Login system not working...?

Ibanez
Forum Newbie
Posts: 5
Joined: Fri Jul 03, 2009 7:09 am

Login system not working...?

Post by Ibanez »

pickle | Please use [ code=php ], [ code=text ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.


Hey everybody!

I'm having a little problem with my login system, that is, it's just not working....

It's probably just something small that I missed, but could somebody please point me in the right direction?

Thank you in advance!

Here is my code:

index.php:

<h1>Multiflora Admin</h1>
        <h2>Please enter your login details below:</h2>
        <h2 class="error"><?php if ($_GET["error"]!=""); echo ("$_GET[error]")?></h2>
        <form action="login.php" name="adminloginform" id="adminloginform" method="post">
            <table width="195" cellpadding="2" cellspacing="0" border="0">
                <tr><td><label for="username">Username</label></td><td align="right"><input name="adminuser" type="text" id="adminuser" size="15" /></td></tr>
                <tr><td><label for="password">Password</label></td><td align="right"><input name="adminpass" type="password" id="adminpass" size="15" /></td></tr>
                <tr><td colspan="2" id="buttons"><input type="submit" value="Login" name="login" id="login" /><input type="reset" value="Reset" name="reset" id="reset" /></td></tr>
            </table>
        </form>

login.php:

<?
$host="localhost";
$username="root";
$password="";
$db_name="multiflora";
$tbl_name="admin";
 
$con=mysql_connect("$host","$username","$password")
or die("Cannot connect"); 
mysql_select_db("$db_name")
or die("Cannot Select Database");
 
$adminuser=$_POST['adminuser']; 
$adminpass=$_POST['adminpass'];
 
$adminuser = stripslashes($adminuser);
$adminpass = stripslashes($adminpass);
$adminuser = mysql_real_escape_string($username);
$adminpass = mysql_real_escape_string($adminpass);
 
$sql="SELECT * FROM $tbl_name WHERE username='$adminuser' and password='$adminpass'";
$result=mysql_query($sql);
 
$count=mysql_num_rows($result);
 
if($count==1){
session_register("adminuser");
session_register("adminpass");
header("location:success.php");
}
else {
header("location:index.php?error=Incorrect Username Or Password, Please Try Again");
}
 
mysql_close($con);
?>

success.php:

<? 
session_start();
if(!session_is_registered(adminuser)){
header("location:adminlogin.php");
}
 

pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Login system not working...?

Post by pickle »

We're going to need more than "its just not working".

What exactly isn't working? How have you narrowed down the problem?
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Login system not working...?

Post by kaisellgren »

Did you know that your index.php file is vulnerable to XSS attacks?

Your code doesn't work because of lines 18-19, where you set the login credentials to the database account credentials.
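
An added example, not part of the thread or any poster's code: one way to close the XSS hole in the `<h2 class="error">` line of index.php. It assumes login.php redirects with a short error code instead of the message text; the code names (`badlogin`, `expired`) and the function name are hypothetical.

```php
<?php
// Added example: hardened replacement for the error line in index.php.
// The original echoes $_GET['error'] into the page unescaped, so any markup
// placed in the URL is rendered by the browser (reflected XSS).

// Fixed messages keyed by a short code; the code names are assumptions.
const LOGIN_ERRORS = [
    'badlogin' => 'Incorrect Username Or Password, Please Try Again',
    'expired'  => 'Your session has expired, please log in again',
];

function login_error_html(array $query): string
{
    $code = $query['error'] ?? '';
    // Reject arrays (?error[]=x) and unknown codes, so nothing taken from
    // the URL is ever copied into the page.
    if (!is_string($code) || !array_key_exists($code, LOGIN_ERRORS)) {
        return '';
    }
    // Escape anyway, so a later edit to the table cannot introduce markup.
    return '<h2 class="error">'
        . htmlspecialchars(LOGIN_ERRORS[$code], ENT_QUOTES, 'UTF-8')
        . '</h2>';
}

echo login_error_html($_GET);
```

If free text must be shown instead of a fixed message, the same `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` call applied to the value before output is the minimum fix.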
Ibanez
Forum Newbie
Posts: 5
Joined: Fri Jul 03, 2009 7:09 am

Re: Login system not working...?

Post by Ibanez »

Pickle: Sorry for not using the correct tags... :oops:
What I meant with not working is that, every time I try to log in, I receive my error message "Incorrect Username Or Password, Please Try Again" - even if I use the correct credentials...
I hate calling myself a "Newbie", but, this is my first PHP project... :banghead:

Kaisellgren: No, I didn't know that... Security is very important - obviously - could you please explain how I can make my systems more secure in the future?

Thank you in advance!
Ibanez
Forum Newbie
Posts: 5
Joined: Fri Jul 03, 2009 7:09 am

Re: Login system not working...?

Post by Ibanez »

Thank you Kai!

I changed the login credentials and now it's working!

I really want to learn how to do this properly, and I thought it would work, but could you please tell me what I did wrong, and why?

Thank you!
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Login system not working...?

Post by kaisellgren »

Your database credentials

$username="root";
$password="";

$adminuser = mysql_real_escape_string($username);
$adminpass = mysql_real_escape_string($adminpass);

were used for the user account credentials and that's why the following query failed:

$sql="SELECT * FROM $tbl_name WHERE username='$adminuser' and password='$adminpass'";
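
An added example, not code from the thread: login.php rewritten for current PHP, where the `mysql_*` functions and `session_register()` used above no longer exist. It assumes the `password` column of the `admin` table holds a `password_hash()` value rather than plaintext; the function name `check_login` and the `badlogin` error code are hypothetical.

```php
<?php
// Added example: login.php using PDO, prepared statements and password hashes.
session_start();

function check_login(PDO $db, string $user, string $pass): bool
{
    // Placeholders keep user input out of the SQL text, so there is no
    // manual escaping step and no escaped copy to confuse with the
    // database account's own $username.
    $stmt = $db->prepare('SELECT password FROM admin WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();   // false when no such user exists
    // Assumption: the column stores password_hash() output.
    return is_string($hash) && password_verify($pass, $hash);
}

// Connection values are the ones posted in the thread; a dedicated
// low-privilege account with a password is the better choice than root.
$db = new PDO(
    'mysql:host=localhost;dbname=multiflora;charset=utf8mb4',
    'root',
    '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

$user = $_POST['adminuser'] ?? '';
$pass = $_POST['adminpass'] ?? '';

if (is_string($user) && is_string($pass) && check_login($db, $user, $pass)) {
    session_regenerate_id(true);      // fresh session id after login
    $_SESSION['adminuser'] = $user;   // replaces session_register()
    header('Location: success.php');
} else {
    // Send a fixed code, not message text, back to index.php.
    header('Location: index.php?error=badlogin');
}
exit; // stop the script once the redirect header is sent
```

success.php would then test `empty($_SESSION['adminuser'])` after `session_start()` and call `exit` right after its redirect header, so the protected page body is never sent to a visitor who is not logged in.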