Page 1 of 1

Help With Login Script?

Posted: Tue Apr 10, 2007 1:22 pm
by tkolbeck
Hello everyone, :D

I have a login system/class but I am having problems with my login part. I have a registration and I added users and when I login it says that the usernames and passwords are wrong when I am 100% sure that they are right.

Here is the login script.

Code: Select all

login.php:

<? 
session_start();
if(isset($_GET['reg'])){
$reg=$_GET['reg'];
}else{
$reg="";
}
if($reg==1){
$msg1="<font color=\"#FF0000\"><b>Your details have been added, please login</b></font>";
}elseif($reg==2){
$msg1="<font color=\"#FF0000\"><b>You have been successfully logged out.</b></font>";
}

if(isset($_POST['submit'])){
if( empty($_POST['uname']) && (empty($_POST['upass']))){
header( "Location:Messages.php?msg=1" ); 
exit();
}
//transfer to shorter var
$n=$_POST['uname'];
$p=$_POST['upass'];

//connect to db


include('config.php');
$query="select * from user where uname='$n'  and pw='$p' ";
$result=mysql_query($query);

$num=mysql_num_rows($result);
if($num>0 ){

//put in session vars

$mytime=time();
$mytime=date("H:i:s A",$mytime);
$_SESSION['time'] = $mytime;
$_SESSION['status'] = 'logged';
$_SESSION['username'] = $n;
//goto next page
header("location:welcome.php");
exit;


}else{
$_SESSION['status'] = 'not logged';

header( "Location:Messages.php?msg=2" ); 
exit();

}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/Auth.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<!-- InstanceBeginEditable name="doctitle" -->
<title>Login</title>
<!-- InstanceEndEditable -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="styleLog.css" rel="stylesheet" type="text/css">
</head>

<body>
<table width="100%"  border="0" cellspacing="7" cellpadding="0">
  <tr class="temptitle">
    <td><!-- InstanceBeginEditable name="EditRegion4" -->Login<!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td><!-- InstanceBeginEditable name="EditRegion3" -->
      <form name="form1" method="post" action="login.php">
        <table width="81%"  border="0" align="center" cellpadding="0" cellspacing="3">
          <tr class="listtop">
            <td colspan="3">Login Status:<? if(isset($msg1)){
			echo "$msg1";
			}?></td>
          </tr>
          <tr>
            <td width="9%">Username</td>
            <td width="41%"><input name="uname" type="text" id="uname" size="50"></td>
           
          </tr>
          <tr>
            <td>Password</td>
            <td><input name="upass" type="text" id="upass" size="50"></td>
           
          </tr>
          <tr>
            <td colspan="2"><div align="center"><a href="password.php">Forgotten your password?</a>|<a href="register.php">Register</a> </div></td>
         
          </tr>
          <tr>
            <td>&nbsp;</td>
            <td><input type="submit" name="submit" value="Login"></td>
           
          </tr>
        </table>
      </form>
    <!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td><div align="center">Copyright 2005 </div></td>
  </tr>
</table>
</body>
<!-- InstanceEnd --></html>

and here is the php code that handles the errors

Messages.php:

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/Auth.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<!-- InstanceBeginEditable name="doctitle" -->
<title>Messages</title>
<!-- InstanceEndEditable -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="styleLog.css" rel="stylesheet" type="text/css">
</head>

<body>
<table width="100%"  border="0" cellspacing="7" cellpadding="0">
  <tr class="temptitle">
    <td><!-- InstanceBeginEditable name="EditRegion4" -->Message<!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td><!-- InstanceBeginEditable name="EditRegion3" --><?php 
	$msg=$_GET['msg'];
	switch($msg){
	
	case 1:
	
	echo "Please enter your username and password.";
	break;
	case 2:
	echo "Your username and password do not match, please try again.";
	break;
	case 3:
	echo "Please enter your username and password";
	break;
	case 4:
	echo "Please enter your password";
	break;
	case 5:
	echo "Your confirmation password has been mistyped or is empty,please try again";
	break;
	case 6:
	echo "The username you have choosen is already taken, Please choose a new one";
	break;
	case 7:
	echo "Please fill in ALL the fields";
	break;
	case 8:
	echo "Your username is either spelled incorrect or does not exist, please try again";
	break;
	case 9:
	$em=$_GET['email'];
	echo "Your password has been sent to <b>$em</b>" ;
	break;
	case 10:
	echo "There was a error while trying to send the message, please check your mail settings.";
	break;
	}
	
	
	?> <!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td><div align="center">Copyright 2005 </div></td>
  </tr>
</table>
</body>
<!-- InstanceEnd --></html>



Thanks For Your Time :D

This is kinda urgent :(

Posted: Tue Apr 10, 2007 1:49 pm
by RobertGonzalez
Would you mind properly tabbing your initial PHP code? That would make it a world easier to read. Also, you have no error checking. Have you tried any error checking or echoing of vars to make sure you are passing the right information around?

