php login not working!

tuckenator · 3 May 2007 at 03:32

Hi, i am trying to login and redirect the successful login to main.php, but everytime i try the below 'logincheck.php' code, i receive the error code, even though i know the username and password details are correct.

Code:

Code:

<? //logincheck.php
//start the session
session_start(); 
//include java error file
include 'common.php'; 
//include connection file
include 'db.php';

// Connect to database 'sms'
dbConnect('epicfx00_sms');

// username and password sent from signup form 
$username = $_POST['uname'];
$password = $_POST['upassword'];
$password=md5($password); 

$sql="SELECT * FROM user WHERE userid='$username' and password='$password'"; 
$result=mysql_query($sql) or die(mysql_error());

// Mysql_num_row is counting table row 
$count=mysql_num_rows($result); 
// If result matched $myusername and $mypassword and $myemail, table row must be 1 row 

if($count==1){ 
// Register $myusername, $mypassword, $myemail and redirect to file "login_success.php" 
session_register("username"); 
session_register("password");  
header("Location:main.php"); 
} 
else { 
error('Either your username or password were incorrect, please go back and try again');
} 
?>

help will be much appreciated.

Tucks

paulsheffII · 3 May 2007 at 05:01

Echo out the $sql just to make sure it looks right and also echo out the $count

tuckenator · 3 May 2007 at 05:33

the $sql is echo'ing fine, and the count is echo'ing as 0. this is my current code.

Code:

<? //logincheck.php
//start the session
session_start(); 
//include java error file
include 'common.php'; 
//include connection file
include 'db.php';

// Connect to database 'sms'
dbConnect('epicfx00_sms');

// username and password sent from signup form 
$username = $_POST['uname'];
$password = $_POST['upassword'];
$password=md5($password); 

echo $sql="SELECT * FROM user WHERE userid='$username' and password='$password'"; 
$result=mysql_query($sql) or die(mysql_error()); 
// Check result 
// This shows the actual query sent to MySQL, and the error. Useful for debugging. 
if (!$result) { 
    $message  = 'Invalid query: ' . mysql_error() . "\n"; 
    $message .= 'Whole query: ' . $query; 
    die($message); 
}
// Mysql_num_row is counting table row 
echo $count=mysql_num_rows($result); 
// If result matched $myusername and $mypassword and $myemail, table row must be 1 row 
if($count==1){ 
// Register $myusername, $mypassword, $myemail and redirect to file "login_success.php" 
$_SESSION['username']=$username;
$_SESSION['password']=$password;
echo('finally'); 
} 
else { 
echo('Either your username or password were incorrect, please go back and try again');
} 
?>

off to bed, good luck, ha.

Beansprout · 3 May 2007 at 10:15

What does mysql_error() show?

Jaffa_Cake · 3 May 2007 at 10:27

You have some very bad coding practies in there.

<? should always be <?php as <? will become obselite soon.

Your script is also open to SQL Injection, I don't know if you care about that but its good practice to fix it.

Try this:

PHP:

<?php

// Connect to database 'sms'
dbConnect('epicfx00_sms');

$sql = "SELECT * FROM `user` WHERE userid = " . SQLSafe($_POST['uname']); 
$result = mysql_query($sql) OR die(mysql_error()); 
// Check result 
// This shows the actual query sent to MySQL, and the error. Useful for debugging. 
if (!$result) { 
    $message  = 'Invalid query: ' . mysql_error() . "\n"; 
    $message .= 'Whole query: ' . $query; 
    die($message); 
}
$row = mysql_fetch_array($result, MYSQL_ASSOC);
	if ($row['password'] == md5($_POST['upassword'])) {
		$_SESSION['username'] = $row['userid'];
		$_SESSION['password'] = $row['password'];
		die('Login worked'); 
	} else { 
		die('Either your username or password were incorrect, please go back and try again');
	}

function SQLSafe($value) {
	    // Stripslashes
	    if (get_magic_quotes_gpc()) {
	        $value = stripslashes($value);
	    }
	    // Quote if not a number or a numeric string
	    if (!is_numeric($value)) {
	        $value = "'" . mysql_real_escape_string($value) . "'";
	    }
	    return $value;
}
?>

Did you know that your original code has the line WHERE userid='$username' is this meant to be WHERE `username` instead? Just an idea if my code doesn't sort it.

Dj_Jestar · 3 May 2007 at 10:52

Yours is equally as poor given that you are declaring global $config; but never use it, anywhere; and you should always escape inputs - is_numeric() allows hexadecimal values, which can also cause problems.

