EoNSteve Posted July 21, 2017

Hello, I am working on a login script and before I even touch the sessions/cookies, I am getting an error. Code below:

```php
if (isset($_POST["postlogin"]) && !empty($_POST["postlogin"])) {
    require_once('config.php');
    mysql_connect("$dbhost", "$dbuser", "$dbpasswd") or die(mysql_error());
    mysql_select_db("$dbname") or die(mysql_error());
    $subuname = $_POST['asuname'];
    $subupass = md5($_POST['asupass']);
    echo $subuname;
    echo $subupass;
    $loginsql = mysql_query("select * from users where u_name='$subuname'") or die(mysql_error());
    $loginresult = mysql_fetch_array($loginsql);
    echo $loginresult['u_name']."<BR>";
    //if (mysql_num_rows($loginresult) > 0 )
    if (($loginresult['u_name'] == '$subuname') && ($loginresult['u_pass'] == '$subupass')) {
        echo "it worked";
    } else {
        echo "login failed";
    }
}
```

Regardless of whether the login information is successful or fails, I get a 'login failed'. Anyone see why? I have a bunch of random echos to show where the values are and they all seem correct.

cyberRobot Posted July 21, 2017 (edited)

Variables don't work within single-quoted strings. Try changing this

```php
if (($loginresult['u_name'] == '$subuname') && ($loginresult['u_pass'] == '$subupass'))
```

to this

```php
if (($loginresult['u_name'] == $subuname) && ($loginresult['u_pass'] == $subupass))
```

Edited July 21, 2017 by cyberRobot

cyberRobot Posted July 21, 2017

Side notes:

- The query is susceptible to SQL injection attacks. If you haven't already, you'll want to look into mysql_real_escape_string(). More information can be found here: http://php.net/manual/en/function.mysql-real-escape-string.php
- The mysql_* functions no longer exist in the newest version of PHP. You'll need to switch to PDO (or MySQLi) eventually. With those, you can use prepared statements to prevent SQL injection attacks.
- The md5() function should be replaced with a stronger hashing function. More information can be found here: http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

benanamen Posted July 21, 2017

OP, stop what you are doing! The code is complete obsolete dangerous junk that has been completely removed from PHP. You need to use PDO with prepared statements.

https://phpdelusions.net/pdo

EoNSteve (Author) Posted July 21, 2017 (edited)

I am getting that I need to use PDOs. Time to learn something new I guess. I am planning to use real_escape once I get the rest of the coding complete, right now I just want to get it working. I have already made the change to SHA1 from MD5.

Edited July 21, 2017 by EoNSteve

Jacques1 Posted July 21, 2017

> I am planning to use real_escape once I get the rest of the coding complete, right now I just want to get it working.

No, you need to use prepared statements, and correct queries are an essential part of getting your code to work. You cannot keep your errors and at the same time expect the code to function properly. That should be obvious.

> I have already made the change to SHA1 from MD5.

Which doesn't help you one bit. Did you read cyberRobot's response? Neither MD5 nor SHA-1 nor any similar algorithm was ever designed for password hashing. They can be easily attacked with a standard PC at a rate of billions(!) of calculations per second.

It's the year 2017. We use bcrypt now.
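
The prepared-statement and bcrypt approach recommended in the replies above, as an added example that is not part of the original thread. It keeps the thread's `users` table with its `u_name` and `u_pass` columns; the in-memory SQLite database, the `register()` and `checkLogin()` helpers and the sample account are assumptions made so the script runs on its own.

```php
<?php
// Added example: a constructed in-memory SQLite table stands in for the thread's MySQL `users` table.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (u_name TEXT PRIMARY KEY, u_pass TEXT NOT NULL)');

// Registration side (hypothetical helper): store a bcrypt hash; salt and cost are embedded in the string.
function register(PDO $pdo, string $name, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (u_name, u_pass) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name, ':hash' => password_hash($password, PASSWORD_BCRYPT)]);
}

// Login side (hypothetical helper): the user name is bound as a parameter, never pasted into the SQL text.
function checkLogin(PDO $pdo, string $name, string $password): bool
{
    // Hash of a throwaway value, checked when the user is unknown so both paths do similar work.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder', PASSWORD_BCRYPT);
    }

    $stmt = $pdo->prepare('SELECT u_pass FROM users WHERE u_name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch();

    // password_verify() re-derives the hash from the stored salt and cost and compares in constant time.
    $hash = ($row === false) ? $dummyHash : $row['u_pass'];
    $verified = password_verify($password, $hash);
    return $verified && $row !== false;
}

// Constructed sample account and login attempts.
register($pdo, 'alice', 'correct horse battery staple');
var_dump(checkLogin($pdo, 'alice', 'correct horse battery staple')); // right password
var_dump(checkLogin($pdo, 'alice', 'wrong password'));               // wrong password
var_dump(checkLogin($pdo, "alice' OR '1'='1", 'anything'));          // quotes are matched as literal text
var_dump(checkLogin($pdo, 'nobody', 'placeholder'));                 // unknown user
```

With the MySQL driver, point the DSN at the real database and set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared by the server.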

cyberRobot Posted July 21, 2017

> ...right now I just want to get it working.

Is the "login failed" issue solved? I assume you saw Reply #2.

EoNSteve (Author) Posted July 21, 2017 (Solution)

> Is the "login failed" issue solved? I assume you saw Reply #2.

I did and it is now. I will get away from SHA1 then and move to bcrypt. I guess I have been out of this too long and should do some research on new methods.

cyberRobot Posted July 21, 2017

> I did and it is now.

That's good to hear! If you have any questions as you work through the other stuff, don't hesitate to ask.