php not recognizing password

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
User avatar
Obadiah
Forum Regular
Posts: 580
Joined: Mon Jul 31, 2006 9:13 am
Location: Ashland, KY
Contact:

php not recognizing password

Post by Obadiah »

Ive had to make a couple of changes to my database and ive had to implement these changes in my code. Now (for some reason) when I run my old working script it checks the database for the user name and password...passes for the username but has trouble resolving the password...i feel its a simple fix just need a fresh pair of eyes...when it runs it says that the username is correct but i have an incorrect password(even when i entered a new password or fresh record) many thanks in advance devnet!

the username field in sql is user_id
the password field in sql is user_pass

here is the array

Code: Select all

$fields_1 =   array("fusername" => "User Name",
                            "fpassword"  => "Password"
                   );
$length_1 =   array("fusername" => "10",
                             "fpassword" => "10"
                   );

here is the login script

Code: Select all

<?php
/* Program: Login.php
 */
  session_start();
  include("functions_main.inc");
  $table_name = "users";
  $next_program = "home.php";
  
  switch (@$_POST['Button'])
  {
    case "Login":
      $cxn = Connect_to_db("Vars.inc");
      $sql = "SELECT user_id FROM $table_name 
              WHERE user_id='$_POST[fusername]'";
      $result = mysqli_query($cxn,$sql)
                  or die("Couldn't execute query 1");
      $num = mysqli_num_rows($result);
      if($num == 1)
      {
         $sql = "SELECT user_id FROM $table_name 
              WHERE user_id='".mysqli_real_escape_string($cxn,$_POST['fusername'])."'
              AND user_pass=md5('$_POST[fpassword]')";
         $result2 = mysqli_query($cxn,$sql)
                   or die("Couldn't execute query 2.");  
         $row = mysqli_fetch_assoc($result2);
         if($row)
         {
           $_SESSION['auth']="yes";
           $_SESSION['logname'] = mysqli_real_escape_string($cxn,$_POST['fusername']);
           header("Location: $next_program");
         }
         else
         {
/*this is the message that keeps displaying even though the password is correct*/

           $message_1="The Login Name, '$_POST[fusername]' 
                   exists, but you have not entered the 
                   correct password! Please try again.<br>";
           extract($_POST);
           include("fields_login.inc");
           include("double_form.inc");
         }

      }
      elseif ($num == 0)  // login name not found
      {
         $message_1 = "The User Name you entered does not 
                       exist! Please try again.<br>";
         include("fields_login.inc");
         include("double_form.inc");
      }
    break;
    case "Register":
      /* Check for blanks */
      foreach($_POST as $field => $value)
      {
        if ($field != "fax")
        {
          if ($value == "")
          {
               $blanks[] = $field;
          }
        }
      }
      if(isset($blanks))
      {
          $message_2 = "The following fields are blank. 
                Please enter the required information:  ";
          foreach($blanks as $value)
          {
            $message_2 .="$value, ";
          }
          extract($_POST);
          include("fields_login.inc");
          include("double_form.inc");
          exit();
      }
      /* validate data */
      foreach($_POST as $field => $value)
      {
        if(!empty($value))
        {
          if(eregi("name",$field) and
             !eregi("user",$field) and !eregi("log",$field))
          {
             if (!ereg("^[A-Za-z' -]{1,50}$",$value)) 
             {
                $errors[] = "$value is not a valid name."; 
             }
          }
          if(eregi("street",$field)or eregi("addr",$field) or
             eregi("city",$field))
          {
             if(!ereg("^[A-Za-z0-9.,' -]{1,50}$",$value))
             {
                $errors[] = "$value is not a valid address
                              or city.";
             }
          }
          if(eregi("state",$field))
          {
             if(!ereg("[A-Za-z]",$value))
             {
                $errors[] = "$value is not a valid state.";
             }
          }
          if(eregi("email",$field))
          {
             if(!ereg("^.+@.+\\..+$",$value))
             {
                $errors[] = "$value is not a valid email
                             address.";
             }
          }
          if(eregi("zip",$field))
          {
             if(!ereg("^[0-9]{5,5}(\-[0-9]{4,4})?$",$value))
             {
                $errors[] = "$value is not a valid zipcode.";
             }
          }
          if(eregi("phone",$field) or eregi("fax",$field))
          {
             if(!ereg("^[0-9)(xX -]{7,20}$",$value))
             {
                $errors[] = "$value is not a valid phone 
                             number. ";
             }
          }
        }
      }
      foreach($_POST as $field => $value)
      {
        if($field != "Button")
        {
           if($field == "password")
           {
              $password = strip_tags(trim($value));
           }
           else
           {
              $fields[]=$field;
              $value = strip_tags(trim($value));
              $values[] = addslashes($value);
              $$field = $value;                 
           }
        }
      }
      if(@is_array($errors))
      {
        $message_2 = "";
        foreach($errors as $value)
        {
           $message_2 .= $value." Please try again<br />";
        }
        include("fields_login.inc");
        include("double_form.inc");
        exit();
      } 
      $user_name = $_POST['user_name'];

