height="122" alt="voucher"> <br/>';
        echo 'password or username combination is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location:index.php');
        exit();
    } else {
        // redirect to homepage after successful login
        echo 'you are logged in';
        //header('Location:index.php');
    }
} // close first if
?>
```
h1234 (Author) Posted October 17, 2013

I think it may be my password that's not working :/ Do you have any ideas?
Psycho Posted October 17, 2013 (edited)

I'm guessing it is your hash that is not matching. Since I don't know how you are originally creating the hash, I can't tell you if you are doing it right in the comparison logic. But this is debugging 101: you need to verify what is and is not working as you expect. Add some echos to the page to see what is going on. If the hashes do not match you need to show the code you use to create the original hash that is set in the DB.

You SHOULD create a function to create your hash and call that function both when you create the initial hash and when you create the hash during login for comparison. Right now you are coding the process independently for both processes (bad idea). By having a single function you are guaranteed to get the same results no matter where you call it.

```php
<?php
include("config/connect.php");

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = mysqli_real_escape_string($dbc, trim($_POST['username']));
    $password = $_POST['password'];

    // Debug output only: shows the raw input; remove once the hashes match
    echo "Debug: username and password were sent<br>\n";
    echo " - Post username '{$_POST['username']}'<br>\n";
    echo " - Escaped username: {$username}<br>\n";
    echo " - Post password: {$password}<br><br>\n";

    $query  = "SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";
    $result = mysqli_query($dbc, $query);
    echo "Debug: SELECT Query {$query}<br><br>\n";

    if (!mysqli_num_rows($result)) { // user not found, redirect to home page
        echo '<img class="logo" src="logo.png" width="382" height="122" alt="voucher"> <br/>';
        echo 'your username was not found. Please sign up <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    // MYSQLI_ASSOC is the mysqli constant; the post used MYSQL_ASSOC (old mysql extension)
    $userdata = mysqli_fetch_array($result, MYSQLI_ASSOC);
    $hash = hash('sha256', $userdata['salt'] . hash('sha256', $password));

    // Debug output: compare the stored hash with the one just computed
    echo "Debug: Password hash created:<br>\n";
    echo " - DB salt: {$userdata['salt']}<br>\n";
    echo " - db Password Hash: {$userdata['password']}<br>\n";
    echo " - Created Password Hash: {$hash}<br><br>\n";

    if ($hash != $userdata['password']) { // incorrect password, redirect to login form again
        echo '<img class="logo" src="logo.png" width="382" height="122" alt="voucher"> <br/>';
        echo 'password is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location: index.php');
        exit();
    }

    echo 'you are logged in';
    //header('Location: index.php');
}
?>
```

Edited October 17, 2013 by Psycho
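The two points Psycho raises, a single hash function shared by registration and login, and one generic failure message instead of separate "username not found" and "password is incorrect" branches, as an added example that is not code from the thread. It keeps the thread's sha256(salt . sha256(password)) scheme and `users` table, and assumes `$dbc` is the mysqli connection from config/connect.php, PHP 7+ and the mysqlnd driver (for `get_result()`); for new code, PHP's built-in `password_hash()` / `password_verify()` is the better choice.

```php
<?php
// Added example, not from the thread. One hashing function for both
// registration and login, prepared statements instead of string-building,
// and a single generic failure result. Assumes $dbc is a mysqli connection
// and the `users` table has `username`, `password`, `salt` as in the thread.

function make_password_hash(string $password, string $salt): string
{
    // Same scheme as the thread: sha256(salt . sha256(password)).
    return hash('sha256', $salt . hash('sha256', $password));
}

function make_salt(): string
{
    // 16 random bytes, hex-encoded (32 characters); random_bytes() is PHP 7+.
    return bin2hex(random_bytes(16));
}

function register_user(mysqli $dbc, string $username, string $password): bool
{
    $salt = make_salt();
    $hash = make_password_hash($password, $salt); // same function as login
    $stmt = $dbc->prepare(
        'INSERT INTO `users` (`username`, `password`, `salt`) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $username, $hash, $salt);
    return $stmt->execute();
}

function verify_login(mysqli $dbc, string $username, string $password): bool
{
    // Bound parameter: no mysqli_real_escape_string() needed.
    $stmt = $dbc->prepare(
        'SELECT `password`, `salt` FROM `users` WHERE `username` = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // Unknown user: still compute a hash against a dummy salt so the
    // response time does not reveal whether the username exists.
    $storedHash = $row['password'] ?? str_repeat('0', 64);
    $salt       = $row['salt']     ?? 'dummy-salt';
    $computed   = make_password_hash($password, $salt);

    // Constant-time comparison; caller shows one generic message on false.
    return $row !== null && hash_equals($storedHash, $computed);
}
```

The login page then reduces to `if (verify_login($dbc, trim($_POST['username']), $_POST['password']))` followed by one generic "unable to verify your username and password" message in the else branch, with no separate branch for a missing user.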
mac_gyver Posted October 17, 2013

Unfortunately, the OP in this thread has another thread where problems abound with putting data into the wrong columns and not using the same processing to check the password that was used when originally hashing it.
Barand Posted October 17, 2013

h1234, why don't you read the replies in your other thread(s) on this problem (http://forums.phpfreaks.com/topic/283047-password-does-not-work-it-always-recognises-it-as-inccorrect-even-tho-its-correct/?do=findComment&comment=1454283) and stop wasting our time by posting the same problem in different threads.