I have a log in system where the user must log in to access the main website. However, the validation isn't working.
It's mainly the password function that isn't working. Any suggestions why?
<?php
session_start();
$login = mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
if ($login&&$password)
{
$connect = mysql_connect("localhost", "root", "") or die("Couldn't connect");
mysql_select_db("a&e") or die("Couldn't find db");
$query = mysql_query("SELECT * FROM users WHERE login='$login'");
$numrows = mysql_num_rows($query);
if ($numrows==!0)
{
//code to login
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['login'];
$dbpassword = $row['password'];
}
//check to see if they match
if($login==$dbusername&&$password==$password)
{
$_SESSION['login']=$username;
$_SESSION['password']=$password;
sleep(5);
header('Location: nindex.php');
die();
}
else
die ("incorrect password");
}
else
die("That user does not exist");
}
else
die("please provide a username and password");
?>
There are some problems in your code, try this
<?php
session_start();
$login = mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
if ($login&&$password)
{
$connect = mysql_connect("localhost", "root", "") or die("Couldn't connect");
mysql_select_db("a&e") or die("Couldn't find db");
$query = mysql_query("SELECT * FROM users WHERE login='".$login."' AND password='".$password."'");
$numrows = mysql_num_rows($query);
if ($numrows > 0)
{
//code to login
header('Location: nindex.php');
die();
}
else
{
echo "incorrect username or password";
}
}
?>
I have noticed 4 things.
1) When you check to see if they match
you are comparing $password to $password instead of "$dbpassword"
2) Why do you call "sleep(5)" ?
3) You need to encrypt the password before storing to the database because if your site get hacked, your user passwords will eventually be in bad hands.
4) you should never store a password in a session variable (for security reasons)
Related
I'm making a PHP login and it was working before, but I tried to make the username feature case insensitive and the code hasn't worked since. I deleted all of the stuff I added to try and make it case insensitive i.e.strtolower().All that displays on the page is "Please enter a username and password." but I have an html file that is supposed to pop up and dispay the login. Here is the code (I took out the personal database info in the mysql connect area):
<?php
session_start();
$username = $_POST["username"];
$password = $_POST["password"];
if ($username&&$password)
{
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM login WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows !=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "Login succesful. <a href='/memberarea.php'>Members</a>";
$_session['username']=$dbusername;
}
else
echo "Incorrect Password";
}
else
die("Username does not exist");
}
else
die("Please enter a username and password.");
?>
I have put mysql_real_escape_string() around your post values to prevent sql injection
Also mysqli is the latest way to connect to mysql database but i have not added that to your code:
session_start();
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
if ($username&&$password)
{
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM login");
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login succesful. <a href='/memberarea.php'>Members</a>";
$_session['username']=$dbusername;
}
}
else {
echo "Incorrect Password";
}
}
<?php
if(isset($_POST['login'])) {
$con=mysql_connect('localhost','root','') or die(mysql_error());
mysql_select_db('db') or die("cannot select DB");
$pass = $_POST['pass'];
$user = $_POST['user'];
$encryptedpass = hash('whirlpool', $pass);
$query=mysql_query("SELECT * FROM players WHERE user='".$user."' AND pass='".$encryptedpass."'");
$numrows=mysql_num_rows($query);
echo("$encryptedpass");
if($numrows!=0)
{
while($row=mysql_fetch_assoc($query))
{
$dbusername=$row['user'];
$dbpassword=$row['pass'];
}
if($user == $dbusername && $encryptedpass == $dbpassword)
{
echo("logged in");
session_start();
$_SESSION['sess_user']=$user;
header("Location: settings.php");
} else
echo "Invalid username or password!";
}
}
?>
The hashing echo works as it should, how-ever even though the user & pass are correct it says invald password.... Help would be great!
EDIT: Thats weird... When I enter the wrong pass, invalid password echo doesnt show up... How odd
Not sure what the error is there, but the following (basically the same) works fine.
Make sure that your post values are actually being passed, and adding or die(mysql_error()) will tell you if you have any errors in your sql.
Also, you should escape your strings (if not using prepared statements)
if(isset($_POST['login'])) {
/* Do connection */
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$encrypted = hash('whirlpool', $pass);
$q = mysql_query("SELECT id FROM players WHERE user = '".$user."' AND pass = '".$encrypted."'",$server)or die(mysql_error());
if(mysql_num_rows($q)>0) {
/* Login approved */
$row = mysql_fetch_array($q);
print $row['id'];
}else{
/* Could not login */
}
}
I have created a site with a login and register.It was working, but when I finished it something was very wrong, I can't login to the site.
I can register a new user and that is added in the mysql db but when I try to login the redirect does not work it will not goto the page index.php.
