<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
?>
<html>
<head>
<title>Log in</title>
</head>
<body>
<?php
$form = "<form action='./log.php' method='POST'>
<table>
<tr>
<td>Username</td>
<td><input type='text' name='name'></td>
</tr>
<tr>
<td>Password</td>
<td><input type='text' name='password'></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='loginbtn' value='Login'></td>
</tr>
</table>
</form>";
if ($_POST['loginbtn']) {
$user = $_POST['name'];
$password = $_POST['password'];
if($user) {
if($password) {
require('connect.php');
$password = md5($password)
//make user login info correct
$query = mysql_query("SELECT * FROM users where name= '$user'");
$numrows = mysql_num_rows($query);
if($numrows == 1) {
$row = mysql_fetch_assoc($query);
$dbid = $row['id'];
$dbuser = $row['name'];
$dbpass = $row['password'];
$dbactive = $row['active'];
if($password == $dbpass) {
if($dbactive == 1) {
//set session info
$_SESSION['id'] = $dbid;
$_SESSION['name'] = $dbuser;
echo "You have logged in as <b>$dbname</b> <a href='en/index.html'>Click Here</a> to go on next page";
}
else {
echo "You must activate your account to login. $form";
}
}
else {
echo "You did not enter the correct password";
}
}
else {
echo "The username you entered was not found. $form";
}
mysql_close();
}
else {
echo "Tou must eneter your password. $form";
}
}
else {
echo "Tou must eneter a username. $form";
}
}
else {
echo $form;
}
?>
</body>
</html>
*My registration system instert password on db in md5 format.
but this login form can't find my password and print me problem "You did not enter the correct passsword".
How to sloving this problem?*
Persistently trying to solve the problem but have not been able
It may possible while inserting password into database some white space or other values are inserted alongwith password field. So once again check your inserting code. Use trim befor making password md5 like $password = md5(trim($password)) at both side(for Insert and Select). also note that it is case sensitive. As said in the comment section dont use md5 as it is not that much secure.
Related
I don't understand what is wrong with this code, I followed an old tutorial and it might be a bit dated so I'm unsure what is wrong. All the names for the database are correct and the functions should be fine, I have looked at the code for a while and can't see what is wrong.
<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
?>
<!DOCTYPE html>
<head>
</head>
<body>
<?php
$form ="<form action='./login.php' method='post'>
<table>
<tr>
<td>Username:</td>
<td><input type='text' name='user' /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='loginbtn' value='Login'/></td>
</tr>
</table>
</form>";
if ($_POST['loginbtn']) {
$user = $_POST['user'];
if ($user) {
if ($password) {
require("connect.php");
$password = md5(md5("fghxjks".$password."HGJDjbCKGC"));
$query = mysql_query("SELECT * FROM userlogins WHERE username='$user'");
$numrows = mysql_num_rows($query);
if ($numrows == 1) {
$row = msql_fetch_assoc($query);
$dbuser = $row['username'];
$dbpass = $row['password'];
if ($password == $dbpass) {
$_SESSION['userid'] = $dbid;
$_SESSION['username'] = $dbuser;
echo "You have been logged in as <b>$dbuser</b>.";
}
else {
echo "The password you entered is not correct.";
}
}
else {
echo "The username you entered was not found. $form";
}
mysql_close();
}
else {
echo "You must enter your password. $form";
}
}
else {
echo "You must enter your username. $form";
}
}
else {
echo $form;
}
?>
</body>
The $password variable is not set. You should add:
$password = $_POST['password'];
Before if ($password)
Also, $user comes from user input ($_POST['user']). Never put user input directly in a mysql_query, as it makes the query vulnerable to SQL injection. In this case, the attacker won't be able to do much, because mysql_query doesn't support multiple queries. But you should always use mysql_real_escape_string on user input:
$query = mysql_query('SELECT * FROM userlogins WHERE username=\''.mysql_real_escape_string($user).'\'');
Can anyone help, I have been trying to get this php code to work, with limited success, it seem the else statement in the while statement is being ignored, i have looked at other examples and just can't see what I've done wrong. The code is used within a login form and the part that doesn't work is when a user inputs the wrong password. I am new to PHP and this is for a college assignment. I will include the code for the login page also.
