Need help with login script please

AnnCP

Hi, I hope I can get some help here. I'm having a problem with a login script that is part of a package I downloaded. Basically it's not working. I can register a new user, and it enters the info into the database as far as I can tell, but when I try to login access is denied saying the username or password is wrong. (but it's not)

I was told I need to use a script like this (see below) for my login and change the columns and tables to my own. I guess the package is incomplete. But I'm stuck on that part. I don't know what to change, and what to switch it too.

Please don't tell me to "just learn php". I'm trying to learn, really I am, and I hate posting questions like this that are probably so simple for anyone that knows even half of what their doing....but I'm confused and I need some help.

What exactly do I change and what should I change it too? (I know you can't see my database, but can you tell me what I need to look for in there?)

<?php echo "<table align=\"center\" valign=\"top\" cellspacing=\"0\" cellpadding=\"0\" border=\"0\" width=\"100%\" height=\"35\">";
		echo "<form action=\"" . $_SERVER['PHP_SELF'] . "\" method=\"POST\">";
		echo "<tr>";
		echo "<td align=\"left\" width=\"20%\" height=\"35\">Username:  </td>";
		echo "<td align=\"left\" width=\"20%\" height=\"35\"><input type=\"text\" name=\"username\" size=\"10\"></td>";
		echo "<td align=\"left\" width=\"20%\" height=\"35\">Password:  </td>";
		echo "<td align=\"left\" width=\"20%\" height=\"35\"><input type=\"password\" name=\"password\" size=\"10\"></td>";
		echo "<td align=\"left\" width=\"20%\" height=\"35\">&nbsp;&nbsp;<input type=\"submit\" name=\"submit\" value=\"Login\"></td>";
		echo "</tr>";
		echo "</form>";
		echo "</table>";
?>

</php 
if (isset($_POST['username']) && isset($_POST['password'])) { // checks to see if the form was filled out

	eh(); // my DB function to connect to the DB...make your own connection here

	$chkuser = $_POST['username'];
	$chkpass = md5($_POST['password']);

	$check = mysql_query("SELECT uname, pass, adcheck, adstatus FROM users WHERE uname = '$chkuser' AND pass = '$chkpass'") or die("Problem in login function.");
	$row = mysql_fetch_array($check) or die("Could not fetch the row.");

	if ($chkuser == $row['uname'] && $chkpass == $row['pass']) { // compares the form's info to the info in the db and if it matches then it runs the code below:

		$chkuser = $_POST['username'];
		$sess = rand();
		$num = md5($sess);

		mysql_query("UPDATE users SET session = '$num' WHERE uname = '$chkuser' AND pass = '$chkpass'") or die("Could not update the login table.");

		setcookie("num", $num, time()+58060800, "/", $wbsite);
		setcookie("num", $num, time()+58060800, "/", $www);
		setcookie("user", $chkuser, time()+58060800, "/", $wbsite);
		setcookie("user", $chkuser, time()+58060800, "/", $www);




	}
?>

big_nerd

Are you using phpMyAdmin to make / view your databases?

If so, take a look at your database.

I know I made the mistake once with MD5 by having a varchar data type but restricted it to 25 char's (not thinking).

This cut off part of the password string.

If you can view it, do this:

(in a test.php)

<?php
         echo md5("yourtestpassword");  // well insert the password you set.
?>

Copy both strings (I use notepad) and do a visual comparison, are they the same?

Secondly.. the columns you mentioned.. if the data went in fine (and you are sure of it) the columns may be right..

did you use the same script set up the new account?

AnnCP

Yes, I'm using phpmyadmin.

I set up a test.php and it came back with this " 82a0525c7b94d57a1044cc5b4c71eb1a" which is not my password. Maybe because it's encrypted?

Secondly.. the columns you mentioned.. if the data went in fine (and you are sure of it) the columns may be right..

did you use the same script set up the new account?

The script I posted above is not from the package. I got it from somone who said I should use it instead. So it is not customized with my info yet. I haven't even tried to test it out because I don't know how to replace those fields with the correct info yet.

Am I making any sense? I registered the new account with the original script and that's where the problems occur with not getting access. So someone said "here use this", but because I'm so dense regarding php I dont' know how to use it. If I can make the whole thing work without useing it that's fine too.

