[SOLVED] Login Form - Password check not working

[MasterACE14]

I have a Login Script, and it has been working fine, except I just realised its been missing one thing, a password check !!! (don't ask me how I missed that  ). I'm trying to put the password check in, but its just not working for me, even though the password put in is correct, here's my script:

 

<?php

$username = addslashes($_POST["username"]);
$email = addslashes($_POST["email"]);
$password = addslashes(md5($_POST["password"]));

echo $password;

if (empty($username) || empty($email) || empty($password)) {
  echo "<center><br><br><b>You need to enter a Correct Username, Password and E-mail</b><br><br>
    <input type=button value=\"Back\" onClick=\"history.go(-1)\"></center>";
  die();
}

mysql_connect( "localhost", "ace_ACE", "*****" );
mysql_select_db( "ace_cf" );

$pass_check = "SELECT `password` FROM `cf_users` WHERE `username`='" . $username . "' LIMIT 1";
$pass_you = mysql_query( $pass_check );
if($password !== $pass_you) { echo "<center><br><br><b>Their is no Account matching the Username, Password and E-mail address you entered</b><br><br>
            <input type=button value=\"Back\" onClick=\"history.go(-1)\"></center>";
            die(); }

$sql = "SELECT `id` FROM `cf_users` WHERE `username`='" . $username . "' LIMIT 1";
if ($rs = mysql_query( $sql )) {
  if (mysql_num_rows($rs)) {
    $row = mysql_fetch_assoc($rs);
    $_SESSION['username'] = $username;
    $_SESSION['playerid'] = $row['id'];
    header("Location: index.php?page=base");
  } else {
    echo "<center><br><br><b>Their is no Account matching the Username, Password and E-mail address you entered</b><br><br>
            <input type=button value=\"Back\" onClick=\"history.go(-1)\"></center>";
            die();
  }
} else {
  die('Query:<br />' . $sql . '<br /><br />Error:<br />' . mysql_error());
}

?>

 

I put in the correct password, I echo the password, its correct. When I compare it to the database. So why isn't it working?

 

it keeps dieing and displaying:

Their is no Account matching the Username, Password and E-mail address you entered

 

Regards ACE

[Daukan]

Change

$pass_you = mysql_query( $pass_check );\
if($password !== $pass_you) {

to

$stm = mysql_query( $pass_check );
$pass_you = mysql_fetch_row($stm);
if($password !== $pass_you[0]) {

 

Edit: You didn't return a result from the query

[MasterACE14]

Thats done it! good catch 

 

Thanks heaps Daukan

 

Regards ACE

[trq]

There is a fair amount of redundancy in your code. Your running two almost identical queries for no reason.

 

<?php

 if (isset($_POST['submit'])) {
   $username = addslashes($_POST["username"]);
   $email = addslashes($_POST["email"]);
   $password = addslashes(md5($_POST["password"]));

   if (empty($username) || empty($email) || empty($password)) {
     echo "<center><br><br><b>You need to enter a Correct Username, Password and E-mail</b><br><br>
     <input type=button value=\"Back\" onClick=\"history.go(-1)\"></center>";
     die();
   }

   mysql_connect( "localhost", "ace_ACE", "*****" );
   mysql_select_db( "ace_cf" );

   $sql = "SELECT id FROM `cf_users` WHERE `username` = '$username' && `password` = '$password' && `email` = '$email' LIMIT 1";
   if ($result = mysql_query($sql)) {
     if (mysql_num_rows($result)) {
       $row = mysql_fetch_assoc($result);
       $_SESSION['username'] = $username;
       $_SESSION['playerid'] = $row['id'];
       header("Location: index.php?page=base");
     } else {
       echo "<center><br><br><b>Their is no Account matching the Username, Password and E-mail address you entered</b><br><br>
         <input type=button value=\"Back\" onClick=\"history.go(-1)\"></center>";
         die();
     }
   } else {
     echo "Query failed<br />" . mysql_error() . "<br />$sql";
   }

?>