User login password error [closed] - php

Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 9 years ago.
I am trying to create a login system with access levels, but the code below always shows "please enter your password". Please help me find where I am wrong.
session_start();
if(isset($_REQUEST['submit'])) {
    $username=$_POST['username'];
    $mypassword=$_POST['password'];
    if($username){
        if($password){
            require('conn/iclude.php');
            $password=sha1($password);
            $query=mysql_query("SELECT * FROM admin where name='$username'");
            $numrow=mysql_num_rows($query);
            if($numrow==1){
                $row=mysql_fetch_assoc($query);
                $dbid=$row['id'];
                $dbuser=$row['name'];
                $dbpass=$row['pass'];
                $role=$row['role'];
                if($password==$dbpass) {
                    $_SESSION['username']=$dbuser;
                    $_SESSION['useridid']=$dbid;
                    if($role == 1){
                        header('Location:admin.php');
                    }elseif ($role==2) {
                        header('Location:1/neasp.php');
                    }elseif ($role==3) {
                        header('Location:2/index.php');
                    }elseif ($role==4) {
                        header('Location:3/index.php');
                    }elseif ($role==5) {
                        header('Location:4/index.php');
                    }
                }else{}
            }else{
                echo"Hello World";
            }
        }else{echo "You must enter your password";}
    }else {echo "You must enter your name";}
}
Thanks. Below is the HTML form.

$mypassword=$_POST['password'];
^^^^^^^^^^^ **MY** password
if($password){
   ^^----no **MY**
If your system was properly configured for debugging, e.g. display_errors and error_reporting turned on, you'd have gotten warnings about using undefined variables. A development/test system should *NEVER* have these settings off in the first place.
You are also vulnerable to SQL injection attacks. Enjoy having your server pwn3d.
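The two problems this answer names, handled together, as an added example that is not from the original post: a PDO prepared statement in place of the interpolated query, and password_hash()/password_verify() in place of sha1(). The in-memory SQLite table, the sample account and the authenticate() helper are constructed for illustration; the role-to-page map reuses the question's paths.

```php
<?php
declare(strict_types=1);
// Surface undefined-variable warnings during development, as the answer advises.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Constructed sample data: an in-memory table standing in for the question's `admin` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pass TEXT, role INTEGER)');
$pdo->prepare('INSERT INTO admin (name, pass, role) VALUES (?, ?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 2]);

// Role-to-page map taken from the question's redirects; unknown roles get no redirect.
const ROLE_PAGES = [1 => 'admin.php', 2 => '1/neasp.php', 3 => '2/index.php',
                    4 => '3/index.php', 5 => '4/index.php'];

/** Returns the matching row (id, name, role) or null. authenticate() is a hypothetical helper. */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // The username travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, name, pass, role FROM admin WHERE name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the salt from the stored hash and is safe against timing attacks.
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;
    }
    unset($row['pass']);
    return $row;
}

// Constructed inputs: a valid login, a wrong password, and a username containing SQL syntax.
$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ["alice' OR '1'='1", 'x']];
foreach ($attempts as [$user, $pass]) {
    $row = authenticate($pdo, $user, $pass);
    if ($row === null) {
        echo "rejected: $user\n";
        continue;
    }
    // On the real page: session_regenerate_id(true); header('Location: ' . $target); exit;
    $target = ROLE_PAGES[(int) $row['role']] ?? null;
    echo "accepted: {$row['name']} -> " . ($target ?? 'no page for role') . "\n";
}
```

Only the first attempt is accepted; the third is looked up as a literal name and matches no row.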

Related

how do i fix this error PHP log in error user not found [closed]

Closed 3 days ago.
I'm new to PHP and I'm building a login and registration form.
Everything works except when I click log in with user credentials that are in my database, my error for "user not found" is showing.
I've included the code snippet for my error to see if I have typed something wrong.
protected function getUser($email, $pwd)
{
    $stmt = $this->connect()->prepare("SELECT pwd FROM web WHERE lName = ? OR Email = ?;");
    if (!$stmt->execute(array($email, $pwd))) {
        $stmt = null;
        header("location: ../index.php?error=stmtfailed");
        exit();
    }
    if ($stmt->rowCount() == 0) {
        $stmt = null;
        header("location: ../index.php?error=usernotfound");
        exit();
    }
    $pwdHashed = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $checkPwd = password_verify($pwd, $pwdHashed[0]["pwd"]);
If you need any more info, let me know!

500 error in PHP code [closed]

Closed 1 year ago.
I'm trying to make a login page for a website that I'm working on, I have access to the server.
I can load some pages that work 100%, but when I go to add a member to the site, it gives me an error message saying:
Error 500
The sharedweb.unisite.ac.uk page isn’t working. sharedweb.unisite.ac.uk is currently unable to handle this request.
and I don't know why. The script that's causing this error is:
<?php
// include function files for this application
require_once('bookmark_fns.php');
//create short variable names
$email=$_POST['email'];
$username=$_POST['username'];
$passwd=$_POST['passwd'];
$passwd2=$_POST['passwd2'];
// start session which may be needed later
// start it now because it must go before headers
session_start();
try {
    // check forms filled in
    if (!filled_out($_POST)) {
        throw new Exception('You have not filled the form out correctly. Please go back and try again.');
    }
    // email address not valid
    if (!valid_email($email)) {
        throw new Exception('That is not a valid email address. Please go back and try again.');
    }
    // passwords not the same
    if ($passwd != $passwd2) {
        throw new Exception('The passwords you entered do not match. Please go back and try again.');
    }
    // check password length is ok
    // ok if username truncates, but passwords will get
    // munged if they are too long.
    if (!preg_match('/^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z]{6,12}$/)', $passwd)) {
        throw new Exception('Your password must be between 6 and 12 characters inclusive. Please go back and try again.');
    }
    // attempt to register
    // this function can also throw an exception
    register($username, $email, $passwd);
    // register session variable
    $_SESSION['valid_user'] = $username;
    // provide link to members page
    do_html_header('Registration successful');
    echo "Welcome " $_POST["username"];
    echo 'Your registration was successful. Go to the members page to start setting up your bookmarks!';
    do_html_url('member.php', 'Go to members page');
    // end page
    do_html_footer();
}
catch (Exception $e) {
    do_html_header('Warning:');
    echo $e->getMessage();
    do_html_footer();
    exit;
}
?>
How can I fix this?
There are 2 syntax errors in your code:
Firstly, you need to concatenate a string with a variable using .:
echo "Welcome " . $_POST["username"];
Secondly, there's an extra closing bracket here:
if (!preg_match('/^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z]{6,12}$/)', $passwd)) {
    throw new Exception('Your password must be between 6 and 12 characters inclusive. Please go back and try again.');
}
Remove the extra bracket:
if (!preg_match('/^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z]{6,12}$/', $passwd)) {
    throw new Exception('Your password must be between 6 and 12 characters inclusive. Please go back and try again.');
}
As for this error:
Deprecated: Function ereg() is deprecated
PHP Manual:
ereg() was DEPRECATED in PHP 5.3.0, and REMOVED in PHP 7.0.0.
Check out this post: Deprecated: Function ereg() is deprecated
Tip: You should turn on Error Reporting by adding this code to the top of your PHP files which will assist you in finding errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

Php login does not work properly [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
Below is my simple login.php code. I created a user with
usermail: admin userpass: admin123
But whenever I try to log in with the admin account, it ignores the if statement and it opens the homepage.php. What might be the problem? Thank you.
<?php
$connection = mysql_connect("localhost","user","password") or die("Could not connect to the database");
mysql_select_db("nisbet", $connection);
error_reporting(0);
if($_POST['login']){
    if($_POST['usermail'] && $_POST['userpass']){
        $usermail = mysql_real_escape_string($_POST['usermail']);
        $userpass = mysql_real_escape_string(hash("sha512",$_POST['userpass']));
        $user = mysql_fetch_array(mysql_query("SELECT * FROM `user` WHERE `usermail` = '$usermail'"));
        if($user == 0){
            die("User does not exits <a href='index.php'>← Back</a>");
        }
        if($user['userpass'] != $userpass){
            die("Incorrect password! <a href='index.php'>← Back</a>");
        }
        //die("You are now logged in as $usermail !");
        if($user['usermail'] == 'admin' && $user['userpass'] == 'admin123'){
            header('Location: adminpage.php');
        }else{
            header('Location: homepage.php');
        }
    }
}
The $userpass variable contains a hash of the submitted password, so comparing it to "admin123" won't work.
You should compare it to the hash of "admin123" instead, or not compare them a second time since you've already done that before in your code.

Is this login method secure [closed]

This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
I did the following administrator login for a client's website, and I just wanted to ask if this method is secure. I use a userID cookie check along with an "is the administrator online" entry in the db that I also check for security reasons.
Sorry if my formatting is bad, I will accept any tips. Please have patience with me, I'm a newbie programmer that just entered the phase "First projects for clients".
<?php
include_once('config.php');
if(isset($_POST['usr']) && isset($_POST['pwd'])){
    $usr=$_POST['usr'];
    $pwd=md5($_POST['pwd']);
    $userquery="SELECT * FROM nexus_administrators WHERE user='".$usr."';";
    $execuser=mysqli_query($con,$userquery);
    $usrnum= mysqli_num_rows($execuser);
    $pwdquery="SELECT * FROM nexus_administrators WHERE pwd='".$pwd."';";
    $execpwd=mysqli_query($con,$pwdquery);
    $pwdnum= mysqli_num_rows($execpwd);
    $query="SELECT adminid FROM nexus_administrators WHERE pwd='".$pwd."' AND user='".$usr."';";
    $result=mysqli_query($con,$query);
    $row=mysqli_fetch_array($result);
    $uid= $row['adminid'];
    echo $uid;
    if($usrnum==1 && $pwdnum==1){
        setcookie("uid", $uid, time()+3600*1000);
        $puthimonline= "UPDATE nexus_administrators SET isOn=1 WHERE adminid='".$uid."';";
        mysqli_query($con,$puthimonline);
        header('Location: adminpanel.php');
    }
}
//Cookie or no cookie, you get checked at the gate
if (!isset($_COOKIE['uid'])){
    echo " INTRUS !!!!";
    echo " </br> Zbori sau o s**i pe ciuperca";
}else{
    //I also check you in the database
    $query= "SELECT * FROM nexus_administrators WHERE adminid='".$_COOKIE['uid']."' AND isOn=1;";
    $result=mysqli_query($con,$query);
    if(mysqli_num_rows($result)!= 1){
        header('Location: index.php');
    }else{
        if(isset($_GET['log'])){
            $puthimoffline= "UPDATE nexus_administrators SET isOn=0 WHERE adminid='".$_COOKIE['uid']."';";
            mysqli_query($con,$puthimoffline);
            header('Location: index.php');
        }
        echo "hello my dear admin";
        echo"
<a href='adminpanel.php?log=0'> Log Out</a>";
    };
}
?>
No, this is flawed. There are several problems.
It makes no sense to count the number of users that have the same password (second query).
An MD5 hash is not sufficient for storing the passwords. If an attacker gets access to the database, he can easily find the passwords. You must use a salt.
Saving isonline in the database makes no sense. If the user does not log off, access remains granted forever in the database.
You save the userid in the cookie. It's not secure, because it is easy to spoof.
Last but not least, your code is open to SQL injection (once from a query string variable, and two instances from cookies).
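A session-based alternative to the uid cookie and the isOn column that this answer criticises, as an added example that is not from the original post. The function names, the 30-minute idle limit and the cookie settings are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);
// Hypothetical include for adminpanel.php; all names below are assumptions.
const IDLE_LIMIT = 1800; // seconds of inactivity before the login lapses

function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // sent over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call once, after the password check has succeeded. */
function login_admin(int $adminId): void
{
    session_regenerate_id(true);        // fresh id, so a pre-login session id is useless
    $_SESSION['adminid']   = $adminId;  // kept server-side; the browser holds only the random session id
    $_SESSION['last_seen'] = time();
}

/** Returns the admin id for a live session, or null. Stands in for the uid cookie + isOn lookup. */
function current_admin(): ?int
{
    if (!isset($_SESSION['adminid'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        logout_admin();                 // expiry happens without any database flag
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['adminid'];
}

function logout_admin(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage at the top of the protected page:
start_secure_session();
if (current_admin() === null) {
    header('Location: index.php');
    exit;
}
```

Because the admin id lives in server-side session data, changing a cookie value in the browser cannot select another account, and an abandoned login ends when the idle limit passes.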

PHP Resend Verification Email [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Closed 8 years ago.
I am trying to add a resend verification action to my login/register system using tampus login system. I am following this tutorial.
Okay I am not a fan of php frameworks so I will make this one for you with MySQL:
if(empty($_POST["user"]) || empty($_POST["pass"])){
    echo "Missing values";
} else {
    //You would need the mysql connection variable named $db_conn
    $db_conn = mysqli_connect("localhost","user","pass","db_name");
    $user = $_POST["user"];
    $pass = md5($_POST["pass"]);//MD5 hash (unsalted)
    //Bind the values as parameters instead of interpolating them into the SQL
    $stmt = mysqli_prepare($db_conn, "SELECT id FROM users WHERE username=? AND password=?");
    mysqli_stmt_bind_param($stmt, "ss", $user, $pass);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    if(mysqli_stmt_num_rows($stmt) > 0){
        //Do the login thingys like cookies and redirects
    } else {
        echo "Check your credentials";
    }
}
I think I could not have made it easier and better to understand
