
Why is this not logging me in


I-AM-OBODO

Hi all. I'm really having an awful time. Please, what could be the problem with this, because I can log in on my local server but can't log in when I go live?

 

thanks

 

<?php
if (isset($_POST['login'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);

    $pass = md5($password);

    $stmt = $pdo->prepare("SELECT * FROM confirm WHERE username=:username AND password=:password");
    $stmt->execute(array(
        ':username' => $username,
        ':password' => $pass
    ));

    if ($stmt->rowCount() == 1) {
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;

        header("location: ./account/");
        exit();
    }
    else {
        echo 'Invalid Username or Password';
    }
}
?>

Besides it not working...

 

md5 is not secure enough to use, also don't save plain text passwords into a session

 

Edit:

Don't save any password info, plain text or encrypted.

Creating something like $_SESSION['logged_in'] == true or even $_SESSION['username'] is enough

 

Consider adding user levels to know a user from an admin

Edited by QuickOldCar

Bind the parameters and get rid of the stripslashes and mysql_* everything

 

Let PDO escape it.

bindValue

bindParam

$stmt->bindValue(':username', $username, PDO::PARAM_STR);
$stmt->bindValue(':password', $pass, PDO::PARAM_STR);
$stmt->execute();

More on encryption.

Take a look at password_hash(), crypt or bcrypt

Edited by QuickOldCar
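The advice in the two replies above (bind the parameters, replace MD5 with password_hash(), keep the password out of the session), as an added example that is not code from the thread. It goes one step further and upgrades existing MD5 rows at the first successful login. The `confirm` table and its columns follow the original post; the in-memory SQLite database, the sample account and the `verifyLogin()` helper are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed for the demo: in-memory SQLite and one account stored the old
// way (plain MD5). The live table needs a password column of VARCHAR(255).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE confirm (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO confirm (username, password) VALUES (?, ?)')
    ->execute(['alice', md5('correct horse')]);

// Hypothetical helper: true when the credentials match.
function verifyLogin(PDO $pdo, string $username, string $password): bool
{
    // Select by username only; the hash comparison happens in PHP, because a
    // salted password_hash() value can never be matched with "AND password=".
    $stmt = $pdo->prepare('SELECT password FROM confirm WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false;                       // unknown user
    }

    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;   // old MD5 row
    $ok = $legacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }

    // Upgrade MD5 rows (and outdated costs) while the plain password is at hand.
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $pdo->prepare('UPDATE confirm SET password = :hash WHERE username = :username')
            ->execute([':hash' => password_hash($password, PASSWORD_DEFAULT),
                       ':username' => $username]);
    }
    return true;
}

var_dump(verifyLogin($pdo, 'alice', 'wrong guess'));    // wrong password
if (verifyLogin($pdo, 'alice', 'correct horse')) {      // right password: also upgrades the row
    // In the web handler call session_regenerate_id(true) here, then keep
    // only the identity in the session, never the password or its hash.
    $_SESSION['username'] = 'alice';
}
$row = $pdo->query("SELECT password FROM confirm WHERE username = 'alice'")->fetchColumn();
var_dump(password_get_info($row)['algoName']);          // algorithm of the stored hash after the upgrade
var_dump(verifyLogin($pdo, 'alice', 'correct horse'));  // same password against the upgraded row
```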

Thanks all. I'm in transit. Will try them out. I think the problem should be the path. And my password will change to sha1, or maybe after md5 then I sha1 again, or what do you think?

 

My admin uses a totally different login from the users.

Edited by Mr-Chidi

your code has no apparent error checking logic in it and any of the pdo statements could be failing due to errors. after you make the pdo connection, you should set the error mode to exception and you should set emulated prepares to off/false. you should also have php's error_reporting set to E_ALL and display_errors set to ON when debugging any code problems to get php to help you.

 

you also need to use the same password hashing method in the login code that was used when the user's account was created. what exactly is your user registration password hashing code? 


Thanks for yours above. The password hashing is the same both on logging.

I said I could login on my localhost but can't when live.


we cannot tell you why your code is not working without feedback from you. there's a dozen different possible reasons your code is not logging you in. you must do some debugging to find out what your code and data are doing on your server to narrow down the possibilities.

 

the suggestions i made about php's error_reporting/display_errors and PDO's error mode were a starting place to get some information about what might be going on, since you have provided no information other than 'it doesn't work'.


 

"and my password will change to sha1 or maybe after md5 then I sha1 again or what do you think?"

 

It's a bad idea, one of the 3 mentioned above.

That would not make it more secure and increase the chance of a collision.

 

 

"I said I could login on my localhost but can't when live."

 

Is pdo even enabled on that server?

ensure the extension is uncommented in the php.ini file

extension=php_pdo_mysql.dll

Enable error reporting as mac_gyver suggested.

Top of your script.

error_reporting(E_ALL | E_NOTICE);
ini_set('display_errors', '1');

You can wrap the pdo in a try/catch block and see any errors

try {
    $stmt = $pdo->prepare("SELECT * FROM confirm WHERE username=:username AND password=:password");
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':password', $pass, PDO::PARAM_STR);
    $stmt->execute();
}
catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
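The debugging setup suggested in this reply and in mac_gyver's earlier one, as an added example that is not code from the thread: it confirms the PDO driver is loaded, connects with exceptions on and emulated prepares off, and writes the exception text to the error log so that a live site shows visitors only a generic message. The DSN, credentials, `$debug` switch and `connect()` helper are placeholders.

```php
<?php
declare(strict_types=1);

// Placeholders, not values from the thread: DSN, credentials, $debug switch.
$debug = false;                                   // true only on the development machine
error_reporting(E_ALL);
ini_set('display_errors', $debug ? '1' : '0');    // visitors never see error details
ini_set('log_errors', '1');                       // the server log always does

// Hypothetical helper: fails loudly if the driver is missing, then connects
// with exceptions on and emulated prepares off.
function connect(string $dsn, string $user, string $pass): PDO
{
    $driver = (string) strstr($dsn, ':', true);
    if (!extension_loaded('pdo') || !in_array($driver, PDO::getAvailableDrivers(), true)) {
        throw new RuntimeException("PDO driver '$driver' is not enabled on this server");
    }
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

try {
    $pdo = connect('mysql:host=db.example.invalid;dbname=app;charset=utf8mb4', 'app_user', 'placeholder');
    $stmt = $pdo->prepare('SELECT password FROM confirm WHERE username = :username');
    $stmt->bindValue(':username', 'alice', PDO::PARAM_STR);
    $stmt->execute();
    error_log('login debug: rows matched = ' . count($stmt->fetchAll()));
} catch (RuntimeException $e) {                   // PDOException is a RuntimeException
    error_log('login failed: ' . $e->getMessage());   // full detail goes to the log
    echo $debug ? htmlspecialchars($e->getMessage()) : 'Login is temporarily unavailable.';
}
```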

 


Yes, I think PDO is enabled because I could log in at the admin end and it's using PDO.


  • Solution

Thanks all.

 

Been out of town for a while; that's the reason I'm replying now.

I managed to get it to work. I changed a couple of things and I cannot really pinpoint what made it work. I removed all the mysql_real_escape_string and changed the path.

 

Thank you so very much.

 

PS: still studying password_hash so that I can start implementing it.
