"incorrect password" error when password is Correct!! Help

mannyguy

Hi. I have google searched this error and I can't seems to get it fixed. I already have a functioning register page. I'm not working on the log in(THE LOG IN PHP IS BELOW).
I am 100 sure I enter the right password but I continously keep getting and error saying "incorrect password, please try again."

<?php
//connects to database
mysql_connect("host", "user", "pass") or die(mysql_error());
mysql_select_db("useraccounts2011") or die (mysql_error());

//checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))

//if there is, it logs in and directs to members page
{
	$username = $_COOKIE['ID_my_site'];
	$userpassword = $_COOKIE['Key_my_site'];
	$check = mysql_query("SELECT * FROM users WHERE username = '$username'")
	or die(mysql_error());

while($info = mysql_fetch_array( $check ))
{
	if ($pass != $info['userpassword'])
		{
		}
	else
		{
		header(" testing_login.php");
		}
}
}
//if the log in form is submitted
if (isset($_POST['loginsubmit'])) { //if form has been submitted

//makes sure forms is filled in
if(!$_POST['username'] | !$_POST['userpassword']) {
		die('You did not fill in required fields.');
		}

//checks against database
if (!get_magic_quotes_gpc()) {
	$_POST['username'] = addslashes($_POST['username']);
	}

$check = mysql_query("SELECT * FROM users WHERE username = 
'".$_POST['username']."'")or die(mysql_error());

//gives error if user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
	die('Username does not exist. <a href="spartacu_joinsite.php">Register Here</a>');
	}
	while($info = mysql_fetch_array( $check))
	{
	$_POST['userpassword'] = stripslashes($_POST['userpassword']);
	$info['password'] = stripslashes($info['password']);
	$_POST['userpassword'] = md5($_POST['userpassword']);

//gives error if the password is wrong
	if ($_POST['userpassword'] != $info['password']) {
		die('Incorrect password, please try again.');
	}
	else
	{

//keeps username in form after 'Incorrect password' error
$_SESSION['username'] = $_POST['username'];


//if log in is ok we add a cookie
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;

setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['userpassword'], $hour);

//then redirect to members area

header("testing_login.php");
	}
	}
	}
	else
	{
	//if they are not logged in
	?>

bradgrafelman

Welcome to PHPBuilder! When posting PHP code, please use the board's [noparse]

..

[/noparse] bbcode tags as they make your code much easier to read and analyze. Also, you might want to remove/obfuscate your DB credentials next time.

As for your problem, here are several issues I see with your code above:

Note that many (including myself) would consider storing the user's password in plain text (i.e. unencrypted) in a cookie to be highly insecure and rather troubling.

Same goes for the database, too.
User-supplied data should never be placed directly into a SQL query, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize it with a function such as [man]mysql_real_escape_string/man (for string data) or use prepared statements.

See this man page for more info: [man]security.database.sql-injection[/man].
Why have useless code like this:
```
        if ($pass != $info['userpassword']) 
            { 
            } 
        else 
            { 
            header(" testing_login.php"); 
            } 
```
with empty blocks of code? Save yourself some typing (and us some reading - please!) and instead simply invert the if() condition. That way there's no need to use an 'else' branch at all.
While the above is general coding advice, note that there's probably no need for this while() loop at all. Assuming usernames are to be unique (you do have some sort of UNIQUE/PRIMARY constraint on that column if this assumption is true, yes?), that means you'll only SELECT at most 1 row. Why, then, would you create a loop that can only run at most 1 times (which doesn't sound like a loop at all)?
In addition, why SELECT rows that might not even match all of your criteria? Include the password constraint in the WHERE condition and there will be no need to manually check it in PHP since MySQL won't waste the time returning a row that doesn't match all of your criteria (username and password match) rather than just part of it (username matches).
This:
```
header(" testing_login.php"); 
```
is not following valid HTTP header syntax, thus at best it's going to do nothing.

In addition, the rest of the code is still going to be executed even if that point is reached. Either add an [man]exit[/man] after that header call, or restructure the code so that the execution path doesn't cover all of the processing whether it's needed or not. (Or, better yet; do both.)
Things like this:
```
//makes sure forms is filled in 
if(!$_POST['username'] | !$_POST['userpassword']) { 
```
are, IMHO, a bit sloppy and hard to understand. "If the negated boolean value of $POST['username'] OR'd with the negated boolean value of $POST['userpasswrd'] is true" is how I would read that if() condition out loud; notice how it doesn't make any sense?

