[RESOLVED] Can't seem to log in...

cornick

I'm running MySQL (version I am unaware of.).

I've created a registration page, that works fine and encrypts my password in the database.

When I go to login, I always get the same message.
'Incorrect password, please try again.'

I believe when I'm sending my password to the database to check it, it's not getting encrypted. I don't know enough about encryption to figure out why it's doing this.

Any chance someone can take a minute to look at my code?

Registration page: (which works fine but thought I would give this information as well.

<?php
// Include file has the database connection information.
include('includes/connection.inc');

// Runs if the form has been submitted.
if (isset($_POST['submit'])) {

// Makes sure the user did not leave any fields blank.
if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2']
| !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['address1']
| !$_POST['city'] | !$_POST['state'] | !$_POST['zip'] | !$_POST['phone']
| !$_POST['email']) {
die('You did not complete all of the required fields');
}

// Checks if the username is already taken.
if (!get_magic_quotes_gpc()) {
$_POST['username'] = addslashes($_POST['username']);
}
$usercheck = $_POST['username'];
$ucheck = mysql_query("SELECT username FROM users WHERE username = '$usercheck'")
or die(mysql_error());
$ucheck2 = mysql_num_rows($ucheck);

// If the username already exists it gives an error.
if ($ucheck2 != 0) {
die('Sorry, the username '.$_POST['username'].' is already in use.');
}

// Checks if the email is in already taken.  Using this as a reminder if 
// someone already has an account with us.
if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$emailcheck = $_POST['email'];
$echeck = mysql_query("SELECT email FROM users WHERE email = '$emailcheck'")
or die(mysql_error());
$echeck2 = mysql_num_rows($echeck);

// If the email already exists it gives an error
if ($echeck2 != 0) {
die('Sorry, the email '.$_POST['email'].' is already in use.');
}

// Makes sure both passwords entered match
if ($_POST['pass'] != $_POST['pass2']) {
die('Your passwords did not match.');
}

// Encrypt the password and add slashes if needed
$_POST['pass'] = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) {
$_POST['pass'] = addslashes($_POST['pass']);
}

// Here we are inserting all of the information into the database
$insert = "INSERT INTO users (userid, username, password, firstname, lastname, 
address1, address2, city, state, zip, phone, email)
VALUES (' ', '".$_POST['username']."', '".$_POST['pass']."', 
'".$_POST['firstname']."', '".$_POST['lastname']."', '".$_POST['address1']."', 
'".$_POST['address2']."', '".$_POST['city']."', '".$_POST['state']."', 
'".$_POST['zip']."', '".$_POST['phone']."', '".$_POST['email']."')";
$add_member = mysql_query($insert)
or die(mysql_error());
?>

<h1>Registered</h1>
<p>Thank you for registering!</p>
<p>You may now <a href="login.php">login</a></p>

<?php
}
else
{
?>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table border="0">
<tr>
	<td>Username:</td>
	<td><input type="text" name="username" maxlength="30"></td>
</tr>
<tr>
	<td>Password:</td>
	<td><input type="password" name="pass" maxlength="30"></td>
</tr>
<tr>
	<td>Confirm Password:</td>
	<td><input type="password" name="pass2" maxlength="30"></td>
</tr>
<tr>
	<td>First Name:</td>
	<td><input type="firstname" name="firstname" maxlength="255"></td>
</tr>
<tr>
	<td>Last Name:</td>
	<td><input type="lastname" name="lastname" maxlength="255"></td>
</tr>
<tr>
	<td>Address 1:</td>
	<td><input type="address1" name="address1" maxlength="255"></td>
</tr>
<tr>
	<td>Address 2:</td>
	<td><input type="address2" nane="address2" maxlength="255"></td>
</tr>
	<td>City:</td>
	<td><input type="city" name="city" maxlength="255"></td>
</tr>
<tr>
	<td>State:</td>
	<td><input type="state" name="state" maxlength="2"></td>
</tr>
<tr>
	<td>Zip:</td>
	<td><input type="zip" name="zip" maxlength="5"></td>
</tr>
<tr>
	<td>Phone:</td>
	<td><input type="phone" name="phone" maxlength="10"></td>
</tr>
<tr>
	<td>Email:</td>
	<td><input type="email" name="email" maxlength="255"></td>
</tr>
<tr>
	<th colspan=2><input type="submit" name="submit" value="Register"></th>
</tr> 
</table>
</form>

<?php
}
?>

<?php
// Include file has the database connection information.
include('includes/connection.inc');

//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))

//if there is, it logs you in and directes you to the members page
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($pass != $info['password'])
{
}
else
{
header("Location: files/members.php");

}
}
}

//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

// makes sure they filled it in
if(!$_POST['username'] | !$_POST['pass']) {
die('You did not fill in a required field.');
}
// checks it against the database

if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database.<a href=files/registration.php>Click Here to Register</a>');
    }
    while($info = mysql_fetch_array( $check ))
    {
    $_POST['pass'] = stripslashes($_POST['pass']);
    $info['password'] = stripslashes($info['password']);
    $_POST['pass'] = md5($_POST['pass']);

//gives error if the password is wrong
if ($_POST['pass'] != $info['password']) {
die('Incorrect password, please try again.');
}

else
{

// if login is ok then we add a cookie
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pass'], $hour);

//then redirect them to the members area
header("Location: files/members.php");
}
}
}
else
{

// if they are not logged in
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}

?>

If anyone is able to find my mistakes or what I need to add/delete that is greatly appreciated, I'm running out of hair to pull. 🙂

cornick

I used
print_r($_POST);
print_r($info);

And the password isn't getting encrypted on it's way to the database....

bradgrafelman

Change this:

    if ($_POST['pass'] != $info['password']) {
    die('Incorrect password, please try again.');
    }

to this:

    if ($_POST['pass'] != $info['password']) {
    echo '-- DEBUG -- posted value = ' . $_POST['pass'] . ' || retrieved value = ' . $info['password'] . '<br/>';
    die('Incorrect password, please try again.');
    }

What is the result?

cornick

Hey, thanks.

The result is:
-- DEBUG -- posted value = a3aaebf4cc03fba31c311cf01bf1bdfd || retrieved value = a3aaebf4cc03fba31c311cf01bf1bd
Incorrect password, please try again.

There are 3 extra characters on the end of the first string. dfd

bradgrafelman

Your password column in your database is most likely a VARCHAR(30) when it needs to be a VARCHAR(32) as MD5 hash strings are 32 characters in length.

You'll have to alter your table and fix this, as well as update all of the existing rows with the correct hash values.

cornick

HA!
You were right!

Did it and it worked right away. You should get a raise man!

bradgrafelman

cornick wrote:
You should get a raise man!

You're the second person to say that.

I'll have to forward that along to JPnyc 😉

EDIT: By the way, don't forget to mark this thread resolved.

Weedpacket

bradgrafelman wrote:
I'll have to forward that along to JPnyc

I've just had it confirmed that you're getting a 25% bonus. Act surprised.