Incorrect Username/Password

  • (2 Pages)
  • +
  • 1
  • 2

15 Replies - 798 Views - Last Post: 31 August 2018 - 09:00 AM Rate Topic: *---- 1 Votes

#1 DanZman   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 36
  • Joined: 24-January 18

Incorrect Username/Password

Posted 28 August 2018 - 02:24 PM

I'm trying to put a simple PHP login form together. Once I register with a username and password then try to login, I keep receiving errors even though I'm entering the correct credentials. When I register, the username and password(hashed) is showing up in the database, so I know it's somewhat working. Below is my code.

This is the login:
<?php
session_start();
require_once('../DatabaseConnection/dbconnect.php');
if(isset($_POST) & !empty($_POST)){
	$username = mysqli_real_escape_string($link, $_POST['username']);
	$password = md5($_POST['password']);

	$sql = "SELECT * FROM `users` WHERE username ='$username' AND password='$password'";
	$result = mysqli_query($link, $sql);
	$count = mysqli_num_rows($result);
	if($count == 1){
		$_SESSION['username'] = $username;
		header("location: catalogue.php");
	}else{
		$fmsg = "Invalid Username/Password";
	}
}
if(isset($_SESSION['username'])){
	$smsg = "User already logged in";
}


?>
<!DOCTYPE html>
<html>
<head>
	<title>User Login in PHP & MySQL</title>
	<!-- Latest compiled and minified CSS -->
	<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" >

	<!-- Latest compiled and minified Javascript -->
	<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" ></script>

	<link rel="stylesheet" type="text/css" href="styles.css">
</head>
<body>
<div class="container">
      <?php if(isset($smsg)){ ?><div class="alert alert-success" role="alert"> <?php echo $smsg; ?> </div><?php } ?>
      <?php if(isset($fmsg)){ ?><div class="alert alert-danger" role="alert"> <?php echo $fmsg; ?> </div><?php } ?>
      <form class="form-signin" method="POST">
        <h2 class="form-signin-heading">Login</h2>
        <div class="input-group">
		  <span class="input-group-addon" id="basic-addon1">@</span>
		  <input type="text" name="username" class="form-control" placeholder="Username" required>
		</div>
        <label for="inputPassword" class="sr-only">Password</label>
        <input type="password" name="password" id="inputPassword" class="form-control" placeholder="Password" required>
        <button class="btn btn-lg btn-primary btn-block" type="submit">Login</button>
        <a class="btn btn-lg btn-primary btn-block" href="register.php">Register</a>
      </form>
</div>
</body>
</html>


This is the register
<?php
require_once('../DatabaseConnection/dbconnect.php');
if(isset($_POST) & !empty($_POST)){
	$username = mysqli_real_escape_string($link, $_POST['username']);
//	$email = mysqli_real_escape_string($link, $_POST['email']);
	$password = md5($_POST['password']);

	$sql = "INSERT INTO `users` (username, password) VALUES ('$username', '$password')";
	$result = mysqli_query($link, $sql);
	if($result){
		$smsg = "User Registration successfull";
	}else{
		$fmsg = "User registration failed";
	}
}


?>
<!DOCTYPE html>
<html>
<head>
	<title>User Registration in PHP & MySQL</title>
	<!-- Latest compiled and minified CSS -->
	<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" >

	<!-- Latest compiled and minified Javascript -->
	<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" ></script>

	<link rel="stylesheet" type="text/css" href="styles.css">
</head>
<body>
<div class="container">
      <?php if(isset($smsg)){ ?><div class="alert alert-success" role="alert"> <?php echo $smsg; ?> </div><?php } ?>
      <?php if(isset($fmsg)){ ?><div class="alert alert-danger" role="alert"> <?php echo $fmsg; ?> </div><?php } ?>
      <form class="form-signin" method="POST">
        <h2 class="form-signin-heading">Please Register</h2>
        <div class="input-group">
		  <span class="input-group-addon" id="basic-addon1">@</span>
		  <input type="text" name="username" class="form-control" placeholder="Username" required>
		</div>
        <!--<label for="inputEmail" class="sr-only">Email address</label>
        <input type="email" name="email" id="inputEmail" class="form-control" placeholder="Email address" required autofocus>-->
        <label for="inputPassword" class="sr-only">Password</label>
        <input type="password" name="password" id="inputPassword" class="form-control" placeholder="Password" required>
        <button class="btn btn-lg btn-primary btn-block" type="submit">Register</button>
        <a class="btn btn-lg btn-primary btn-block" href="login.php">Login</a>
      </form>
</div>
</body>
</html>



