Log in system help

password is always incorrect

9 Replies - Last Post: 12 August 2010 - 06:39 PM

#1 TechSupport

Posted 10 August 2010 - 10:45 PM

Like I said, the password is always incorrect. I've checked my code at least 20 times and have no clue how to fix it. Here's the code.

if (isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    if ($username && $password) {

        require('includes/connect.php');
        $login_query = "SELECT * FROM profile WHERE username='$username'";
        $result = mysqli_query($cxn, $login_query) or die("Couldn't execute query.");
        $numrows = mysqli_num_rows($result);
        if ($numrows != 0) {

            while ($row = mysqli_fetch_assoc($result))
            {
                $dbusername = $row['username'];
                $dbpassword = $row['password'];

                if ($username == $dbusername && $password == $dbpassword) {
                    echo "You are now logged in!";
                } else {
                    echo "Password does not exist.";
                }
            }
        } else {
            echo "This user doesn't exist.";
        }
    } else {
        die("You Must Enter both a username and password");
    }
} else {
    echo "<form action='login.php' method='post'>
        Username:<input type='text' name='username' /><br />
        Password:<input type='password' name='password' /><br />
        <button type='submit' name='submit'>Sumbit</button>
    </form>";
}




Replies To: Log in system help

#2 no2pencil

Posted 10 August 2010 - 10:55 PM

Try the following:

require('includes/connect.php');
if(isset($_POST['submit'])) {
	
	if(!empty($_POST['username'])) $username = $_POST['username'];
	if(!empty($_POST['password']))$password = $_POST['password'];
					
	$login_query = "SELECT * FROM profile WHERE username='$username'";
	$result = mysqli_query($cxn,$login_query);
	if(!$result) {
		die("The following SQL failed<br>".$login_query);
	}
	$numrows = mysqli_num_rows($result);
	if($numrows!=0){
		while ($row = mysqli_fetch_assoc($result)) {
			$dbusername = $row['username'];	
			$dbpassword = $row['password'];
			if ($username==$dbusername&&$password==$dbpassword){
				echo "You are now logged in!";
			} 
			else {
				echo "Password does not exist.";
			}
		}
	}
}
else {
	echo "<form action='login.php' method='post'>
	Username:<input type='text' name='username' /><br />
	Password:<input type='password' name='password' /><br />
	<button type='submit' name='submit'>Sumbit</button>
	</form>";
}




You should validate $result, if you are going to set it. Also, don't forget to check your variables before using them in SQL.

#3 TechSupport

Posted 10 August 2010 - 10:59 PM

no2pencil, on 10 August 2010 - 09:55 PM, said:

Try the following :

fdgsdgsdfgdf


You should validate $result, if you are going to set it. Also, don't forget to check your variables before using them in SQL.


Still invalid for some reason. I'm confident the problem is somewhere in this section of code:

if ($username=$dbusername&&$password==$dbpassword){
										echo "You are now logged in!";
									} else {
										echo "Password does not exist.";
									}



#4 no2pencil

Posted 10 August 2010 - 11:06 PM

Then visually validate the variables :)

			if ($username==$dbusername&&$password==$dbpassword){
				echo "You are now logged in!";
			} 
			else {
				echo "<p>$username does not match $dbusername</p>";
				echo "<p>$password does not match $dbpassword</p>";
				echo "Password does not exist.";
			}


#5 TechSupport

Posted 10 August 2010 - 11:13 PM

I wasn't encrypting it before seeing if it was equal to the database's encrypted version.

#6 mahcuz

Posted 11 August 2010 - 12:39 AM

TechSupport, on 11 August 2010 - 05:13 AM, said:

I wasn't encrypting it before seeing if it was equal to the database's encrypted version.


And by "encrypting" you mean "hashing", right? I hope.

#7 TechSupport

Posted 11 August 2010 - 02:21 AM

mahcuz, on 10 August 2010 - 11:39 PM, said:

TechSupport, on 11 August 2010 - 05:13 AM, said:

I wasn't encrypting it before seeing if it was equal to the database's encrypted version.


And by "encrypting" you mean "hashing", right? I hope.


Yes, you mind helping me with one more?

#8 Atli

Posted 11 August 2010 - 04:29 AM

You might want to consider another method. If your passwords are hashed (which they should be), or you don't have binary logging enabled, you don't have to retrieve the password and have PHP check it. You can just have MySQL compare the passwords in the SQL query and then count the return rows.

If the passwords are stored in plain-text, then this is obviously not the best idea. But then again, storing passwords as plain-text isn't exactly a good idea either :)

Consider this. Hopefully the comments explain what I'm doing.
<?php
# It's best to avoid using the submit button to check if a form has been submitted.
# A form can be submitted without using the submit button. (E.g. by pressing enter, 
# in certain browsers.)
if(!empty($_POST['username']) && !empty($_POST['password'])) 
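{
	# $cxn is the mysqli connection set up by the include used in the original post.
	require('includes/connect.php');

	# Never use data in a SQL query without sanitizing it!
	# The mysqli_real_escape_string function/method makes sure the data 
	# can not be used to attack your database. (Check out "SQL Injection")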
	$username = mysqli_real_escape_string($cxn, $_POST['username']);
	$password = mysqli_real_escape_string($cxn, $_POST['password']);
	
	# If you hash the password, you should add that here.
	$password = hash('sha1', $password);
	
	# You don't have to fetch the password and compare it with PHP. You
	# can just have MySQL return TRUE for every row where both the username
	# and password are correct, and then count the rows. If it's valid, the
	# query will return exactly one row. If it returns something else there
	# is a problem and you should deny login.
	$sql = "SELECT  TRUE 
			FROM	`profile`
			WHERE  	`username` = '{$username}'
			AND		`password` = '{$password}'";
	$result = mysqli_query($cxn, $sql) or die(mysqli_error($cxn));
	
	if($result && $result->num_rows == 1) {
		echo "Login successful!";
	}
	else {
		echo "Login failed!";
	}
}
else {
    echo "No data to verify!";
}
?>


#9 CTphpnwb

Posted 11 August 2010 - 12:46 PM

I wouldn't have the password in my query. Instead, I'd use the username/id (after scrubbing) and then I'd grab the salt from the record and hash the supplied password with it:
$hashed_password = md5($row['salt'].$_POST['password']);
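// Strict comparison: with ==, two hex strings that both look numeric (e.g. "0e...") compare as equal.
if($hashed_password === $row['pwd'])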
{
 // login successful
} else
{
 // error logging in
}

This way every user can have a different salt so that two users with the same password would still have different hashes. You can even use multiple salts and send the user one of them to use in their first login (verifying email addresses!) and hacking is made much harder. The only downside is that usernames/ids must be unique.

#10 no2pencil

Posted 12 August 2010 - 06:39 PM

CTphpnwb, on 11 August 2010 - 01:46 PM, said:

The only downside is that usernames/ids must be unique.

I would upper case the username, to assure any character differences, so the usernames are not quite so unique & only the password field is case sensitive.
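The fixes discussed across this thread (hash the input before comparing, keep user input out of the SQL text, one salt per user, case-insensitive usernames), combined in one script. This is an added example, not code from any poster: it assumes PHP 7+ with the pdo_sqlite extension, uses an in-memory SQLite table in place of the thread's MySQL `profile` table, and swaps the thread's sha1/md5 hashing for PHP's built-in password_hash()/password_verify(). All function names and credentials are made up for illustration.

```php
<?php
// Added example. In-memory SQLite (PDO) stands in for the thread's MySQL
// `profile` table; names and credentials below are constructed.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE profile (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

// Fold case once, the same way at registration and at login (post #10's idea).
function normalize_username(string $name): string {
    return strtoupper(trim($name));
}

function register(PDO $db, string $username, string $password): void {
    // password_hash() generates a random per-user salt and embeds it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO profile (username, password) VALUES (?, ?)');
    $stmt->execute([normalize_username($username), $hash]);
}

function login(PDO $db, string $username, string $password): bool {
    // Bound parameter: the username is sent as data, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password FROM profile WHERE username = ?');
    $stmt->execute([normalize_username($username)]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    // Re-hashes the input with the salt stored in $stored and compares in constant time.
    return password_verify($password, (string) $stored);
}

$db = open_db();
register($db, 'TechSupport', 'correct horse battery');
register($db, "O'Brien", 'staple'); // an apostrophe needs no escaping with bound parameters

$stored = $db->query("SELECT password FROM profile WHERE username = 'TECHSUPPORT'")->fetchColumn();
var_dump('correct horse battery' == $stored);                  // the thread's bug: raw input vs. stored hash
var_dump(login($db, 'techsupport', 'correct horse battery'));  // case-folded username, right password
var_dump(login($db, "o'brien", 'wrong password'));             // known user, wrong password
var_dump(login($db, 'nobody', 'staple'));                      // unknown user
```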
