-1

My username & password are correct, but when I run this script and test my login I keep getting: "The password is incorrect but the user exists". Can anyone help?

Here is my script:

<?php
include ("db.php");

if (isset($_SESSION['loggedin']) == "1") {
    echo "You are already logged in. <a href=\"index.php\">Go home</a>";
} else {
    if (isset($_POST['login'])) {
        $username = strip_tags(mysql_real_escape_string($_POST['username']));
        $password = md5(strip_tags(mysql_real_escape_string($_POST['password'])));
        if (empty($username) || empty($password)) {
            echo "Enter both fields.";
        } else {
            $userQ = mysql_query("SELECT * FROM users WHERE `username` = '{$username}'");
            if (mysql_num_rows($userQ) == 0) {
                echo "This user does not exist.";
            } else {
                $userA = mysql_fetch_array($userQ);
                if ($password !== $userA["password"]) {
                    echo "The password is incorrect but the user exists.";
                } else {
                    $_SESSION['loggedin'] = "1";
                    header("Location: index.php");
                    exit;
                }
            }
        }
    }
?>
<form method="post">
    Username: <input type="text" name="username" maxlength="25" /><br />
    Password: <input type="password" name="password" maxlength="20" /><br />
    <input type="submit" name="login" value="Login" />
</form>
 <?php
}
?>

Any help would be great. I have just started to learn PHP and am not sure if this code is correct.

Shub
G-Moffat
  • Debug and check using `var_dump($password);` & `var_dump($userA["password"]);` and see what the difference is. – Rikesh May 29 '14 at 10:33
  • Do not use `md5` on a string escaped with `mysql_real_escape_string`. – Deadooshka May 29 '14 at 10:33
  • Your problem is that you use `mysql_fetch_array` - it returns a non-associative array, and the variable `$userA["password"]` is not set. Use `mysql_fetch_assoc` instead. Also I assume that this script is just for learning purposes, but mysql_* functions are deprecated. You should learn about mysqli_ or PDO. – MSadura May 29 '14 at 10:36
  • Before the line `echo "The password is incorrect but the user exists.";`, put this: `var_dump(array($password, $userA["password"]));` and tell us the result. – Hüseyin BABAL May 29 '14 at 10:37
  • You need to return an assoc array and iterate through the results. See my answer [here](http://stackoverflow.com/questions/23931238/php-login-script-the-password-is-incorrect-but-the-user-exists/23931516#23931516) – Hüseyin BABAL May 29 '14 at 10:45
  • Please be aware that the mysql extension (supplying the mysql_ functions) has been deprecated since 2012, in favor of the mysqli and PDO extensions. Its use is highly discouraged. See http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php – Oldskool May 29 '14 at 12:16

2 Answers

0

`$userA = mysql_fetch_array($userQ);` will return an array. You need to iterate over it and return an associative array to check each record, like:

.....
while ($row = mysql_fetch_assoc($userQ)) {
    // Keep the whole row so that $userA["password"] below is a valid array lookup
    $userA = $row;
}

if ($password !== $userA["password"]) {
    echo "The password is incorrect but the user exists.";
}
.....

There is iteration in the above code, but it will always have one result, because the username is unique (I think).

Hüseyin BABAL
  • mysql_fetch_array will not return a non-associative array unless you explicitly specify it. By default it returns both types of array. https://php.net/manual/en/function.mysql-fetch-array.php – Ghost-Man May 29 '14 at 10:58
0

I think you may have multiple users with the same username. Check your database for this. If not, then try to remove mysql_real_escape_string() before using md5 on it.

On a side note, if you are starting to learn PHP then don't use mysql functions anymore. Try to use mysqli or PDO extensions. Mysql functions are deprecated as of PHP 5.5.

Ghost-Man
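The two suggestions made in the comments and answers above (hash the password as typed rather than after escaping it, and move from mysql_* to PDO), shown as an added example that is not code from the thread. Assumptions: an in-memory SQLite database stands in for MySQL, `addslashes()` stands in for `mysql_real_escape_string()`, `password_hash()`/`password_verify()` are used in place of `md5()`, and `register()` and `login()` are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. All data below is constructed.
// Assumption: in-memory SQLite stands in for the asker's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Part 1: hashing an escaped string. addslashes() is a stand-in (assumption) for
// mysql_real_escape_string(), which needs a live MySQL link; both prefix quotes
// with a backslash, so the bytes fed to md5() are no longer the typed password.
$typed         = "pa'ss\"word";              // constructed password containing quotes
$hashOfTyped   = md5($typed);                // hash of what the user actually typed
$hashOfEscaped = md5(addslashes($typed));    // hash computed the way the question does
var_dump($hashOfTyped === $hashOfEscaped);   // the question's !== check hinges on this

// Part 2: no escaping at all. Bound parameters keep input out of the SQL text,
// and the password is hashed exactly as typed.
// register() and login() are hypothetical helper names.
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    // password_hash() replaces md5() here: salted, slow, and versioned.
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // associative row, or false if no user
    // One generic result for "no such user" and "wrong password".
    return $row !== false && password_verify($password, $row['password']);
}

register($pdo, "o'brien", $typed);            // quotes in both fields are plain data
var_dump(login($pdo, "o'brien", $typed));     // correct credentials
var_dump(login($pdo, "o'brien", 'wrong'));    // wrong password
var_dump(login($pdo, 'nobody', $typed));      // unknown user
```

Hashes stored by an existing `md5()`-based registration page will not verify with `password_verify()`; those accounts need a password reset or a rehash on next successful login.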