Page 1 of 1

php not recognizing password

Posted: Tue Mar 30, 2010 5:48 pm
by Obadiah
Ive had to make a couple of changes to my database and ive had to implement these changes in my code. Now (for some reason) when I run my old working script it checks the database for the user name and password...passes for the username but has trouble resolving the password...i feel its a simple fix just need a fresh pair of eyes...when it runs it says that the username is correct but i have an incorrect password(even when i entered a new password or fresh record) many thanks in advance devnet!

the username field in sql is user_id
the password field in sql is user_pass

here is the array

Code: Select all

$fields_1 =   array("fusername" => "User Name",
                            "fpassword"  => "Password"
                   );
$length_1 =   array("fusername" => "10",
                             "fpassword" => "10"
                   );

here is the login script

Code: Select all

<?php
/* Program: Login.php
 */
  session_start();
  include("functions_main.inc");
  $table_name = "users";
  $next_program = "home.php";
  
  switch (@$_POST['Button'])
  {
    case "Login":
      $cxn = Connect_to_db("Vars.inc");
      $sql = "SELECT user_id FROM $table_name 
              WHERE user_id='$_POST[fusername]'";
      $result = mysqli_query($cxn,$sql)
                  or die("Couldn't execute query 1");
      $num = mysqli_num_rows($result);
      if($num == 1)
      {
         $sql = "SELECT user_id FROM $table_name 
              WHERE user_id='".mysqli_real_escape_string($cxn,$_POST['fusername'])."'
              AND user_pass=md5('$_POST[fpassword]')";
         $result2 = mysqli_query($cxn,$sql)
                   or die("Couldn't execute query 2.");  
         $row = mysqli_fetch_assoc($result2);
         if($row)
         {
           $_SESSION['auth']="yes";
           $_SESSION['logname'] = mysqli_real_escape_string($cxn,$_POST['fusername']);
           header("Location: $next_program");
         }
         else
         {
/*this is the message that keeps displaying even though the password is correct*/

           $message_1="The Login Name, '$_POST[fusername]' 
                   exists, but you have not entered the 
                   correct password! Please try again.<br>";
           extract($_POST);
           include("fields_login.inc");
           include("double_form.inc");
         }

      }
      elseif ($num == 0)  // login name not found
      {
         $message_1 = "The User Name you entered does not 
                       exist! Please try again.<br>";
         include("fields_login.inc");
         include("double_form.inc");
      }
    break;
    case "Register":
      /* Check for blanks */
      foreach($_POST as $field => $value)
      {
        if ($field != "fax")
        {
          if ($value == "")
          {
               $blanks[] = $field;
          }
        }
      }
      if(isset($blanks))
      {
          $message_2 = "The following fields are blank. 
                Please enter the required information:  ";
          foreach($blanks as $value)
          {
            $message_2 .="$value, ";
          }
          extract($_POST);
          include("fields_login.inc");
          include("double_form.inc");
          exit();
      }
      /* validate data */
      foreach($_POST as $field => $value)
      {
        if(!empty($value))
        {
          if(eregi("name",$field) and
             !eregi("user",$field) and !eregi("log",$field))
          {
             if (!ereg("^[A-Za-z' -]{1,50}$",$value)) 
             {
                $errors[] = "$value is not a valid name."; 
             }
          }
          if(eregi("street",$field)or eregi("addr",$field) or
             eregi("city",$field))
          {
             if(!ereg("^[A-Za-z0-9.,' -]{1,50}$",$value))
             {
                $errors[] = "$value is not a valid address
                              or city.";
             }
          }
          if(eregi("state",$field))
          {
             if(!ereg("[A-Za-z]",$value))
             {
                $errors[] = "$value is not a valid state.";
             }
          }
          if(eregi("email",$field))
          {
             if(!ereg("^.+@.+\\..+$",$value))
             {
                $errors[] = "$value is not a valid email
                             address.";
             }
          }
          if(eregi("zip",$field))
          {
             if(!ereg("^[0-9]{5,5}(\-[0-9]{4,4})?$",$value))
             {
                $errors[] = "$value is not a valid zipcode.";
             }
          }
          if(eregi("phone",$field) or eregi("fax",$field))
          {
             if(!ereg("^[0-9)(xX -]{7,20}$",$value))
             {
                $errors[] = "$value is not a valid phone 
                             number. ";
             }
          }
        }
      }
      foreach($_POST as $field => $value)
      {
        if($field != "Button")
        {
           if($field == "password")
           {
              $password = strip_tags(trim($value));
           }
           else
           {
              $fields[]=$field;
              $value = strip_tags(trim($value));
              $values[] = addslashes($value);
              $$field = $value;                 
           }
        }
      }
      if(@is_array($errors))
      {
        $message_2 = "";
        foreach($errors as $value)
        {
           $message_2 .= $value." Please try again<br />";
        }
        include("fields_login.inc");
        include("double_form.inc");
        exit();
      } 
      $user_name = $_POST['user_name'];

