LOGIN HELP

HELP ME PLEASE…
EVEN IF I ENTER THE TRUE PASSWORD AND USERNAME THE OUTPUT STILL Your password is incorrect

THIS IS MY CODE:

<?php
error_reporting(0);
session_start();
$userid = $_SESSION['userid'];
$username = $_SESSION['username'];
$type = $_SESSION['type'];
If ($username && $userid && $type){
    echo "Welcome $username
";
    echo "You are Logged in as $type";
} else {
    $username=$_POST['username'];
    $password=$_POST['password'];
    if ($username&&$password) {
        $connect=mysql_Connect("localhost","root","password")or die("Couldn't connect to the database");
        mysql_select_db("system")or die("Couldn't connect to the database");
        $query=mysql_query("SELECT * FROM users WHERE username='$username'");
        $numrows=mysql_num_rows($query);
        If ($numrows!==0) {
            While ($row=mysql_fetch_assoc($query)){
                $dbusername = $row['username'];
                $dbpassword = $row['password'];
                $dbid = $row['id'];
                $dbtype = $row['type'];
            }
            If ($username==$dbusername&&md5($password)==$dbpassword) {
                $_SESSION['username'] = $dbusername;
                $_SESSION['userid'] = $dbid;
                $_SESSION['type'] = $dbtype;
                echo "Welcome $username";
                echo "You are Logged in as $type";
            } else {
                echo "Your password is incorrect";
            }
        } else {
            echo "That username doesn't exists";
        }
    } else {
        echo "Please enter username and password";
    }
}
?>

The code seems to work fine for me, could you show a screenshot of how the users table looks?

You say you always get “Your password is incorrect”, this means that this condition always fails:
[php]If ($username==$dbusername&&md5($password)==$dbpassword)[/php]

You need to figure out why this doesn’t validate. You could do something like this:
[php]var_dump($username == $dbusername);
var_dump(md5($password) == $dbpassword);
var_dump($username == $dbusername && md5($password) == $dbpassword);[/php]

If you now get “bool(true) bool(false) bool(false)” then you know the second condition is wrong. md5($password) is not equal to $dbpassword. Then you should dump out these two and visually compare them.
[php]var_dump(md5($password));
var_dump($dbpassword);[/php]

It should give you a good idea of what’s wrong.

This would of course be easier with debugging in an IDE, then you wouldn’t have to do this manual echo/print_r/var_dumping.

[hr]

ps: when adding code to the forum please add it inside code or php tags, for readability.

[code ]this is some generic code[/code ]

[php ]<?php $string = 'this is php';[/php ]

The tags should be without spaces, had to add them so the forum wouldn’t parse the tags :)

This would show up as:

var string = 'this is some generic code';

[php]<?php $string = 'this is php';[/php]

[hr]

Some issues you should consider:

Your code is terribly formatted
Consider using an IDE, it will automatically format the code as you type.
You can also have the IDE reformat the code to your coding standards
(in Netbeans: right-click -> Format, or ALT-SHIFT-F)

mysql_* functions are deprecated, unsafe and should not be used.
Use PDO or mysqli instead!

SQL injection
When inserting parameters directly into SQL queries, you are vulnerable to SQL injection. Not an issue with parameterized queries with PDO/mysqli.

Password handling
MD5 is not considered safe for storing passwords, consider changing to Bcrypt or pbkdf2.

Error messages
You should not inform users about incorrect username/passwords, this can be used to brute force accounts. Both “Your password is incorrect” and “That username doesn’t exists” should be changed to “Your login credentials are incorrect.” At least in a production environment.

Error reporting
When in a dev-environment, leave error reporting on. This way you know what goes wrong. Start your files with:
[php]<?php
ini_set('error_reporting', E_ALL);[/php]
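
An added example, not part of the original posts: one way to apply the points in the reply above (a parameterized PDO query, bcrypt via password_hash(), one generic failure message). Assumptions: an in-memory SQLite database stands in for the MySQL one so it runs offline, login() is a hypothetical helper, the users are constructed sample data, and the upgrade of legacy MD5 rows on successful login goes beyond what the thread covers.

```php
<?php
// Added example, not code from the thread. Assumptions: an in-memory SQLite
// database stands in for the MySQL "system" database so the script runs
// offline; the users table keeps the columns the original code reads.
declare(strict_types=1);

function login(PDO $db, string $username, string $password): ?array
{
    // Placeholder binding keeps $username out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, username, password, type FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown user: same result as a wrong password
    }
    $hash = $row['password'];
    if (strlen($hash) === 32 && ctype_xdigit($hash)) {
        // Legacy unsalted MD5 row: compare with hash_equals() rather than ==
        // (no type juggling), then replace the stored value with bcrypt.
        if (!hash_equals($hash, md5($password))) {
            return null;
        }
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT), $row['id']]);
    } elseif (!password_verify($password, $hash)) {
        return null;
    }
    unset($row['password']); // never hand the hash back to the caller
    return $row;
}

// Constructed sample data: one bcrypt user, one legacy MD5 user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, type TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password, type) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_BCRYPT), 'admin']);
$ins->execute(['bob', md5('hunter2'), 'user']);

// The quote in "o'brien" is treated as plain data by the bound parameter.
$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'hunter2'],
             ['nobody', 'x'], ["o'brien", 'x']];
foreach ($attempts as [$u, $p]) {
    $user = login($db, $u, $p);
    // One message for every failure, as the reply recommends.
    echo $user ? "Welcome {$user['username']}, logged in as {$user['type']}\n"
               : "Your login credentials are incorrect.\n";
}
```

In a real login page, a non-null result would be followed by session_regenerate_id(true) before the $_SESSION values are set.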