      /* check to see if user name already exists */
      $cxn = Connect_to_db("Vars.inc");
      $sql = "SELECT user_id FROM $table_name 
                WHERE user_id='$user_name'";
      $result = mysqli_query($cxn,$sql)
                or die("Couldn't execute query.");
      $num = mysqli_num_rows($result);
      if ($num > 0)
      {
        $message_2 = "$user_name already used. Select another
                         User Name.";
        include("fields_login.inc");
        include("double_form.inc");
        exit();
      }
      else
      {   
        $today = date("Y-m-d");
        $fields_str = implode(",",$fields);
        $values_str = implode('","',$values);
        $fields_str .=",create_date";
        $values_str .='"'.",".'"'.$today;
        $fields_str .=",password";
        $values_str .= '"'.","."md5"."('".$password."')";
        $sql = "INSERT INTO $table_name ";
        $sql .= "(".$fields_str.")";
        $sql .= " VALUES ";
        $sql .= "(".'"'.$values_str.")";
        mysqli_query($cxn,$sql) or die(mysqli_error($cxn));
        $_SESSION['auth']="yes";
        $_SESSION['logname'] = $user_name;
        /* send email to new Customer */
        $emess = "You have successfully registered. ";
        $emess .= "Your new user name and password are: ";
        $emess .= "\n\n\t$user_name\n\t";
        $emess .= "password\n\n";
        $emess .= "We appreciate your interest. \n\n";
        $emess .= "If you have any questions or problems,";
        $emess .= " email service@ourstore.com";
        $subj = "Your new customer registration";
        #$mailsend=mail("$email","$subj","$emess");
        header("Location: $next_program?user='.$user_name");
      }
    break;

    default:
           include("fields_login.inc");
           include("double_form.inc");
  }
?>
User avatar
Obadiah
Forum Regular
Posts: 580
Joined: Mon Jul 31, 2006 9:13 am
Location: Ashland, KY
Contact:

Re: php not recognizing password

Post by Obadiah »

i fixed it guys...i had the password field declared as a varchar instead of a char....ajnd i feel like a big NOOBHEAD! :oops: ...thanks devnet
User avatar
Weiry
Forum Contributor
Posts: 323
Joined: Wed Sep 09, 2009 5:55 am
Location: Australia

Re: php not recognizing password

Post by Weiry »

can i give you a suggestion?
Change

Code: Select all

 $sql = "SELECT user_id FROM $table_name 
              WHERE user_id='$_POST[fusername]'";
into:

Code: Select all

$sql = sprintf("SELECT `user_id` FROM `%s` WHERE user_id='%s'",
              mysql_real_escape_string($table_name),
              mysql_real_escape_string($_POST['fusername'])
);
You should always escape anything going into a query as it helps prevent SQL injection.
Also try to use

Code: Select all

` `
around table names and field names.. ive seen problems where people didnt have them and couldnt execute an sql script.
Make sure you always use ' ' around items in an array. (yes $_POST is an array)
So.. $_POST['fusername'];
Array do's and don'ts - Why is $foo[bar] wrong?
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: php not recognizing password

Post by pickle »

As far as error messages go, you shouldn't specify if the username was right and the password was wrong. Have only 1 error message saying "Username or password were wrong". This makes it harder for people to figure out valid usernames and guess passwords from there.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
User avatar
Obadiah
Forum Regular
Posts: 580
Joined: Mon Jul 31, 2006 9:13 am
Location: Ashland, KY
Contact:

Re: php not recognizing password

Post by Obadiah »

thanks bro...i will implement that!
Post Reply