Is This A Good Question/Topic? 0
  • +

Replies To: Incorrect Username/Password

#2 astonecipher   User is offline

  • Senior Systems Engineer
  • member icon

Reputation: 2682
  • View blog
  • Posts: 10,736
  • Joined: 03-December 12

Re: Incorrect Username/Password

Posted 28 August 2018 - 02:46 PM

💩 That code isn't what you want to start with. Whatever you are following, not a good place to learn from.


MD5, not a viable security method. Not using prepared statements, big issue.
Was This Post Helpful? 2
  • +
  • -

#3 DanZman   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 36
  • Joined: 24-January 18

Re: Incorrect Username/Password

Posted 30 August 2018 - 12:37 PM

I'm trying to create a simple username and password form with PHP and MySQL. When I create a username and password, it shows up in the database. When I try to login with that same username/password I get an error. I'm not sure why? Below is my code for the loginVerify.php file

<?php
session_start();

unset($_SESSION['badPass']);

//username and passowrd sent from form
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];

//Connect to server and select datbase
require_once '../DatabaseConnection/dbconnect.php';

//protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = $con->real_escape_string($myusername);
$mypassword = $con->real_escape_string($mypassword);

//hashing
$hashedPassword = hash("ripemd128", $mypassword);

$sql = "SELECT * FROM `users` WHERE `username`='$myusername' AND `password`='$hashedPassword'";

$result = $con->query($sql);

if (!$result) {
    $message = "whole query " . $sql;
    echo $message;
    die('Invalid query: ' . mysqli_errno($con));
}

//if result matched $mysername and $mypassword, table row must be 1 row
if (mysqli_num_rows($result) == 1) {
    $_SESSION['user'] = $myusername;
    $_SESSION['password'] = $hashedPassword;

    //Register $myusername, $mypassword and redirect to file "welcome.php"
    header("Location:welcome.php");   
} else {
    header("Location:login.php");
    $_SESSION['badPass']++;
    echo "Wrong Username or Password";
}
?>



This is the PHP code I have on the login.php file.

<td>Password</td>
                        <td>:</td>
                        <td><input name="mypassword" type="password" id="mypassword">
                           <?php
                            if (isset($_SESSION['badPass'])) {
                                echo "Wrong User Name or Password";
                                unset($_SESSION['badPass']);
                            }
                             ?>
                        </td>


Was This Post Helpful? 0
  • +
  • -

#4 modi123_1   User is offline

  • Suitor #2
  • member icon



Reputation: 14502
  • View blog
  • Posts: 58,134
  • Joined: 12-June 08

Re: Incorrect Username/Password

Posted 30 August 2018 - 12:46 PM

It helps copy/pasting the error messages here.
Was This Post Helpful? 0
  • +
  • -

#5 DanZman   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 36
  • Joined: 24-January 18

Re: Incorrect Username/Password

Posted 30 August 2018 - 12:48 PM

View Postmodi123_1, on 30 August 2018 - 12:46 PM, said:

It helps copy/pasting the error messages here.


Is there are way I can do that with a var dump? The only error message I recieve is from the one that is listed in the login.php file where it checks if 'badPass' was set.
Was This Post Helpful? 0
  • +
  • -

#6 Sheepings   User is offline

  • Senior Programmer
  • member icon

Reputation: 120
  • View blog
  • Posts: 852
  • Joined: 05-December 13

Re: Incorrect Username/Password

Posted 30 August 2018 - 01:32 PM

Duplicate problem from Topic

Reply where you were advised against using that code. I've looked at this with another person, and you never replied to them.
Was This Post Helpful? 0
  • +
  • -

#7 DanZman   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 36
  • Joined: 24-January 18

Re: Incorrect Username/Password

Posted 30 August 2018 - 01:35 PM

View PostSheepings, on 30 August 2018 - 01:32 PM, said:

Duplicate problem from Topic

Reply where you were advised against using that code. I've looked at this with another person, and you never replied to them.


