Login Script helo

iM0d_

I always recieve the error message I have. Any help? I've checked to see that there are indeed users in the DB (which there are).

<?php
require_once '/includes/config.php'; // All of the settings for the site
require_once '/includes/dbconfig.php'; // Database Configuration
?>
<?php
	session_start();
	if($_POST) {
		$username = $_POST['username'];
		$password = $_POST['password'];		
		$conn = mysql_connect($dbhost,$dbuser,$dbpass)
			or die ('Error connecting to mysql');
		mysql_select_db($dbname);
		$query = sprintf("SELECT COUNT(id) FROM users WHERE UPPER(username) = UPPER('%s') AND password='%s'",
			mysql_real_escape_string($username),
			mysql_real_escape_string(md5($password)));
		$result = mysql_query($query);
		if($result == false) // something wrong with query
{
   user_error(mysql_error()."<br />\n$query");
   die("Database error");
} 
		list($count) = mysql_fetch_row($result);
		if($count == 1) {
			$_SESSION['authenticated'] = true;
			$_SESSION['username'] = $username;
			$query = sprintf("UPDATE users SET last_login = NOW() WHERE UPPER(username) = UPPER('%s') AND password = '%s'",
				mysql_real_escape_string($username),
				mysql_real_escape_string(md5($password)));
			mysql_query($query);
			$query = sprintf("SELECT is_admin FROM users WHERE UPPER(username) = UPPER('%s') AND password='%s'",
				mysql_real_escape_string($username),
				mysql_real_escape_string(md5($password)));
			$result = mysql_query($query);
			list($is_admin) = mysql_fetch_row($result);
			if($is_admin == 1) {
				header('Location:admin.php');			
			} else {
				header('Location:support.php');				
			}
		} else {	
$error = "Error: that username and password combination does not match any currently within our database.";
		}
	}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head><title><?php echo "$pageTitle"; ?> - Login</title></head>
<body>
<form action='login.php' method='post'>
Username: <input type='text' name='username' /><br />
Password: <input type='password' name='password' /><br />
<input type='submit' value='Login' />
</form>
<?php echo "$error"; ?>
</body>
</html>

iM0d_

Sorry wrong code, here it is

<?php
require_once '/includes/config.php'; // All of the settings for the site
require_once '/includes/dbconfig.php'; // Database Configuration
?>
<?php
	session_start();
	if($_POST) {
		$username = $_POST['username'];
		$password = $_POST['password'];		
		$conn = mysql_connect($dbhost,$dbuser,$dbpass)
			or die ('Error connecting to mysql');
		mysql_select_db($dbname);
		$query = sprintf("SELECT COUNT(id) FROM users WHERE UPPER(username) = UPPER('&#37;s') AND password='%s'",
			mysql_real_escape_string($username),
			mysql_real_escape_string(md5($password)));
		$result = mysql_query($query);
		if($result == false) // something wrong with query
{
   user_error(mysql_error()."<br />\n$query");
   die("Database error");
} 
		list($count) = mysql_fetch_row($result);
		if($count == 1) {
			$_SESSION['authenticated'] = true;
			$_SESSION['username'] = $username;
			$query = sprintf("UPDATE users SET last_login = NOW() WHERE UPPER(username) = UPPER('%s') AND password = '%s'",
				mysql_real_escape_string($username),
				mysql_real_escape_string(md5($password)));
			mysql_query($query);
			$query = sprintf("SELECT is_admin FROM users WHERE UPPER(username) = UPPER('%s') AND password='%s'",
				mysql_real_escape_string($username),
				mysql_real_escape_string(md5($password)));
			$result = mysql_query($query);
			list($is_admin) = mysql_fetch_row($result);
			if($is_admin == 1) {
				header('Location:admin.php');			
			} else {
				header('Location:support.php');				
			}
		} else {	
$error = "Error: that username and password combination does not match any currently within our database.";
		}
	}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head><title><?php echo "$pageTitle"; ?> - Login</title></head>
<body>
<form action='login.php' method='post'>
Username: <input type='text' name='username' /><br />
Password: <input type='password' name='password' /><br />
<input type='submit' value='Login' />
</form>
<?php echo "$error"; ?>
</body>
</html>

NogDog

What is the error message?

iM0d_

Error: that username and password combination does not match any currently within our database.

NogDog

Nothing obvious jumps out at me, but it might be revealing to echo out $count where that error message appears (in case, for example, it's matching more than one record), and also $query (to make sure the SQL looks like what you think it should).

zypher11

Echo out the md5($password) that was submitted and check it against the account your trying to log in as. Its possible that they arent the same due to an accidental CAPS or something.

Lots of things that could be clashing there. In your query instead of using UPPER(username) just type USERNAME, if that's in fact the name of the column. Also take the mysql_real_escape_string off of your password that's being encrypted. MD5 won't let there be any special characters in it anyways. Use: $password = strtoupper($_POST['password']); instead of poping it to upper in the sql statement. Just try all the little things you can think of that could be causing the conflict because there doesnt seem to be anything wrong with how its written.

bradgrafelman

zypher11 wrote:
n your query instead of using UPPER(username) just type USERNAME, if that's in fact the name of the column.

Erm, the UPPER() function has nothing to do with the column name, rather its value... :p

zypher11 wrote:
Use: $password = strtoupper($_POST['password']); instead of poping it to upper in the sql statement.

The OP never converts the password to upper case in his original code (nor should he, since that can very likely reduce the complexity of the password).

Regardless, the real solution to the whole uppercase issue isn't converting anything to uppercase. Instead, iM0d., you should be using a case-insensitive collation (either on this column or even the entire table), e.g. any collation that ends in "_ci". Using such a collation means that there is no need to convert two strings to the same case in order for them to be equal, e.g. "JohnDoe" will be considered equal to "johndoe".

iM0d_

The $password had an extra 0 added onto it when I echo'd it out. Could this be the problem?

NogDog

iM0d.;10954875 wrote:
The $password had an extra 0 added onto it when I echo'd it out. Could this be the problem?

Are you talking about the hashed version (md5)? If so, could it be that the password field in your database table is to small? (It needs to be at least 32 characters long.)

iM0d_

Thanks! That was the problem

zypher11

bradgrafelman;10954853 wrote:
Erm, the UPPER() function has nothing to do with the column name, rather its value... :p

The OP never converts the password to upper case in his original code (nor should he, since that can very likely reduce the complexity of the password).

Regardless, the real solution to the whole uppercase issue isn't converting anything to uppercase. Instead, iM-d., you should be using a case-insensitive collation (either on this column or even the entire table), e.g. any collation that ends in "_ci". Using such a collation means that there is no need to convert two strings to the same case in order for them to be equal, e.g. "JohnDoe" will be considered equal to "johndoe".

Ya that was me having a massive brain fart haha. I meant to reference his UPPER('%s') to convert the username being submitted. Was just thinking of the small possibilities that could be causing it. :p