
verifying login

Posted: Sat Apr 16, 2016 3:29 pm
by cjkeane
Hi everyone. I'm creating a login script for a project. The code works to log in, except I want it to say "invalid password" if the password is not correct. Right now, it just says 'Your username and password are incorrect' as soon as the page is accessed. I only want that to be displayed if it is in fact incorrect after the submit button is pressed. I also want the username and password fields cleared if the password is incorrect. I've struggled with this for quite a few hours. Does anyone see where my issues are? Any assistance would be helpful. Thanks.

EDIT: I now have the code working with the captcha, and it gives me the error message I wanted. How do you recommend I encrypt a password instead of using an md5 hash?

Code:

<?php
// Session, includes and the POST handling run before any HTML is sent:
// header("Location: ...") only works if nothing has been output yet.
if (session_status() === PHP_SESSION_NONE) { session_start(); }
include("connection.php"); // provides $db, the mysqli connection

$username = "";
$password = "";
$error    = "";

// Nothing is checked, and no message is shown, until the form is actually submitted.
if (isset($_POST['submit'])) {
    $username = isset($_POST['username']) ? trim($_POST['username']) : "";
    $password = isset($_POST['password']) ? $_POST['password'] : "";
    $captcha  = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : "";

    if ($captcha === "") {
        $error = "Missing captcha. Please try again.";
    } else {
        // siteverify answers with JSON, so it must be decoded before 'success' can be read
        // ($response.success is string concatenation in PHP, not property access).
        // The secret key belongs in connection.php or a config file, not in the page itself.
        $verify = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=6LfqjRUTAAAAAMmVW4roXj5QIBlYETR5VNEbSE33"
            . "&response=" . urlencode($captcha) . "&remoteip=" . urlencode($_SERVER['REMOTE_ADDR']));
        $response = json_decode($verify, true);
        if (empty($response['success'])) {
            $error = "Invalid captcha. Please try again.";
        } else {
            // md5 is what this post uses; the replies below explain why it should be password_hash().
            $hash = md5($password);
            // A prepared statement sends the values separately from the SQL, so no escaping is needed.
            $stmt = mysqli_prepare($db, "SELECT uid FROM users WHERE username = ? AND password = ?");
            mysqli_stmt_bind_param($stmt, "ss", $username, $hash);
            mysqli_stmt_execute($stmt);
            mysqli_stmt_store_result($stmt);
            if (mysqli_stmt_num_rows($stmt) === 1) {
                session_regenerate_id(true); // fresh session id once the user is authenticated
                $_SESSION['username'] = $username;
                header("Location: edit-index.php");
                exit;
            }
            $error    = "Invalid username and password combination. Please try again.";
            $username = ""; // clear both fields on a failed login
        }
    }
    $password = "";
}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Login</title>
<link href="login-styles.css" rel="stylesheet" type="text/css" />
<link href="loginmodule.css" rel="stylesheet" type="text/css" />
<script src='https://www.google.com/recaptcha/api.js'></script>
</head>
<body>
    <div class="container">
	<div id="login-form">
		<p><img src="images/logo.png" width="310" height="91" /><br /></p>
		<h3>ADMINISTRATOR Login</h3>
   		<fieldset>
    	  	<form id="loginForm" name="loginForm" method="post" action="">
				<?php if ($error !== "") { echo "<div style='color:red;'>" . htmlspecialchars($error) . "</div>"; } ?>
				<!-- htmlspecialchars() keeps a submitted username from being injected into the page as markup -->
				<input type="text" name="username" placeholder="username" id="username" value="<?php echo htmlspecialchars($username); ?>" required  >
				<!-- the password is never echoed back into the page -->
				<input type="password" name="password" placeholder="password" id="password" value="" required  >
				<input type="submit" name="submit" id="submit" value="Login">
				<div style="color: #000;" class="clearfix">
				<div class="g-recaptcha" data-sitekey="6LfqjRUTAAAAAI-G3YjUZXZeyQWwVmv2lXvVzbya"></div>
				<div style="text-align:left; padding-top:10px;"><strong>General Log In Notes: </strong><br /><br /> Passwords are case sensitive.<br />Usernames are not case sensitive.      </div>
				</div>
			</form>
		</fieldset>
	</div> 
</div>
</body>
</html>
	


Re: verifying login

Posted: Sat Apr 16, 2016 3:56 pm
by Celauran

Code:

$password = md5($password);
It's 2016. You really shouldn't be doing this.

That said

Code:

if(isset($_POST['submit'])) {
    //stuff here
} else {
    echo "<div style='color:red;'>Your username and password are incorrect, please try again.</div>";
If the form is submitted, process the form. Otherwise display an error.

You don't want to process anything until the form has been submitted. No success message, no error message, nothing. Just display the form.

Re: verifying login

Posted: Sat Apr 16, 2016 5:53 pm
by cjkeane
I have added to my code so that not only does it perform an md5 check but also a captcha check. How else would you do this? I was thinking of using bcrypt.
Celauran wrote:

Code:

$password = md5($password);
It's 2016. You really shouldn't be doing this.

Re: verifying login

Posted: Sat Apr 16, 2016 5:58 pm
by Celauran
password_hash currently uses bcrypt under the hood, but will be fairly simple to swap out the underlying algorithm should the need arise.
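As an added example (not code from this thread or from either poster), here is how the two replies above fit together in one login handler: nothing is processed until the form is submitted, the stored value is checked with password_verify() rather than a raw digest compare, and rows still holding a legacy md5 digest are upgraded to a password_hash() value the first time their owner logs in. It assumes the $db mysqli connection from connection.php and the users table from the first post (columns uid, username, password), with the password column widened to at least VARCHAR(255), and that mysqlnd is available for get_result(); the function names are this example's own.

```php
<?php
// Added example, not code from the thread. Assumes $db (mysqli, from
// connection.php) and a users table with uid, username, password, where
// password is at least VARCHAR(255) so a password_hash() value fits.

function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT uid, username, password FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    return $row ?: null;
}

function store_hash(mysqli $db, int $uid, string $hash): void
{
    $stmt = $db->prepare("UPDATE users SET password = ? WHERE uid = ?");
    $stmt->bind_param("si", $hash, $uid);
    $stmt->execute();
}

// Registration side: store the output of password_hash(), never the password or a plain digest.
function create_user(mysqli $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $hash);
    $stmt->execute();
}

// Login side. Returns true only for a matching username/password pair.
function check_login(mysqli $db, string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash("unused", PASSWORD_DEFAULT);
    }

    $row = find_user($db, $username);
    if ($row === null) {
        // Unknown user: still run a verify so the response time does not reveal which usernames exist.
        password_verify($password, $dummy);
        return false;
    }
    $stored = $row["password"];

    // Legacy row: a 32-hex-char md5 digest left over from the old scheme. Check it with a
    // constant-time compare and, on success, replace it with a real password_hash() value.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        store_hash($db, (int)$row["uid"], password_hash($password, PASSWORD_DEFAULT));
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // PASSWORD_DEFAULT can change between PHP versions; rehash stale hashes as users log in.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        store_hash($db, (int)$row["uid"], password_hash($password, PASSWORD_DEFAULT));
    }
    return true;
}

// Request handling: nothing is checked, and no message is shown, until the form is submitted.
session_start();
include "connection.php";
$error = "";
if (isset($_POST["submit"])) {
    $username = trim($_POST["username"] ?? "");
    $password = $_POST["password"] ?? "";
    if (check_login($db, $username, $password)) {
        session_regenerate_id(true); // new session id once authenticated
        $_SESSION["username"] = $username;
        header("Location: edit-index.php");
        exit;
    }
    $error = "Invalid username or password.";
}
```

The md5 branch exists only so existing accounts keep working during the migration; once every row has been rewritten it can be deleted. Keep the error message the same for "no such user" and "wrong password", and keep the dummy verify, so an attacker cannot tell the two cases apart from the response.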