Username &amp; Password check

Username & Password check

KeyIDentity

My problem NOW, is I am running a username and password check, I know the PW im putting in is correct and i am not being returned any error msgs... Rather when I put in the username and password, im getting then else statement " incorrect password" AGAIN I am def putting in the right password...

<?php

$username = $_POST['username'];
$password = $_POST['password'];

if ($username&&$password) 
{


$connect = mysql_connect("localhost","root","") or die("couldn't connect!");
mysql_select_db("keyidentity") or die ("couldn't find DB");

$query = mysql_query("SELECT * FROM users WHERE username='$username'");

$numrow = mysql_num_rows ($query);

if ($numrow!=0)
{

while ($row = mysql_fetch_assoc($query))
{
	$dbusername = $row['username'];
	$dppassword = $row['password'];
}

//check to see if they match
if ($username==$dbusername&&$password==$dbpassword)
{
	echo "You are logged in";
}
else
	echo "Incorrect Password";

}
else
	die("That user doesn't exist");


}
else
	die("please enter a username and password");

?>

laserlight

The problem is likely with the while loop in which you use mysql_fetch_assoc: when the loop ends, $row would contain the value false, not the array that you expect it to contain. In fact, you do not need the loop at all:

<?php

if (isset($_POST['username'], $_POST['password']))
{
    $connect = mysql_connect("localhost","root","") or die("couldn't connect!");
    mysql_select_db("keyidentity") or die("couldn't find DB");

$query = mysql_query("SELECT `password` FROM users WHERE username='%s'",
    mysql_real_escape_string($_POST['username']))
    or die("couldn't run query");

if (mysql_num_rows($query) != 0)
{
    $row = mysql_fetch_assoc($query);
    if ($row['password'] == $_POST['password'])
    {
        echo "You are logged in";
    }
    else
    {
        echo "Incorrect Password";
    }
}
else
{
    echo "That user doesn't exist");
}
}
else
{
    echo "please enter a username and password";
}

Notice that I:

Check that the incoming variables exist with isset (you can assign them to other variables if you want, but I have chosen not to do so).
Use mysql_real_escape_string (otherwise you are immediately vulnerable to SQL injection; but consider switching to the MySQLi or PDO extensions and using prepared statements).
Indent the code (and posted it in [noparse]
[/noparse] bbcode tags so the indentation becomes useful even when posted.
Change the die to echo in several places as you want to handle those situations gracefully. In fact, later you should remove those other instances of die in order to handle those errors gracefully, though for now die is a good debugging tool.

Furthermore, I select the password and then compare it. For the user's safety in case he/she reuses passwords and your database is compromised, you should combine the user's password with a salt value specific to the user, then apply a cryptographic hash by using [man]sha1/man or an appropriate algorithm with [man]hash/man. This salt would be stored, hence you would retrieve it along with the password (or rather, password hash), use the salt with the password given on login, hash and then compare the result with the password hash retrieved.

Oh, and one more thing: it is not always wise to allow the user to know precisely if the username was incorrect or if the password was incorrect, since an attacker could then deduce that he/she has the name of a valid user, and it is a matter of figuring out the password. Typically, mechanisms are used to delay the use of brute force, e.g., a small random delay upon a failed login, or a temporary suspension (e.g., a few minutes) of login upon too many consecutive failed logins.