[SOLVED] log in action

[Rother2005]

I’ve got data in my database and the code acknowledges that the user is there but not the password :S

the error i get is Incorrect password, please try again. even tho its the right password

<?php
// Connects to your Database
mysql_connect("localhost","root","") or die(mysql_error());
mysql_select_db("booze") or die(mysql_error());

//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))

//if there is, it logs you in and directes you to the members page
{
$Username = $_COOKIE['ID_my_site'];
$Pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM member WHERE Username = '$Username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($Pass != $info['Password'])
{
}
else
{
header("Location: members.php");

}
}
}

//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

// makes sure they filled it in
if(!$_POST['Username'] | !$_POST['Pass']) {
die('You did not fill in a required field.');
}
// checks it against the database

if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM member WHERE Username = '".$_POST['Username']."'")or die(mysql_error());

//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database.<a href=loginpage.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check ))
{
$_POST['Pass'] = stripslashes($_POST['Pass']);
$info['Password'] = stripslashes($info['Password']);
$_POST['Pass'] = md5($_POST['Pass']);

//gives error if the password is wrong
if ($_POST['Pass'] != $info['Password']) {
die('Incorrect password, please try again.');
}
else
{

// if login is ok then we add a cookie
$_POST['Username'] = stripslashes($_POST['Username']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['Username'], $hour);
setcookie(Key_my_site, $_POST['Pass'], $hour);

//then redirect them to the members area
header("Location: members.php");
}
}
}
else
{

// if they are not logged in
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="Username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="Pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}

?>

thanks in advance!

[dcro2]

I'm pretty sure strings are stored with slashes in the database, so it might not be the same without slashes.

[Rother2005]

so if i take out the slashes it sould work?

is there not way to keep them (encrypt the password as it is entered into the database?)

[dcro2]

If you remove the slashes in the register script, and md5() and insert that into the database then do it equally in the login script.

[edit]I'm sorry, I'm wrong... I think.[/edit]

[edit2]Wait, I think I'm right. Sorry, I'm confused now.[/edit2]

[Rother2005]

i dont quite understand that 2b honest heres my reg script can you point out what s needs to be dun?

<?php
include('connect1.inc');?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Booze Cruise Reg</title>

</head>
<body>

<?php
if(!$_POST['register']){echo'<p align="center"><strong>Member Registration</strong></p>
<form name="form1" method="POST" action="">
<p align="center">Username: <input type="text" name="username"></p>
<p align="center">Password: <input type="text" name="password"></p>
<p align="center">Firsname: <input type="text" name="firstname"></p>
<p align="center">Surname:  <input type="text" name="surname"></p>
<p align="center">Address 1:<input type="text" name="address1"></p>
<p align="center">Address 2:<input type="text" name="address2"></p>
<p align="center">Town:    <input type="text" name="town"></p>
<p align="center">County:  <input type="text" name="county"></p>
<p align="center">Postcode: <input type="text" name="postcode"></p>
<p align="center">Tel No:  <input type="text" name="telno"></p>
<p align="center">Mobile:  <input type="text" name="mobile"></p>
<p align="center">Email:    <input type="text" name="email"></p>
<p align="center"><input type="submit" name="register" value="Enter Details"></p></form>';}

else{$username=$_POST['username'];$password=$_POST['password'];$firstname=$_POST['firstname'];$surname=$_POST['surname'];$address1=$_POST['address1'];$address2=$_POST['address2'];$town=$_POST['town'];$county=$_POST['county'];
$postcode=$_POST['postcode'];$telno=$_POST['telno'];$mobile=$_POST['mobile'];$email=$_POST['email'];

$sql = "INSERT INTO member(Username,Password,Firstname,Surname,Address1,Address2,Town,County,Postcode,TelNo,Mobile,Email)
VALUES ('$username','$password','$firstname','$surname','$address1','$address2','$town','$county','$postcode','$telno','$mobile','$email')";

mysql_query($sql)             

or die(mysql_error());

echo("You are registered! $username");}?>

</body>
</html>

[dcro2]

Oh.. well, just do this:

Replace:
[code]$sql = "INSERT INTO member(Username,Password,Firstname,Surname,Address1,Address2,Town,County,Postcode,TelNo,Mobile,Email)
VALUES ('$username','$password','$firstname','$surname','$address1','$address2','$town','$county','$postcode','$telno','$mobile','$email')";[/code]
With:
[code]$password = stripslashes($password);
$password = md5($password);

$sql = "INSERT INTO member(Username,Password,Firstname,Surname,Address1,Address2,Town,County,Postcode,TelNo,Mobile,Email)
VALUES ('$username','$password','$firstname','$surname','$address1','$address2','$town','$county','$postcode','$telno','$mobile','$email')";[/code]

[Rother2005]

ok... made that change but its making the password go funny, i input in the reg form 'R' as the password and it was changed to 'e1e1d3d405'

so its been encrypted great,  :) but how do it get the program / code to decrypt?


sorry to keep bothering you

[fert]

you can't easily decrypt md5

[Rother2005]

i new someone was gunna say something like that so there is no function to decrypt it, or is there another way to vaildate the password for easy converstion?

