2

Good evening,

I have XAMPP set up on my home PC and I am learning to build my own websites. I have set up PHP scripting for user accounts.

I have come across a problem which I have no idea how to solve. I will always attempt to solve issues on my own but I can't fathom what this is....

I have my login/register PHP scripts all set up.

I can register absolutely fine and my SQL database is updated with the registration details (username, password, email, phone, town).

My issue is that when I try to log in to the user account that I registered with, it sends me to my login_fail.php page and I can't understand why it's doing this. I think it may be due to my ELSE statement at the bottom of the checklogin?

My checklogin.php script is shown below:

```php
<?php
// setting the variables
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name="test"; // Database name 
$tbl_name="members"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection 
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file main login
session_start();
$_SESSION["loggedin"] = 'true';
header("location: main_login.php");
die();
}

else {
header("location: login_fail.php");
die();
}
?>
```

My register.php is below:

```php
<?php  
// Connects to your Database   
mysql_connect("localhost", "root", "") or 
die(mysql_error());   
mysql_select_db("test") or die(mysql_error());
//This code runs if the form has been submitted  
if (isset($_POST['submit']))     
 //This makes sure they did not leave any fields blank  
if (!$_POST['username'] | !$_POST['password'] | !$_POST['email'] | !$_POST['phone'] | !$_POST['town'] ) {  
header("location: login_fail.php");  
die();
}    
// checks if the email is in use  
if (!get_magic_quotes_gpc()) {  
$_POST['email'] = addslashes($_POST['email']);  
}  
$emailcheck = $_POST['email'];  
$check = mysql_query("SELECT email FROM members WHERE email = '$emailcheck'")   
or die(mysql_error());  
$check2 = mysql_num_rows($check);    
//if the name exists it gives an error  
if ($check2 != 0) {  
header("location: login_fail.php");  
die(); 
}   
// here we encrypt the password and add slashes if needed  
$_POST['password'] = md5($_POST['password']);  
if (!get_magic_quotes_gpc()) {  
$_POST['password'] = addslashes($_POST['password']);  
$_POST['username'] = addslashes($_POST['username']);  
}    
// now we insert it into the database  
$insert = "INSERT INTO members (username, password, email, phone, town)  
VALUES ('".$_POST['username']."', '".$_POST['password']."', '".$_POST['email']."', '".$_POST['phone']."', '".$_POST['town']."')";  
$add_member = mysql_query($insert); 
header("location: register_success.php");
die();
?>  
```

My login table (don't know if it's of any use?):

            <table width="300" border="0" margin-bottom= "5%" align="left" cellpadding="0" cellspacing="1" bgcolor="none">
                        <tr>
                            <form name="form1" method="post" action="checklogin.php">
                                    <td>
                                        <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
                                        <tr>
                                        <td colspan="3"><strong>Member Login </strong></td>
                                        </tr>
                                        <tr>
                                        <td width="78">Username</td>
                                        <td width="6">:</td>
                                        <td width="294"><input name="myusername" type="text" id="myusername"></td>
                                        </tr>
                                        <tr>
                                        <td>Password</td>
                                        <td>:</td>
                                        <td><input name="mypassword" type="text" id="mypassword"></td>
                                        </tr>
                                        <tr>
                                        <td>&nbsp;</td>
                                        <td>&nbsp;</td>
                                        <td><input type="submit" name="Submit" value="Login"></td>
                                        </tr>
                                        </table>
                                    </td>
                            </form>
                    </tr>
            </table> 

In my SQL database the passwords are encrypted still.

If I change a user password in MySQL I can log in fine, but just after registration (using the original credentials) I can't log in...

Any ideas?

Much appreciated.

Stan.

Stan Howe
  • In register you are saving the password with md5, then you must use md5 in login also – devpro Dec 23 '15 at 21:26
  • It's time to step into *The 21st Century*. A LOT of water's gone under the bridge in over 30 years. I hope this isn't intended to be a live site. – Funk Forty Niner Dec 23 '15 at 21:29
  • Make sure your password column can store the length of the **encrypted** password, not just the **unencrypted** password. Had to help someone with that here: http://stackoverflow.com/questions/27207046/trying-to-retrieve-password-from-database/27207464#27207464, that is once you start comparing encrypted to encrypted, not sure if that would even be an issue with md5 I was using SHA – Chris Trudeau Dec 23 '15 at 21:30
  • `sed 's/encrypt/hash/g'` on this whole Q/A – Dan Dec 23 '15 at 21:37
  • what everyone failed to notice is their use of a single pipe `|` on the conditionals (probably irrelevant to the login though), and this conditional statement failure `if (isset($_POST['submit']))` and also not using proper bracing techniques. I can't possibly see how that even works to start with. The whole thing should be abandoned and using something more efficient and again, ***of THIS century***. Personally, I think this question's a waste of everyone's time. – Funk Forty Niner Dec 23 '15 at 21:42
  • @Fred thanks for the feedback but did you not fail to notice I stated I am learning to make websites and write PHP, not all of us are experts :) – Stan Howe Dec 23 '15 at 22:03
  • The end of all your worries, are [right here...](http://stackoverflow.com/a/29778421/) – Funk Forty Niner Dec 23 '15 at 22:06
  • Thank you I will check this out – Stan Howe Dec 23 '15 at 22:14

4 Answers

1

You say that your database is storing passwords encrypted, but you're not checking an encrypted password.

You're getting the password:

```php
$mypassword=$_POST['mypassword']; 
$mypassword = stripslashes($mypassword);
```

and checking that directly.

You need to encrypt the password submitted via login first, then check the encrypted version against the one stored in the DB.

Essentially, use the same code you use in registering.

Darren Wainwright
  • Nice one, agreed: if you want to use an encrypted password then use it in both locations, else don't use it in either – devpro Dec 23 '15 at 21:37
  • Ok so in the login script I need to use md5 instead of the stripslashes? Or do I use both md5 and stripslashes together? Any chance of a demo line I can work with? – Stan Howe Dec 23 '15 at 21:38
  • Stripslashes is a security check and md5 is for your encrypted value, as I mentioned in my example – devpro Dec 23 '15 at 21:41
  • @StanHowe You shouldn't use the `*slash` functions for DB security. You should update your driver and use parameterized queries. From the manual `Please note that use of addslashes() for database parameter escaping can be cause of security issues on most databases.` - http://php.net/manual/en/function.addslashes.php – chris85 Dec 23 '15 at 21:42
  • I'd have a second (long) look at their code and [a comment I left](http://stackoverflow.com/questions/34443888/i-cant-login-with-my-sql-credentials-used-when-registering#comment56630065_34443888) about it under the guy's question. I'm having a fire going right now... – Funk Forty Niner Dec 23 '15 at 21:54
1

Use the md5() function when you log in, like this:

```php
$mypassword = mysql_real_escape_string($mypassword); 
$mypassword=md5($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
```

Because you are saving the password field as md5() in registration.

devpro
  • @stan-howe: good to know. Now one more thing: choose the best answer and mark it as accepted because it will help others ..... congratulations – devpro Dec 23 '15 at 23:19
0

Replace `$mypassword = stripslashes($mypassword);` with `$mypassword = md5($mypassword);`

aw31n
0

On login you should be doing this:

```php
$mypassword=md5($_POST['mypassword']);
```

Can you please also upgrade your code to MySQLi_* functions as MySQL_* functions are deprecated.

Also, I would like to mention the security of using the MD5 hash. MD5($password) isn't deemed to be a secure way of hashing passwords anymore as it's quite easy to crack these hashes, especially without any salt appended to them. There are databases of billions of MD5 hashes to compare to online, please don't use the MD5 hash function for passwords. Look into the password_hash function.

Matt
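
The direction the last answer and chris85's comment point to (`password_hash` plus parameterized queries), as an added example that is not part of any answer on this page. It assumes PDO with an in-memory SQLite database as a stand-in for the MySQL `members` table; the function names `register_member` and `check_login` are hypothetical.

```php
<?php
// Added example, not code from the question or its answers.
// Assumption: PDO with in-memory SQLite stands in for the MySQL `members` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The password column is 255 wide so the stored hash is never truncated.
$pdo->exec('CREATE TABLE members (
    username VARCHAR(64) PRIMARY KEY,
    password VARCHAR(255) NOT NULL
)');

// Hypothetical helper: store a salted hash, never the password or a bare md5().
function register_member(PDO $pdo, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
    try {
        return $stmt->execute([$username, $hash]);
    } catch (PDOException $e) {
        return false; // insert rejected, e.g. the username already exists
    }
}

// Hypothetical helper: fetch the row by username only, then verify in PHP.
// The hash cannot be matched in the WHERE clause because each one carries
// its own random salt.
function check_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown username
    }
    return password_verify($password, $stored);
}

// Constructed sample credentials; the values are bound as parameters, so
// quotes in them need no stripslashes()/addslashes() handling.
var_dump(register_member($pdo, 'stan', "it's a secret"));
var_dump(check_login($pdo, 'stan', "it's a secret"));
var_dump(check_login($pdo, 'stan', 'wrong password'));
var_dump(check_login($pdo, 'stan', md5("it's a secret")));
```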