Anytime I try to log in with my login file it gives me the error which is set in the code, but I cannot figure out what is wrong with it.

Here's my code:

<?php
    include 'inc/dbc.php';
    include 'inc/functions.php';
?>
<?php
    function get_client_ip() {
        $ipaddress = '';
        if ($_SERVER['HTTP_CLIENT_IP']) {
            $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
        }
        else if($_SERVER['HTTP_X_FORWARDED_FOR']) {
            $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
        }
        else if($_SERVER['HTTP_X_FORWARDED']) {
            $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
        }
        else if($_SERVER['HTTP_FORWARDED_FOR']) {
            $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
        }
        else if($_SERVER['HTTP_FORWARDED']) {
            $ipaddress = $_SERVER['HTTP_FORWARDED'];
        }
        else if($_SERVER['REMOTE_ADDR']) {
            $ipaddress = $_SERVER['REMOTE_ADDR'];
        }
        else {
            $ipaddress = 'UNKNOWN';
        }
       return $ipaddress;
    }
?>
<?php
if(isset($_GET['user']) && !empty($_GET['user'])) {
    $username = $_GET['user'];
} else {
    $username = $_SESSION['username'];
}
    $my_name = $_SESSION['username'];
    $firstname = getuser($username, 'firstname');
    $middlename = getuser($username, 'middlename');
    $lastname = getuser($username, 'lastname');
    $aboutme = getuser($username, 'aboutme');
    $email = getuser($username, 'email');
    $dob = getuser($username, 'dob');
    $address = getuser($username, 'address');
    $website = getuser($username, 'website');
    $country = getuser($username, 'country');
    $city = getuser($username, 'city');
    $state = getuser($username, 'state');
    $phone = getuser($username, 'phone');
    $gender = getuser($username, 'gender');
    $rank = getuser($username, 'rank');
    $avatar = getuser($username, 'aavtar');
?>
<!DOCTYPE html>
<html>
    <head>
        <title>EWC Login</title>
        <link rel="stylesheet" type="text/css" href="css/login.css">
        <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
    </head>

    <body>
        <div class='main'>
            <div class='body'>
                <div class="loginf">
                    <?php
                        if (loggedIn() == true) {
                    ?>
                        <div class='logged'>
                            <div class='logwrapper'>
                                <div class='top'>
                                    <p>Is this you? <a href="home.php">Home</a></p>
                                </div>
                                <div class='img'>
                                    <img src="images/users/<?php echo $avatar;?>">
                                </div>
                                <div class='info'>
                                    <h3><?php echo $firstname . ' ' . $middlename . ' ' . $lastname;?></h3>
                                    <div class='subinfo'>
                                        <?php echo $gender;?>
                                        <?php echo $dob;?>
                                        <?php echo $rank;?>
                                        <?php echo $country . ', ' . $city . ' ' . $state; ?>
                                    </div>
                                </div>
                                <div class='bottom'>
                                    <p>You are already logged in. Click here to <a href="logout.php">logout.</a></p>
                                </div>
                            </div>
                        </div>
                    <?php
                        } else {
                    ?>
                    <form method="post">
                            <?php
                                if (isset($_POST['submit'])) {
                                    $username = stripcslashes(mysqli_real_escape_string($mysqli, $_POST['username']));
                                    $password = stripcslashes(mysqli_real_escape_string($mysqli, $_POST['password']));
                                    $pw = sha1($password);

                                    if (empty($username) && empty($password)) {
                                        echo 'Username and Password cannot be empty';
                                    } else {
                                        $check_login = mysqli_query($mysqli, "SELECT * FROM users WHERE username = '$username' AND password = '$pw' LIMIT 1") or die(mysqli_error($mysqli));
                                        $rows = mysqli_num_rows($check_login);
                                        if ($rows == 1) {
                                            mysqli_query($mysqli, "UPDATE users SET login_ip = '$ipaddress' WHERE username = '$username' ") or die(mysqli_error($mysqli));
                                            $_SESSION['username'] = $username;
                                            header('location: home.php');
                                        } else {
                                            echo 'Your entries are Invalid';
                                        }
                                    }
                                }
                            ?>
                        <div class="input-group margin-bottom-sm">
                          <span class="input-group-addon"><i class="fa fa-user fa-fw"></i></span>
                          <input class="form-control" name='username' type="text" placeholder="Username...">&nbsp;&nbsp;<a href="forgot.php?forgot=username">Forgot Username?</a>
                        </div>
                        <div class="input-group">
                          <span class="input-group-addon"><i class="fa fa-key fa-fw"></i></span>
                          <input class="form-control" name='username' type="password" placeholder="Password...">&nbsp;&nbsp;<a href="forgot.php?forgot=password">Forgot Password?</a>
                        </div>
                        <div class="input-group">
                            <input class="form-control" name="submit" type="submit" value="Login">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="register.php">Don't have an account?</a>
                        </div>
                    </form>
                    <?php
                        }
                    ?>
                    <script>
                    function clearAutofill() {
                        if ( navigator.userAgent.toLowerCase().indexOf('chrome') >= 0 ) {
                            $('input[autocomplete="off"]').each( function(){
                                $(this).val('');
                            });
                        }
                    }

                    setTimeout(clearAutofill,500);
                    </script>
                </div>
            </div>
        </div>
    </body>
</html>

PS: session_start(); is in the functions file! Also if you need more code please ask! Thanks in advance.

1 Answer

You have two inputs bearing the same name attribute, name='username':

<input class="form-control" name='username' type="text" placeholder="Username...">
<input class="form-control" name='username' type="password" placeholder="Password...">

Your password input should be named "password" and not "username".

Sidenotes:

  • It's best to add exit; after your header, otherwise your code may want to continue executing.

  • Regarding the use of stripcslashes(); I cannot say for certain, but it may/could be doing some harm and stripping possible valid characters, especially for hashes. If you're still experiencing difficulties, try to remove it from your code.


Regarding password storage

I noticed you are using sha1 for password storage. It's not the best nowadays.
Consult my footnotes about this.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.

For PHP < 5.5 use the password_hash() compatibility pack.


Pulled from ircmaxell's answer https://stackoverflow.com/a/29778421/ which uses PDO with prepared statements and password_hash().

Just use a library. Seriously. They exist for a reason.

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

$dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

And on login:

$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
// execute() returns a bool; the rows are fetched from the statement itself
$stmt->execute([$_POST['username']]);
$users = $stmt->fetchAll(PDO::FETCH_OBJ);
if (isset($users[0])) {
    if (password_verify($_POST['password'], $users[0]->password)) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Error reporting should only be done in staging, and never production.


Footnotes:

Here are a few articles on sha1 that you may want to read:

Funk Forty Niner
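An added example (not part of the answer above or of ircmaxell's post) of moving existing sha1 rows to password_hash() without forcing password resets: each legacy row is verified once and re-hashed at the next successful login. The users table layout, the 40-hex-character legacy format and the login() helper name are assumptions; the in-memory SQLite database and the sample user are constructed so the block runs on its own.

```php
<?php
// Added example: upgrade legacy sha1() password rows to password_hash() at login.
// Table layout and the login() helper are assumptions, not the asker's schema.

function login(PDO $dbh, string $username, string $password): bool
{
    $stmt = $dbh->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;                       // unknown username
    }
    $stored = $user['password'];

    // Legacy rows hold a bare 40-character hex SHA-1 digest.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{40}$/i', $stored);
    if ($isLegacy) {
        // hash_equals() compares in constant time.
        $ok = hash_equals(strtolower($stored), sha1($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;                       // wrong password
    }

    // Re-hash legacy rows, and modern rows whose algorithm or cost is outdated.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $dbh->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $user['id']]);
    }
    return true;
}

// Constructed demo data: in-memory SQLite with one legacy sha1 user.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$dbh->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
    ->execute(['alice', sha1('correct horse')]);

var_dump(login($dbh, 'alice', 'wrong'));          // attempt with a wrong password
var_dump(login($dbh, 'alice', 'correct horse'));  // legacy check, then the row is upgraded
$row = $dbh->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
var_dump(password_get_info($row)['algoName']);    // algorithm of the stored hash after upgrade
var_dump(login($dbh, 'alice', 'correct horse'));  // now checked by password_verify()
```

The password column must be wide enough for the new hashes; the PHP manual recommends 255 characters, which a column sized for a 40-character sha1 digest will not hold.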
  • Thanks, I'm so dumb, how could I not see that >.>. Also what's with the change of hash, first when I started I used `md5` (not safe anymore) then `sha1` (now it's not the best), now `password_hash`. And I am not really good with `PDO` and thanks for the links, I will look into them. :D – Clement Abel May 01 '15 at 02:40
  • No problem. Also I need one more thing, my `$ipaddress` keeps coming out as ::1 in the database, could you please help me figure out how to make it say the real IPv4 of the user? Thanks in advance! – Clement Abel May 01 '15 at 02:50
  • @ClementAbel `::1` is localhost and since your PHP was probably built with IPv6, you got it in this format – Rizier123 May 01 '15 at 07:57
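On the `login_ip` value discussed in the comments above, an added example (not code from the question, the answer or the commenters) of picking the address to store: it starts from REMOTE_ADDR and reads X-Forwarded-For only when the peer is a proxy you operate, since forwarding headers are ordinary request data. TRUSTED_PROXIES, client_ip() and all addresses are constructed, and it assumes a single reverse proxy that appends the peer address to the header.

```php
<?php
// Added example: choose the address to store in login_ip.
// TRUSTED_PROXIES and client_ip() are hypothetical names; all addresses are constructed.

const TRUSTED_PROXIES = ['127.0.0.1', '::1'];   // assumption: your own reverse proxy

function client_ip(array $server): string
{
    // REMOTE_ADDR is the TCP peer address, filled in by the web server.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return 'UNKNOWN';
    }
    // Forwarding headers are request data; read one only when the peer is a trusted proxy.
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // An appending proxy adds the address it saw last, so take the right-most entry.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $peer;
}

// Constructed requests: a direct client sending its own header, a proxied client,
// and a browser on the same machine connecting over IPv6 loopback.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'];
$proxied = ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.23'];
$local   = ['REMOTE_ADDR' => '::1'];

foreach ([$direct, $proxied, $local] as $req) {
    echo client_ip($req), PHP_EOL;
}
```

When the value is written to the users table, bind it as a statement parameter like the username rather than interpolating it into the UPDATE string.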