Why isn't this login working?

DevonL
Forum Newbie
Posts: 6
Joined: Sat Feb 11, 2012 6:13 pm

Why isn't this login working?

Post by DevonL »

Code:

<?php
	// Start session
	session_start();
	
	// Include database connection details
	include "config.php";
	include "functions.php";
	
	// Validation error flag
	$error = false;
	
	// Strip the POST values of any potential SQL injections
	$username = mysql_real_escape_string($_POST['username']);
	$password = mysql_real_escape_string($_POST['password']);
	$cryptpass = crypt($password);
	
	// Did we get a user and or pass?
	if($username == '') {
		errormsg(1);
		$error = true;
	}
	if($password == '') {
		errormsg(2);
		$error = true;
	}
	
	// If the user/pass fails, back to index.php
	if($error) {
		session_write_close();
		header("location: index.php");
		exit();
	}
	
	// Query the DB
	$qry = "SELECT * FROM users WHERE username='$username' AND password='$cryptpass'";
	$result = mysql_query($qry);
	
	// Check whether the query was successful or not
	if ($result){
		if (mysql_num_rows($result) == 1){
			// Login Successful
			session_regenerate_id();
			$member = mysql_fetch_assoc($result);
			$_SESSION['FNAME_NAME'] = $member['fname'];
			session_write_close();
			header("location: home.php");
			exit();
		}else {
			// Login failed
			echo "Username or Password was incorrect.<br>";
			echo $username;
			echo "<br>";
			echo $cryptpass;
			exit();
		}
	}else {
		die("Query failed");
	}
?>

I appreciate any insight here! The prompt keeps coming up, but it won't bring me to home.php!

EDIT: With the outputted variables, the password shows that it changes every time I try to log in, so it will not match what is in the database.

To insert my username/pass into the DB, what I had done was create a simple script:

Code:

<?php
include "config.php";

$username = "Devon";
$password = crypt('pass');
$fname = "Devon";
$lname = "L";
$email = "mine@gmail.com";

$query = "INSERT INTO users(`username`, `password`, `fname`, `lname`, `email`) 
	VALUES('$username', '$password', '$fname', '$lname', '$email')";
mysql_query($query);
?>
Last edited by DevonL on Mon Feb 13, 2012 9:45 am, edited 1 time in total.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Why isn't this login working?

Post by Eric! »

I assume you've deleted code there to try to make it easier to read. I suggest you echo out your $PHP variables and $password to see what you're really searching for. You might also want to echo out mysql_error() as part of your debugging.
DevonL
Forum Newbie
Posts: 6
Joined: Sat Feb 11, 2012 6:13 pm

Re: Why isn't this login working?

Post by DevonL »

No, that's the entire script, the connection to MySQL is made in the config file. I'll give a try echoing to see what the variables are outputting. Also, mysql_error() is included already, not returning anything.

This is a script that worked with an older version of PHP, but I have made some modifications to it now to make it more secure.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Why isn't this login working?

Post by Celauran »

You're not passing a salt to crypt(), so it's choosing a random one which will be different every time.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Why isn't this login working?

Post by Eric! »

Also I don't even see where you define $PHP_AUTH_PW, $PHP_AUTH_USER or $password. If they are session data, you have to read them from the $_SESSION array.
DevonL wrote:...I have made some modifications to it now to make it more secure.
Definitely. Now no one can get in. Sorry, bad joke.
DevonL
Forum Newbie
Posts: 6
Joined: Sat Feb 11, 2012 6:13 pm

Re: Why isn't this login working?

Post by DevonL »

Eric! wrote:Also I don't even see where you define $PHP_AUTH_PW, $PHP_AUTH_USER or $password. If they are session data, you have to read them from the $_SESSION array.
DevonL wrote:...I have made some modifications to it now to make it more secure.
Definitely. Now no one can get in. Sorry, bad joke.
I ended up changing the entire script, basing it slightly off of a tutorial I had found, also making it a bit cleaner.

Heh, a bad joke .. but true.

The new script is edited into the original post above.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Why isn't this login working?

Post by Celauran »

Looks like you're still not salting crypt() so you're going to run into the same problem.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Why isn't this login working?

Post by Eric! »

The call to crypt should look like crypt($password,$salt_value). Without a salt the manual has this appropriate comment: "An optional salt string to base the hashing on. If not provided, the behaviour is defined by the algorithm implementation and can lead to unexpected results." I.e. random hash results will almost never be the same twice so no one can log in. See Mordred's post on picking a good sized salt for your hash viewtopic.php?f=34&t=127891

And why are you doing a session_start() and then using $_POST data? Have you echoed back out those variables to make sure you're setting them properly?
DevonL
Forum Newbie
Posts: 6
Joined: Sat Feb 11, 2012 6:13 pm

Re: Why isn't this login working?

Post by DevonL »

Yeah I echoed the variables and they are indeed returning properly. I read up more on the PHP manual in regard to crypt() and am reading Mordred's post now as well. I should be able to get it running, the last time I did this md5() was the chosen way to encrypt passwords!

I appreciate the help/link.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Why isn't this login working?

Post by Eric! »

Since you're using $_POST and if you are not using session variables you don't need session_start().

Crypt() is the same as MD5, just with better algorithms and requires a salt to improve randomness. You could also salt MD5(), but not a lot of people did it.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Why isn't this login working?

Post by Celauran »

If you're already reading up about crypt() and hashing algorithms, take five minutes and give this a read: Use bcrypt().
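
The fix the replies point to, as an added example (not code from the thread): look the user up by name only and verify the password against the stored hash, using bcrypt through password_hash()/password_verify(). It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory table, the DUMMY_HASH constant and the register()/login() helpers are constructed for illustration, and PDO with bound parameters replaces the thread's mysql_* calls.

```php
<?php
declare(strict_types=1);

// Constructed setup: in-memory SQLite through PDO stands in for the MySQL users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, fname TEXT)');

// Hash verified for unknown usernames so both failure paths cost one bcrypt run.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_BCRYPT));

// password_hash() generates a random salt and stores it inside the returned
// string, next to the algorithm and cost, so no separate salt column is needed.
function register(PDO $db, string $username, string $password, string $fname): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password, fname) VALUES (?, ?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_BCRYPT), $fname]);
}

// Fetch the row by username only, then let password_verify() re-hash the
// candidate with the salt read from the stored hash. Bound parameters replace
// escaping, so the password reaches the hash function unmodified.
function login(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT username, password, fname FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, DUMMY_HASH);
        return null;
    }
    return password_verify($password, $row['password']) ? $row : null;
}

register($db, 'Devon', 'pass', 'Devon'); // constructed sample account

// Hashing the same password twice yields two different strings, which is why
// "WHERE password = '<fresh hash>'" never matches the stored row.
var_dump(password_hash('pass', PASSWORD_BCRYPT) === password_hash('pass', PASSWORD_BCRYPT));

var_dump(login($db, 'Devon', 'pass') !== null);   // correct password
var_dump(login($db, 'Devon', 'wrong') !== null);  // wrong password
var_dump(login($db, 'nobody', 'pass') !== null);  // unknown user

// The same check works on a hash made with crypt(): the stored hash doubles as the salt.
$stored = crypt('pass', '$2y$10$' . 'abcdefghijklmnopqrstuu'); // constructed 22-char salt
var_dump(hash_equals($stored, crypt('pass', $stored)));
```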