I developed a login page with a video captcha. For now the login function works perfectly.
On this page the user is required to watch a video and then answer a question; they are allowed to log in only once their answer matches the one in the database.
The problem is: how do I validate the answer the user typed against the answer in the database? My database table for the videos consists of ID | Video | question | answer
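require "config.php"; // Connection script, included in every file; provides $con.

// Already logged in: send the user to the members area and stop.
// Without exit the rest of this script would still run after the redirect header.
if (isset($_SESSION['email'])) {
    header("location: members.php");
    exit;
}

if (isset($_POST['submit'])) {
    // Raw form values. They are bound as statement parameters below, so no
    // stripslashes()/escaping pass is applied (stripslashes() would also alter
    // a password that legitimately contains a backslash).
    $email = isset($_POST['email']) ? $_POST['email'] : "";
    $password = isset($_POST['password']) ? $_POST['password'] : "";

    // NOTE(review): $_POST['captcha'] is never checked in this script. To check it the
    // server has to remember which video row it displayed (for example its ID in the
    // session when the form is rendered) and compare the posted answer with that row.

    if ($email == "" || $password == "") {
        // Check to see if the user left any field empty.
        echo "Please fill in all the information!";
    } else {
        // Bound parameters keep the submitted values out of the SQL text, so quotes
        // in the input cannot change the query.
        // NOTE(review): comparing the password column directly implies passwords are
        // stored unhashed; storing password_hash() output and checking it with
        // password_verify() is the supported approach.
        $stmt = mysqli_prepare($con, "SELECT email FROM detail WHERE email = ? AND password = ?") or die("Can not query DB.");
        mysqli_stmt_bind_param($stmt, "ss", $email, $password);
        mysqli_stmt_execute($stmt) or die("Can not query DB.");
        mysqli_stmt_store_result($stmt);
        $count = mysqli_stmt_num_rows($stmt);
        mysqli_stmt_close($stmt);

        if ($count == 1) {
            // Match found: issue a fresh session id before marking the session as
            // logged in, so an id known before login is not carried over.
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
            }
            $_SESSION['email'] = $email;
            header("location: members.php");
            exit;
        } else {
            echo "Username and Password DO NOT MATCH! TRY AGAIN!";
        }
    }
}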
?>
</span>
<form action="login.php" method="post">
<label><b>Login</b>Not a member? Register now!</label><br /><br />
<label>Email :<span>*</span></label><br />
<input name="email" type="text" id="email" placeholder="username#domain" required>
<br />
<label>Password :<span>*</span></label><br />
<input name="password" type="password" id="password" placeholder="********"required>
<br />
</div>
<div style="float:right; width:50%; ">
<?php
// Picks one random row from the video table and renders its clip and question
// as the captcha part of the login form.
// NOTE(review): mysql_* is the legacy extension (removed in PHP 7) and this opens a second
// connection as root with an empty password, while the login code uses mysqli through $con;
// reusing that connection with a least-privilege account would avoid both — confirm config.php.
mysql_connect("localhost","root","");
mysql_select_db("details");
// NOTE(review): nothing records which row was shown, so the POST handler cannot know which
// answer to compare $_POST['captcha'] with; keeping the row's ID in the session here (never
// the answer in the page) would let the server look the answer up on submit.
$res=mysql_query("select * from video ORDER BY RAND() LIMIT 1");
while($row=mysql_fetch_array($res))
{
// NOTE(review): the column values echoed below are written into the HTML unescaped;
// htmlspecialchars() is the usual guard for values placed in markup.
?>
<center><video width="360" height="270" controls><source src="**<?php echo $row["video"];?>**" type="video/mp4">
</video><center>**<?php echo $row['question']; ?>**</center> </center>
<input name="captcha" type="text" size"4" placeholder="" required><br>
</fieldset>
<br /><br />
<input type="reset" value="Reset" />
<input type="submit" name="submit" value="Login">
</form>
<?php
}
?>
My site won't let me log into it after filling out the registration form, everything in the database is correct but it just wont let me log in! Also if I do sort out the logging in problem will it let me pass over to 'home.php'? Sorry for being such a novice and thank you for your time in advance!
<?php
// Start (or resume) the session and pick up the logged-in user's name when one is stored.
session_start();
if (isset($_SESSION["userlogin"])) {
    $username = $_SESSION["userlogin"];
}
?>
<?php
// Registration handler: reads the sign-up form fields, validates them and inserts a new row into users.
// NOTE(review): the "#" in front of each $_POST below looks like an extraction artefact for PHP's "@"
// error-suppression operator; as printed, "#" starts a comment and these lines would not parse.
$reg = #$_POST['reg'];
//declaring variables to prevent errors
$first_name = ""; //First Name
$last_name = ""; //Last Name
$username = ""; //Username
$email = ""; //Email
$email2 = ""; //Email 2
$password = ""; //Password
$password2 = ""; // Password 2
$signupdate = ""; // Sign up Date
$usercheck = ""; // Check if username exists
//registration form
// NOTE(review): strip_tags() removes HTML/PHP tags only; it does not escape quotes, so these values are
// still unsafe to place inside the SQL strings below. Applied to the password it also silently
// changes what the user typed.
$first_name = strip_tags(#$_POST['first_name']);
$last_name = strip_tags(#$_POST['last_name']);
$username = strip_tags(#$_POST['username']);
$email = strip_tags(#$_POST['email']);
$email2 = strip_tags(#$_POST['email2']);
$password = strip_tags(#$_POST['password']);
$password2 = strip_tags(#$_POST['password2']);
$signupdate = date("Y-m-d"); // Year - Month - Day
if ($reg) {
if ($email==$email2) {
// Check if user already exists
// NOTE(review): $username is interpolated straight into the query text (SQL injection). The legacy
// mysql_* extension has no prepared statements and was removed in PHP 7; mysqli or PDO with bound
// parameters is the fix. The same applies to the e-mail lookup and the INSERT below.
$usercheck = mysql_query("SELECT username FROM users WHERE username='$username'");
// Count the rows where username = $username
$check = mysql_num_rows($usercheck);
//Check whether Email already exists in the database
$echeck = mysql_query("SELECT email FROM users WHERE email='$email'");
//Count the number of rows returned
$emailcheck = mysql_num_rows($echeck);
if ($check == 0) {
if ($emailcheck == 0) {
//check all of the fields have been filled in
if ($username && $first_name && $last_name &&
$email && $email2 && $password && $password2)
{
// check that passwords match
if ($password==$password2) {
// check the maximum length of username/first name/last name does not exceed 25 characters
if (strlen($username)>25 ||
strlen($first_name)>25 ||
strlen($last_name)>25)
{
echo "The maximum limit for username/first name/last name is 25 characters!";
}else {
// check the length of the password is between 5 and 30 characters
if (strlen($password)>30||strlen($password)<5) {
echo "Your password must be between 5 and 30 characters long!";
}else {
//hash password and password 2 using crypt before sending to database
// NOTE(review): crypt() is called without a salt, so it picks a new random salt on every call;
// the value stored here cannot be reproduced by calling crypt() on the same password at login.
// password_hash() here and password_verify() at login is the supported pair.
$password = crypt($password);
$password2 = crypt($password2);
// NOTE(review): the result of the INSERT is not checked before redirecting.
$query = mysql_query("INSERT INTO users VALUES ('','$username','$first_name','$last_name','$email','$password','$signupdate','0')");
header("Location: index.php");
exit;
}
}
} else {
echo "Your passwords don't match!";
}
} else {
echo "Please fill in all of the fields";
}
}else{
echo "Sorry, but it looks like someone has already used that email!";
}
}else{
echo "Username already taken ...";
}
}else {
echo "Your E-mails don't match!";
}
}
?>
<?php
//Login Script
// Looks up the submitted username/password pair and, on exactly one match, stores the username in the session.
if (isset($_POST["userlogin"]) && isset($_POST["passwordlogin"])) {
// NOTE(review): the filter leaves only letters and digits, which keeps quotes out of the query below,
// but it also strips every other character from the password, so the value checked can differ
// from what the user typed (registration does not apply this filter).
$userlogin = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["userlogin"]); // filter everything but numbers and letters
$passwordlogin = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["passwordlogin"]); // filter everything but numbers and letters
// NOTE(review): crypt() without a salt produces a different hash on every call, so this value never
// equals the hash stored at registration and the query below finds no row. Fetching the stored
// hash by username and checking it with password_verify() is the supported approach.
$cryptpasswordlogin = crypt($passwordlogin);
$sql = mysql_query("SELECT id FROM users WHERE username='$userlogin' AND password='$cryptpasswordlogin' LIMIT 1"); // query the person
//Check for their existence
$userCount = mysql_num_rows($sql);
// NOTE(review): this prints raw database error text to the visitor; log it server-side instead.
echo mysql_error();
//Count the number of rows returned
if ($userCount == 1) {
while($row = mysql_fetch_array($sql)){
$id = $row["id"];
}
$_SESSION["userlogin"] = $userlogin;
// NOTE(review): header() needs the field name, i.e. "Location: home.php"; as written no redirect is sent.
header("home.php");
exit();
}else{
echo 'That information is incorrect, try again';
exit();
}
}
?>
<div>
<h2>Already a Memeber? Login below ...</h2>
<form action="index.php" method="post" name="form1" id="form1">
<input type="text" size="40" name="userlogin" id="user_login" class="auto-clear" placeholder="Username..." /><p />
<input type="text" size="40" name="passwordlogin" id="password_login" placeholder="Password..." /><p />
<input type="submit" name="button" id="button" value="Login to your account">
</form>
</div>
<div>
<h2>Sign up Below ...</h2>
<form action="#.php" method="post">
<input type="text" size="40" name="username" class="auto-clear" title="Username" placeholder="Username..."><p />
<input type="text" size="40" name="first_name" class="auto-clear" title="First Name" placeholder="First name..."><p />
<input type="text" size="40" name="last_name" class="auto-clear" title="Last Name" placeholder="Last name..."><p />
<input type="text" size="40" name="email" class="auto-clear" title="Email" placeholder="Email..."><p />
<input type="text" size="40" name="email2" class="auto-clear" title="Repeat Email" placeholder="Email again..."><p />
<input type="password" size="40" name="password" placeholder="Password..."><p />
<input type="password" size="40" name="password2" placeholder="Password again..."><p />
<input type="submit" name="reg" value="Sign Up!">
</form>
</div>
</div>
</body>
</html>
Please note that, as this simple test shows, calling crypt() twice on the same string will not generate the same result.
// No salt argument is passed, so crypt() chooses a random salt for each call
// (the salt argument is mandatory as of PHP 8).
echo crypt('password') . PHP_EOL;
echo crypt('password') . PHP_EOL;
Results are :
$1$5u1.o45.$QqFY/BeCcln/LO7efiDp61
$1$R55.G3..$LQ9HxetMhV3KmJYM2q8UR/
So when you use crypt() to HASH the password on registration, and then again when you try the login part of your script, even if the user enters the correct password it will NOT generate the same HASH therefore this query will not find the user row
SELECT id
FROM users
WHERE username='$userlogin'
AND password='$cryptpasswordlogin'
LIMIT 1
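i.e. crypt() called without an explicit salt generates a fresh random salt each time (the part between the second and third $ in the results above), so it will not generate the same hash twice from the same string.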
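Please don't roll your own password hashing. PHP provides password_hash()
and password_verify(); please use them: store the output of password_hash() at registration, and at login fetch the stored hash by username and check it with password_verify() instead of comparing hashes in the SQL WHERE clause.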
And here are some good ideas about passwords
If you are using a PHP version prior to 5.5 there is a compatibility pack available here
The PHP script is supposed to receive two variables, username and password, but it doesn't, and it always echoes "missing input".
I tried to echo the two variables but nothing was echoed, which i think means that they are not initialized.
This is the script:
// Merchant login check: expects username and password in the POST body.
require_once ('connect.php');
// NOTE(review): these reads happen before the isset() test below, so a request without the
// fields raises undefined-index notices here.
$username= $_POST['username'];
$password= $_POST['password'];
if(isset($_POST['username']) && isset($_POST['password'])) {
if(!empty($username) && !empty($password)) {
// NOTE(review): both values are interpolated into the SQL text unescaped (SQL injection); a
// prepared statement with bound parameters avoids that. The direct comparison on the password
// column also implies passwords are stored unhashed.
$query = "Select * from merchant where username='$username' and password = '$password' ";
$r = mysqli_query($con, $query);
// NOTE(review): this runs the same query a second time, and the result is truthy whenever the
// query executes without error — even with zero matching rows — so any username/password pair
// prints "Welcome". The row count of $r (mysqli_num_rows) is what shows whether a user matched.
if(mysqli_query($con,$query)) {
echo "Welcome";
mysqli_close($con);
}
else {
echo "Wrong password or username";
mysqli_close($con);
}
}
else {
echo "you must type both inputs";
}
}
else {
echo "missing input";
}
I tried sending the post data using Postman and via HTML page but both returned the same thing: "missing input"
This is the HTML i used
<form action="mlog.php" method="post">
<input type="textbox" name="username" value="username" />
<input type="textbox" name="password" value="password" />
<input type="submit" name="login" value="submit" />
</form>
its <input type="text">
<form action="mlog.php" method="post">
<input type="text" name="username" value="username" />
<input type="text" name="password" value="password" />
<input type="submit" name="login" value="submit" />
</form>
Check if the login button was clicked, then check if the username and password are not empty then assign the vars to them if not.
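<?php
// Handles the login POST: both fields must be non-empty, then the pair is
// looked up in the merchant table and a match is reported only when a row comes back.
require_once('connect.php'); // provides $con, as in the question's script

if (!empty($_POST['username']) && !empty($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Bound parameters keep the submitted values out of the SQL text, so quotes
    // in the input cannot change the query.
    // NOTE(review): this compares the password column directly, which implies passwords
    // are stored unhashed; store password_hash() output and check it with
    // password_verify() instead.
    $found = false;
    $stmt = mysqli_prepare($con, "Select username from merchant where username = ? and password = ?");
    if ($stmt) {
        mysqli_stmt_bind_param($stmt, "ss", $username, $password);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_store_result($stmt);
        // A query that runs but matches nothing is still "successful";
        // only a returned row means the credentials matched.
        $found = mysqli_stmt_num_rows($stmt) > 0;
        mysqli_stmt_close($stmt);
    }

    if ($found) {
        echo "Welcome";
        //redirect
    } else {
        echo "Wrong password or username";
    }
    mysqli_close($con);
}
else {
    echo "you must type both inputs";
}
?>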
I am wondering where is the errors that I am missing.
my form would be like this
<form id="myForm" action="loginAction" name="login" method="POST">
<p> <label class="inputField" > Email Address : </label> </p>
<p> <input class="registerField" id="emailid" name="email" required="required" type="text" placeholder="eg. john.wick#yahoo.com"/> <span class="warning" id="emailWarning"> </p>
<p> <label class="inputField" > Password : </label> </p>
<p> <input class="registerField" id="textpwd" name="password" required="required" type="password" placeholder="Your password"/> </p>
<p> <input name="submit" class="registerButton" type="submit" value="LOGIN"> </p>
loginAction.php at the following code below
<?php
// Login handler for the form: looks for a register_user row matching the posted email and password.
// Report all PHP errors
error_reporting(-1);
session_start();
include 'dbconnect.php'; // presumably defines $mysqli — confirm
$username = $_POST['email'];
$password = $_POST['password'];
// NOTE(review): the procedural mysqli_real_escape_string() takes the connection as its first
// argument. Called with only the string it fails (a warning and NULL on older PHP, an error on
// PHP 8), so $username and $password no longer hold the submitted values when the query runs —
// which would explain the "YOU WRONG" result. A prepared statement with bound parameters on
// $mysqli removes the need for manual escaping altogether.
$username = mysqli_real_escape_string(stripslashes($username));
$password = mysqli_real_escape_string(stripslashes($password));
// NOTE(review): the password is compared with the column as stored, which implies unhashed
// passwords; password_hash() at registration and password_verify() here is the supported approach.
$loginUser = " SELECT registerPassword, emailAddress FROM register_user
WHERE emailAddress = '$username' AND registerPassword = '$password'";
// NOTE(review): die(mysqli_error()) shows database error text to the visitor; log it server-side instead.
$loginSuccess = mysqli_query($mysqli, $loginUser) or die(mysqli_error($mysqli));
$loginRow = mysqli_num_rows($loginSuccess);
if($loginRow == 1) {
// $_SESSION['login_user'] = $username;
echo "SUCCESSFUL LOGIN";
//header ("Location: index");
} else {
echo "YOU WRONG";
}
mysqli_close($mysqli);
?>
The answer is YOU WRONG even though the password and email are the same. I am aware that I haven't finished session yet, but this can't login, so i cant do further to Session.
you form field name is email not username change
$username = $_POST['username'];
to
$username = $_POST['email'];
Also on error reporting and
remove spaces before opening php tag like <?php session_start();
You put $username = $_POST['username']; in loginAction.php
change it to $username = $_POST['email'];
Because in your form you write:
<input id="emailid" name="email" type="text"/>
and
// Reports success when the lookup returned at least one row.
// NOTE(review): any non-zero row count passes here, which is looser than an exact == 1 check;
// the two are equivalent only if emailAddress is unique in the table — confirm.
if($loginRow!=0) {
// $_SESSION['login_user'] = $username;
echo "SUCCESSFUL LOGIN";
//header ("Location: index");
} else {
echo "YOU WRONG";
}
I made a login page for my website. The connection to the database is fine, and I am typing in to the login form the correct values that are in the database. I have a md5 on the password in both the database and the code. Yet, when I check to see if any rows come back, there are none. I would just like another set of eyes to look over what is probably a stupid mistake.
<?php
// Login check: hashes the submitted password with md5 and looks for an activated
// users row with that email and hash.
// NOTE(review): $_POST is read without isset(), so simply opening this page (no form submit)
// raises undefined-index notices and runs the query with empty values.
$email = $_POST['email'];
$password = $_POST['password'];
// NOTE(review): unsalted md5 is not suitable for passwords; password_hash() and
// password_verify() are the supported replacement.
$password = md5($password);
// NOTE(review): $email goes into the query text unescaped (SQL injection). mysql_* is the legacy
// extension (removed in PHP 7); mysqli or PDO with bound parameters is the fix.
// One thing to check for the "no rows" symptom (not visible here): md5() returns 32 hex
// characters, so a shorter password column would truncate the stored hash.
$query = "SELECT * FROM users WHERE password = '$password' AND email='$email' AND activated='1'";
$queryrun = mysql_query($query);
// Prints the first name of every matching row.
while($row = mysql_fetch_assoc($queryrun)) {
$fname = $row['firstname'];
echo $fname;
}
$logincheck = mysql_num_rows($queryrun);
if ($logincheck > 0) {
echo 'good, you are in our database';
} else {
echo 'sorry, you are not in our database';
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
Login <br />
<form action="login.php" method="POST">
Email: <input type="text" name="email" />
Password: <input type="password" name="password" />
<input type="submit" value="Log in" />
</form>
</body>
</html>
I am currently coding pages for a social network (it's only going to run locally) for my senior project and I am running in to these redirect errors that I have no clue on how to solve. There are around three pages that have the 'header('location:...') code in it. I didn't know what it would do at the different levels of coding so I put all of the coding with an equal amount of indention.
index.php
<? include("inc/incfiles/header.inc.php"); ?>
<?
// Registration handler: reads the sign-up form fields, validates them and inserts a new row into users.
// NOTE(review): the short "<?" open tag only works when short_open_tag is enabled; "<?php" always works.
// NOTE(review): the "#" in front of each $_POST below looks like an extraction artefact for PHP's "@"
// error-suppression operator; as printed, "#" starts a comment and these lines would not parse.
$reg = #$_POST['reg'];
//declaring variables to prevent errors
$fn = ""; //First Name
$ln = ""; //Last Name
$un = ""; //Username
$em = ""; //Email
$em2 = ""; //Email 2
$pswd = ""; //Password
$pswd2 = ""; //Password 2
$d = ""; //Sign up Date
$u_check = ""; //Check if username exists
//registration form
// NOTE(review): strip_tags() removes HTML/PHP tags only; it does not escape quotes, so these values
// are still unsafe inside the SQL strings below, and it silently alters a password containing "<".
$fn = strip_tags(#$_POST['fname']);
$ln = strip_tags(#$_POST['lname']);
$un = strip_tags(#$_POST['username']);
$em = strip_tags(#$_POST['email']);
$em2 = strip_tags(#$_POST['email2']);
$pswd = strip_tags(#$_POST['password']);
$pswd2 = strip_tags(#$_POST['password2']);
$d = date("y-m-d"); // two-digit year - month - day
if ($reg) {
if ($em==$em2) {
// Check if user already exists
// NOTE(review): $un is interpolated straight into the query text (SQL injection). The legacy mysql_*
// extension has no prepared statements and was removed in PHP 7; mysqli or PDO with bound
// parameters is the fix. The same applies to the INSERT below.
$u_check = mysql_query("SELECT username FROM users WHERE username='$un'");
// Count the amount of rows where username = $un
$check = mysql_num_rows($u_check);
if ($check == 0) {
//check all of the fields have been filled in
if ($fn&&$ln&&$un&&$em&&$em2&&$pswd&&$pswd2) {
// check that passwords match
if ($pswd==$pswd2) {
// check the maximum length of username/first name/last name does not exceed 25 characters
if (strlen($un)>25||strlen($fn)>25||strlen($ln)>25) {
echo "The maximum limit for username/first name/last name is 25 characters!";
}
else
{
// check the length of the password is between 5 and 30 characters long
if (strlen($pswd)>30||strlen($pswd)<5) {
echo "Your password must be between 5 and 30 characters long!";
}
else
{
//hash password and password 2 using md5 before sending to database
// NOTE(review): unsalted md5 is not suitable for passwords; password_hash() here and
// password_verify() at login is the supported pair.
$pswd = md5($pswd);
$pswd2 = md5($pswd2);
// NOTE(review): the seventh value is the literal string 'd', not '$d', so the sign-up date
// computed above is never stored. The INSERT result is not checked either.
$query = mysql_query("INSERT INTO users VALUES ('','$un','$fn','$ln','$em','$pswd','d','0')");
die("<h2>Welcome to Rebel Connect</h2>Login to your account to get started.");
}
}
}
else {
echo "Your passwords don't match!";
}
}
else
{
echo "Please fill in all fields";
}
}
else
{
echo "Username already taken.";
}
}
else {
echo "Your e-mails don't match!";
}
}
?>
<?
//Login Script
// Looks up the submitted username/password pair and, on exactly one match, stores the login in the session.
// NOTE(review): the isset() test looks at $_POST["user_password"], but the value is then read from
// $_POST["password_login"], a different key. The login form on this page is also a bare <form>
// (no method attribute), which submits by GET, so these $_POST checks would not fire — confirm.
if (isset($_POST["user_login"]) && isset($_POST["user_password"])) {
$user_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["user_login"]); // filter everything but numbers and letters
$password_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password_login"]); // filter everything but numbers and letters
// NOTE(review): the filtered plain password is compared with the password column, while the
// registration code stores md5($pswd) there, so the two can never be equal as written.
$sql = mysql_query("SELECT id FROM users WHERE username='$user_login' AND password='$password_login' LIMIT 1"); // query the person
//Check for their existence
$userCount = mysql_num_rows($sql); //Count the number of rows returned
if ($userCount == 1) {
while($row = mysql_fetch_array($sql)){
$id = $row["id"];
}
$_SESSION["id"] = $id;
$_SESSION["user_login"] = $user_login;
// NOTE(review): PHP variable names are case-sensitive, so $_Session is an ordinary local array,
// not the session. That is for the better: a password should not be kept in session data.
$_Session["password_login"] = $password_login;
header("location: index.php");
exit();
} else {
echo 'That information is incorrect, try again';
exit();
}
}
?>
<table class="homepageTable">
<tr>
<td width="60%" valign="top">
<h2>Already a member? Login below.</h2>
<form>
<input type="text" size="25" name="user_login" id="user_login" placeholder="username" />
<input type="password" size="25" name="user_password" id="user_password" placeholder="password" /><br />
<input type="submit" name="button" id="button" value="Login to your account!">
</form>
</td>
<td width="40%" valign="top">
<h2>Sign up below...</h2>
<form action="#" method="post">
<input type="text" size="25" name="fname" placeholder="First Name" value="<? echo $fn; ?>">
<input type="text" size="25" name="lname" placeholder="Last Name" value="<? echo $ln; ?>">
<input type="text" size="25" name="username" placeholder="Username" value="<? echo $un; ?>">
<input type="text" size="25" name="email" placeholder="Email" value="<? echo $em; ?>">
<input type="text" size="25" name="email2" placeholder="Re-enter Email" value="<? echo $em2; ?>">
<input type="password" size="25" name="password" placeholder="Password" value="<? echo $pswd; ?>">
<input type="password" size="25" name="password2" placeholder="Re-enter Password" value="<? echo $pswd2; ?>"><br />
<input type="submit" name="reg" value="Sign Up!">
</form>
</td>
</tr>
</table>
</body>
</html>
header.inc.php
<?
// Shared header include: connects to the database, starts the session and redirects
// according to whether a login is stored in the session.
include ("inc/scripts/mysql_connect.inc.php");
// starts the session
session_start();
// checks whether the user is logged in or not
// NOTE(review): this read happens before the isset() test, so it raises an undefined-index
// notice for visitors who are not logged in.
$user = $_SESSION["user_login"];
// NOTE(review): both branches send a redirect and exit, so no page that includes this file ever
// renders. index.php includes it, so a visitor without a session is redirected from index.php
// to index.php again, which is the redirect loop. The check belongs only on pages that require
// a login, and should not redirect to the page already being served.
if (!isset($_SESSION["user_login"])) {
header("location: index.php");
exit();
}
else
{
header("location: home.php");
exit();
}
?>
<html>
<head>
<link href="css/main.css" rel="stylesheet" type="text/css">
<title>Rebel Reach - PHS Student Social Network</title>
</head>
<body>
<div class="headerMenu">
<div id="wrapper">
<div class="logo">
<img src="img/find_friends_logo.png">
</div>
<div class="search_box">
<form method="get" action="search.php" id="search">
<input name="q" type="text" size="60" placeholder="Search..." />
</form>
</div>
<div id="menu">
Home
About
Sign Up
Login
</div>
</div>
</div>
<br />
<br />
<br />
<br />
home.php
<?
// home.php: greets a logged-in user; anyone without a login in the session is sent to index.php.
session_start();
$user = $_SESSION["user_login"];

$loggedIn = isset($_SESSION["user_login"]);
if ($loggedIn) {
    // A login name is stored in the session: show the greeting.
    echo "Hi, $user, You're logged in<br />Welcome to what is soon to be your NEWSFEED";
} else {
    // No login in the session: redirect and stop.
    header('location: index.php');
    exit();
}
?>
You've got a catch-22 in your code:
index.php includes your function library
the function library checks for the existence of that session variable.
if the variable doesn't exist, redirect to index.php
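i.e. you've written a very complicated version of the classic BASIC 10 GOTO 10: every request for index.php by a visitor who is not logged in is redirected straight back to index.php.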