I may not have replied but I took into consideration what they said about using md5() for password hashing which I did not use here. Please read posts first before assuming and telling people what to do.

This post has been edited by DanZman: 30 August 2018 - 01:35 PM

Was This Post Helpful? 0
  • +
  • -

#8 Sheepings   User is offline

  • Senior Programmer
  • member icon

Reputation: 120
  • View blog
  • Posts: 852
  • Joined: 05-December 13

Re: Incorrect Username/Password

Posted 30 August 2018 - 01:39 PM

I replied here courteously, and was about to ask how much of your code you have changed. The mods will likely merge your topic once they see its the same person with the same problem + a chip on your shoulder. Why the negative rep?
Was This Post Helpful? 0
  • +
  • -

#9 modi123_1   User is offline

  • Suitor #2
  • member icon



Reputation: 14502
  • View blog
  • Posts: 58,134
  • Joined: 12-June 08

Re: Incorrect Username/Password

Posted 30 August 2018 - 01:56 PM

Everyone chill out on the rep system.
Was This Post Helpful? 1
  • +
  • -

#10 ArtificialSoldier   User is offline

  • D.I.C Lover
  • member icon

Reputation: 2162
  • View blog
  • Posts: 6,559
  • Joined: 15-January 14

Re: Incorrect Username/Password

Posted 30 August 2018 - 02:08 PM

If you're seeing that message in your file then this if statement is false:

mysqli_num_rows($result) == 1

So that query is either returning no records, or more than 1. That is the only thing which can be concluded based on the code and the information you've given. Since you're not using prepared statements, you can just print that query out to verify it and run it in something like phpMyAdmin to verify what it's returning and why.

As far as password hashing goes, why did you settle on RIPEMD-128 of all things? Is there a particular reason? PHP has an extension dedicated to password hashing and verification, why not use that instead?

http://php.net/manua...ssword-hash.php
http://php.net/manua...word-verify.php
Was This Post Helpful? 0
  • +
  • -

#11 Sheepings   User is offline

  • Senior Programmer
  • member icon

Reputation: 120
  • View blog
  • Posts: 852
  • Joined: 05-December 13

Re: Incorrect Username/Password

Posted 30 August 2018 - 02:24 PM

There are other problems with this code. Not just the fact that it has no proper structure and you're not utilizing the proper query building structures which you were also advised of on your other post.

This is the appropriate way it should be. Yet, you were advised about using your code... Look at for better practices.
if ($result=mysqli_query($con,$sql))
  {
  //This only returns the rows and nothing else, and use proper construction when building your enquiries. 
  $rowcount=mysqli_num_rows($result);
  printf("Result, has %d rows.\n",  $rowcount);

  mysqli_free_result($result); //Ref: http://php.net/manual/en/mysqli-result.free.php
  }



I'd rip that code apart and build it from scratch. Your syntax is also wrong throughout various places.
Was This Post Helpful? 0
  • +
  • -

#12 astonecipher   User is offline

  • Senior Systems Engineer
  • member icon

Reputation: 2682
  • View blog
  • Posts: 10,736
  • Joined: 03-December 12

Re: Incorrect Username/Password

Posted 31 August 2018 - 07:29 AM

Are you getting this from a book or tutorial? School maybe?

All of this is bad and I will explain why.