<?php
ob_start();
session_start();
error_reporting(0);
$username = $_POST['username'];
$password = $_POST['password'];
//sanitize username
$username = mysql_real_escape_string($username);
if($username&&$password) {
include 'db.php';
$query = mysql_query("SELECT id, username, password, salt
FROM member
WHERE username = '$username';");
$numrows = mysql_num_rows($query);
$result = mysql_query($query);
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$salt = $userData['salt'];
$hash = hash('sha256', $salt . hash('sha256', $password) );
if ($numrows !=0) {
while ($rows = mysql_fetch_assoc($query))
{
$dbusername = $rows['username'];
$dbpassword = $hash;
if ($username===$dbusername&&$hash===$dbpassword)
{
$_SESSION['username']=$dbusername;
header("location: index.php?remarks=success");
}
else
{
header("location: index.php?remarks=incorrect");
}
}
}
else
header("location: index.php?remarks=register");
}
else
header("location: index.php?remarks=other");
?>
<html>
<head>
<title>Login Form</title>
</head>
<body>
<form method="post" action="code_index.php">
<table width="274" border="0" align="center" cellpadding="2" cellspacing="0">
<tr>
<td colspan="2">
<div align="center">
<?php
$remarks=$_GET['remarks'];
if ($remarks==null and $remarks=="")
{
echo "Login Here<br/> <a href='registration.php'>Or Click Here to Register.</a>";
}
if ($remarks=='register')
{
echo "That username Does not Exists.<br/><a href='registration.php'>Click Here to register.</a>";
}
if ($remarks=='incorrect')
{
echo "Incorrect Password.<br/>Please Re-enter Password";
}
if ($remarks=='success')
{
echo "Login Successful. <br/> <a href='membersarea.php'>Click Here to go to the Members Area.</a>";
}
if ($remarks=='other') {
echo "Please enter a Username and Password<br/><a href='registration.php'>Or Click Here to register.</a>";
}
?>
</div></td>
</tr>
<tr>
<td>Username:</td>
<td><input type="text" name="username" placeholder="Enter your Username"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password" placeholder="Enter your Password"></td>
</tr>
<tr>
<td></td>
<td><input type="submit" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>
You need to assign dbpassword from database
//$dbpassword = $hash; //This is wrong
Do it like this.
$dbpassword = $rows['password'];
if ($username===$dbusername&&$hash===$dbpassword)
Can you try this,
ob_start();
session_start();
error_reporting(0);
$username = $_POST['username'];
$password = $_POST['password'];
//sanitize username
$username = mysql_real_escape_string($username);
if(isset($username) && isset($password)) {
include 'db.php';
$query = mysql_query("SELECT id, username, password, salt
FROM member
WHERE username = '$username' ");
$numrows = mysql_num_rows($query);
if ($numrows > 0) {
while ($rows = mysql_fetch_array($query))
{
$dbusername = $rows['username'];
$salt = $rows['salt'];
$hash = hash('sha256', $salt . hash('sha256', $password) );
$dbpassword = $hash;
if ($username==$dbusername && $hash==$dbpassword)
{
$_SESSION['username']=$dbusername;
header("location: index.php?remarks=success");
}
else
{
header("location: index.php?remarks=incorrect");
}
}
}else{
header("location: index.php?remarks=register");
}
}else{
header("location: index.php?remarks=other");
}
i got a problem on my validation script using php; when the user only fills out username form and emptied the password it still logs the user in it should show the user that the password field is blank error. i'm kinda new to php and i'm hoping you can help me. thanks!
