The code below is from a login script, written in PHP. The database that it checks passwords against encrypts the passwords using MD5 however when the login script checks against the database for a password, it is checking the raw password without encryption. I am familiar with the md5() function but how would I incorporate that into the following:
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username && $password) {
$connect = mysql_connect("host", "user", "password") or die("Couldn't connect");
mysql_select_db("dbname") or die("Couldn't find the database");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if ($numrows != 0) {
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword) {
echo "You're in! Click <a href='../member.php'>here</a> to enter the member page.";
$_SESSION['username'] = $username;
}else{
echo "Incorrect password";
}
}else{
die("That username does not exist.");
}
}else{
die("Please enter a valid username and password.");
}
?>
You should be checking and querying the database for a match, not bringing the results down and checking them locally. With that said:
$password = md5($_POST['password']);
Then also change:
SELECT * FROM users WHERE username='$username' AND password='$password'
But I'd also have a look at using PDO instead of placing the values directly in a SQL query. At the very least you should be using mysql_real_escape_string to avoid injection attacks.
$salt=sha1($postpassword);
$arr= strlen($postpassword);
$count=ceil($arr/2);
$stringarr=str_split($postpassword,$count);
$password1=hash("sha512", $stringarr['0']);
$password2=$salt . ( hash( 'whirlpool', $salt . $stringarr['1'] ) );
return $password1.$password2;
Related
I'm making a PHP login and it was working before, but I tried to make the username feature case insensitive and the code hasn't worked since. I deleted all of the stuff I added to try and make it case insensitive i.e.strtolower().All that displays on the page is "Please enter a username and password." but I have an html file that is supposed to pop up and dispay the login. Here is the code (I took out the personal database info in the mysql connect area):
<?php
session_start();
$username = $_POST["username"];
$password = $_POST["password"];
if ($username&&$password)
{
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM login WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows !=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "Login succesful. <a href='/memberarea.php'>Members</a>";
$_session['username']=$dbusername;
}
else
echo "Incorrect Password";
}
else
die("Username does not exist");
}
else
die("Please enter a username and password.");
?>
I have put mysql_real_escape_string() around your post values to prevent sql injection
Also mysqli is the latest way to connect to mysql database but i have not added that to your code:
session_start();
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
if ($username&&$password)
{
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM login");
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login succesful. <a href='/memberarea.php'>Members</a>";
$_session['username']=$dbusername;
}
}
else {
echo "Incorrect Password";
}
}
This is the login php script, I don't get no errors or echos so I have no idea what's going on. The "*'s" is me censoring that info. If you would like to see the live page it is here.
<?php
printf("Client library version: %s\n", mysqli_get_client_info());
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
var_dump('test');
if (!empty($username) && !empty($password)){
echo $username
echo $password
$connect = mysql_connect("localhost", "atsbusin_atsbusin", "Andrew85") or die ("Failed to connect to DB");
mysql_select_db("atsbusin_users") or die ("failed to select DB");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if ($numrows != 0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login Success!";
$_SESSION['username'] == $dbusername;
} else {
echo "Incorrect password!";
}
} else {
die("invalid username, check the spelling or register that name");
}
}
echo 'something'
?>
This is the final working code, thanks to all who helped! Now for me to switch over to mysqli and do the security measures suggested (have a feeling I'll be back ☺ )
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
$connect = mysql_connect("localhost", "atsbusin_atsbusi", "Andrew85") or die ("Failed to connect to DB");
mysql_select_db("atsbusin_users") or die ("failed to select DB");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login Success!";
$_SESSION['username'] = $dbusername;
} else {
echo "Incorrect password!";
}
?>
The only way this wont echo anything and not give you an error is If the username exists and the password does not match So it will go through:
if($numrows != 0){
}
Try to put a var_dump('test'); in that IF statement and see if it does show something.
You also have no ; after the
$username = $_POST['username']
$password = $_POST['password']
change it to:
$username = $_POST['username'];
$password = $_POST['password'];
Some extra notes:
you probably want a else around: die("Do not leave username and/or password field blank");
Dont use mysql it will be deprecated as of PHP 5.5.0, and will be removed in the future.
You're wide open to MYSQL injection
EDIT:
It also wouldn't show an error or echo if you fill in the username and password and they both dont match
There are some php syntax errors in your script.
You have missed semicolons at below lines, update code and set display errors on to see if there is any other error
$username = $_POST['username'];
$password = $_POST['password'];
Your code has some syntax and logical errors.
1) You're missing ; when variable assigning.
$username = $_POST['username'];
$password = $_POST['password'];
2) You're not using && in your if() statement, but two $
if ($username == $dbusername && $password == $dbpassword) {
3) You're using a comparison (==) on your $_SESSION and not an assignment (=).
$_SESSION['username'] = $dbusername;
Notes
Check the password matches the one in the database on the query itself (after you encrypt it)
With your current logic, it suggests you store your passwords in plain text. This is a BIG NO-NO.
You're wide open to SQL injections
<?php
if(isset($_POST['login'])) {
$con=mysql_connect('localhost','root','') or die(mysql_error());
mysql_select_db('db') or die("cannot select DB");
$pass = $_POST['pass'];
$user = $_POST['user'];
$encryptedpass = hash('whirlpool', $pass);
$query=mysql_query("SELECT * FROM players WHERE user='".$user."' AND pass='".$encryptedpass."'");
$numrows=mysql_num_rows($query);
echo("$encryptedpass");
if($numrows!=0)
{
while($row=mysql_fetch_assoc($query))
{
$dbusername=$row['user'];
$dbpassword=$row['pass'];
}
if($user == $dbusername && $encryptedpass == $dbpassword)
{
echo("logged in");
session_start();
$_SESSION['sess_user']=$user;
header("Location: settings.php");
} else
echo "Invalid username or password!";
}
}
?>
The hashing echo works as it should, how-ever even though the user & pass are correct it says invald password.... Help would be great!
