I can't do authorization on the site! I register everything is fine! But he does not want to enter the site! I do not know what to do ! + I use the md5 () function, and my database encrypts everything perfectly, but how to make it enter through this function too? Also not included without this feature, please help !!!
Here is the authorization code:
require("include/connect.php");
if (isset($_SESSION["user_id"])) {
// вывод "Session is set"; // в целях проверки
header("Location: main.php");
}
if (isset($_POST['button-login'])) {
if (!empty($_POST['login']) && !empty($_POST['password_1'])) {
$login = htmlspecialchars($_POST['login']);
$email = htmlspecialchars($_POST['email']);
$password = htmlspecialchars($_POST['password_1']);
$query = mysql_query("SELECT * FROM users WHERE id='" . $login . "' AND password='" . $password . "'");
$numrows = mysql_num_rows($query);
if ($numrows != 0) {
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['login'];
$dbpassword = $row['password_1'];
}
if ($login == $dbusername && $password == $dbpassword) {
// старое место расположения
// session_start();
$_SESSION['login'] = $login;
$_SESSION['user_id'] = $login;
header("Location: main.php");
}
} else {
// $message = "Invalid username or password!";
echo "Invalid username or password!";
}
} else {
$message = "All fields are required!";
}
}
Try to convert the $password variable into md5()
$password = md5($password);
after md5() encryption check your username & password condition
if($login == $dbusername && $password == $dbpassword)
Hope this will helps!
Related
This is my code
<?php
$con = mysqli_connect("localhost","root","","system_database");
if(isset($_POST['Submit'])){
$Username = trim($_POST['Username']);
$password = trim($_POST['password']);
// encrypt password before submiting it
$password_encrypted = crypt($password, 'is'); // "is" is the salt
$sql = "SELECT * FROM register WHERE Username = '$Username' AND password='$password_encrypted'";
$query = $con -> query($sql);
$result = mysqli_num_rows($query);
if($result == true){
header ("location: report.php");
} else {
echo "username or password wrong";
}
}
?>
add like this
<?php
$con = mysqli_connect("localhost","root","","system_database");
if(isset($_POST['Submit'])){
$Username = trim($_POST['Username']);
$password = trim($_POST['password']);
if(!empty($Username) && !empty($password)){
$Username = mysqli_real_escape_string($con,$Username);
$password = mysqli_real_escape_string($con,$password);
// encrypt password before submiting it
$password_encrypted = crypt($password, 'is'); // "is" is the salt
$sql = "SELECT * FROM register WHERE Username = '{$Username}' AND password='{$password_encrypted}'";
if($result = mysqli_query($con,$sql)){
if(mysqli_num_rows($result) > 0){
mysqli_free_result($result);
header("Location: report.php");
}else{
echo "username or password wrong";
}
}
}else{
echo "username or password not found";
}
}
?>
Why can't i block users with banstatus "Banned" from accessing the website? The error now is that the php banned all users from accessing the website even when their banstatus is not banned. Please help to identify the error as i have been trying to solve the error for a long time and couldn't solve it still. Thank you in advance :)
These are my codes:
if(!empty($_POST['username'])){
$username=$_POST['username'];
}
else
{
$username=null;
echo "<font color='red'> Please enter your username! </font></p>";
}
if(!empty($_POST['password'])){
$password= md5($_POST['password']);
}
else
{
$password=null;
echo "<font color='red'> Please enter your password! </font></p>";
}
if ($username && $password) {
$connection = mysql_connect("", "", "", "");
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$db = mysql_select_db("", $connection);
$query = mysql_query("SELECT * FROM users WHERE username='$username' and password='$password' and active=1", $connection);
$rows = mysql_num_rows($query);
if ($rows == 1) {
if ($rows['banstatus'] == '') {
session_start();
$_SESSION['username'] = $username;
header("Location:somewhere.php");
}
else{