Can anyone look at this source because and see if you can find anything wrong.
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username&&$password)
{
$connect = mysql_connect("localhost","root","") or DIE ("Could not connect");
mysql_select_db("case") or die ("could not find db");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows !=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
header('location: index.php');
/*echo "Login successful. <a href='membersarea.php'>click her to enter members erea<a/>"; */
/*$_SESSION['username']=$dbusername; */
}
else
echo "Incorrect password";
}
else echo ("That username dows not exist");
}
else
die ("Please enter a username and password");
?>
Get rid of php closing tag ?> and whitespaces, html, blank lines before php opening tag <?php. Also check if there is no output before :
header("Location:");
Like print,var_dump, echo and so on. Also check your if condition, maybe you are just skipping it.
WARNING! you have an SQL injection ERROR. Try with:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
Now, simplify your life:
$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
Is it right?
if( mysql_num_rows($query) > 0 ) {
header('location: index.php');
}
At first sight, I notice this:
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword) {
The if is outside the loop. It will only be used against the last row.
If you only have one user, it should be working.
The code below is from a login script, written in PHP. The database that it checks passwords against encrypts the passwords using MD5 however when the login script checks against the database for a password, it is checking the raw password without encryption. I am familiar with the md5() function but how would I incorporate that into the following:
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username && $password) {
$connect = mysql_connect("host", "user", "password") or die("Couldn't connect");
mysql_select_db("dbname") or die("Couldn't find the database");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if ($numrows != 0) {
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword) {
echo "You're in! Click <a href='../member.php'>here</a> to enter the member page.";
$_SESSION['username'] = $username;
}else{
echo "Incorrect password";
}
}else{
die("That username does not exist.");
}
}else{
die("Please enter a valid username and password.");
}
?>
You should be checking and querying the database for a match, not bringing the results down and checking them locally. With that said:
$password = md5($_POST['password']);
Then also change:
SELECT * FROM users WHERE username='$username' AND password='$password'
But I'd also have a look at using PDO instead of placing the values directly in a SQL query. At the very least you should be using mysql_real_escape_string to avoid injection attacks.
$salt=sha1($postpassword);
$arr= strlen($postpassword);
$count=ceil($arr/2);
$stringarr=str_split($postpassword,$count);
$password1=hash("sha512", $stringarr['0']);
$password2=$salt . ( hash( 'whirlpool', $salt . $stringarr['1'] ) );
return $password1.$password2;
Okay, so I want to make a simple login page. I've created a register page successfully, but i can't get the login thing down.
login.php:
<?php
session_start();
include("mainmenu.php");
$usrname = mysql_real_escape_string($_POST['usrname']);
$password = md5($_POST['password']);
$con = mysql_connect("localhost", "root", "g00dfor#boy");
if(!$con){
die(mysql_error());
}
mysql_select_db("users", $con) or die(mysql_error());
$login = "SELECT * FROM `users` WHERE (usrname = '$usrname' AND password = '$password')";
$result = mysql_query($login);
if(mysql_num_rows($result) == 1 {
$_SESSION = true;
header('Location: indexlogin.php');
}
else {
echo = "Wrong username or password." ;
}
?>
indexlogin.php just echoes "Login successful." What am I doing wrong?
Oh, and just FYI- my database is "users" and my table is "data".
<?php
session_start();
include("mainmenu.php");
$usrname = mysql_real_escape_string($_POST['usrname']);
$password = md5($_POST['password']);
$con = mysql_connect("localhost", "root", "g00dfor#boy");
if (!$con) {
die(mysql_error());
}
mysql_select_db("users", $con) or die(mysql_error());
$login = "SELECT * FROM `users` WHERE (usrname = '$usrname' AND password = '$password')";
$result = mysql_query($login);
if (mysql_num_rows($result) == 1) {
$_SESSION['logged_in'] = true;
header('Location: indexlogin.php');
exit;
} else {
echo "Wrong username or password.";
}
?>
I added mysql_real_escape_string() to prevent SQL injection.
No, I didn't because you already had it.
I cleaned up the formatting of the code a bit.
I changed $_SESSION = true; (which doesn't make sense) into $_SESSION['logged_in'] = true;. Then, in indexlogin.php you can do something like if ($_SESSION['logged_in']) { echo $secret; }
I fixed echo = "Wrong username or password."; to echo "Wrong username or password.";
I added a closing bracket near mysql_num_rows($result) == 1.
You said:
my database is "users" and my table is
"data".
If this is correct, you will need to change SELECT * FROM users to SELECT * FROM data.
I don't think you can set $_SESSION = true, because $_SESSION is an array. Try $_SESSION['logged_in'] = true.