Posted: Tue Apr 10, 2007 7:32 pm
by tkolbeck
what do you mean by var passing? or error checking? If error checking is what I think it is im not getting any mysql errors. Also when I try to login it shows the message "the username and password do not match"

Posted: Tue Apr 10, 2007 8:09 pm
by iknownothing
It looks ok looking over it quickly, but do you have any password encoding (eg md5) when registering, because you'll need to incorporate it into the login page so it can read the encoded password coming from the database. In other words, the plain text you type in as a password will be different to that of the password in the database with md5 encoding.

Posted: Tue Apr 10, 2007 8:11 pm
by Begby
Please tab your code....

By passing a var he means setting a variable to a value then using it another function or another place in your code.

Try doing this to make sure your query and your variables are getting set right.

Code: Select all

echo $n.'<br />';
echo $p.'<br />';
$query="select * from user where uname='$n'  and pw='$p' ";
echo $query ;

And do this for error checking

Code: Select all

$result = mysql_query($query) or die(mysql_error()) ;
P.S. Your code is open to hacking via sql injection. You need to read up on mysql_real_escape_string().

Posted: Tue Apr 10, 2007 8:57 pm
by tkolbeck
Ok so how would I code it so it reads the login var as Md5 encryption when I use the login.

Thanks For the tip about injection attacks I forgot about that. :D

Posted: Tue Apr 10, 2007 9:09 pm
by iknownothing
This may work...

Code: Select all

$p = md5($_POST['upass']);  //replace $p = $_POST['upass']; on login page
else do it this way...

Code: Select all

$p = $_POST['upass'];  
$p = md5($p); //add this below the above line on login page
I'm guessing the registration page uses md5, if not, using md5 on your login page without having it in the database (and registration page) will just make another problem.

Posted: Wed Apr 11, 2007 11:03 am
by RobertGonzalez
When I said proper tabbing, error checking and car echoing, I meant this (my opinion is you have an error in your SQL syntax or the values don't match the data so numrows is returning 0)...

Code: Select all

<?php
// login.php
session_start();
$reg = ''; // Default value for $reg
if (isset($_GET['reg'])) {
    $reg = $_GET['reg'];
}

// This only works if there was querystring var called reg that was either 1 or 2
if ($reg == 1) {
    $msg1 = '<font color="#FF0000"><b>Your details have been added, please login</b></font>';
} elseif ($reg == 2) {
    $msg1 = '<font color="#FF0000"><b>You have been successfully logged out.</b></font>';
}

// This fires if the submit button was clicked, sometimes IE doesn't send this
if (isset($_POST['submit'])) {
    if ( empty($_POST['uname']) && (empty($_POST['upass']))) {
        // This should be a full URI per the HTTP spec
        header('Location: Messages.php?msg=1');
        exit();
    }
    
    // Everah: Begin output of variables for checking
    // Becuase of the use of header, we are going to store this all for now
    // And echo later
    $test_output = 'Raw post data: UNAME is ' . $_POST['uname'] . ' and UPASS is ' . $_POST['upass'] . '<br />';
    
    // transfer to shorter var
    // Why are you doing this if you are not going to be cleaning it?
    $n = $_POST['uname'];
    $p = $_POST['upass'];
    
    // Everah: more test output
    $test_output .= 'Conversion to shorter vars (?!?!?): n is ' . $n . '  and p is ' . $ . '<br />';

    //connect to db
    include('config.php');
    $query = "select * from user where uname='$n'  and pw='$p' ";
    
    // Everah: more test output
    $test_output .= 'The query that was sent was ' . $query . '<br />';

    // How about some error checking?
    $result = mysql_query($query) or die('Could not run the query: ' . mysql_error());

    $num = mysql_num_rows($result);
    
    // Everah: more test output
    $test_output .= 'Numrows, which dictates redirects, is ' . $num . '<br />';