here's my code for checking login
<?php
$usernameErr = $passwordErr = "";
$username = $password = "";
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
if (empty($_POST['username']))
{$usernameErr = "Username is required.";}
else
{$username =($_POST['username']);}
if (empty($_POST['password']))
{$passwordErr = "Password is required.";}
else
{$password =($_POST['password']);}
}
?>
<body>
<div id="header" align="center">
<h1>PT. Sumber Urip Alfindo</h1>
</div>
<br/>
<div id="content" align="center">
<form id="login" name="login" method="post" action="checklogin.php">
<table>
<tr>
<td>Username</td>
<td></td>
<td><input name="username" type="text" id="username"><span class="error"><?php echo $usernameErr;?></span></td>
</tr>
<tr>
<td>Password</td>
<td></td>
<td><input name="password" type="password" id="password"><span class="error"><?php echo $passwordErr;?></span></td>
</tr>
<tr>
<td colspan="3" align="center"><input type="submit" name="submit" value="Login"></td>
</tr>
</table>
</form>
<?php
$sql="SELECT * FROM $tbl_name WHERE usrname='$username'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1 && $username="admin")
{
header("location:mainadmin.php");
}
else if($count==1)
{
header("location:main.php");
}
else
{
echo "Wrong username or password";
}
?>
Before anyone moans, I'm not replacing mysql with mysqli/PDO to answer the question. Yes it's wrong that it's used but it's not related to the question.
Correct model: if (there is not an error) { log the person in } else { do something else}.
Your model: check for errors. log the user in anyway.
This is what you're doing now
// checking stuff
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
if (empty($_POST['username']))
{$usernameErr = "Username is required.";}
// blah blah check check check
}
// don't bother considering the error, just log them in anyway
$sql="SELECT * FROM $tbl_name WHERE usrname='$username'";
// etc
But what you need to do is this:
// check for errors and store them
$errors=array(); // create an empty array to store errors
if (empty($_POST['username'])){
$errors['usernameErr'] = "Username is required."; // add an error
}else{
$username =($_POST['username']);
}
if (empty($_POST['password'])){
$errors['passwordErr'] = "Password is required."; // add an error
}else{
$password =($_POST['password']);
}
// etc etc
// check if there were any errors anywhere along the way
// and if not, proceed with login
if (!count($errors)) { // check there are no errors
$sql="SELECT * FROM $tbl_name WHERE usrname='$username'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
// etc etc
}else{
// if there were errors do something else
echo implode("<br />", $errors); // output the errors however you like
}
Try this for a start
<?php
/* validate form first */
if (!empty($_POST['username']))
{ $username = $_POST['username'];
}
else{ echo "Username is required."; }
if (!empty($_POST['password']))
{ $password = $_POST['password'];
}
else{ echo "password is required."; }
/* Do the queries second i.e */
SELECT * FROM Persons WHERE username='' AND password ='';
?>
hi,You should describe your question clearly,I have read your code and checked it ,when i not fills out password,it was really display Password is required.
general validation method is as follows:
if(empty($_POST['username'])){
$usererror = '...';
return false;
}else{
$username = $_POST['username'];
}
if(empty($_POST['password'])){
$passerror = '...';
return false;
}else{
$password = $_POST['password'];
}
The best way to handle error validation is to use same variable, especially if you have many input form data
$username = $_POST['username'];
$password = $_POST['password'];
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if ($username == '') {
$error_msg[]= 'Username is required';
} else if ($password == '') {
$error_msg[]= 'Password is required';
}
}
if (!empty($error_msg)) {
$ERROR_MSG = implode($error_msg);
exit;
}
Hi again this is me nearly done with the gubbings of the site but im scratching my head to why this reset password page does not go through any of it procedures. Im sure it is again something minor but i cant see it, seems as though my reset button is not working at all but its the correct spelling when i call it and all the brackets as far as i can tell are correct. im sure the more i get used to these errors the more ill catch them myself. apologies for the dumb question.