EDIT: Thats weird... When I enter the wrong pass, invalid password echo doesnt show up... How odd
Not sure what the error is there, but the following (basically the same) works fine.
Make sure that your post values are actually being passed, and adding or die(mysql_error()) will tell you if you have any errors in your sql.
Also, you should escape your strings (if not using prepared statements)
if(isset($_POST['login'])) {
/* Do connection */
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$encrypted = hash('whirlpool', $pass);
$q = mysql_query("SELECT id FROM players WHERE user = '".$user."' AND pass = '".$encrypted."'",$server)or die(mysql_error());
if(mysql_num_rows($q)>0) {
/* Login approved */
$row = mysql_fetch_array($q);
print $row['id'];
}else{
/* Could not login */
}
}
I have a log in system where the user must log in to access the main website. However, the validation isn't working.
It's mainly the password function that isn't working. Any suggestions why?
<?php
session_start();
$login = mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
if ($login&&$password)
{
$connect = mysql_connect("localhost", "root", "") or die("Couldn't connect");
mysql_select_db("a&e") or die("Couldn't find db");
$query = mysql_query("SELECT * FROM users WHERE login='$login'");
$numrows = mysql_num_rows($query);
if ($numrows==!0)
{
//code to login
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['login'];
$dbpassword = $row['password'];
}
//check to see if they match
if($login==$dbusername&&$password==$password)
{
$_SESSION['login']=$username;
$_SESSION['password']=$password;
sleep(5);
header('Location: nindex.php');
die();
}
else
die ("incorrect password");
}
else
die("That user does not exist");
}
else
die("please provide a username and password");
?>
There are some problems in your code, try this
<?php
session_start();
$login = mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
if ($login&&$password)
{
$connect = mysql_connect("localhost", "root", "") or die("Couldn't connect");
mysql_select_db("a&e") or die("Couldn't find db");
$query = mysql_query("SELECT * FROM users WHERE login='".$login."' AND password='".$password."'");
$numrows = mysql_num_rows($query);
if ($numrows > 0)
{
//code to login
header('Location: nindex.php');
die();
}
else
{
echo "incorrect username or password";
}
}
?>
I have noticed 4 things.
1) When you check to see if they match
you are comparing $password to $password instead of "$dbpassword"
2) Why do you call "sleep(5)" ?
3) You need to encrypt the password before storing to the database because if your site get hacked, your user passwords will eventually be in bad hands.
4) you should never store a password in a session variable (for security reasons)
I can't figure out what is wrong with program. The password I know is correct but for some reason I am receiving an error saying it is incorrect.
here is my signup.php
$UserName = $_POST['UserName'];
$password = $_POST['password'];
$msd5Password = $md5[$password];
$email = $_POST['email'];
if ($UserName == null || $password == null || $email == null) {
echo 'Please Fill In All The Values';
}
else {
$sql = mysql_query("SELECT * FROM login WHERE email = '$email'");
$numrows = mysql_num_rows($sql);
if($numrows !=0)
{
die("There already is an account created with the email you entered.");
}
else
{
mysql_connect("localhost", "root") or die (mysql_error);
mysql_select_db ("thereview");
mysql_query("INSERT INTO login (UserName, password, email) VALUES ('$UserName', '$md5Password', '$email')")
or die(mysql_error());
header("Location:login.php");
}
}
And here is my login.php
session_start();
$UserName = $_POST['UserName'];
$password = $_POST['password'];
if($UserName == null|| $password == null) {
echo 'Please fill in UserName and Password';
}
else{
mysql_connect("localhost", "root") or die (mysql_error);
mysql_select_db ("thereview");
$query = mysql_query ("SELECT * FROM login WHERE UserName = '$UserName'");
$numrows = mysql_num_rows($query);
if($numrows != 0) {
while($row = mysql_fetch_assoc($query)) {
$dbEmail = $row['email'];
$dbUserName = $row['UserName'];
$dbPassword = $row['password'];
$dbId = $row['id'];
}
if($UserName = $dbUserName && md5($password) == $dbPassword) {
$_SESSION['UserName'] = $dbUserName;
$_SESSION['email'] = $dbEmail;
}
else {
echo 'UserName or Password is incorrect';
}
}
else {
echo 'User does not exist, Create an Account';
}
}
Looks like you have a typo here:
$msd5Password = $md5[$password];
should probably be:
$md5Password = md5($password);
Keep in mind MD5 is not good for password security any longer and you have VERY POOR security for this script, open to injection and other issues.
Are you sure about this?
$msd5Password = $md5[$password];
I think it should be:
$md5Password = md5($password);
$msd5Password = $md5[$password]; should probably read: $md5Password = md5($password); (careful about the details - dollars and parenthesis)
$UserName = $dbUserName should probably be $UserName == $dbUserName
In the sign up script you write $md5$password
I'm not strong in php, but shouldn't that be md5($password) as you write in the login script?
if($UserName **=** $dbUserName && md5($password) == $dbPassword)
will always give you false...
Try $UserName **==** $dbUserName instead.
Try this. You need to put parenthesis around these commands to make sure that its a test of only those values. Also where you have $UserName = $dbUserName you need to have it be == instead of =. Otherwise it will always be set to true rather then be testing it.
if(($UserName == $dbUserName) && (md5($password) == $dbPassword))
Also, at the top the code you have is this:
$msd5Password = $md5[$password];
You have two typos in there. First of all your variable later on is md5Password so you need to remove the s. Also the syntax for md5 is md5($password). Finally md5 is a function not a variable so you don't need the $.
Correct Syntax:
$md5Password = md5($password);
I hope this is helpful!