Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Improve this question
below is my simple login.php code, I created a user with
usermail: admin userpass: admin123
But whenever I try to login with admin account, it ignores the if statement and it opens the homepage.php, what might be the problem, thank you.
<?php
$connection = mysql_connect("localhost","user","password") or die("Could not connect to the database");
mysql_select_db("nisbet", $connection);
error_reporting(0);
if($_POST['login']){
if($_POST['usermail'] && $_POST['userpass']){
$usermail = mysql_real_escape_string($_POST['usermail']);
$userpass = mysql_real_escape_string(hash("sha512",$_POST['userpass']));
$user = mysql_fetch_array(mysql_query("SELECT * FROM `user` WHERE `usermail` = '$usermail'"));
if($user == 0){
die("User does not exits <a href='index.php'>← Back</a>");
}
if($user['userpass'] != $userpass){
die("Incorrect password! <a href='index.php'>← Back</a>");
}
//die("You are now logged in as $usermail !");
if($user['usermail'] == 'admin' && $user['userpass'] == 'admin123'){
header('Location: adminpage.php');
}else{
header('Location: homepage.php');
}
}
}
The $userpass variable contains a hash of the submitted password, so comparing it to "admin123" won't work.
You should compare it to the hash of "admin123" instead, or not comparing them a second time since you've already done that before in your code.
Related
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 3 days ago.
Improve this question
Im new to php and im building a login and registration form.
Everything works except when i click log in with a user credentials that are in my database my error for "user not found is showing.
I've included the code snippet for my error to see if i have typed something wrong.
protected function getUser($email, $pwd)
{
$stmt = $this->connect()->prepare("SELECT pwd FROM web WHERE lName = ? OR Email = ?;");
if (!$stmt->execute(array($email, $pwd))) {
$stmt = null;
header("location: ../index.php?error=stmtfailed");
exit();
}
if ($stmt->rowCount() == 0) {
$stmt = null;
header("location: ../index.php?error=usernotfound");
exit();
}
$pwdHashed = $stmt->fetchAll(PDO::FETCH_ASSOC);
$checkPwd = password_verify($pwd, $pwdHashed[0]["pwd"]);
if you need any more info let me know!
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
how to block user after 3 login attempts ?
Here is my code :
session_start();
/************Connexion************/
if(isset($_POST['cnx'])){
require_once('../config.php');
$db = new DBSTOCK();
$cnx = $db->connect();
$user=$_POST['user'];
$pass=$_POST['pass'];
// To protect from MySQL injection for Security purpose
$user = strip_tags($user);
$pass = strip_tags($pass);
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysqli_real_escape_string($cnx,$user);
$pass = mysqli_real_escape_string($cnx,$pass);
$q=mysqli_query($cnx,"select * from admin where user='".$user."'");
$row = mysqli_fetch_array($q); //or die(mysqli_error($con));
$pw = $row['pass'];//hashed password in database
$username = $row['user'];
if($user==$username && password_verify($pass, $pw)) {
$_SESSION["user"]=$user;
header("Location: ../view/accueil.php");
}
else{
header("Location: ../index.php?failed=0");
}}
/************Deconnexion************/
if(isset($_GET['decnx'])){
session_destroy();
session_unset();
header("Location: ../index.php");
}
any script suggestion i can add to my code so a user can be blocked for 10 minutes after 3 consecutive failed login attempts ?
Add the following two columns to your row:
last_attempt as a datetime
attempt_count as an int
In your login logic, check these two values, if it's 3 or more and within the time frame (ex: 10mins), then update last_attempt and increment attempt_count, this second part is not necessary but you might want to know this. If it's been more than 10mins, then set attempt_count back to 0 if they pass or 1 if they fail and update last_attempt again.
As a bonus, you now also know the last time the user logged in, which is useful when you want to find unused accounts.
There are so many ways to do that. If you want to block the device then you can create a cookie for 10 mins, and set a condition if username matched then it will not hit the database for log in.
Or if you want to block for any device for that user, then you have to maintain the user status, where three consecutive failure attempt will change user status and the time when it is blocked. But this time you have check whether the blocked time was 10 mins before or not for every login attempt.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
I did the following administrator login for a client's website, and I just wanted to ask if this method is secure, I use a userID cookie check along with a "is the administrator online" entry in the db that i also check for security reasons.
Sorry if my formatting is bad, i will accept any tips, please have patience with me, I'm a newbie programmer that just entered the phase "First projects for clients".
