nightcrawler Posted June 21, 2007

OK, for some reason the following is supposed to create a session and authenticate users. It connects to a database, and should work. My problem is that users who already exist are able to log in with any password, not the one that's in the database. I have no idea why this is happening. Passwords are stored with MD5 Encryption in Database.

Here's the authentication/login script:

signon.php

```php
<?php
session_start();
ini_set("include_path", "contains path to my includes");
$newip = $_SERVER['REMOTE_ADDR'];
if (!isset($_SESSION['username']) || empty($_SESSION['username']) || $newip != $_SESSION['ip'] ) {
    if (@$_POST['signedon'] == true) {
        include("..."); //... is replaced with database connection information
        $signon_username = $_POST['signon_username'];
        $signon_pass = md5($_POST['signon_userpass']);
        $sql = "SELECT * FROM checkbook_users WHERE username='$signon_username' AND password='$signon_pass'";
        $result = mysql_query($sql);
        $count = 0;
        $count = mysql_num_rows($result);
        if ($count == 1) {
            // If only one entry is found, that matches both username and password then set up session, move page.
            $result_fetched = mysql_fetch_array($result, MYSQL_ASSOC);
            extract($result_fetched);
            $_SESSION['username'] = "$username";
            $_SESSION['id'] = "$id";
            $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
            echo "Signing In";
            echo "<script language=javascript> setTimeout(\"location.href='chooser.php'\", 0); </script>";
        } else {
            echo "<span style='color:red'>Username or Password is invalid.</span>";
            include("signonform.inc");
        }
    } else {
        include("signonform.inc");
    }
} else {
    echo "You are already signed on. To sign off <a href='signoff.php'>click here</a>.";
}
?>
```

signonform.inc

```html
<form action='signon.php' method='POST'>
<table border=0>
<tr><td>Username:</td>
<td><input type='text' name='signon_username' size='30' maxlength='20'></td></tr>
<tr><td>Password:</td>
<td><input type='password' name='signon_password' size='30' maxlength='20'></td></tr>
<input type = 'hidden' name = 'signedon' value = 'true'>
<tr><td><input type='submit' value='Sign On'></td>
<td><input type='button' value='Register' onClick="window.open('register.php', '_self')"></td></tr>
</table>
</form>
```

Not sure if anybody can find anything syntactically wrong with this, if more info needed let me know.

Link to comment: https://forums.phpfreaks.com/topic/56577-mysql-user-authentication-script/
Trium918 Posted June 21, 2007

Try this!

```php
<?php
session_start();
ini_set("include_path", "contains path to my includes");
$newip = $_SERVER['REMOTE_ADDR'];
if (!isset($_SESSION['username']) || empty($_SESSION['username']) || $newip != $_SESSION['ip'] ) {
    if (@$_POST['signedon'] == true) {
        include("..."); //... is replaced with database connection information
        $signon_username = $_POST['signon_username'];
        //changed this and the query below
        $signon_pass = $_POST['signon_userpass'];
        $sql = "SELECT * FROM checkbook_users WHERE username='$signon_username' AND password=MD5('$signon_pass')";
        $result = mysql_query($sql);
        $count = 0;
        $count = mysql_num_rows($result);
        if ($count == 1) {
            // If only one entry is found, that matches both username and password then set up session, move page.
            $result_fetched = mysql_fetch_array($result, MYSQL_ASSOC);
            extract($result_fetched);
            $_SESSION['username'] = "$username";
            $_SESSION['id'] = "$id";
            $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
            echo "Signing In";
            echo "<script language=javascript> setTimeout(\"location.href='chooser.php'\", 0); </script>";
        } else {
            echo "<span style='color:red'>Username or Password is invalid.</span>";
            include("signonform.inc");
        }
    } else {
        include("signonform.inc");
    }
} else {
    echo "You are already signed on. To sign off <a href='signoff.php'>click here</a>.";
}
?>
```
nightcrawler Posted June 21, 2007

Yeah, tried that, same thing. I have no idea what's going on..
Trium918 Posted June 21, 2007

> Yeah, tried that, same thing. I have no idea what's going on..

What is the password in plain text and what is the password in MD5() hash? I need for you to open your MySQL prompt and select the password from any user and then post it here.

```sql
Select password from table;
```
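
The form in the first post sends the password as `signon_password`, while both versions of signon.php read `$_POST['signon_userpass']`, so the value that gets hashed is the same no matter what was typed. The following is an added example, not code from either poster: a sign-on check that reads the field names the form actually sends, treats a missing field as a failed login, binds the username as a query parameter, and verifies against a salted `password_hash()` value instead of MD5. The function name `check_signon`, the in-memory SQLite database and the sample user are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// first post; the SQLite database and the sample user are constructed.

function check_signon(PDO $db, array $post): ?array
{
    // Read the names signonform.inc actually posts. A missing or empty field
    // is a failed login, never an empty string that still gets hashed.
    $user = $post['signon_username'] ?? null;
    $pass = $post['signon_password'] ?? null;
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return null;
    }

    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, username, password FROM checkbook_users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare in PHP against the stored password_hash() value.
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    return ['id' => $row['id'], 'username' => $row['username']];
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE checkbook_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO checkbook_users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$cases = [
    'right password'     => ['signon_username' => 'alice', 'signon_password' => 'correct horse'],
    'wrong password'     => ['signon_username' => 'alice', 'signon_password' => 'anything'],
    'misnamed field'     => ['signon_username' => 'alice', 'signon_userpass' => 'correct horse'],
    'apostrophe in name' => ['signon_username' => "o'brien", 'signon_password' => 'x'],
];
foreach ($cases as $label => $post) {
    echo str_pad($label, 20), check_signon($db, $post) ? "accepted\n" : "rejected\n";
}
```

In a real sign-on page the caller would set the session values from the returned array and call `session_regenerate_id(true)` before redirecting.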
Archived
This topic is now archived and is closed to further replies.