can't log into account with md5 php [closed] - php

Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 6 years ago.
Improve this question
I've got the following code but i can't get the user to log into their account, in the database the length of the password its stored as is 35. I have var_dump the password variable to see what is inserted into it and its the same value as the password stored in the database. Any help, appreciate it
<?php
include_once("config.php");
session_start();
$message = "";
if (isset($_POST['username'])) {
$username = ($_POST['username']);
$password =md5($_POST['password']);
$password = ($password);
$sql = "SELECT * FROM user WHERE username = '$username' && password='$password'";
$query = mysqli_query($conn, $sql);
$row = mysqli_fetch_row($query);
$userid = $row[0];
$checkuser = $row[5];
$checkpassword = $row[4];
$type = $row[1];
$name = $row[2];
$surname = $row[3];
if ($username != $checkuser || $password != $checkpassword) {
$message = " username or password entered is incorrect.";
}
if ($username == $checkuser && $password == $checkpassword) {
$_SESSION['username'] = $username;
$_SESSION['type'] =$type;
$_SESSION['name'] = $name;
$_SESSION['surname'] = $surname;
$_SESSION['userid'] = $userid;
if($_SESSION['type'] == "admin") {
header("Location: adminindex.php");
} else {
header("Location: index.php");
}
}
}
?>

There may or may not be an issue with the fact that you're not using prepared statements, but you're definitely leaving yourself open to SQL injection.
Prepared statement example:
$stmt = $conn->prepare("SELECT * FROM user WHERE username =? AND password=?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
See: http://php.net/manual/en/mysqli.prepare.php

Related

How to fix this login page isn't working in php/mysql?

I created a login page using mysql with user role, but login page not working/not loading.
Here is the code:
<?php
include "config.php";
if (isset($_POST['username']) && isset($_POST['password'])){
$username = $_POST['username'];
$password = md5($_POST['password']);
$stmr = db->prepare("SELECT * FORM login WHERE username=? AND password=?");
$stmt->bindParam(1, username);
$stmt->bindParam(2, password);
$stmt->execute();
$row = $stmt->fetch();
$user = $row['username'];
$pass = $row['password'];
$id = $row['id'];
$type = $row['type];
if ($username==$user && $pass==$password) {
session_stat();
$_SESSION['username'] = $user;
$_SESSION['password'] = $pass;
$_SESSION['id'] = $id;
$_SESSION['type'] = $type;
if($type=='Member'){
?>
<script>window.location.href="index.php"</script>
<?php
} else {
?>
<script>window.location.href="index.php"</script>
<?php
}
} else {
?>
<strong>Oops!</strong> You Can not Not Visit This Page.
</div>
<?php
}
}
?>
I don't understand where is the problem. Please help me to solve this problem.
____ Advance Thanks And All The Best.
You have a couple of syntax errors on your code here are they :
$stmt->bindParam(1, username);
$stmt->bindParam(2, password);
$type = $row['type];
session_stat();
Security Vulnerability md5() more especially that you are doing all this in a production server, you should use password_hash() and password_verify()` available on the php.net documentation.
and many more errors I just found as I look in your code, better add this line while you are still developing ` on top of every page so you can see all your errors, when you done on live server then remove that line. look at my comments for more errors.
This is how your login page should look with no errors;
<?php
ob_start();
session_start();
if (isset($_SESSION['username'])) {
header("location:dashboard.php"); // if the user is logged in already dont log themm in again, its gonna irritate them.
}
include "config.php";
if (isset($_POST['SubmitButtonName'])) {
if (empty($_POST['username']) || empty($_POST['password'])) {
//return error to the user
} else {
$username = $_POST['username'];
$password = $_POST['password'];
try {
$stmt = $db->prepare("SELECT * FROM login where username = ? ");
$stmt->execute([$username]);
$results = $stmt->fetchall(PDO::FETCH_ASSOC);
if (count($results) > 0) {
//username is correct
foreach ($results as $key => $row) {
//now verify password
if (password_verify($password, $row['password'])) {
// password is correct
$_SESSION['username'] = $row['username'];
$_SESSION['id'] = $row['id'];
if ($row['type'] == "Member") {
header("location:page.php");
} else {
//type not a member redirect to different page
header("location:AppropriatePage.php");
}
} else {
//password incorrect return proper message
}
}
} else {
//user account does not exists return proper message
}
}
catch (PDOException $ex) {
error_log("Error : " . $ex->getMessage());
}
}
}
?>
NB: On your registration page remove this line $password = md5($_POST['password']); and replace with $password =
Password_hash($_POST['password'],PASSWORD_DEFAULT); and then
re-register when you are done you can login again.
Read Jay Blanchard's blog about proper password preparation in php
here :
http://www.jayblanchard.net/proper_password_hashing_with_PHP.html
then for pdo prepared statements read Your Common Sense's blog here :
https://phpdelusions.net/pdo
change session_stat();
to session_start()
and make sure you on your display errors in php.ini file
Problem is in many typos and syntax errors and that is reason why your page not loading. Here fixed typos and syntax:
include "config.php";
if (isset($_POST['username']) && isset($_POST['password'])){
$username = $_POST['username'];
$password = md5($_POST['password']);
$stmt = $db->prepare("SELECT * FROM login WHERE username=? AND password=?"); //changed
$stmt->bindParam(1, $username); // changed
$stmt->bindParam(2, $password); // changed
$stmt->execute();
$row = $stmt->fetch();
$user = $row['username'];
$pass = $row['password'];
$id = $row['id'];
$type = $row['type']; /// you forgot \' here
if ($username==$user && $pass==$password) {
session_start(); // changed
$_SESSION['username'] = $user;
$_SESSION['password'] = $pass;
$_SESSION['id'] = $id;
$_SESSION['type'] = $type;
if($type=='Member'){

