
[SOLVED] PHP Login


Daney11


Hey guys,

I've just created a forgot_password feature on my website.


<?php
error_reporting(0);
ini_set('register_globals', 0);

session_start();

include_once('settings.php'); // This Includes The Settings Of The Website
include_once('functions.php'); // This Includes The Functions Of The Website
include_once('team.php'); // This Includes The Team Information Of The Website

if (isset($_POST['submitted'])) {

    if (empty($_POST['member_email'])) {
        $member_id = FALSE;
        echo 'Please Enter A Email Address';
    }
    else {

        $query = "SELECT member_id FROM members WHERE member_email='".escape_data($_POST['member_email'])."'";
        $result = mysql_query($query) or trigger_error("Query: $query\n<br />MySQL Error: " .mysql_error());

        if (mysql_num_rows($result) == 1) {
            list($member_id) = mysql_fetch_array ($result, MYSQL_NUM);
        }
        else {
            echo 'There Is No Email Address In The Database';
            $member_id = FALSE;
        }

    }

    if ($member_id) {

        $p = substr(md5(uniqid(rand(),1)), 9, 15);

        $query = "UPDATE members SET member_password=SHA('$p') WHERE member_id=$member_id";
        $result = mysql_query($query) or trigger_error("Query: $query\n<br />MySQL Error: " .mysql_error());

        if(mysql_affected_rows() == 1) {

            $body = "Pass";

            mail($_POST['member_email'], 'your pass', $body, 'From: admin@dane.com');

            echo $p;

            mysql_close();

            exit();

        }
        else {
            echo 'This Process Cannot Be Completed, Please Contact An Admin';
        }

    }
    else {
        echo 'Try Again';
    }

    mysql_close();
}
?>
<form action="forgot_password.php" method="post">
<table>
<tr>
<td>Forgot Password</td>
</tr>
<tr>
<td><input type="text" name="member_email" size="20" maxlength="40" value="<?php if (isset($_POST['member_email'])) echo $_POST['member_email']; ?>" /></td>
</tr>
<tr>
<td><input type="submit" name="submit" value="Reset My Password" /><input type="hidden" name="submitted" value="TRUE" /></td>
</tr>
</table>
</form>

 

The code changes the password fine in md5 in the database, however I now cannot log in with the password provided.

 

<?php

error_reporting(0);
ini_set('register_globals', 0);

session_start();

include_once('header.php'); // This Includes The Header Of The Website Layout
include_once('settings.php'); // This Includes The Settings Of The Website
include_once('functions.php'); // This Includes The Functions Of The Website
include_once('team.php'); // This Includes The Team Information Of The Website

?>
<form method="post" action="login.php">
<?php

if (isset($_POST['member_email']) && isset($_POST['member_password']))
{
    $member_email = htmlentities($_POST['member_email']);
    $member_password = htmlentities(md5($_POST['member_password']));
    $log_password = htmlentities($_POST['member_password']);

    $query = 'SELECT * FROM members '."where member_email='$member_email'" . "and member_password='$member_password'" . "and member_teamid='$team_url'";
    $result = mysql_query($query);
    $loginrow = mysql_fetch_array($result);
    if (mysql_num_rows($result) >0 )
    {
        $_SESSION['member_id'] = $loginrow['member_id'];
        $_SESSION['member_username'] = $loginrow['member_username'];
        $_SESSION['member_nation'] = $loginrow['member_nation'];
        $_SESSION['valid_user'] = $member_email;
        $_SESSION['valid_teamid'] = $member_teamid;
    }
}

if (isset($_SESSION['valid_user']))
{

?>
<table width="508" height="1" cellpadding="0" cellspacing="0" border="0" align="center">
<tr>
<td><img src="images/spacer.gif" height="1"></td>
</tr>
</table>
<table width="508" height="19" cellpadding="0" cellspacing="0" border="0" align="center" class="resultstable">
<tr>
<td> Welcome <?php echo ''.$_SESSION['member_username'].'' ?></td>
</tr>
</table>
<?php

    // Start Login Success Log
    $log_type = 'Login';
    $log_body = "Username: $member_email";
    $log_body .= "\n";
    $log_body .= "Password: $log_password";

    mysql_query("INSERT INTO `logs` (log_id, log_ip, log_site, log_user, log_type, log_body) VALUES ('NULL', '$member_ip', '$team_url', '".$_SESSION['valid_user']."', '$log_type', '$log_body')");
    // End Login Success Log
    mysql_query("UPDATE members SET member_loggedin=member_loggedin+1 WHERE member_email = '".$_SESSION['valid_user']."'");

}
else
{

    if (isset($member_email))
    {
        // Start Login Fail Log
        $log_type = 'Failed Login';
        $log_body = "Username: $member_email";
        $log_body .= "\n";
        $log_body .= "Password: $log_password";

        mysql_query("INSERT INTO `logs` (log_id, log_ip, log_site, log_user, log_type, log_body) VALUES ('NULL', '$member_ip', '$team_url', '$member_ip', '$log_type', '$log_body')");
        // End Login Fail Log

        echo("You Could Not Be Logged In");
    }

?>
<table width="100%" cellpadding="0" cellspacing="0" border="0" height="60">
<tr> 
<td width="50%" height="20" valign="middle"> <strong>Username:</strong></td>
<td width="50%" height="20" valign="middle"><input class="loginform" type="text" name="member_email"></td>
</tr>
<tr> 
<td width="50%" height="20" valign="middle"> <strong>Password:</strong></td>
<td width="50%" height="20" valign="middle"><input class="loginform" type="password" name="member_password"></td>
</tr>
<tr> 
<td width="50%" height="20" valign="middle"> <strong><a href="forgot_password.php">Forgot Password?</a></strong></td>
<td width="50%" height="20" valign="middle"><input class="loginform" type="submit" value="Login"></td>
</tr> 
</table>
</form> 
<?php

}

include_once('footer.php'); // This Includes The Footer Of The Website Layout

?>


When you match your passwords, you use this (abbrev):

$member_password = htmlentities(md5($_POST['member_password']));
...
and member_password='$member_password'"

 

However when you create & hash the password you do:

$p = substr(md5(uniqid(rand(),1)), 9, 15);

$query = "UPDATE members SET member_password=SHA('$p') 

 

You've wrapped the md5 hash with a sha hash, but when checking you don't! This must also match when they join up!

 

FN:

Same as revraz has just stated!
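
The mismatch described in the reply above, and one way to keep signup, reset and login on the same scheme, as an added example that is not part of the original posts. It goes beyond the thread by swapping MD5/SHA for PHP's `password_hash()`/`password_verify()` and using prepared statements; the in-memory SQLite table, the e-mail addresses and the function names are constructed for illustration, and it assumes PHP 7+ with the pdo_sqlite extension.

```php
<?php
// Added example. Table, addresses and function names are constructed.
// Assumes PHP 7+ with the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (member_id INTEGER PRIMARY KEY,
            member_email TEXT UNIQUE, member_password TEXT)');

// The thread's mismatch: the reset stores SHA('$p') (MySQL SHA-1, 40 hex
// characters) while login compares md5() output (32 hex characters).
$p = 'constructed-temp-pass';
printf("sha1=%d chars, md5=%d chars\n", strlen(sha1($p)), strlen(md5($p)));

// One function decides the stored format; signup and reset both call it.
function hash_for_storage(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function signup(PDO $pdo, string $email, string $plain): void
{
    $stmt = $pdo->prepare('INSERT INTO members (member_email, member_password) VALUES (?, ?)');
    $stmt->execute([$email, hash_for_storage($plain)]);
}

// Forgot-password path: returns the new password, or null for an unknown address.
function reset_password(PDO $pdo, string $email): ?string
{
    $temp = bin2hex(random_bytes(8)); // CSPRNG instead of uniqid(rand())
    $stmt = $pdo->prepare('UPDATE members SET member_password = ? WHERE member_email = ?');
    $stmt->execute([hash_for_storage($temp), $email]);
    return $stmt->rowCount() === 1 ? $temp : null;
}

// Login path: verifies against whatever hash_for_storage() wrote.
function login(PDO $pdo, string $email, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT member_password FROM members WHERE member_email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($plain, $hash);
}

signup($pdo, 'user@example.test', 'original-pass');
$temp = reset_password($pdo, 'user@example.test');
var_dump(login($pdo, 'user@example.test', $temp));            // log in with the reset password
var_dump(login($pdo, 'user@example.test', 'original-pass'));  // try the pre-reset password
var_dump(reset_password($pdo, 'nobody@example.test'));        // reset for an unknown address
```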