Jaffa_Cake · 3 May 2007 at 11:02

Dj_Jestar said:
Yours is equally as poor given that you are declaring global $config; but never use it, anywhere; and you should always escape inputs - is_numeric() allows hexadecimal values, which can also cause problems.

Apologies for the $config, took that function directly out of something of mine

The function has worked perfectly for me.

The hexadecimal in a SQL Query will make no difference I think. Not certain open to suggestions.

tuckenator · 3 May 2007 at 13:04

Finally i have got it working by adding the
PHP Code:

PHP:

$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid']; 
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];

statement from a previous login, though now i cannot get the password to md5 or the page to redirect after it is successful.

working code:

PHP Code:

PHP:

<? //logincheck.php 
//start the session 
session_start(); 
//include java error file 
include_once 'common.php'; 
include_once 'db.php'; 

// Connect to database 'sms' 
dbConnect('epicfx00_sms'); 

$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid']; 
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd']; 

// username and password sent from signup form 

$sql = "SELECT * FROM user WHERE 
        userid = '$uid' AND password = PASSWORD('$pwd')"; 
$result = mysql_query($sql); 
// Check result 
// This shows the actual query sent to MySQL, and the error. Useful for debugging. 
if (!$result) { 
    $message  = 'Invalid query: ' . mysql_error() . "\n"; 
    $message .= 'Whole query: ' . $query; 
    die($message); 
} 
// Mysql_num_row is counting table row 
$count=mysql_num_rows($result); 
// If result matched $myusername and $mypassword and $myemail, table row must be 1 row 
if($count==1){ 
// Register $myusername, $mypassword, $myemail and redirect to file "login_success.php" 
$_SESSION['username']=$username; 
$_SESSION['password']=$password; 
echo('you are now logged in'); 
} 
else { 
echo('Either your username or password were incorrect, please go back and try again'); 
} 
?>

any ideas?

cheers tucks

robswan · 4 May 2007 at 11:36

A few things to try

Ignoring the SQL injection issues for now:

When you set your session data you're setting $_SESSION['username'] and $_SESSION['password'], but you're then using $_SESSION['uid'] and $_SESSION['pwd'] when you're retrieving the session data. That'll be causing a problem.

There's nothing there to initiate a page redirect after echoing the success message... so that's why it's not redirecting...

I'd personally use PHP to md5 encrypt the data from the post, store the encrypted data in the session, and then avoid using the MySQL PASSWORD function entirely. The MySQL hashing function tend to cause more problems than they ever solve. You might find using MD5() instead of PASSWORD() in your SQL fixes that problem...? Depends how you're hashing the password that's stored in the database.

Let me know if you want further explanation on anything

toosepin · 4 May 2007 at 16:06

As long as you MD5 your passwords into your database, all you'll need SQL wise is to set the the password column as a varchar(32) and you'll be ok.

toosepin · 4 May 2007 at 16:08

Here's one of my login scripts. Please feel free to pick it apart - I wouldn't mind tweaking it for the better if needs be.

Code:

<?php

session_start();

if (isset($_POST['username']) && isset($_POST['password'])) {

	include('lib/db_connect.php');

	function quote_smart($username)
	{
		if (get_magic_quotes_gpc()) {
			$username = stripslashes($username);
		}
		if (!is_numeric($username)) {
			$username = mysql_real_escape_string($username);
		}
		return $username;
	}

	$username = quote_smart($_POST['username']);
	$password = md5($_POST['password']);

	$sql = "SELECT * FROM users WHERE user_name = '$username' AND user_pass = '$password' LIMIT 1";

	$result = mysql_query($sql) or die(mysql_error());

	if (mysql_num_rows($result)!= 1) {

		$error = "<span>Incorrect Username/Password</span>";
		
		include('index.php');
		exit;
	
	}

	else {

		$_SESSION['admin_access'] = true;
		$_SESSION['user_name'] = $username;
		$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
		$_SESSION['user_logged'] = date('Ymd');	

		header('Location: dash');

	}

	include('lib/db_disconnect.php');
}

else {

	header("Location: index");

}

?>

tuckenator · 4 May 2007 at 17:18

cheers for the help, i figured out my MD5 problem was due to my registration form entering the passwords as PASSWORD instead of MD5. somehow i seems i tried everything except looking inside my reg form.

Cheers for the help and scripts.