cornick Posted February 11, 2007

This board has been a great help so far. But I seem to have gotten myself stuck on something. My registration page works, but when I go to have a user login, I get the same message for every user. 'Incorrect password, please try again.' I know enough to see where that takes me in my code but I'm stumped for an answer on what I've done wrong. To some of you it's probably an easy fix, so if you have a minute and can look at this, I would appreciate it very much.

-Jeff

```php
<?php
// Include file has the database connection information.
include('includes/connection.inc');

// Checks if there is a login cookie.
if (isset($_COOKIE['ID_my_site']))
// If there is, it logs you in and directs you to the members page.
{
    $username = $_COOKIE['ID_my_site'];
    $pass = $_COOKIE['Key_my_site'];
    $check = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
    while ($info = mysql_fetch_array($check)) {
        if ($pass != $info['password']) {
        } else {
            header("Location: members.php");
        }
    }
}

// If the login form is submitted.
if (isset($_POST['submit'])) {
    // Makes sure they filled it in.
    if (!$_POST['username'] || !$_POST['pass']) {
        die('You did not fill in a required field.');
    }

    // Checks the information against the database.
    if (!get_magic_quotes_gpc()) {
        $_POST['username'] = addslashes($_POST['username']);
    }
    $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'") or die(mysql_error());

    // Gives error if user doesn't exist and tells them to register.
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('That user does not exist in our database. <a href=registration.php>Click Here to Register</a>');
    }

    while ($info = mysql_fetch_array($check)) {
        $_POST['pass'] = stripslashes($_POST['pass']);
        $info['password'] = stripslashes($info['password']);
        $_POST['pass'] = md5($_POST['pass']);

        // Gives error if the password is wrong.
        if ($_POST['pass'] != $info['password']) {
            die('Incorrect password, please try again.');
        } else {
            // If login is ok then we add a cookie.
            $_POST['username'] = stripslashes($_POST['username']);
            $hour = time() + 3600;
            setcookie('ID_my_site', $_POST['username'], $hour);
            setcookie('Key_my_site', $_POST['pass'], $hour);

            // Then redirect them to the members area.
            header("Location: members.php");
        }
    }
} else {
    // If they are not logged in.
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>
```

Jessica Posted February 11, 2007

Do a

```php
print_r($_POST);
print_r($info);
```

and compare them. Is the info the same, it's getting the right user, etc?

I don't think you can do this:

```php
$_POST['pass'] = md5($_POST['pass']);
```

use

```php
$pass = md5($_POST['pass']);
```

and check that.

cornick (Author) Posted February 11, 2007

> do a print_r($_POST); and print_r($info); and compare them. Is the info the same, it's getting the right user, etc?
> I don't think you can do this: $_POST['pass'] = md5($_POST['pass']); use $pass = md5($_POST['pass']); and check that.

Does it matter where I put these two lines?

```php
print_r($_POST);
print_r($info);
```

And I changed

```php
$_POST['pass'] = md5($_POST['pass']);
```

to

```php
$pass = md5($_POST['pass']);
```

and no dice with that one. Came up with the same message.

Sorry about the wrong placement with this, thought it was an SQL problem.

Jessica Posted February 11, 2007

Put them after you get the user info.

cornick (Author) Posted February 11, 2007

> Put them after you get the user info.

Done. And this is what comes up.

```
Array
(
    [username] => example
    [pass] => 123
    [submit] => Login
)
Incorrect password, please try again.
```

That is the correct username and password for a fake account I just created.

Jessica Posted February 11, 2007

Well, the passwords aren't encrypted, so comparing the md5(password) to the password in the db will always be wrong.

cornick (Author) Posted February 11, 2007

> well the passwords aren't encrypted, so comparing the md5(password) to the password in the db will always be wrong.

Okay, so the display there should be the encrypted password, not the actual one.

Here is the section of code from my registration form.

```php
// Encrypt the password and add slashes if needed
$_POST['pass'] = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) {
    $_POST['pass'] = addslashes($_POST['pass']);
}
```

Then from my login page (which is above).

```php
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);

// Gives error if the password is wrong.
if ($_POST['pass'] != $info['password']) {
    die('Incorrect password, please try again.');
}
```

Jessica Posted February 11, 2007

Same thing, you can't edit that $_POST that way, AFAIK.

```php
$_POST['pass'] = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) {
    $_POST['pass'] = addslashes($_POST['pass']);
}
```

Needs to be:

```php
$pass = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) {
    $pass = addslashes($pass);
}
```

You should also use mysql_real_escape_string(), not addslashes(), as you're using mysql.

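The thread's register-then-login check (look up the user, compare the stored hash) written with bound query parameters and `password_hash()`/`password_verify()` in place of `addslashes()`/`stripslashes()` and `md5()`. This is an added example, not code from any poster in the thread; it assumes PHP 7.1+ with the `pdo_sqlite` extension, and the table layout and the function names `register_user` and `check_login` are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with pdo_sqlite;
// the users table layout and both function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() salts and hashes in one step. Store the whole returned
    // string; the PHP manual suggests a 255-character column for it.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the value never becomes part of the SQL text, so no
    // addslashes()/stripslashes() is needed on either side of the comparison.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user: same result as a wrong password
    }
    // password_verify() reads the algorithm and salt back out of $stored.
    return password_verify($password, $stored);
}

// Constructed sample data: the test account from the thread, plus a
// username containing a quote character.
register_user($pdo, 'example', '123');
register_user($pdo, "o'brien", 'correct horse');

var_dump(check_login($pdo, 'example', '123'));
var_dump(check_login($pdo, 'example', '1234'));
var_dump(check_login($pdo, "o'brien", 'correct horse'));
var_dump(check_login($pdo, 'nobody', '123'));
```

After a successful `check_login()`, call `session_regenerate_id(true)` and keep the username in `$_SESSION` rather than writing the username and password hash into cookies.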