AnnCP

I think I found the login script that came with the program. Can anyone tell me if something looks off?

This is the one I used to register the new account and attempt to login.

<?php // accesscontrol.php

include ("".$_SERVER['DOCUMENT_ROOT']."/phprentals/includes/config.php");

session_start();

if (isset($_POST['uid'])) {
 $uid = $_POST['uid'];
} else {
 $uid = $_SESSION['uid'];
}
if (isset($_POST['pwd'])) {
 $pwd = md5($_POST['pwd']);
} else {
 $pwd = $_SESSION['pwd'];
}


if(!isset($uid) || !isset($pwd) )
{
  ?>
  <html>
  <head>
  <title> Please Log In for Access </title>
  </head>
<body>
  <table align=center width=300 border=0 cellspacing=0 cellpadding=0 bgcolor="#2f4f4f">
  <tr><td>
   <table border=0 width=100% cellspacing=1 cellpadding=1>
    <form action="<?=$_SERVER['PHP_SELF']?>" method=POST>
    <tr><td BGCOLOR="#2f4f4f"><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif" COLOR="#FFFFFF">
    <B>Please Log In For Access:</B>
    </td></tr>
    <tr><td BGCOLOR="#c7c7c7"><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">
You must log in to access this area of the site.
     </td></tr>
    <tr>
     <td BGCOLOR="#fffff0">
      <table width=100% border=0 cellspacing=0 cellpadding=0>
    <tr>
     <td><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">Email Address:</td>
     <td><input type=text name="uid" size="20" value=""></td>
    </tr>
        <tr>
     <td><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">Password:</td>
     <td><input type=password name="pwd" size="20"></td>
    </tr>
    <tr>
     <td colspan=2 align=center>
      <input type=submit name="Login" value="Login">
     </td>
    </tr>
    </form>
      </table>
     </td>
    </tr>
   </table>
  </td></tr>
 </table>
  </body>
  </html>
  <?php
  exit;
}
//Clean the input submitted to mysql
$uid=addslashes($uid);
$pwd=addslashes($pwd);

//this puts the variable into the session

$_SESSION['uid'] = $uid; 
$_SESSION['pwd'] = $pwd;

$sql = "SELECT * FROM users WHERE email = '$uid' AND passwd = '$pwd' ";

$result = mysql_query($sql);

if (!$result) {
echo "A database error occurred while checking your login details";
}
//if bad user/pass combo access denied
if (mysql_num_rows($result) == 0) {

  unset($_SESSION['uid']);
  unset($_SESSION['pwd']);
  ?>
  <html>
  <head>
  <title> Access Denied </title>
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>There are several reasons this may be happening:<BR>
  <UL><LI>Your username or password is incorrect</LI>
  <LI>You have forgotten your login information. <a href="/phprentals/html/lostpwd.php">Lost Password</a></LI></UL>
  To return to our login page, <a href="index.php">click here</a>.</p>
  </body>
  </html>
    <?php
  exit;
}

?>

AnnCP

I'm still having issues with this. Can anyone take a look at the last script I posted and see if anything is missing?

zingbats

I recommend you follow a tutorial rather than a script. Not only does this provide code, but it explains it too

http://www.tutorialized.com/tutorial/PHP-Simple-login-script/9963

AnnCP

But I already have this script, I just need to figure out what's wrong with it. Wouldn't it be easier to do that then to create a new one?

Can no one spot anything in there that's gone wrong?

leatherback

Hi Ann,

Yes. you do have this script, and you should fairly easil;y be able to get it to work. that being said.. Zingbats comment makes sense from the point of understanding what is going on.

I looked at the first script tha somebody gave to you. There is one line in the script which is completely useless. If the second script came with your package, I'd recomment you using that script.

Unfortunately I cannot see anything obviousl wrong with it.

