Password Confirmation HELP

Posted: Wed Jun 16, 2010 8:28 pm
by Tenaciousmug
Ok this is my whole code to the login/registration. I have finally got the real_escape_string's to work finally, but I have a username, Dyl, in the database with the password assigned to it. Well every time I log in with it, it is saying "Dyl is an existing username, but the password is not correct" when it is. So obviously there is a simple error SOMEWHERE. And I just can't find it. Hopefully someone can help me with this.

Code:

<?php
session_start();
switch (@$_POST['Button'])
{
	case "Log in":
	include("haha.php");
	$cxn = mysqli_connect($host,$user,$password,$database);
	$fusername = $cxn->real_escape_string($_POST['fusername']);
	$sql = "SELECT `username` FROM `Member` WHERE `username`='$fusername'";
	$result = mysqli_query($cxn,$sql) or die("Query died: fusername");
	$num = mysqli_num_rows($result);
	if($num > 0)
	//username was found
	{
		$fpassword = $cxn->real_escape_string($_POST['fpassword']);
		$sql = "SELECT `username` FROM `Member` WHERE `username`='$fusername' AND `password`=md5('$fpassword')";
		$result2 = mysqli_query($cxn,$sql) or die("Query died: fpassword");
		$num = mysqli_num_rows($result2);
		if($num > 0) //password matches
		{
			$_SESSION['auth']="yes";
			$_SESSION['username'] = $fusername;
			$sql = "INSERT INTO Login (username,loginTime) VALUES ('$fusername',NOW())";
			$result = mysqli_query($cxn,$sql) or die("Query died: insert");
			header("Location: testing.php");
		}
		else
		{
			$message_1="The username, '$fusername' exists. However you have not entered the correct password! Please try again.";
			$fusername=strip_tags(trim($fusername));
			include("login_form2.php");
		}
	}
	else // username was not found
	{
		$message_1 = "The username you entered does not exist! Please try again.";
		include("login_form2.php");
	}
	break;

	case "Register":
	/* Check for blanks */
	foreach($_POST as $field => $value)
	{
		if(empty($value))
		{
			$blanks[] = $field;
		}
		else
		{
			$good_data[$field] = strip_tags(trim($value));
		}
	}
	if(isset($blanks))
	{
		$message_2 = "The following fields are blank. Please enter the required information: ";
		foreach($blanks as $value)
		{
		$message_2 .="$value, ";
		}
		extract($good_data);
		include("login_form2.php");
		exit();
	}
	/* validate data */
	foreach($_POST as $field => $value)
	{
		if(!empty($value))
		{
			if(preg_match("/name/i",$field) and !preg_match("/user/i",$field) and !preg_match("/log/i",$field))
			{
				if(!preg_match("/^[A-Za-z' -]{1,15}$/",$value))
				{
					$errors[] = "$value is not a valid name. ";
				}
			}
			if(preg_match("/email/i",$field))
			{
				if(!preg_match("/^.+@.+\\..+$/",$value))
				{
					$errors[]="$value is not a valid email address.";
				}
			}
		} // end if not empty
	}
	foreach($_POST as $field => $value)
	{
		$$field = strip_tags(trim($value));
	}
	if(@is_array($errors))
	{
		$message_2 = "";
		foreach($errors as $value)
		{
			$message_2 .= $value." Please try again";
		}
		include("login_form2.php");
		exit();
	} //end if errors are found

	/* check to see if username already exists */
	include("haha.php");
	$cxn = mysqli_connect($host,$user,$password,$database) or die("Couldn't connect to server");
	$username = $cxn->real_escape_string($username);
	$sql = "SELECT `username` FROM `Member` WHERE `username`='$username'";
	$result = mysqli_query($cxn,$sql) or die("Query died: username.");
	$num = mysqli_num_rows($result);
	if($num > 0)
	{
		$message_2 = "$username already exists. Select another username.";
		include("login_form2.php");
		exit();
	} // end if username already exists
	else // add new member to database
	{
		$sql = "INSERT INTO Member (username,createDate,password,firstName,email) VALUES ('$username',NOW(),md5('$password'),'$firstName','$email')";
		mysqli_query($cxn,$sql);
		$_SESSION['auth']="yes";
		$_SESSION['username'] = $username;
		header("Location: testing.php");
	}
	break;

	default:
	include("login_form2.php");
}
?>

Re: Password Confirmation HELP

Posted: Wed Jun 16, 2010 8:34 pm
by PHPHorizons
Hello Tenaciousmug,

I don't see anything right off the bat. Have you tried to do something like echoing out the md5 hash of your password and comparing that to what is stored in the db? Doing that will tell us right away if the problem is on the registration or login side of things.

You can make a script and hard code your password so that you can see what it is hashed:

Code:

<?php
echo md5('my_password');

Cheers

Re: Password Confirmation HELP

Posted: Wed Jun 16, 2010 8:48 pm
by Tenaciousmug
Umm... I'm REALLY confused on what you are saying, but I hope whatever you're saying works. But I don't really know where to begin since I don't really understand what you're saying.
But thank you for being so nice. I really do appreciate that. I have people helping me that are VERY rude.

Re: Password Confirmation HELP

Posted: Thu Jun 17, 2010 7:24 am
by PHPHorizons
Make a new PHP script with the following code:

Code:

<?php
echo md5('my_password');

Replace 'my_password' with your actual password.

Run the script.

See the result of the script. You will see a 32 character length string appear on the page. Copy that result and paste it into an empty text file.

Open up your database using phpMyAdmin or whatever program you use to view your database with.

Run the following query: SELECT `password` FROM `Member`

You may get multiple results. Compare the 32 character length string you copied in the text file to the results from that query. See if you find any matches.

Cheers
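
Added example, not part of any post in this thread: a hardened form of the posted registration and login logic, using mysqli prepared statements with password_hash()/password_verify() instead of md5() inside an interpolated query. In the posted Register case, haha.php is included after the `$$field` loop and before the INSERT, so if that file sets `$password` for mysqli_connect (an assumption, the file is not shown), the value hashed at registration would be the database password rather than the form password; passing the form password as a function argument avoids that collision. The function names and the VARCHAR(255) column width are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes the `Member` table from the
// thread, with `password` widened to VARCHAR(255) to hold password_hash() output.

// Store a new member. The form password arrives as a function argument, so it
// cannot be overwritten by a $password variable set in an included config file.
function register_member(mysqli $cxn, $username, $formPassword, $firstName, $email)
{
    $hash = password_hash($formPassword, PASSWORD_DEFAULT); // salted, slow hash
    $stmt = $cxn->prepare(
        "INSERT INTO Member (username,createDate,password,firstName,email)
         VALUES (?,NOW(),?,?,?)"
    );
    $stmt->bind_param('ssss', $username, $hash, $firstName, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Return true only when the username exists and the password matches.
// One boolean for both failure cases also avoids telling a visitor which
// usernames exist.
function check_login(mysqli $cxn, $username, $formPassword)
{
    $stmt = $cxn->prepare("SELECT `password` FROM `Member` WHERE `username`=?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();          // true if a row was fetched, null if none
    $stmt->close();
    return $found === true && password_verify($formPassword, $storedHash);
}

// Usage (connection variables assumed to come from haha.php, as in the thread):
// include("haha.php");
// $cxn = mysqli_connect($host, $user, $password, $database);
// if (check_login($cxn, $_POST['fusername'], $_POST['fpassword'])) { /* ... */ }
```

Rows already stored with md5() will not verify with password_verify(); those accounts need their passwords set again after the switch.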