Here's my code:
<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
$userid = $_SESSION['userid'];
$username = $_SESSION['username'];
?>
<html>
<head>
<title> Member system : Forgot password</title>
</head>
<body>
<?php
if(!$username && !$userid) {
if($_POST['resetbtn']) {
//get form data
$user = $_POST['user'];
$email = $_POST['email'];
//make sure info provided
if($user) {
if($email) {
if((strlen($email) > 7) && (strstr($email, "#")) && (strstr($email, ".")) ) {
require("./connect.php");
$query = mysql_query("SELECT * FROM user WHERE username='$user'");
$numrows = mysql_num_rows($query);
if($numrows == 1) {
// info about account
$row = mysql_fetch_assoc($query);
$dbemail = $row['email'];
//make sure email is correct
if($email == $dbemail) {
// generate a password
$pass = rand();
$pass = md5($pass);
$pass = substr($pass, 0, 15);
$password = md5(md5("12345".$pass."54321"));
//update db with new pass
mysql_query("UPDATE user SET password='$password' WHERE username='$user'");
//make sure password was changed
$query = mysql_query("SELECT * FROM user WHERE username='$user' AND password='$password'");
$numrows = mysql_num_rows($query);
if($numrows == 1) {
//create our email variables
$webmaster = "mwilkins877#gmail.com";
$headers = "From: Mike<$webmaster>";
$subject = "Your new password";
$message = "Your password has been reset, your new password is below. \n";
$message .= "Password: $pass\n";
echo $pass."<br/>";
if(mail($email, $subject, $message, $headers)) {
echo "Your password has been reset an email has been sent with your new password";
}
else
echo "An error has occured and your email wasnt sent containing your new password";
}
else
echo "An error has occured and the password was not set";
}
else
echo "You have entered the wrong email address";
}
else
echo "The user name was not found";
mysql_close();
}
else "Please enter a valid email address";
}
else
echo "please enter your email";
}
else
echo "Please enter your user name";
}
else
echo"<from action='./forgotpass.php' method='post'>
<table>
<tr>
<td>User name</td>
<td><input type='text' name='user'/></td>
</tr>
<tr>
<td>email</td>
<td><input type='text' name='email'/></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='resetbtn' value='Reset password'/> </td>
</tr>
</table>
</form>";
}
else
echo "Please log out to view this page";
?>
</body>
</html>
I would appreciate your help on this as its only just me learning for fun. Look forward to hearing back of some one hopefully. thanks in advance.
please correct the spelling of the form
echo"<from action='./forgotpass.php' method='post'>
to
echo"<form action='./forgotpass.php' method='post'>
Hope this will fix your issue
Just try this. Its working for me.
<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
$userid = $_SESSION['userid'];
$username = $_SESSION['username'];
?>
<body>
<?php
if(!$username && !$userid) {
if($_POST['resetbtn']) {
//get form data
$user = $_POST['user'];
$email = $_POST['email'];
//make sure info provided
if($user) {
if($email) {
if((strlen($email) > 7) && (strstr($email, "#")) && (strstr($email, ".")) ) {
require("./connect.php");
$query = mysql_query("SELECT * FROM user WHERE username='$user'");
$numrows = mysql_num_rows($query);
if($numrows == 1) {
// info about account
$row = mysql_fetch_assoc($query);
$dbemail = $row['email'];
//make sure email is correct
if($email == $dbemail) {
// generate a password
$pass = rand();
$pass = md5($pass);
$pass = substr($pass, 0, 15);
$password = md5(md5("12345".$pass."54321"));
//update db with new pass
mysql_query("UPDATE user SET password='$password' WHERE username='$user'");
//make sure password was changed
$query = mysql_query("SELECT * FROM user WHERE username='$user' AND password='$password'");
$numrows = mysql_num_rows($query);
if($numrows == 1) {
//create our email variables
$webmaster = "mwilkins877#gmail.com";
$headers = "From: Mike<$webmaster>";
$subject = "Your new password";
$message = "Your password has been reset, your new password is below. \n";
$message .= "Password: $pass\n";
echo $pass."<br/>";
if(mail($email, $subject, $message, $headers)) {
echo "Your password has been reset an email has been sent with your new password";
}
else
echo "An error has occured and your email wasnt sent containing your new password";
}
else
echo "An error has occured and the password was not set";
}
else
echo "You have entered the wrong email address";
}
else
echo "The user name was not found";
mysql_close();
}
else "Please enter a valid email address";
}
else
echo "please enter your email";
}
else
echo "Please enter your user name";
}
else
echo"<form action='./forgotpass.php' method='post'>
<table>
<tr>
<td>User name</td>
<td><input type='text' name='user'/></td>
</tr>
<tr>
<td>email</td>
<td><input type='text' name='email'/></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='resetbtn' value='Reset password'/> </td>
</tr>
</table>
</form>";
Hey all im struggling with a simple membership system. I have coded for a while but not much in php (mainly java) so would appreciate any help or suggestions on what to look at. I always seem to look over simple mistakes and though I have checked it in a syntax checker i'm sure its something very minor
here goes..