The best way to proceed with these things is to place a series of echo statements in the code at different locations, so you can follow up to which point the correct values are set.
I usually place:
=> An echo for each variable used in an IF / WHILE / FOR statements, right before the statement, and echo some string (e.g., echo "passed p1"😉 to see whether it did or did not pass that section. You can then compare the echoed values to the ones in the script, and perhaps understand where it gets off-track.
accesscontrol.php

<?php
// make it require instead. It will tell you if something is wrong here
require_once("".$_SERVER['DOCUMENT_ROOT']."/phprentals/includes/config.php");

// start a session
session_start();

//debugging:  Show all the posted data: 
print_r($_POST);

if (isset($_POST['uid'])) {
 $uid = $_POST['uid'];
} else {
// debugging:
echo 'using session vars';
 $uid = $_SESSION['uid'];
}
if (isset($_POST['pwd'])) {
 $pwd = md5($_POST['pwd']);
} else {

// debugging:
echo 'using session vars';
 $pwd = $_SESSION['pwd'];
}

// debugging:
echo $uid."<-->";
echo $pwd;
if(!isset($uid) || !isset($pwd) )
{
echo "test";

// and so on till you find the culprit
  ?>
  <html>
  <head>
  <title> Please Log In for Access </title>
  </head>
<body>
  <table align=center width=300 border=0 cellspacing=0 cellpadding=0 bgcolor="#2f4f4f">
  <tr><td>
   <table border=0 width=100% cellspacing=1 cellpadding=1>
    <form action="<?=$_SERVER['PHP_SELF']?>" method=POST>
    <tr><td BGCOLOR="#2f4f4f"><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif" COLOR="#FFFFFF">
    <B>Please Log In For Access:</B>
    </td></tr>
    <tr><td BGCOLOR="#c7c7c7"><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">
You must log in to access this area of the site.
     </td></tr>
    <tr>
     <td BGCOLOR="#fffff0">
      <table width=100% border=0 cellspacing=0 cellpadding=0>
    <tr>
     <td><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">Email Address:</td>
     <td><input type=text name="uid" size="20" value=""></td>
    </tr>
        <tr>
     <td><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">Password:</td>
     <td><input type=password name="pwd" size="20"></td>
    </tr>
    <tr>
     <td colspan=2 align=center>
      <input type=submit name="Login" value="Login">
     </td>
    </tr>
    </form>
      </table>
     </td>
    </tr>
   </table>
  </td></tr>
 </table>
  </body>
  </html>
  <?php
  exit;
}
//Clean the input submitted to mysql
$uid=addslashes($uid);
$pwd=addslashes($pwd);

//this puts the variable into the session

$_SESSION['uid'] = $uid; 
$_SESSION['pwd'] = $pwd;

$sql = "SELECT * FROM users WHERE email = '$uid' AND passwd = '$pwd' ";

$result = mysql_query($sql);

if (!$result) {
echo "A database error occurred while checking your login details";
}
//if bad user/pass combo access denied
if (mysql_num_rows($result) == 0) {

  unset($_SESSION['uid']);
  unset($_SESSION['pwd']);
  ?>
  <html>
  <head>
  <title> Access Denied </title>
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>There are several reasons this may be happening:<BR>
  <UL><LI>Your username or password is incorrect</LI>
  <LI>You have forgotten your login information. <a href="/phprentals/html/lostpwd.php">Lost Password</a></LI></UL>
  To return to our login page, <a href="index.php">click here</a>.</p>
  </body>
  </html>
    <?php
  exit;
}

Please note that just adding slashed to your variables when you do not know how yor server is set, can cause you trouble, especially if you have 'special' characters in your name/pass.

AnnCP

Okay, this may be a completly beginer question, but is it strange that it only tells what to do when there is a bad username/password combo (access denied) and no where does it say what to do when you enter the correct username and password?

Should there be something in there to redirect you to the proper page?

AnnCP

I just removed the "addslashes" part and it works now! Thank you so much!

Can you tell me why exactly that would cause such a problem? So I can avoid this in the future.

bradgrafelman

Removing the addslashes() call is not a solution - it still leaves you vulnerable to SQL injection attacks.

leatherback's comment on checking how your server is set is key here: if magic_quotes_gpc is enabled, addslashes() will only duplicate slashes. As such, the common way to detect this and take appropriate action is:

if(get_magic_quotes_gpc()) {
    $uid = mysql_real_escape_string( stripslasshes($uid) );
    // etc. for all vars used in SQL query
} else {
    $uid = mysql_real_escape_string($uid);
    // etc. for all vars used in SQL query
}