nightcrawler Posted June 21, 2007

OK, for some reason the following is supposed to create a session and authenticate users. It connects to a database, and should work. My problem is that users who already exist are able to log in with any password, not the one that's in the database. I have no idea why this is happening. Passwords are stored with MD5 Encryption in Database. Here's the authentication/login script:

signon.php

```php
<?php
session_start();
ini_set("include_path", "contains path to my includes");
$newip = $_SERVER['REMOTE_ADDR'];
if (!isset($_SESSION['username']) || empty($_SESSION['username']) || $newip != $_SESSION['ip'] ) {
    if (@$_POST['signedon'] == true) {
        include("..."); //... is replaced with database connection information
        $signon_username = $_POST['signon_username'];
        $signon_pass = md5($_POST['signon_userpass']);
        $sql = "SELECT * FROM checkbook_users WHERE username='$signon_username' AND password='$signon_pass'";
        $result = mysql_query($sql);
        $count = 0;
        $count = mysql_num_rows($result);
        if ($count == 1) {
            // If only one entry is found, that matches both username and password then set up session, move page.
            $result_fetched = mysql_fetch_array($result, MYSQL_ASSOC);
            extract($result_fetched);
            $_SESSION['username'] = "$username";
            $_SESSION['id'] = "$id";
            $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
            echo "Signing In";
            echo "<script language=javascript> setTimeout(\"location.href='chooser.php'\", 0); </script>";
        } else {
            echo "<span style='color:red'>Username or Password is invalid.</span>";
            include("signonform.inc");
        }
    } else {
        include("signonform.inc");
    }
} else {
    echo "You are already signed on. To sign off <a href='signoff.php'>click here</a>.";
}
?>
```

signonform.inc

```html
<form action='signon.php' method='POST'>
<table border=0>
<tr><td>Username:</td>
<td><input type='text' name='signon_username' size='30' maxlength='20'></td></tr>
<tr><td>Password:</td>
<td><input type='password' name='signon_password' size='30' maxlength='20'></td></tr>
<input type = 'hidden' name = 'signedon' value = 'true'>
<tr><td><input type='submit' value='Sign On'></td>
<td><input type='button' value='Register' onClick="window.open('register.php', '_self')"></td></tr>
</table>
</form>
```

Not sure if anybody can find anything syntactically wrong with this, if more info needed let me know.
Trium918 Posted June 21, 2007

Try this!

```php
<?php
session_start();
ini_set("include_path", "contains path to my includes");
$newip = $_SERVER['REMOTE_ADDR'];
if (!isset($_SESSION['username']) || empty($_SESSION['username']) || $newip != $_SESSION['ip'] ) {
    if (@$_POST['signedon'] == true) {
        include("..."); //... is replaced with database connection information
        $signon_username = $_POST['signon_username'];
        //changed this and the query below
        $signon_pass = $_POST['signon_userpass'];
        $sql = "SELECT * FROM checkbook_users WHERE username='$signon_username' AND password=MD5('$signon_pass')";
        $result = mysql_query($sql);
        $count = 0;
        $count = mysql_num_rows($result);
        if ($count == 1) {
            // If only one entry is found, that matches both username and password then set up session, move page.
            $result_fetched = mysql_fetch_array($result, MYSQL_ASSOC);
            extract($result_fetched);
            $_SESSION['username'] = "$username";
            $_SESSION['id'] = "$id";
            $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
            echo "Signing In";
            echo "<script language=javascript> setTimeout(\"location.href='chooser.php'\", 0); </script>";
        } else {
            echo "<span style='color:red'>Username or Password is invalid.</span>";
            include("signonform.inc");
        }
    } else {
        include("signonform.inc");
    }
} else {
    echo "You are already signed on. To sign off <a href='signoff.php'>click here</a>.";
}
?>
```
nightcrawler Posted June 21, 2007 Author

Yeah, tried that, same thing. I have no idea what's going on..
Trium918 Posted June 21, 2007

> Yeah, tried that, same thing. I have no idea what's going on..

What is the password in plain text and what is the password in MD5() hash? I need for you to open your MySQL prompt and select the password from any user and then post it here.

```sql
Select password from table;
```
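
Added example, not part of any post above and not the poster's code: signonform.inc as posted names its password field `signon_password` while signon.php reads `signon_userpass`, so the script hashes an empty value whatever is typed. The sketch shows that, next to a login check that uses the form's actual field name, a bound query and `password_hash()`/`password_verify()`. The in-memory SQLite table, the user `alice` and the function names `posted_script_hash` and `signon` are assumptions constructed for illustration.

```php
<?php
// Added example with constructed data; needs the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE checkbook_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO checkbook_users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed user

// Hypothetical helper: the value the posted signon.php ends up hashing.
// The form sends signon_password, the script reads signon_userpass, so the
// typed password never reaches md5() and an unset value is hashed as ''.
function posted_script_hash(array $post): string
{
    return md5($post['signon_userpass'] ?? '');
}

// Hypothetical hardened check: reads the field the form really sends, refuses
// missing input, binds the username as data, verifies a salted hash.
function signon(PDO $db, array $post): ?array
{
    $user = $post['signon_username'] ?? '';
    $pass = $post['signon_password'] ?? '';
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return null; // never hash or compare an absent field
    }
    $stmt = $db->prepare('SELECT id, username, password FROM checkbook_users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

// Two different typed passwords, submitted the way signonform.inc submits them.
$a = ['signon_username' => 'alice', 'signon_password' => 'first guess'];
$b = ['signon_username' => 'alice', 'signon_password' => 'second guess'];

// Compare what the posted script would hash for each, and against md5('').
var_dump(posted_script_hash($a) === posted_script_hash($b));
var_dump(posted_script_hash($a) === md5(''));

// Run the hardened check with a wrong password, then with the stored one.
var_dump(signon($db, $a));
var_dump(signon($db, ['signon_username' => 'alice', 'signon_password' => 'correct horse']));
```

Selecting a stored `password` value and comparing it with `md5('')`, as the last reply asks, shows whether the rows were written with the same empty input.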