Instead, either use something like [man]empty/man or perhaps [man]strlen/man (or whatever else you actually meant to do there) so that the code is more clear (and correct, as a bonus).
```
//checks against database 
if (!get_magic_quotes_gpc()) { 
    $_POST['username'] = addslashes($_POST['username']); 
    }
```
For one, [man]addslashes/man should never be used to prepare data for a MySQL query - it doesn't do the same job as the DBMS-specific escaping functions such as [man]mysql_real_escape_string/man.

For another, you should be checking the opposite condition and ensuring that the dreaded magic_quotes directive is disabled (and, if it isn't, get it disabled!). Otherwise, you'll have to first use [man]stripslashes/man to undo the damage magic_quotes_gpc has caused, but again that should be done only if the directive is indeed enabled.
Don't use 'SELECT *' queries at all (unless you actually mean to select every column in that table, now and in the future even if that table's schema changes - most likely you'll never actually mean this). Instead, only SELECT the columns from which you actually need data (or, if you're just checking for existence, SELECT some small constant value such as the integer 1).
Note that there's nothing wrong with re-using variables for new SQL queries, meaning there's no need to use [man]$check[/b], $check2, ..., $check9001, ... etc. when just $check will do.
It's a bit hard to follow the logical structure of your code due to the lack of consistent indentation/whitespace. Might want to be a bit more careful with that - it can help you just as much as it will us.
These two lines:
```
    setcookie(ID_my_site, $_POST['username'], $hour); 
    setcookie(Key_my_site, $_POST['userpassword'], $hour); 
```
should be generating error messages, unless you've defined ID_my_site and Key_my_site as [man]constant[/man]s somewhere that you haven't shown us. A [man]string[/man], don't forget, must be delimited in some way (most often using single or double quotes, for example).
Finally, can you show us the row from the DB that matches the account you're using when testing this script? More specifically, have you compared what the password looks like in the DB versus what you're using when attempting to login?

mannyguy

In the database the password shows up as a bunch of numbers. the actual password doesn't show up.

Also I need is help to be able to log in without the "incorrect password, please try again" error. More specifically is there something wrong with this:

//gives error if the password is wrong 
    if ($_POST['userpassword'] != $info['password']) { 
        die('Incorrect password, please try again.'); 
    } 
    else 
    {

bradgrafelman

What does the code look like that populates the database with the password in the first place?

mannyguy

This is what the register php looks like. I really know little about programming. I'm more of a webdesigner. I just wanted a simple log in feature that would allow users to access a couple pages of the site that I wanted to restrict to users only.

<?php 
 // Connects to your Database 

 mysql_connect("host", "user", "pass") or die(mysql_error()); 

 mysql_select_db("useraccounts2011") or die(mysql_error()); 


 //This code runs if the form has been submitted

 if (isset($_POST['submit'])) { 



 //This makes sure they did not leave any fields blank

 if (!$_POST['username'] | !$_POST['userpassword'] | !$_POST['userpasswordconfirm'] ) {

	die('You did not complete all of the required fields');

}


//For checkboxes
$readcombattips = $_POST['readcombattips'];
$accessdownloads = $_POST['accessdownloads'];
$supportrevolt = $_POST['supportrevolt'];
$testlogin = $_POST['testlogin'];
$noreason = $_POST['noreason'];



 // checks if the username is in use

if (!get_magic_quotes_gpc()) {

	$_POST['username'] = addslashes($_POST['username']);

}

 $usercheck = $_POST['username'];

 $check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") 

or die(mysql_error());

 $check2 = mysql_num_rows($check);



 //if the name exists it gives an error

 if ($check2 != 0) {

	die('Sorry, the username '.$_POST['username'].' is already in use.');

			}


 // this makes sure both passwords entered match

if ($_POST['userpassword'] != $_POST['userpasswordconfirm']) {

	die('Your passwords did not match. ');

}



// here we encrypt the password and add slashes if needed

$_POST['userpassword'] = md5($_POST['userpasswordconfirm']);

if (!get_magic_quotes_gpc()) {

	$_POST['userpassword'] = addslashes($_POST['userpassword']);