my login.php file allows a user to login if they have a username and password and if not sends appropriate responses. But when I log in with a existing username and password it goes to the next page which display your name and link to go to the members section, but when the link is clicked the member section will not seem to recognise my $_SESSION values and therefore asks the user to login again.
<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
$userid = $_SESSION['$userid'];
$username = $_SESSION['$username'];
?>
<html>
<head>
<title>Member system - login</title>
</head>
<body>
<?php
$form = "<form action='./login.php' method='post'>
<table>
<tr>
<td>username :</td>
<td><input type='text' name='user'/></td>
</tr>
<tr>
<td>password :</td>
<td><input type='password' name='password'/></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='loginbtn' value='Login'/></td>
</tr>
</table>
</form>";
if($_POST['loginbtn']) {
$user = $_POST['user'];
$password = $_POST['password'];
if($user) {
if($password) {
require("connect.php");
$password = md5(md5("12345".$password."54321"));
//make sure login info correct
$query = mysql_query("SELECT * FROM user WHERE username='$user'");
$numrows = mysql_num_rows($query);
if($numrows == 1) {
$row = mysql_fetch_assoc($query);
$dbid = $row['id'];
$dbuser = $row['username'];
$dbpass = $row['password'];
$dbactive = $row['active'];
if($password == $dbpass) {
if($dbactive == 1) {
//set seesion info
$_SESSION['userid'] = $dbid;
$_SESSION['username'] = $dbuser;
echo "you have been logged in as <b>$dbuser</b> <a href='./member.php'>click here</a> to go to the member page";
}
else
echo "You must be an active member. $form";
}
else
echo "you did not enter the correct password. $form";
}
else
echo "The user name you entered was not found. $form";
mysql_close();
}
else
echo "you must enter your password. $form";
}
else
echo "you must enter a user name. $form";
}
else
echo $form;
?>
This is my login form which does the bulk of the work
<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
$userid = $_SESSION['$userid'];
$username = $_SESSION['$username'];
?>
<html>
<head>
<title> Member system : Members</title>
</head>
<body>
<?php
if($username && $userid) {
echo "Welcome <b>$username</b>, <a href='./logout.php'>logout</a>";
}
else
echo "Please login in to veiw this page <a href='./login.php'>Login in</a>";
?>
</body>
</html>
And this is my member form which seems to not recognise the session and ask for the user to login again.
i know this is the embarrassingly obvious to someone and i apologise for my ignorance but i will learn from this, so if someone could help ill be very grateful.
Regards
Mike
First of all, there is a little mistake. In the first script you use $_SESSION['userid'], and in the second one $_SESSION['$userid] (with a dollar inside the key).
I don't know exactly if that solves your problem, but try to replace:
if($username && $userid) {
with this:
if(isset($_SESSION['userid'],$_SESSION['username'])) {
Greetings Jokus!