      /* check to see if user name already exists */
      $cxn = Connect_to_db("Vars.inc");
      $sql = "SELECT user_id FROM $table_name 
                WHERE user_id='$user_name'";
      $result = mysqli_query($cxn,$sql)
                or die("Couldn't execute query.");
      $num = mysqli_num_rows($result);
      if ($num > 0)
      {
        $message_2 = "$user_name already used. Select another
                         User Name.";
        include("fields_login.inc");
        include("double_form.inc");
        exit();
      }
      else
      {   
        $today = date("Y-m-d");
        $fields_str = implode(",",$fields);
        $values_str = implode('","',$values);
        $fields_str .=",create_date";
        $values_str .='"'.",".'"'.$today;
        $fields_str .=",password";
        $values_str .= '"'.","."md5"."('".$password."')";
        $sql = "INSERT INTO $table_name ";
        $sql .= "(".$fields_str.")";
        $sql .= " VALUES ";
        $sql .= "(".'"'.$values_str.")";
        mysqli_query($cxn,$sql) or die(mysqli_error($cxn));
        $_SESSION['auth']="yes";
        $_SESSION['logname'] = $user_name;
        /* send email to new Customer */
        $emess = "You have successfully registered. ";
        $emess .= "Your new user name and password are: ";
        $emess .= "\n\n\t$user_name\n\t";
        $emess .= "password\n\n";
        $emess .= "We appreciate your interest. \n\n";
        $emess .= "If you have any questions or problems,";
        $emess .= " email service@ourstore.com";
        $subj = "Your new customer registration";
        #$mailsend=mail("$email","$subj","$emess");
        header("Location: $next_program?user='.$user_name");
      }
    break;

    default:
           include("fields_login.inc");
           include("double_form.inc");
  }
?>

Re: php not recognizing password

Posted: Wed Mar 31, 2010 12:54 am
by Obadiah
i fixed it guys...i had the password field declared as a varchar instead of a char....ajnd i feel like a big NOOBHEAD! :oops: ...thanks devnet

Re: php not recognizing password

Posted: Wed Mar 31, 2010 11:28 am
by Weiry
can i give you a suggestion?
Change

Code: Select all

 $sql = "SELECT user_id FROM $table_name 
              WHERE user_id='$_POST[fusername]'";
into:

Code: Select all

$sql = sprintf("SELECT `user_id` FROM `%s` WHERE user_id='%s'",
              mysql_real_escape_string($table_name),
              mysql_real_escape_string($_POST['fusername'])
);
You should always escape anything going into a query as it helps prevent SQL injection.
Also try to use

Code: Select all

` `
around table names and field names.. ive seen problems where people didnt have them and couldnt execute an sql script.
Make sure you always use ' ' around items in an array. (yes $_POST is an array)
So.. $_POST['fusername'];
Array do's and don'ts - Why is $foo[bar] wrong?

Re: php not recognizing password

Posted: Wed Mar 31, 2010 11:42 am
by pickle
As far as error messages go, you shouldn't specify if the username was right and the password was wrong. Have only 1 error message saying "Username or password were wrong". This makes it harder for people to figure out valid usernames and guess passwords from there.

Re: php not recognizing password

Posted: Wed Mar 31, 2010 11:22 pm
by Obadiah
thanks bro...i will implement that!