	$_POST['username'] = addslashes($_POST['username']);

		}



 // now we insert it into the database

$insert = "INSERT INTO users (username, userpassword)

		VALUES ('".$_POST['username']."', '".$_POST['userpassword']."')";

$add_member = mysql_query($insert);

?>
 <!--You have registered div-->
 <div class="youhaveregistered"> <p>Thank you, YOU HAVE REGISTERED! You may now log in!</p></h4>
 <!--End You have registered div-->

 <?php 
 } 

 else 
 {	
 ?>


 <?php

mannyguy

ignore the //For checkboxes section. That should have been deleted. Also sorry that I included mysql info..there's no edit button so I can't change it.

bradgrafelman

Here:

$_POST['userpassword'] = md5($_POST['userpasswordconfirm']);

you're using the MD5 hash of the password, whereas in your login script you're simply comparing the submitted password directly to the value stored in the DB (rather than first hashing it).

mannyguy

Dumb it down for me. What do I need to do? What code should I change? Thanks. Much appreaciated.

traq

[font=monospace]$password[/font] is not the same as [font=monospace]md5($password)[/font].
try this and see:

$pw = "mypassword";
print $pw;   // prints: mypassword
print md5($pw);   // prints: 34819d7beeabb9260a5c854bc85b3e44

since the original password is hashed before being saved in the database, you need to hash the submitted password before comparing the two (otherwise, obviously, they will not be the same).

mannyguy

So I should replace this:

//gives error if the password is wrong 
    if ($_POST['userpassword'] != $info['password']) { 
        die('Incorrect password, please try again.'); 
    } 
    else 
    {

with this:

 $pw = "mypassword"; 
print $pw;   // prints: mypassword 
print md5($pw);   // prints: 34819d7beeabb9260a5c854bc85b3e44

mannyguy

So this is what i replaced the old code with:

//gives error if the password is wrong
$pw = "password"; 
print $pw;   // prints: mypassword 
print md5($pw);   // prints: 34819d7beeabb9260a5c854bc85b3e44 
	if ($_POST['userpassword'] != $info['userpassword']) { 
		die("<div id='welcomesign2'>Sorry, incorrect password, please retry.<br />  <a href='spartacus_home.php'> Try Again. </a></div>");
	}
	else
	{

it works except now I message/error at the top of the page that reads:

password5f4dcc3b5aa765d61d8327deb882cf99

Weedpacket

What do you think that will do? (I emphasise "think" because you and your computer have different strengths and weaknesses when it comes to doing something: it brings computational ability but the thinking is your job).

mannyguy

Weedpacket;10991834 wrote:
What do you think that will do? (I emphasise "think" because you and your computer have different strengths and weaknesses when it comes to doing something: it brings computational ability but the thinking is your job).

All I need is direction. you can tell me to change this or to hash that. I know very little about this stuff. I don't know the jargon associated with php. All I'm looking is for someone to help me fix this problem. If they see a solution I would appreciate direction or instructions. Telling me what the problem is and what the solution is doesn't help me if they don't show me how to fix it.

traq

mannyguy;10991835 wrote:
All I need is direction. you can tell me to change this or to hash that. I know very little about this stuff. I don't know the jargon associated with php. All I'm looking is for someone to help me fix this problem. If they see a solution I would appreciate direction or instructions. Telling me what the problem is and what the solution is doesn't help me if they don't show me how to fix it.

if you have no idea what any of the code does (which seems likely given how you're approaching the problem), then you need more than "direction."

bradgrafelman pointed out what the problem was - my code example was a further explanation, intended to help you "see" the difference that it made.

I also described what you needed to do to fix your problem, and it wasn't "copy and paste this code." I explained:

traq wrote:
since the original password is hashed before being saved in the database, you need to hash the submitted password before comparing the two.

the hashing function in this case is [font=monospace]md5()[/font].

If you want to fix it yourself, you'll have to learn at least the basics of php, so you can understand when people offer you help.
If you want someone to fix it for you, you should be looking for a developer to hire.

mannyguy

traq;10991837 wrote:
if you have no idea what any of the code does (which seems likely given how you're approaching the problem), then you need more than "direction."

bradgrafelman pointed out what the problem was - my code example was a further explanation, intended to help you "see" the difference that it made.

I also described what you needed to do to fix your problem, and it wasn't "copy and paste this code." I explained: the hashing function in this case is [font=monospace]md5()[/font].

