[sakosky1]

I recently decided to add user specific content to my site. Using a tutorial I found online, I created the signup and login pages without any problems. But when I went to test them, I found that I could make an account, but that I couldn't login. As evidence by the pic below, the account is indeed created, but when I try to login with the password it sent to my email, It squaks. Any help that you can provide would be greatly appreciated. I have inserted *** into fields that I wish to protect.

Thanks,
Sakosky1

After creating the account, I check in phpMyAdmin to see that the account was created.


I check my email, it has a message with this:

Quote

Your personal login ID and password are as
follows:

userid: test1
password: ada028

I try to login, and I get this response:

Quote

Access Denied
Your user ID or password is incorrect, or you are not a registered user on this site. To try logging in again, click here. To register for instant access, click here.

This is the code for the login page:

<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';

session_start();

$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];

if(!isset($uid)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are
     not a registered user, <a href="signup.php">click here</a>
     to sign up for instant access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="uid" size="8" /><br />
    Password: <input type="password" name="pwd" SIZE="8" /><br />
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;

dbConnect("*****************");
$sql = "SELECT * FROM usrt WHERE
        userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact you@example.com.');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['uid']);
  unset($_SESSION['pwd']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}

$username = mysql_result($result,0,'fullname');
?>

for the common.php page:

<?php // common.php

function error($msg) {
    ?>
    <html>
    <head>
    <script language="Javascript">
    <!--
        alert("<?=$msg?>");
        history.back();
    //-->
    </script>
    </head>
    <body>
    </body>
    </html>
    <?
    exit;
}
?>

And the db.php page:

<?php // db.php

$dbhost = 'localhost';
$dbuser = '**************';
$dbpass = '*********';

function dbConnect($db='') {
    global $dbhost, $dbuser, $dbpass;
    
    $dbcnx = @mysql_connect($dbhost, $dbuser, $dbpass)
        or die('The site database appears to be down.');

    if ($db!='' and !@mysql_select_db($db))
        die('The site database is unavailable.');
    
    return $dbcnx;
}
?>

Thanks Again

This post has been edited by sakosky1: 07 August 2010 - 10:52 AM

[JackOfAllTrades]

$sql = "SELECT * FROM usrt WHERE
        userid = '$uid' AND password = PASSWORD('$pwd')";

First step: print the value of $sql and compare.

[sakosky1]

When I add the command

Quote

PRINT $sql;

I get:

Quote

SELECT * FROM usrt WHERE userid = 'test1' AND password = PASSWORD('ada028')
Access Denied
Your user ID or password is incorrect, or you are not a registered user on this site. To try logging in again, click here. To register for instant access, click here.

Was that what you were saying to do?

[JackOfAllTrades]

Yes, that was it. What happens when you run that in MySQLAdmin? Does it work there?

How did you add the password to the usrt table? The methods obviously must match exactly.

[CTphpnwb]

I would change this:

$sql = "SELECT * FROM usrt WHERE
        userid = '$uid' AND password = PASSWORD('$pwd')";

to this:

$sql = "SELECT * FROM usrt WHERE
        userid = '$uid' AND password ='$pwd'";

[sakosky1]

I don't have MySQLAdmin.

I tried the change that CTphpnwb mentioned without any success.

The line that makes the password is

Quote

$newpass = substr(md5(time()),0,6);

Below is the code from the signup page:

<?php
else:
    // Process signup submission
    dbConnect('proximac_xlan2');

    if ($_POST['newid']=='' or $_POST['newname']==''
      or $_POST['newemail']=='') {
        error('One or more required fields were left blank.\\n'.
              'Please fill them in and try again.');
    }
    
    // Check for existing user with the new id
    $sql = "SELECT COUNT(*) FROM usrt WHERE userid = '$_POST[newid]'";
    $result = mysql_query($sql);
    if (!$result) {	
        error('A database error occurred in processing your '.
              'submission.\\nIf this error persists, please '.
              'contact you@example.com.');
    }
    if (mysql_result($result,0,0)>0) {
        error('A user already exists with your chosen userid.\\n'.
              'Please try another.');
    }
    
    $newpass = substr(md5(time()),0,6);
    
    $sql = "INSERT INTO usrt SET
              userid = '$_POST[newid]',
              password = PASSWORD('$newpass'),
              fullname = '$_POST[newname]',
              email = '$_POST[newemail]',
              notes = '$_POST[newnotes]'";
    if (!mysql_query($sql))
        error('A database error occurred in processing your '.
              'submission.\\nIf this error persists, please '.
              'contact you@example.com.\\n' . mysql_error());
              
    // Email the new password to the person.
    $message = "G'Day!

Your personal login ID and password are as
follows:

    userid: $_POST[newid]
    password: $newpass

You aren't stuck with this password! Your can
change it at any time after you have logged in.
";

    mail($_POST['newemail'],"Your login info",
         $message, "From:<blabla@example.com>");
         
    ?>

[CTphpnwb]

It looks like your password has been hashed in the database, so you need to hash it before the query.

$pwd = md5($pwd);
$sql = "SELECT * FROM usrt WHERE
        userid = '$uid' AND password ='$pwd'";

Doh! This is a problem:

    $newpass = substr(md5(time()),0,6);

because you're creating a random password based on the current time. How can you expect to recreate it on login?

[sakosky1]

I tried adding the md5 line, but it didn't do it.

Before doing that, I also tried bypassing the signup page, directly adding a user and password to the db, I tried several diviations, but that didn't work.

At this point, besides fixing this code, if anyone has a better way of doing this (loging in and creating a session based on sql database), I'm all ears.

Thanks

[CTphpnwb]

You're essentially using a random salt to hash the password when you store it. That makes it almost impossible to match it later on. Instead, you could do something like:

$newpass = rand(10000,99999);
echo "Your password is: ".$newpass."<br>";
$mysalt = "some text";
$hashed_pass = md5($mysalt.$newpass);
$uid = mysql_real_escape_string($_POST['newid']);
$name = mysql_real_escape_string($_POST['newname']);
$email = mysql_real_escape_string($_POST['newemail']);
$note = mysql_real_escape_string($_POST['newnotes']);
$sql = "INSERT INTO usrt SET
              userid = '$uid',
              password = '$hashed_pass',
              fullname = '$name',
              email = '$email',
              notes = '$note'";

Then when checking:

$mysalt = "some text";
$hashed_pass = md5($mysalt.$pwd);
$sql = "SELECT * FROM usrt WHERE
        userid = '$uid' AND password ='$hashed_pass'";

This post has been edited by CTphpnwb: 07 August 2010 - 09:10 AM

[sakosky1]

Ok, I tried the fix you gave, but it still says that I have the wrong username and password.

This post has been edited by sakosky1: 07 August 2010 - 09:24 AM

[CTphpnwb]

Did you try it from scratch? The password(s) you've created before this will be randomly hashed so you need to start over.

Where's your code? There's no way to tell what you've done wrong without seeing it.

[sakosky1]

I figured out the problem.

It apperently wasn't with the code, but the database. I didn't realize it until after I had added the new code, but whwn I made the table, I had reused an old script and inadvertantly left the password type as char(16), after altering that value to 50, the problem dissapeared.

Thank you for all of your help.
-Sakosky1