[dcro2]

Well, in the login script, you convert the submitted password to md5 and check it against the hash in the database (hash = the password in md5). Which is what I understand you're already doing...

[Rother2005]

so its here where it is checking the password

while($info = mysql_fetch_array( $check ))
{
$_POST['Pass'] = stripslashes($_POST['Pass']);
$info['Password'] = stripslashes($info['Password']);
$_POST['Pass'] = md5($_POST['Pass']);

//gives error if the password is wrong
if ($_POST['Pass'] != $info['Password']) {
die('Incorrect password, please try again.');
}

so what this is saying is while checking ($check)
get pass take away slashes, repost pass (now without slashes)
put into var info the password entered stripslashes repost in var without slashes
get pass ....MD5.... back into pass

but the next part is is saying if pass var = the info in var info is the same then die??

all the above maybe poo but im just trying to make sense of things

[Rother2005]

rite even using the password copied out of the DB is not working

[dcro2]

If password entered in form does not equal the password in the database then die();
If it does match, create the cookie and stuff.

[edit]No... no... if you use the encrypted password from the database it will only re-encrypt it and it won't match up. Use the original password you registered with[/edit]

[Rother2005]

is there anything you can recomend to help me out here?

[dcro2]

Enter the password you originally registered with instead of the already encrypted password in the database.

[Rother2005]

just give the error 'Incorrect password, please try again.'

:( thats not fun

[Rother2005]

does having the password set as char make a diff?

[dcro2]

Can you use this as your login script? Just to test it

[code]<?php

// Connects to your Database
mysql_connect("localhost","root","") or die(mysql_error());
mysql_select_db("booze") or die(mysql_error());

//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site'])) //if there is, it logs you in and directes you to the members page
{
$Username = $_COOKIE['ID_my_site'];
$Pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM member WHERE Username = '$Username'")or die(mysql_error());
$info = mysql_fetch_array( $check )
if ($Pass != $info['Password'])
{
}
else
{
header("Location: members.php");
}
}

//if the login form is submitted
if (isset($_POST['submit'])) // if form has been submitted
{

// makes sure they filled it in
if(!$_POST['Username'] || !$_POST['Pass'])
{
die('You did not fill in a required field.');
}

// checks it against the database
$check = mysql_query("SELECT * FROM member WHERE Username = '".$_POST['Username']."'") or die(mysql_error());

//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database. <a href=loginpage.php>Click Here to Register[/url]');
}
$info = mysql_fetch_array( $check )
$_POST['Pass'] = stripslashes($_POST['Pass']);
$_POST['Pass'] = md5($_POST['Pass']);

//gives error if the password is wrong
if ($_POST['Pass'] != $info['Password'])
{
die('Incorrect password, please try again. Original Password = '.$_POST['Pass'].'. DB Password = '.$info['Password']);
}
else
{
// if login is ok then we add a cookie
$_POST['Username'] = stripslashes($_POST['Username']);
$hour = time() + 3600;
setcookie("ID_my_site", $_POST['Username'], $hour);
setcookie("Key_my_site", $_POST['Pass'], $hour);

//then redirect them to the members area
header("Location: members.php");
}
}
else
{

// if they are not logged in
?>
<form action="" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="Username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="Pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}

?>[/code]

[Rother2005]

Parse error: parse error, unexpected T_IF in C:\Program Files\xampp\htdocs\logform.php on line 14

[dcro2]

Woops, forgot a ";" on line 13 :P

[Rother2005]

no worries that is one thing i hate about programing in any lan miss 1 .,; and the whole thing goes to pot

its now saying

Parse error: parse error, unexpected T_VARIABLE in C:\Program Files\xampp\htdocs\logform.php on line 42

ah it the say just a ; missing

[dcro2]

And another one at line 41... I guess I can't transform while() into a normal statement right.

[Rother2005]

Incorrect password, please try again. Original Password = 92eb5ffee6ae2fec3ad71c777531578f. DB Password = 92eb5ffee6

??? ??? ???

[dcro2]

I see what's happening... the password field in the database is a char, you say, it needs to be a VARCHAR with a limit of 255 characters.

Then re-register and remove that line about the original password and database password.

[Rother2005]

all working smoothly cheers;
but i think im gunna have to read up a lot more on this PHP/MYSQL would you recommend any books (the college course im going on also has ASP but ive been told its like a drag and drop version of PHP/MYSQL)