mysql charset causes a error in my login form [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 6 years ago.
Improve this question
The problem is that everytime (also when I type in the right username and password combination) the error message "Failed 2" appears.
<?php
if (isset($_POST["login-submit"])) {
if(!empty($_POST["username"]) && !empty($_POST["password"])) {
$username = $_POST["username"];
$password = $_POST["password"];
$username = mysql_set_charset($username);
$password = mysql_set_charset($password);
$username = stripcslashes($username);
$password = stripcslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$result = mysql_query("select * from user where username = '$username' and password = '$password'");
$row = mysql_fetch_array($result);
if($row["username"] == $username && $row["password"] == $password) {
//header("Location: index.php");
echo "<p>Login</p>";
} else {
echo "<p>Failed 2</p>";
}
} else {
echo "<p>Failed 1</p>";
}
}
?>
A Possible problem could be:
You are comparing plain password (from $_POST) with password that
might be encrypted in the database. If this is the case make sure you
encrypt your request password before you compare with saved password
It could be the case that you have saved your username or password with trailing spaces. If this is the case make sure you trim your data before doing comparison
Try to var_dump or print $row (also $_POST) and see what you are getting for more information
I'd recommend using PDO (PHP Data Objects) to run parameterized SQL queries.
It protects you against SQL injection and it speeds up your queries.
Then you can write something like this:
$db = db($server, $user, $pass, $db);
$sql = "select * from user where username =:username and password=:password";
$stmt = $db->prepare($sql);
$stmt->bindParam("user", $yourPostUsername);
$stmt->bindParam("pass", $yourPostPassword);
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_OBJ);
if ($result) {
echo "<p>Login</p>";
} else {
echo "<p>Failed 2</p>";
}
Thanks for your helpful answers. I changed to mysqli. Now the code works. Here it is:
<?php
if (isset($_POST["login-submit"])) {
if(!empty($_POST["username"]) && !empty($_POST["password"])) {
$username = $_POST["username"];
$password = $_POST["password"];
$username = stripcslashes($username);
$password = stripcslashes($password);
$username = mysqli_real_escape_string($db, $username);
$password = mysqli_real_escape_string($db, $password);
$login = "select * from user where username = '$username' and password = '$password'";
$result = mysqli_query($db, $login);
$count = mysqli_num_rows($result);
if ($count == 1) {
//header("Location: index.php");
echo "<p>Login</p>";
} else {
echo "<p>Failed 2</p>";
}
} else {
echo "<p>Failed 1</p>";
}
}
?>

PHP / MySQLi: Login form isn't working [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
I wrote a PHP code with MySQL for a login form.
Now I heard it's better to use MySQLi - so I tried to rewrite the code. This is my working MySQL code:
$username = $_POST["username"];
$password = md5($_POST["password"]);
$query = "SELECT username, password FROM accounts WHERE username LIKE '$username' LIMIT 1";
$result = mysql_query($query);
$row = mysql_fetch_object($result);
if($row->password == $password)
{
echo "<h3>Hallo $username</h3>";
$_SESSION["username"] = $username;
echo "Login succesfully:";
}
else
{
echo "Login not succesfully";
}
To use MySQLi I tried to change it to the following:
$username = $_POST["username"];
$password = md5($_POST["password"]);
$query = "SELECT username, password FROM accounts WHERE username LIKE '$username' LIMIT 1";
$result = mysqli_query($query);
$row = mysqli_fetch_object($result);
if($row->password == $password)
{
echo "<h3>Hallo $username</h3>";
$_SESSION["username"] = $username;
echo "Login succesfully:";
}
else
{
echo "Login not succesfully";
}
But unfortunately this does not work.
You need to pass database connection string to mysqli_query() as first parameter and the SQL string as second parameter.
In your case, you are passing only one parameter.
That is why it is not working.
Corrected code:
$result = mysqli_query($con,$query);