<?php
session_start();

// You are unsetting a value regardless then adding to it later
unset($_SESSION['badPass']); 


// Unnecessary variable.
//username and passowrd sent from form
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];

//Connect to server and select datbase
require_once '../DatabaseConnection/dbconnect.php';


// Outdated and didn't work well then. Use prepared statements.
//protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = $con->real_escape_string($myusername);
$mypassword = $con->real_escape_string($mypassword);

// password_hash() as you were already advised
//hashing
$hashedPassword = hash("ripemd128", $mypassword);

// Prime example of how SQL injection attacks happen. You NEVER put user entered values directly in a query
$sql = "SELECT * FROM `users` WHERE `username`='$myusername' AND `password`='$hashedPassword'";

$result = $con->query($sql);

if (!$result) {
    $message = "whole query " . $sql;
    echo $message;
    die('Invalid query: ' . mysqli_errno($con));
}

//if result matched $mysername and $mypassword, table row must be 1 row
if (mysqli_num_rows($result) == 1) {
    $_SESSION['user'] = $myusername;
    $_SESSION['password'] = $hashedPassword; // you shouldn't store a password, in the session

    //Register $myusername, $mypassword and redirect to file "welcome.php"
    header("Location:welcome.php");   
} else {
    header("Location:login.php");
    $_SESSION['badPass']++; // you redirected. why are you trying to increment a value that doesn't exist anyway?
    echo "Wrong Username or Password"; 
// Redirected to login.php why are you showing a message for that and how will they get it?
}
?> <----- Unless there is html below, this will cause issues. 



Commentary added to the code
Was This Post Helpful? 1
  • +
  • -

#13 DanZman   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 36
  • Joined: 24-January 18

Re: Incorrect Username/Password

Posted 31 August 2018 - 07:32 AM

View Postastonecipher, on 31 August 2018 - 07:29 AM, said:

Are you getting this from a book or tutorial? School maybe?

All of this is bad and I will explain why.

<?php
session_start();

// You are unsetting a value regardless then adding to it later
unset($_SESSION['badPass']); 


// Unnecessary variable.
//username and passowrd sent from form
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];

//Connect to server and select datbase
require_once '../DatabaseConnection/dbconnect.php';


// Outdated and didn't work well then. Use prepared statements.
//protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = $con->real_escape_string($myusername);
$mypassword = $con->real_escape_string($mypassword);

// password_hash() as you were already advised
//hashing
$hashedPassword = hash("ripemd128", $mypassword);

// Prime example of how SQL injection attacks happen. You NEVER put user entered values directly in a query
$sql = "SELECT * FROM `users` WHERE `username`='$myusername' AND `password`='$hashedPassword'";

$result = $con->query($sql);

if (!$result) {
    $message = "whole query " . $sql;
    echo $message;
    die('Invalid query: ' . mysqli_errno($con));
}

//if result matched $mysername and $mypassword, table row must be 1 row
if (mysqli_num_rows($result) == 1) {
    $_SESSION['user'] = $myusername;
    $_SESSION['password'] = $hashedPassword; // you shouldn't store a password, in the session

    //Register $myusername, $mypassword and redirect to file "welcome.php"
    header("Location:welcome.php");   
} else {
    header("Location:login.php");
    $_SESSION['badPass']++; // you redirected. why are you trying to increment a value that doesn't exist anyway?
    echo "Wrong Username or Password"; 
// Redirected to login.php why are you showing a message for that and how will they get it?
}
?> <----- Unless there is html below, this will cause issues. 



Commentary added to the code


Yes, it's from the Learn PHP, MySQL and Javascript book for my CSIS 2440 class.
Was This Post Helpful? 0
  • +
  • -

#14 astonecipher   User is offline

  • Senior Systems Engineer
  • member icon

Reputation: 2682
  • View blog
  • Posts: 10,736
  • Joined: 03-December 12

Re: Incorrect Username/Password

Posted 31 August 2018 - 08:43 AM

It's a 2xxx level class?

Well crap. You are in a predicament, you are learning VERY BAD and OLD ways to do something that is far different now.
Was This Post Helpful? 0
  • +
  • -

#15 DanZman   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 36
  • Joined: 24-January 18

Re: Incorrect Username/Password

Posted 31 August 2018 - 08:48 AM

View Postastonecipher, on 31 August 2018 - 08:43 AM, said:

It's a 2xxx level class?

Well crap. You are in a predicament, you are learning VERY BAD and OLD ways to do something that is far different now.


Do you have recommendations on books that are up to date with best practices? I will use what you mentioned in the code comments.
Was This Post Helpful? 0
  • +
  • -

  • (2 Pages)
  • +
  • 1
  • 2