HELP NEEDED WITH LOGIN SCRIPT


#1

When i try to log in with a correct username and password i get the error message “Wrong username & password” displayed. can anyone help me :frowning: :frowning: :frowning: :frowning:
[php]

<?php require_once('mysql_connect.php'); // username and password sent from form $user=$_POST['myusername']; $pass=$_POST['mypassword']; // To clean values from form to prevent mysql interjection $user = mysql_real_escape_string(stripslashes($user)); $pass = mysql_real_escape_string(stripslashes($pass)); if($pass && $user){ $sql="SELECT * FROM user WHERE username='$user' AND password=PASSWORD('$pass')"; $result=@mysql_query($sql); $row = mysql_num_rows($result); if ($row) { setcookie("auth",$user, time()+3600); header("location:secureUser/myHome.php"); echo "CORRECT"; } else { header('refresh: 3; url=login.php'); echo "Wrong Username or Password"; } } else { header('refresh: 3; url=login.php'); echo "Please enter values"; } ?>

[/php]


#2
Hello paulbayo2002, use below code [php] <?php require_once('mysql_connect.php'); // username and password sent from form $user=$_POST['myusername']; $pass=$_POST['mypassword']; // To clean values from form to prevent mysql interjection $user = mysql_real_escape_string(stripslashes($user)); $pass = mysql_real_escape_string(stripslashes($pass)); if(!empty($pass) && !empty($user)) { #Note: is PASSWORD('$pass') is must be required in your query than use below code( two line) /*$usepassword = PASSWORD('$pass'); $sql="SELECT * FROM user WHERE username='$user' AND password='$pass'";*/
# Note: PASSWORD() is not requaird than use below two line. (i using blow sql because i do not know qhy your using PASSWORD() in your query.)
$sql="SELECT * FROM user WHERE username='$user' AND password='$pass'";


$result=@mysql_query($sql);
$row = mysql_num_rows($result);
if ($row > 0) 
{
	setcookie("auth",$user, time()+3600);
	header("location:secureUser/myHome.php");
	echo "CORRECT";
}
else 
{
	header('refresh: 3; url=login.php');
	echo "Wrong Username or Password";
}

}
else
{
header(‘refresh: 3; url=login.php’);
echo “Please enter values”;
}
?>

[/php]
i hope this will helpful for you.
Reply your feedback
SR


#3

Like Sarthank Patel, pointed out in the code, the query line [size=12pt]password=PASSWORD(’$pass’)[/size] is flat out wrong. So it should be, password=’$pass’

Also, this is just a suggestion, in

[php]setcookie(“auth”,$user, time()+3600);
header(“location:secureUser/myHome.php”);
echo “CORRECT”;[/php] you can get rid of echo “CORRECT”; because it will never be printed regardless since it is preceded by the header location function. So if the user inputs the correct name and password CORRECT will never be printed to screen, and instead you will be re-directed to myHome.php

If you want to print this message after correct login info has been entered, then you can use the header refresh function as you use later in the code:

[php]setcookie(“auth”,$user, time()+3600);
header(‘refresh: 3; url=myHome.php’);
echo “CORRECT”;[/php]

So here the message will be displayed for 3 seconds, then the page is re-directed to myHome.php


#4

Hi, thank you both for the replies. I have changed my code to this
[php]

<?php require_once('mysql_connect.php'); // username and password sent from form $user=$_POST['myusername']; $pass=$_POST['mypassword']; // To clean values from form to prevent mysql interjection $user = mysql_real_escape_string(stripslashes($user)); $pass = mysql_real_escape_string(stripslashes($pass)); if(!empty($pass) && !empty($user)){ $sql="SELECT * FROM user WHERE username='$user' AND password='$pass'"; $result=@mysql_query($sql); $row = mysql_num_rows($result); if ($row>0) { setcookie("auth",$user, time()+3600); header("location:secureUser/myHome.php"); } else { header('refresh: 3; url=login.php'); echo "Wrong Username or Password"; } } else { header('refresh: 3; url=login.php'); echo "Please enter values username & password"; } ?>

[/php]
But now i am getting the message “Wrong Username or Password” when i enter a correct one. could it have anything to do with the encryption on the password field in the database??


#5

Well if you have an encrypted field in the database, then you also need to pass that throughthe PHP code. First, you have not specified what kind of encryption you are using… Is md5() or sha1(), etc.

If you are using any encrypted function, say md5()to input the text in the database, then you need to use it to login as well:
[php]
if(md5($_POST[‘password’]) == $user[‘password’]){
echo ‘Login Succesful!’;

		$_SESSION['user']= $user['username'];//Pull Username
				
		$_SESSION['first']= $user['firstname']; //Pull first name
		$_SESSION['last']= $user['lastname']; //Pull last name
		header("location:index.php");
		}  [/php]

I think this is where the issue is.


#6

Shouldn’t this :

if ($row>0) {

Be this:

if(mysql_num_rows($row)>0) {

???


#7

Yeah, Ernie, that could also be the problem.


#8

Hi, i have not used an encryption function, but in the password table of the mySQL database the passwords show like this “*611EF5ACB2869143A21B97027580BEF7EED080F”

I also tried making the change that Ernie suggested but that gave me this error when i attempted to log in:

Warning: mysql_num_rows() expects parameter 1 to be resource, integer given in"


#9

Thanks for the help, i found the problem.
i changed this:
[php]$sql=“SELECT * FROM user WHERE username=’$user’ AND password=’$pass’”;[/php]
to this:
[php]$sql=“SELECT * FROM user WHERE username=’$user’ AND password=$pass”;[/php]
then it worked fine, though i do not understand why. if anyone could explain that would be helpful


#10

Sorry on my comment, I have had a rough week!

$result=@mysql_query($sql);
$row = mysql_num_rows($result);

if ($row>0) {

I didn’t see the setting of $row… Most programmers set the $row to the actual row of data from fetch_array. It is kinda the default for all samples. So, I skipped right down to the condition in the IF…

Sorry…


#11
hello paulbayo2002, Modification done by you in query and it's working fine for you now because of you define password as integer in database and your treating this field as varchar in your old query. your new modify query $sql="SELECT * FROM user WHERE username='$user' AND password=$pass"; your old query $sql="SELECT * FROM user WHERE username='$user' AND password=$pass";

i hope this will helpful and improve your query related knowledge.
SR


#12

By just taking a look at your password, It looks that yes, you are using an encryption. But that you are using in during the insert using a form:

[php]$query = mysql_query(“INSERT INTO user SET id = null, username =’$user’, password =’.md5(”$userPassword")’." or die (mysql_error());[/php]

Again, I assume you are NOT entering the password manually in your code, and rather from a form when inserting into the database. But if you do, and your password is *611EF5ACB2869143A21B97027580BEF7EED080F, then that’s exactly what you have to type in the login form or you will NEVER get access.

As I said before, if you use an INSERT form with query similar to the above, then you a SELECT query that retrives the password using the md5 or sha1 hash functions Like:

[php]if(md5($_POST[‘password’]) == $passowrd[‘password’])
{
echo ‘Login Succesful!’;[/url]
}[/php]

You Said that it’s all working for you. If that’s the case, fine. Then if not, shoot back!


#13

But this is all in thoughts that he is using php hashing functions.
But what if the original script was correct, and he is using the mysql hashing function?
than all these offshoots of using php hashing functions are useless.

You have to show code excerpts of the INSERT of the user record into the database.
this will give us more info on what route to take rather than trying to figure it out from our own preferances.