Check if is email and password correct [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 8 years ago.
Improve this question
I need to confirm if is email and password correct , but it work with any password I enter. What's the problem? Here is the code:
<?php
if(isset($_POST['submit'])){
$email = mysql_real_escape_string($_POST['email']);
$pass = $_POST['password'];
$hash = hash("sha512", $pass);
$hash1 = hash("whirpool", $hash);
$hash2 = hash("sha384", $hash1);
$password = $hash2;
$query=mysql_query("SELECT * FROM register WHERE email='$email' AND password='$password'") or die(mysql_error());
$count=mysql_num_rows($query);
if($count==1){
while ($row=mysql_fetch_array($query)) {
$username=$row['username'];
$heslo=$row['password'];
$_SESSION['valid'] = $username;
if(isset($_SESSION['valid'])){
$realtime = date("d-m-Y h:i:s");
$session = $_SESSION['valid'];
echo "<script> window.location.replace('index.php');
</script>";
header("Location: index.php");
}else{
echo "Přihlášení neproběhlo správně";
}
}
}
}
?>
The problem you're facing is that you mispelled "whirpool" it should be "whirlpool"
I have changed the code a bit, and this seems to be working. The curly brackets order is the one messing it up for you, as the else points to the incorrect if.
I have added comments throughout the script, so you can see what I'm trying to say.
mysql_connect('localhost','user','pass');
mysql_select_db('test');
# You can use your post methods, I've used these for testing.
$email = mysql_real_escape_string('email');
$pass = $_GET['pw'];
$hash = hash("sha512", $pass);
$hash1 = hash("whirlpool", $hash);
$hash2 = hash("sha384", $hash1);
$pass = $hash2;
# Now you can see the PW input
echo $pass."<br>";
# Nonsense
$password = $pass;
# By using $sql you can echo your query to see what results would it yield upon running it.
$sql = "SELECT * FROM test WHERE em='$email' AND pw='$password'";
$query=mysql_query($sql) or die(mysql_error());
$count=mysql_num_rows($query);
# Echo stuff to see what their results are
echo $sql."<br>";
echo $count."<br>";
# Let's see if we all got it right?
if($count==1){
while ($row=mysql_fetch_array($query)) {
$username=$row['un'];
$heslo=$row['pw'];
$_SESSION['valid'] = $username;
if(isset($_SESSION['valid'])){
$realtime = date("d-m-Y h:i:s");
$session = $_SESSION['valid'];
# Commented out for testing purposes. I mean the header.
echo "all is well";
//header("Location: index.php");
} // this closes the if(isset...
} // this closes the while loop
# Note that the curly brackets have changed. Now the else points correctly to the other branch if $count is not equal to 1.
} else {
echo "Přihlášení neproběhlo správně";
}

my login page is not working properly [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 8 years ago.
Improve this question
I am trying to make login page. i store some data in the database. when i enter the data then it will show the error which i don't know y is coming because i define the index.....
php code
//var_dump($_POST);
// Grab User submitted information
$user = $_POST["username"];
$pass = $_POST["password"];
if(empty($user) && empty($pass))
{
$msg = "Pleae enter username and password";
}
else
{
// Connect to the database
$con = mysql_connect("localhost","root","","jj");
// Make sure we connected succesfully
if(! $con)
{
session_start();
$_SESSION['Logged in'] = true;
die('Connection Failed'.mysql_error());
}
// Select the database to use
mysql_select_db("jj");
$qry = "SELECT username, password FROM login WHERE username = '".$user."' and password = '".$pass."'";
echo $qry;
$result = mysql_query($qry);
//var_dump($result);
$row = mysql_fetch_array($result);
//var_dump($row); //check the row
if($row["username"]==$user && $row["password"]==$pass)
{
$msg = "You are a validated user.";
session_start();
$_SESSION['username'] = $row["username"];
$_SESSION['logged_in'] = true;
header("Location: Iphoneunlockingcenter.html");
die();
}
else
{
$msg ="Sorry, your credentials are not valid, Please try again.";
}
}
}
?>
when i try to login then error comes
which the pic is showing
you have to use ISSET.
try replace this
$user = $_POST["username"];
$pass = $_POST["password"];
by
if(isset($_POST["username"]) and isset($_POST["password"])){
$user = mysql_real_escape_string($_POST["username"]); //escape your variables
$pass = mysql_real_escape_string($_POST["password"]);
}
else {
$user = '';
$pass = '';
}

Categories