echo "<br><br><br><b><font color='red'>Your account has been banned. Please contact the administrator.</font></b><br><br>";
}
}
else {
echo "<br><br><br><b><font color='red'> Login is not successful.</font></b><br><br>";
}
mysql_close($connection); // Closing Connection
}
if(!empty($_POST['username'])){
$username=$_POST['username'];
}
else
{
$username=null;
echo "<font color='red'> Please enter your username! </font></p>";
}
if(!empty($_POST['password'])){
$password= md5($_POST['password']);
}
else
{
$password=null;
echo "<font color='red'> Please enter your password! </font></p>";
}
if ($username && $password) {
$connection = new mysqli($your_db_IP_ADDR, $your_db_username, $your_db_pass, $your_db_database_name);
/*$username = stripslashes($username);*/ //if you using mysqli real_escape_string you don't need to stripslashes
/*$password = stripslashes($password);*/ //MD5 is an hash. You don't need to stripslashes it
$username = $connection->real_escape_string($username);
/*$password = $connection->real_escape_string($password)*/ // your $password is an MD5 hash. You don't need to escape it;
$results = $connection->query("SELECT * FROM users WHERE username='$username' and password='$password' and active = 1");
if ($results->num_rows === 1) {
$row = $results->fetch_assoc(); //call it row, it just one
if ($row['banstatus'] === '') {
session_start();
$_SESSION['username'] = $username;
$connection->close(); // Closing Connection also HERE before redirect
header("Location:somewhere.php");
} else {
echo "<br><br><br><b><font color='red'>Your account has been banned. Please contact the administrator.</font></b><br><br>";
}
} else {
echo "<br><br><br><b><font color='red'> Login is not successful.</font></b><br><br>";
}
$mysqli->close();
}
I'm having a problem with redirecting a page in php.
<?php
include '../include/dbfunctions.php';
$email = $password = "";
$err = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (isset($_POST['login']) && !empty($_POST['password'])) {
$email = trim($_POST['email']);
$password = trim($_POST['password']);
$link = get_db_connection();
if (mysqli_connect_errno()) {
die(" Something went wrong ! ");
}
$user_email = mysqli_real_escape_string($link, $email);
$user_password = mysqli_real_escape_string($link, $password);
$query = "SELECT username FROM user WHERE user_email = '$user_email' AND user_password = SHA1('$user_password') AND user_active = '1';";
$data = mysqli_query($link, $query);
if (mysqli_num_rows($data) == 1) {
$row = mysqli_fetch_array($data);
$username = $row['username'];
mysqli_close($link);
if (!empty($username)) {
header('location:http://www.xxxxxxxxxxxxxx.be/login/dashboard.php');
exit();
}
} else {
$err = "Invalid combination of e-mail and password";
echo $err;
}
} else {
}
}
?>
I can't figure it out. If i fill in an invalid password or email, i get the error message. But when they are correct, nothing happens.
if (!empty($username)) {
header('location:http://www.yoursite.be/login/dashboard.php?error=error in login please try agine');
exit();
}
if (!empty($username)) {
header('location:http://www.xxxxxxxxxxxxxx.be/login/dashboard.php');
exit();}
$username might be empty.
I have my form below.. I want an to perform an operation if that the user enters the wrong password for 3 times, after his account is locked for some minutes.. How do I achieve that in my form?
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
$connect = mysql_connect('localhost', 'root', 'root');
mysql_selectdb('lr') or die('Couldnt find database');
$query = mysql_query("SELECT * FROM users WHERE username = '$username'");
$numrows = mysql_num_rows($query);
if($numrows !=0){
while ($row = mysql_fetch_assoc($query)){
$dbuser = $row['username'];
$dbpass = $row['password'];
}
if ($username == $dbuser && $password == $dbpass){
$_SESSION['username'] = $dbuser;
if($_SESSION['username']){
echo 'Welcome ' . $_SESSION['username'] . ' ! <br>';
echo 'Click here to log out !';
}
} else
echo 'Incorrect Username or Password Combinations ';
} else
die('That user does not exist');
}
?>
Like another user said before you are vulnerable to SQL injection. Always VALIDATE user input!
