login/authentication

Mr_Chew

I have a registration script which successfully assigns usernames and passwords for people. I have a login script that I've been stuck on for too long now that doesn't successfully log people in.

<form name="form1" method="post" action="login.php">
                      <table width="100%" border="0" cellspacing="2" cellpadding="0">
                        <tr>
                          <td class="text">Username:</td>
                        </tr>
                        <tr>
                          <td>
                            <div align="left">
                              <input name="username" type="text" class="boxes" id="username">
                            </div></td>
                        </tr>
                        <tr>
                          <td class="text">Password:</td>
                        </tr>
                        <tr>
                          <td>
                            <div align="left">
                              <input name="password" type="password" class="boxes" id="pass">
                            </div></td>
                        </tr>
                        <tr>
                          <td><div align="center">
                            <input name="Submit" type="submit" class="boxes" value="Submit">
                            <input name="Reset" type="reset" class="boxes" value="Reset">
                          </div></td>
                        </tr>
                        <tr>
                          <td><div align="center"><a href="http://www.domain.net/index.php?id=signup" class="text">Register</a></div></td>
                        </tr>
                      </table>
                      </form>

<?php
session_start();
$user=$_POST['username'];
$pass=$_POST['password'];

$user=strip_tags($user);
$pass=strip_tags($pass);

$user=str_replace(" ", "",$user);
$pass=str_replace(" ","",$pass);
$user=str_replace("%20", "",$user);
$pass=str_replace("%20", "",$pass);

$connection=mysql_connect("localhost", "", "");
$db=mysql_select_db("");

$pass=md5($pass);
echo 'username = ' . $user . ' password = ' . $pass ; 

$results = mysql_query("SELECT * FROM login WHERE password='$pass' AND username='$user'");
$num= mysql_num_rows($results);
if($num == 1)
{
	echo"User logged in";
	$_SESSION['user']=$user;
	$_SESSION['auth']=true;
}
else
{
	echo"The Username or Password you have entered is invalid. Please go back and try again or procede to our <a href=\"signup.php\">registration</a> page.";
	$_SESSION['auth']=false;
}
?>

When I go to login, I always get my error message from the script: The Username or Password you have entered is invalid....

Roger_Ramjet

Eh?? Lots of unneccessary processing there, and none of the neccessary processing either.

Have you MD5'd the password into the db in the first place?
Usernames and password are supposed to be entered exactly as first created, so why all the string replacement? If they can't enter them correctly then they should not be able to login.
On the other hand, you definitely MUST use mysql_real_escape_string on the user input to stop sql injection attacks. Read the manual for all the info you need on this.

Mr_Chew

I'm not really sure what I should do at this point. Can you help me out with editing my script and explaining what I did wrong so I can understand possibly?

Roger_Ramjet

OK, you need something like this

First, a function to render user input safe from sql injection attacks. Keep it in your common functions file.


function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not integer
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

Now for your login script


<?php
require_once 'common.php';

session_start();

//--- LOG OUT button clicked - destroy session	
if (isset($_REQUEST['log_out'])) {  

  	$_SESSION = array();
  	session_destroy;
}

//--- LOGIN CHECK - has the user filled in username and password
//				    or is the user already logged in?
$user = isset($_POST['username']) ? $_POST['username'] : $_SESSION['user'];
$pass = isset($_POST['password']) ? $_POST['password'] : $_SESSION['pass'];

//--- NOT LOGGED IN - display login page
if(!isset($user)) {

?>

</head>
<body>
	<script language="javascript">
		window.location = "http://yourdomain.com/login.php"
	</script>
</body>
</html>

<?
	exit;
}

//--- CHECK LOGIN CREDENTIALS
$connection=mysql_connect("localhost", "", "");
$db=mysql_select_db("");

$md5pass=md5($pass);
echo 'username = ' . $user . ' password = ' . $pass ; 

// build safe query
$logincheck = sprintf("SELECT * FROM login WHERE password=%s AND username=%s",
			quote_smart($md5pass), quote_smart($user));

// run safe query
$loginresult = mysql_query($logincheck);

// test results
$num= mysql_num_rows($loginresult);
if($num == 1)
{
    echo"User logged in";
    $_SESSION['user']=$user;
    $_SESSION['pass']=$pass;
    $_SESSION['auth']=true;
}
else
{
    echo"The Username or Password you have entered is invalid. Please go back and try again or procede to our <a href=\"signup.php\">registration</a> page.";
    $_SESSION['auth']=false;
}
?>

That should just about do it - but read my signature 😉