Login Script help!

Posted: Sat Apr 07, 2007 3:42 am
by thunderbox
Hey, I have written a script that a website requires... I've created the sign up with no troubles but it does not allow me to login.. this is the login code:

Code:

include 'database_connect.php';

if(isset($_POST['login'])) {
	
	$username = mysql_real_escape_string($_POST['username']);
	$password = mysql_real_escape_string($_POST['password']);
	
	$password = md5($password);
	
	$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
	$logincheck = mysql_num_rows($sql);
	
	if($logincheck > 0) {
		while($row = mysql_fetch_array($sql)) {
			foreach( $row AS $key => $val ) {
				$$key = stripslashes( $val );
			}
			// Session Data
			$_SESSION['username'] = $username;
			$_SESSION['userlevel'] = $userlevel;
			$_SESSION['auth'] = true;
			
			echo 'Login Successful!';
			echo "<br />You Are Currently Logged In As <b>$username</b>";
		}
	} else {
		echo "<b><font color = 'red'>Login Credentials Wrong</b></font>";
	}
}
Every time I try to log in it comes up with the same error. It comes up with the error "wrong login credentials" which I wrote myself.. so there has to be something wrong with the SQL query or, what I think, the md5 encoding on the password.

thanks for all your help in advance

Posted: Sat Apr 07, 2007 3:49 am
by aaronhall
You shouldn't need to run mysql_real_escape_string on a string being hashed with md5(). Have you checked that your signup password hash is consistent with your login hash?

Posted: Sat Apr 07, 2007 3:51 am
by thunderbox
The sign up script also runs a mysql_real_escape_string and md5.. should I remove the mysql_real_escape_string on both (both password fields I mean)?

Posted: Sat Apr 07, 2007 3:56 am
by aaronhall
I doubt it's causing the problem, but you don't need it as long as you're hashing with md5 before it's being inserted. Can you post the code used to insert new users?

Posted: Sat Apr 07, 2007 3:57 am
by thunderbox

Code:

include 'database_connect.php';

if (isset($_POST['submit'])) {

// change the variables

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$password1 = mysql_real_escape_string($_POST['password1']);
$email = mysql_real_escape_string($_POST['email']);
$email1 = mysql_real_escape_string($_POST['email1']);
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$birthdate = mysql_real_escape_string($_POST['birthdate']);
$gender = mysql_real_escape_string($_POST['gender']);
$location = mysql_real_escape_string($_POST['location']);
$ip = $_SERVER['REMOTE_ADDR'];

// Check if there is an existing user in the database
$check1 = mysql_query("SELECT * FROM users WHERE username='$username'");


// One matching row already means the name is taken, so compare against 0
if (mysql_num_rows($check1) > 0) {
echo 'Someone has already Taken that username, please try another!';
}

// check if ALL the fields have been filled out correctly

if ($username == '') { echo 'The username field is empty'; }
if ($password == '') { echo 'The password field is empty'; }
if ($password1 == '') { echo 'The repeat password field is empty'; }
if ($email == '') { echo 'The email field is empty'; }
if ($email1 == '') { echo 'The repeat email field is empty'; }
if ($firstname == '') { echo 'The first name field is empty'; }
if ($lastname == '') { echo 'The last name field is empty'; }
if ($birthdate == '') { echo 'The birthdate field is empty'; }
if ($gender == '') { echo 'The gender field is empty'; }
if ($location == '') { echo 'The location field is empty'; }

// check if the passwords matched

if ($password == $password1) {

// Hash the password

$password2 = md5($password);

// insert smurf into the database

$insert = mysql_query("INSERT INTO users (username, password, email, firstname, lastname, birthdate, gender, location, ip) VALUES ('$username','$password2','$email','$firstname','$lastname','$birthdate','$gender','$location','$ip')");

if (!$insert) {
// mysql_error() only returns the message, so print it
echo mysql_error();
} else {
// Tell them that everything is cool!

echo 'You can now login!';

include 'login.php';

}
} else {
echo 'The passwords you entered did not match';
}
}

Posted: Sat Apr 07, 2007 4:00 am
by aaronhall
I'd print out the hash you're getting on login and compare it to the one in the database with a database browser like phpmyadmin

Posted: Sat Apr 07, 2007 4:07 am
by thunderbox
md5 hash generated from login : 7694f4a66316e53c8cdd9d9954bd611d
md5 hash in phpmyadmin : 7694f4a66316e53c8cdd9d995

Ohh yea, I see it's missing the last characters.
Is this because I limited the password field to 25 when I created the table?

... Solved ....

I changed the maximum values from 25 to 255 in the database and now everything is working fine.
Thanks for your help

Posted: Sat Apr 07, 2007 4:15 am
by aaronhall
You're welcome
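
The truncation found in this thread, reproduced as an added example (not code from the thread): `store_in_column()` is a hypothetical stand-in for a non-strict MySQL `VARCHAR(n)` column and the sample password is constructed. It also runs `password_hash()`/`password_verify()`, the salted replacement for bare md5, through the same column widths.

```php
<?php
// Added example, not code from the thread. store_in_column() is a hypothetical
// stand-in for a MySQL VARCHAR(n) column in non-strict SQL mode, which cuts an
// over-long value to n characters instead of rejecting it.
function store_in_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// The thread's scheme: unsalted md5 compared for equality.
function md5_login_ok(string $password, string $stored): bool
{
    return hash_equals($stored, md5($password));
}

// Salted, adaptive hash; the algorithm and cost are encoded in $stored.
function modern_login_ok(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Registration-time guard: read the row back and refuse a truncated hash.
function stored_intact(string $hash, string $stored): bool
{
    return hash_equals($hash, $stored);
}

$password = 'correct horse battery staple';            // constructed sample
$md5      = md5($password);                             // always 32 hex chars
$modern   = password_hash($password, PASSWORD_DEFAULT); // 60 chars with bcrypt

foreach ([25, 32, 255] as $width) {   // 25 and 255 are the widths from the thread
    $md5Stored    = store_in_column($md5, $width);
    $modernStored = store_in_column($modern, $width);
    printf(
        "VARCHAR(%3d)  md5: kept %2d of %d, login %-4s  password_hash: kept %2d of %d, login %-4s intact %s\n",
        $width,
        strlen($md5Stored), strlen($md5),
        md5_login_ok($password, $md5Stored) ? 'ok' : 'FAIL',
        strlen($modernStored), strlen($modern),
        modern_login_ok($password, $modernStored) ? 'ok' : 'FAIL',
        stored_intact($modern, $modernStored) ? 'yes' : 'no'
    );
}
```

A column sized exactly for md5 (32) still breaks `password_hash()` output, which is why the PHP manual recommends a 255-character column for `PASSWORD_DEFAULT`.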