As to your issue, you can use the database for this, then someone could block another user's account easily. You can also use sessions variables instead. You only need to record in session the number of failed logins. After 3 fail you can set a session variable with a timestamp of when the user will be allowed to login again (current timestamp + X) and before running the SQL check if the time as passed.
If a user logs-in sucessfuly you should clear or reset those session variables.
(sorry i dont have time making you and example, but it's quite easy to implement.)
Made in mousepad, not tested in any way but it will give you some hints i hope.
<?php
session_start();
define('MAX_LOGIN_ATTEMPTS',3);
if(isset($_SESSION['loginTimeout']) && $_SESSION['loginTimeout']<time()) {
echo "You used all login attempts. Try again in a little while.";
exit() // ups, forgot about this :)
}
if(isset($_POST['username']) && isset($_POST['password'])){
$connect = mysql_connect('localhost', 'root', 'root');
mysql_selectdb('lr') or die('Couldnt find database');
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$query = mysql_query("SELECT * FROM users WHERE username = '$username'");
$numrows = mysql_num_rows($query);
$bFail = false;
if($numrows !=0){
while ($row = mysql_fetch_assoc($query)){
$dbuser = $row['username'];
$dbpass = $row['password'];
}
if ($username == $dbuser && $password == $dbpass){
unset($_SESSION['loginTimeout']);
$_SESSION['username'] = $dbuser;
if($_SESSION['username']){
echo 'Welcome ' . $_SESSION['username'] . ' ! <br>';
echo 'Click here to log out !';
}
} else {
echo 'Incorrect Username or Password Combinations ';
$bFail = true;
}
} else {
die('That user does not exist');
$bFail = true;
}
if($bFail) {
if(isset($_SESSION['loginAttempts'])) $_SESSION['loginAttempts']++;
else $_SESSION['loginAttempts'] = 1;
if($_SESSION['loginAttempts']>MAX_LOGIN_ATTEMPTS) {
// one hour timeout
$_SESSION['loginTimeout'] = time() + 1*60*60;
}
}
}
?>
Hello I have made a login system for my website dubleeble.com and for some reason when you login it only keeps you loged in on one page but when you move to another page it loges you out! How do I fix this?
this is the code I used:
<?php
session_start();
$username = $_POST['user'];
$password = $_POST['pass'];
if($username&&$password) {
$connect = mysql_connect("host", "user","pass") or die("Could't Connect!");
mysql_select_db("db");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows!=0)
{
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if($username==$dbusername&&$password==$dbpassword) {
$_SESSION['username']=$username;
header('Location: ' . $_SERVER['HTTP_REFERER']);
}
else
header('Location:http://dubleeble.com/php/login/incorrect.php');
}
else
header('Location:http://dubleeble.com/php/login/incorrect.php');
}
else
header('Location: ' . $_SERVER['HTTP_REFERER']);
?>
Notes:
'loged' is spelled logged...
you should be using some type of password encryption rather than just storing text values you should
use mysql_real_escape_string like I did to make sure sql injection
isn't possible
make sure you are calling session_start() on every page you use your session variables
$username = $_POST['user'];
$password = $_POST['pass'];
if(isset($username) && isset($password)) {
$connect = mysql_connect("host", "user","pass") or die("Could't Connect!");
mysql_select_db("db");
$row= mysql_fetch_assoc("SELECT * FROM users WHERE username='".mysql_real_escape_string($username)."'");
$numrows = mysql_num_rows($row);
if($numrows > 0) {
if($username == $row['username'] && $password == $row['password']) {
session_start();
$_SESSION['username'] = $username;
header('Location: ' . $_SERVER['HTTP_REFERER']);
}
else
header('Location:http://dubleeble.com/php/login/incorrect.php');
}
else
header('Location:http://dubleeble.com/php/login/incorrect.php');
}
else
header('Location: ' . $_SERVER['HTTP_REFERER']);