bruckerrlb Posted August 12, 2007

Hello, I have a simple login form, and it goes to my execute page, and stores my user's id into a variable, and I am a reuser of code, meaning if I got something working the first time, I reuse it, so I had this working for a project, and now I am trying to get it to work, but allow me to explain

```php
<?php
//Start session
session_start();
include('comps/dbconnect.php');

//Sanitize the value received from login field
//to prevent SQL Injection
if(!get_magic_quotes_gpc()) {
    $login=mysql_real_escape_string($_POST['username']);
}else {
    $login=$_POST['username'];
}

//Create query
$qry="SELECT id FROM admin WHERE username='$login' AND password='".md5($_POST['password'])."'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
    if(mysql_num_rows($result)>0) {
        //Login Successful
        session_regenerate_id();
        $member=mysql_fetch_assoc($result);
        $_SESSION['SESS_MEMBER_ID']=$member['id'];
        session_write_close();
        header("location: member-index.php");
        exit();
    }else {
        //Login failed
        $rows = mysql_num_rows($result);
        print("$rows");
    }
}else {
    die("Query failed");
}
?>
```

It is basically saying that mysql_num_rows is not greater than zero, and it is printing the variable, which in turn is Resource Id = #3, but this isn't even the id of the user I'm logging in with, and it says this for all of the users I try to log in with, so I am thinking there is something wrong with my query, but I'm completely stumped, I don't see what's wrong with my query, I have id as an auto int, and the primary key, a username field and a password field (both charvar). Any tips? Like I said it keeps skipping the session writing step, and goes to printing the variable which it always prints resource id = #3
bruckerrlb (Author) Posted August 12, 2007

If anyone has any other suggestions, it would be appreciated.
nloding Posted August 12, 2007

Echo the md5 hash of the posted password. Use phpMyAdmin or do a custom query to find out if they match.

First make sure that the exact information you're querying is, in fact, in the database. If it is, are the fields called "id", "username", and "password" in the table called "admin"? Sounds stupid, but I accidentally typed "usrename" once and it took me a while to find it.

Try that first and see where it gets you. You may also want some extra security in there too -- in theory, there should only be one matching pair of username/password, so you should be checking to see if the number of rows is == 1 also.
Orio Posted August 12, 2007

There are two things that I can think of that you might be doing wrong:

1) Check that the table name is correct. Maybe you forgot to change it.
2) Check that the password column has a length of at least 32. MD5 hashes need at least 32 chars, and if the field is less then it "chops" it every time you insert, so it becomes something shorter than 32 chars. This way, when you run the query, you will always get 0 rows.

Orio.
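Added example (not part of any post in this thread): the truncation described above, reproduced with a constructed password, next to a login check that uses a prepared statement with password_hash()/password_verify() and reports a damaged stored hash instead of quietly finding no match. The in-memory SQLite database (needs the pdo_sqlite extension) and the helpers store_in_column(), add_user() and login() are assumptions made for the illustration; the PHP manual recommends a 255-character column for password_hash() output.

```php
<?php
// Added example: constructed data, in-memory SQLite (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Hypothetical helper: simulates what a too-narrow column does to a value on INSERT.
function store_in_column(string $value, int $width): string {
    return substr($value, 0, $width);
}

function add_user(PDO $db, string $user, string $stored): void {
    $stmt = $db->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
    $stmt->execute([$user, $stored]);
}

// Returns the user id on success, null on failure; throws if the stored hash is damaged.
function login(PDO $db, string $user, string $password): ?int {
    $stmt = $db->prepare('SELECT id, password FROM admin WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // unknown username
    }
    if (password_get_info($row['password'])['algoName'] === 'unknown') {
        throw new RuntimeException("stored hash for '$user' is not a valid password_hash() value (truncated column?)");
    }
    return password_verify($password, $row['password']) ? (int)$row['id'] : null;
}

// 1) The thread's failure: a 32-char MD5 hex digest cut to 20 chars never equals the full digest.
$md5 = md5('s3cret-example');
var_dump(strlen($md5), store_in_column($md5, 20) === $md5);

// 2) The same column mistake with password_hash(): detected and reported.
add_user($db, 'alice', password_hash('s3cret-example', PASSWORD_DEFAULT));
add_user($db, 'bob', store_in_column(password_hash('s3cret-example', PASSWORD_DEFAULT), 20));

var_dump(login($db, 'alice', 's3cret-example'));   // id of alice
var_dump(login($db, 'alice', 'wrong'));            // wrong password
try {
    login($db, 'bob', 's3cret-example');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```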
bruckerrlb (Author) Posted August 12, 2007

Thank you very much!!! I was on this for more hours than I care to admit, but you are right the md5 password hashing needs to have at least 32 characters in the password field, I only had 20! So a quick fix, and now it works! Thanks again nloding and orio!

Now time to make this more secure than NSA (maybe not that secure)
nloding Posted August 12, 2007

Close the topic with the topic solved mod.

This article helped me out, might help you out too: http://www.evolt.org/PHP-Login-System-with-Admin-Features
Orio Posted August 12, 2007

> Thank you very much!!! I was on this for more hours than I care to admit, but you are right the md5 password hashing needs to have at least 32 characters in the password field, I only had 20! So a quick fix, and now it works! Thanks again nloding and orio!
>
> Now time to make this more secure than NSA (maybe not that secure)

Well, we all learn from our mistakes. I once spent hours too trying to solve this same exact problem when working on some project.

Orio.