    // Everah: This is design to halt the script right here since you are redirecting
    // This is done so you can see what PHP and MySQL are seeing
    echo $test_output;
    exit;
    
    /************************************************************
     * NONE OF THE REST OF THE SCRIPT WILL EXECUTE UNTIL THE ABOVE 
     * EXIT CALL IS REMOVED. WHEN YOU DO THAT MAKE SURE TO KILL THE 
     * OUTPUT ABOVE IT OR YOU WILL GET HEADERS ALREADY SENT ERRORS
     * **********************************************************/         
    if ($num > 0 ) {
        //put in session vars
        // THere is no need do this next line
        //$mytime = time();
        $mytime = date('H:i:s A');
        $_SESSION['time'] = $mytime;
        $_SESSION['status'] = 'logged';
        $_SESSION['username'] = $n;
        //goto next page
        // Again, full URI per HTTP spec
        header('location: welcome.php');
        exit;
    } else {
        $_SESSION['status'] = 'not logged';
        // Again, full URI per HTTP spec
        header('Location: Messages.php?msg=2');
        exit();
    }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/Auth.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<!-- InstanceBeginEditable name="doctitle" -->
<title>Login</title>
<!-- InstanceEndEditable -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="styleLog.css" rel="stylesheet" type="text/css">
</head>

<body>
<table width="100%"  border="0" cellspacing="7" cellpadding="0">
  <tr class="temptitle">
    <td><!-- InstanceBeginEditable name="EditRegion4" -->Login<!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td><!-- InstanceBeginEditable name="EditRegion3" -->
      <form name="form1" method="post" action="login.php">
        <table width="81%"  border="0" align="center" cellpadding="0" cellspacing="3">
          <tr class="listtop">
            <td colspan="3">Login Status: <?php if (isset($msg1)) echo $msg1; ?></td>
          </tr>
          <tr>
            <td width="9%">Username</td>
            <td width="41%"><input name="uname" type="text" id="uname" size="50"></td>
           
          </tr>
          <tr>
            <td>Password</td>
            <td><input name="upass" type="text" id="upass" size="50"></td>
           
          </tr>
          <tr>
            <td colspan="2"><div align="center"><a href="password.php">Forgotten your password?</a>|<a href="register.php">Register</a> </div></td>
         
          </tr>
          <tr>
            <td>&nbsp;</td>
            <td><input type="submit" name="submit" value="Login"></td>
           
          </tr>
        </table>
      </form>
    <!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td><div align="center">Copyright 2005 </div></td>
  </tr>
</table>
</body>
<!-- InstanceEnd --></html>
And this

Code: Select all

<?php
// messages.php
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/Auth.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<!-- InstanceBeginEditable name="doctitle" -->
<title>Messages</title>
<!-- InstanceEndEditable -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="styleLog.css" rel="stylesheet" type="text/css">
</head>

<body>
<table width="100%"  border="0" cellspacing="7" cellpadding="0">
  <tr class="temptitle">
    <td><!-- InstanceBeginEditable name="EditRegion4" -->Message<!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td><!-- InstanceBeginEditable name="EditRegion3" --><?php
        if (isset($_GET['msg'])) {
        // If you are not going to use the $msg var for anything why set it?
            $msg=$_GET['msg'];
            
            echo 'The message that was passed was ' . $msg . '<br />';
            switch ($msg) {
                case 1:
                    echo "Please enter your username and password.";
                    break;
            
                case 2:
                    echo "Your username and password do not match, please try again.";
                    break;
                    
                case 3:
                    echo "Please enter your username and password";
                    break;
                    
                case 4:
                    echo "Please enter your password";
                    break;
                    
                case 5:
                    echo "Your confirmation password has been mistyped or is empty,please try again";
                    break;
            
                case 6:
                    echo "The username you have choosen is already taken, Please choose a new one";
                    break;
            
                case 7:
                    echo "Please fill in ALL the fields";
                    break;
                
                case 8:
                    echo "Your username is either spelled incorrect or does not exist, please try again";
                    break;
            
                case 9:
                    $em=$_GET['email'];
                    echo "Your password has been sent to <b>$em</b>" ;
                    break;
            
                case 10:
                    echo "There was a error while trying to send the message, please check your mail settings.";
                    break;
            }
        }
        ?> <!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td><div align="center">Copyright 2005 </div></td>
  </tr>
</table>
</body>
<!-- InstanceEnd --></html>