<?php
include_once('config.php');
if(isset($_POST['usr']) && isset($_POST['pwd'])){
$usr=$_POST['usr'];
$pwd=md5($_POST['pwd']);
$userquery="SELECT * FROM nexus_administrators WHERE user='".$usr."';";
$execuser=mysqli_query($con,$userquery);
$usrnum= mysqli_num_rows($execuser);
$pwdquery="SELECT * FROM nexus_administrators WHERE pwd='".$pwd."';";
$execpwd=mysqli_query($con,$pwdquery);
$pwdnum= mysqli_num_rows($execpwd);
$query="SELECT adminid FROM nexus_administrators WHERE pwd='".$pwd."' AND user='".$usr."';";
$result=mysqli_query($con,$query);
$row=mysqli_fetch_array($result);
$uid= $row['adminid'];
echo $uid;
if($usrnum==1 && $pwdnum==1){
setcookie("uid", $uid, time()+3600*1000);
$puthimonline= "UPDATE nexus_administrators SET isOn=1 WHERE adminid='".$uid."';";
mysqli_query($con,$puthimonline);
header('Location: adminpanel.php');
}
}
//Ai n-ai cookie dai la poarta
if (!isset($_COOKIE['uid'])){
echo " INTRUS !!!!";
echo " </br> Zbori sau o s**i pe ciuperca";
}else{
//te verific si-n baza
$query= "SELECT * FROM nexus_administrators WHERE adminid='".$_COOKIE['uid']."' AND isOn=1;";
$result=mysqli_query($con,$query);
if(mysqli_num_rows($result)!= 1){
header('Location: index.php');
}else{
if(isset($_GET['log'])){
$puthimoffline= "UPDATE nexus_administrators SET isOn=0 WHERE adminid='".$_COOKIE['uid']."';";
mysqli_query($con,$puthimoffline);
header('Location: index.php');
}
echo "hello my dear admin";
echo"
<a href='adminpanel.php?log=0'> Log Out</a>";
};
}
?>
No, this is flawed. There are several problems.
It makes no sense to count the number of users that have the same password (second query)
a md5 hash is not sufficient for storing the passwords. If an attacker gets access to the database, he can easily find the passwords. You must use a salt.
save isonline in the database makes no sense. If the user does not log off, access remains granted forever in the database.
You save the userid in the cookie. It's not secure, because it is easy to spoof.
last but not least your code is open for SQL injection (once from a query string variable, and two instances from cookies).
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 9 years ago.
Improve this question
I am trying to create login system with access level but i the bellow code always shows please enter you password. please help me where i am wrong.
session_start();
if(isset($_REQUEST['submit'])) {
$username=$_POST['username'];
$mypassword=$_POST['password'];
if($username){
if($password){
require('conn/iclude.php');
$password=sha1($password);
$query=mysql_query("SELECT * FROM admin where name='$username'");
$numrow=mysql_num_rows($query);
if($numrow==1){
$row=mysql_fetch_assoc($query);
$dbid=$row['id'];
$dbuser=$row['name'];
$dbpass=$row['pass'];
$role=$row['role'];
if($password==$dbpass) {
$_SESSION['username']=$dbuser;
$_SESSION['useridid']=$dbid;
if($role == 1){
header('Location:admin.php');
}elseif ($role==2) {
header('Location:1/neasp.php');
}elseif ($role==3) {
header('Location:2/index.php');
}elseif ($role==4) {
header('Location:3/index.php');
}elseif ($role==5) {
header('Location:4/index.php');
}
}else{}
}else{
echo"Hello World";
}
}else{echo "You must enter your password";}
}else {echo "You must enter your name";}
}
thanks below is html form
$mypassword=$_POST['password'];
^^^^^^^^^^^ **MY** password
if($password){
^^----no **MY**
If your system was properly configured for debugging, e.g. display_errors and error_reporting turned on, you'd have gotten warnings about using undefined variables. A development/test system should *NEVER have these settings off in the first place.
You are also vulnerable to SQL injection attacks. Enjoy having your server pwn3d.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 8 years ago.
Improve this question
I am trying to add a resend verification action to my login/register system using tampus login system. I am following this tutorial.
Okay I am not a fan of php frameworks so I will make this one for you with MySQL:
if(empty($_POST["user"]) || empty($_POST["pass"])){
echo "Missing values";
} else {
//You would need the mysql connection variable named $db_conn
$db_conn = mysqli_connect("localhost","user","pass","db_name");
$user = $_POST["user"];
$pass = md5($_POST["pass"]);//MD5 encrypt;
$sql = "SELECT id FROM users WHERE username='$user' AND password='$pass'"
$query = mysqli_query($db_conn,$sql);
if(mysql_num_rows($query) > 1){
//Do the login thingys like cookies and redirects
} else {
echo "Check your credentials";
}
}
I think I could not made it easier and better to understand