If you want to fix it yourself, you'll have to learn at least the basics of php, so you can understand when people offer you help.
If you want someone to fix it for you, you should be looking for a developer to hire.

If its as easy as someone just providing me the right code I wouldn't see why anyone wouldn't do that. If its a complicated issue that needs alot of time and attention than I wouldn't expect anyone to try to fix it.

If someone has the right code to "has the password" i would appreciate it, if I cant get that in these forums then please just let me know so I can take my issues somewhere else. Thank you all for your help.

Weedpacket

mannyguy wrote:
If its as easy as someone just providing me the right code I wouldn't see why anyone wouldn't do that. If its a complicated issue that needs alot of time and attention than I wouldn't expect anyone to try to fix it.

No, you've got that backwards. If it was a really easy fix you'd be expected to be capable of doing it yourself - not just now, but in the future (it's called debugging, and it's a skill that anyone with any intentions of programming needs to have); if it is a complicated issue then there is help available on the forums.

For the sake of argument, have a look at what you're actually comparing and see why they don't match. Change the error message so that it gives you a bit more information:

    if ($_POST['userpassword'] != $info['password']) {
           die('"' . $_POST['userpassword'] . '" does not match "' . $info['password'] . '"');
//        die('Incorrect password, please try again.');

mannyguy

Weedpacket;10991843 wrote:
No, you've got that backwards. If it was a really easy fix you'd be expected to be capable of doing it yourself - not just now, but in the future (it's called debugging, and it's a skill that anyone with any intentions of programming needs to have); if it is a complicated issue then there is help available on the forums.

For the sake of argument, have a look at what you're actually comparing and see why they don't match. Change the error message so that it gives you a bit more information:
    if ($_POST['userpassword'] != $info['password']) {
           die('"' . $_POST['userpassword'] . '" does not match "' . $info['password'] . '"');
//        die('Incorrect password, please try again.');

Difficulty is relative. I came here because I thought it would be a simple issue that people on these boards could fix. Its hard for me, but I assume not hard for many people here. I don't plan to go into programming. I don't plan to do anything outside of a a relatively simple log in in php. I'm doing this thru a tutorial I found online. I have no idea what any of the code means. I'm learning as I go. I have tried many different things to try and fix the problem before and after this thread. I see that people are trying to help me find the right answer. But everyone here is assuming that I know enough to figure it out. If I did I wouldn't have posted on this forum to begin with. If I thought it was simple I would have fixed it instead of wasting so much time. I understand the problem now. I see why the passwords don't match. I see that I needed to hash it. I just need the code to do so, because I've tried to figure it out and so far I've been unsuccessful.

johanafm

# Let's say the PLAIN TEXT password is "mypass"
# What you store in the database is md5("mypass")
# What the user enters when they want to login is still "mypass"

# Now, consider this line
if ($_POST['userpassword'] != $info['password'])

# $_POST['userpassword'] is data coming from the form, i.e. what the user entered.
# Assuming the correct information is entered, that would be "mypass"
# $info['password'] comes from the database. As pointed out above, that would be
# md5("mypass")
# As said by some other poster, there is a difference between the two which you can
# inspect by eye by using
echo $_POST['userpassword'] . ' / ' . $info['password'];
# And since we know what those two variables contain, it's evident that they
# are equivalent to writing
echo "mypass" . ' / ' . md5("mypass");
# which you can now see are not at all the same

# and that is the reason why your if check doesn't work, since that also
# is equivalent to
if ("mypass" == md5("mypass"))

So, is there anything you can do to the left hand side of the comparison to make it match the right hand side? Hint: look at what's different on the two sides.

An additional thing that you need to know but may not allready know is that a hashing function is a one way transformation of data which always yields the same result. That is, every time you md5("mypass") you will get the exact same result. There is however no way (more or less accurate) to transform md5("mypass") back into "mypass".

Weedpacket

mannyguy wrote:
I'm learning as I go.

Usually that would also include learning how to solve such problems as these, which is what we've been trying to teach here; but

I don't plan to go into programming.

if you're not planning on doing any programming in the future I guess it's redundant.

But everyone here is assuming that I know enough to figure it out.

That might be a consequence of your posting in this particular forum, rather than the Newbie's forum, where that assumption would not have been made.