My login code isn't working

gguppies

Hi guys,
For some reason my login code doesn't work. It is able to check the database and everything, but when the password is correct it does not log the user in. I don't know where the error could be, but probably somewhere in the part where it checks to see if the password matches the username. Here's the code:

<?php 

// Connects to your Database 

mysql_connect("", "", "") or die(mysql_error()); 

mysql_select_db("") or die(mysql_error()); 


//Checks if there is a login cookie

 if(isset($_COOKIE['ID_my_site']))


 //if there is, it logs you in and directes you to the members page

 { 
   $username = $_COOKIE['ID_my_site']; 

   $pass = $_COOKIE['Key_my_site'];

    $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());

while($info = mysql_fetch_array( $check ))    

   {

   if ($pass != $info['password']) 

     {

                }

   else

      {

      header("Location: index.php");



      }

   }

 }


 //if the login form is submitted 

if (isset($_POST['submit'])) { // if form has been submitted



 // makes sure they filled it in

if(!$_POST['username'] | !$_POST['pass']) {

   function validate(){

 if(username == ''){
 echo('• You need to fill in your username.');
 ?>


<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> 

<table border="0"> 

<tr><td colspan=2><h1>Login</h1></td></tr> 

<tr><td>Username:</td><td> 

<input type="text" name="username" maxlength="40"> 

</td></tr> 

<tr><td>Password:</td><td>

<input type="password" name="pass2" maxlength="50" /></td></tr> 

<tr><td colspan="2" align="right"> 

<input type="submit" name="submit" value="Login"><br/> 

<a href="forgot1.php" class="forgot">Forgot your username?</a><br/>
 <a href="forgot2.php" class="forgot">Forgot your password?</a>

 </td></tr> 

</table> 

</form> 

<?php
 }
 if(pass == ''){
 echo('• Please fill in a password.');
 ?>
  <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> 

<table border="0"> 

<tr><td colspan=2><h1>Login</h1></td></tr> 

<tr><td>Username:</td><td> 

<input type="text" name="username" maxlength="40"> 

</td></tr> 

<tr><td>Password:</td><td> 

<input type="password" name="pass" maxlength="50"> 

</td></tr> 

<tr><td colspan="2" align="right"> 

<input type="submit" name="submit" value="Login"><br/> 

<a href="forgot1.php" class="forgot">Forgot your username?</a><br/>
 <a href="forgot2.php" class="forgot">Forgot your password?</a>

 </td></tr> 

</table> 

</form> 

<?php
 }
 } 

   }

// checks it against the database



if (!get_magic_quotes_gpc()) {

   $_POST['email'] = addslashes($_POST['email']);

}

$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());



 //Gives error if user dosen't exist

 $check2 = mysql_num_rows($check);

 if ($check2 == 0) {
  echo('• That user does not exist in our database. <a href="register.php">Click Here to Register</a>, or try again below.');

 ?>
 <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> 

<table border="0"> 

<tr><td colspan=2><h1>Login</h1></td></tr> 

<tr><td>Username:</td><td> 

<input type="text" name="username" maxlength="40"> 

</td></tr> 

<tr><td>Password:</td><td> 

<input type="password" name="pass" maxlength="50"> 

</td></tr> 

<tr><td colspan="2" align="right"> 

<input type="submit" name="submit" value="Login"><br/> 

<a href="forgot1.php" class="forgot">Forgot your username?</a><br/>
 <a href="forgot2.php" class="forgot">Forgot your password?</a>

 </td></tr> 

</table> 

</form> 
<?php

         }

 while($info = mysql_fetch_array( $check ))    

 {

 $_POST['pass'] = stripslashes($_POST['pass']);

$info['password'] = stripslashes($info['password']);

$_POST['pass'] = md5($_POST['pass']);



 //gives error if the password is wrong

if ($_POST['pass'] != $info['password']) {

  echo('• Incorrect password, please try again.');

  ?>
    <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> 

<table border="0"> 

<tr><td colspan=2><h1>Login</h1></td></tr> 

<tr><td>Username:</td><td> 

<input type="text" name="username" maxlength="40"> 

</td></tr> 

<tr><td>Password:</td><td> 

<input type="password" name="pass" maxlength="50"> 

</td></tr> 

<tr><td colspan="2" align="right"> 

<input type="submit" name="submit" value="Login"><br/> 

<a href="forgot1.php" class="forgot">Forgot your username?</a><br/>
 <a href="forgot2.php" class="forgot">Forgot your password?</a>

 </td></tr> 

</table> 

</form> 


<?php
    }

   else 

{ 


// if login is ok then we add a cookie 
     session_start();
      $_SESSION['userID'] = $info['userID']; 
     $_SESSION['userID'] = 1;

 $_POST['username'] = stripslashes($_POST['username']); 

$hour = time() + 3600; 

setcookie(ID_my_site, $_POST['username'], $hour); 

setcookie(Key_my_site, $_POST['pass'], $hour);    



//then redirect them to the members area 

header("Location: index.php"); 

} 

} 

} 

else 

{    



// if they are not logged in 

?> 

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> 

<table border="0"> 

<tr><td colspan=2><h1>Login</h1></td></tr> 

<tr><td>Username:</td><td> 

<input type="text" name="username" maxlength="40"> 

</td></tr> 

<tr><td>Password:</td><td> 

<input type="password" name="pass" maxlength="50"> 

</td></tr> 

<tr><td colspan="2" align="right"> 

<input type="submit" name="submit" value="Login"><br/> 

<a href="forgot1.php" class="forgot">Forgot your username?</a><br/>
 <a href="forgot2.php" class="forgot">Forgot your password?</a>

 </td></tr> 

</table> 

</form> 

<?php 

} 



?>

This is a lot of code, but idk exactly where the problem is. Thanks for the help 🙂!

sneakyimp

This code is really confusing. You have numerous forms in there and we have no idea whether it all lives in one file and, if so, what the filename is.

Maybe you should start with something simple and add onto it bit by bit?

gguppies

Hi Sneakyimp,
Sorry about the long and confusing code. I changed it a bit though, made it more compact. Now it looks like this:

<?php
			   mysql_connect("lago.startlogicmysql.com", "gguppies", "12345678") or die(mysql_error()); 

 mysql_select_db("tutorescue") or die(mysql_error()); 

		   function is_valid_user()
		   {
				  if(isset($_SESSION['userID']))
				{
  					echo "<a href='members.php'>" .$row['firstname']. "</a>";
				}
				if(!isset($_SESSION['userID']))
				{
  					echo "<a href='login.php' class='login'>Login</a>";
				}
		   }
		   $query = mysql_query("SELECT * FROM users WHERE userID = '".$_POST['userID']."'")or die(mysql_error());
		   $row = mysql_fetch_array($query);

 //Checks if there is a login cookie
 $errors=0;

 if(isset($_COOKIE['ID_my_site']))


 //if there is, it logs you in and directes you to the members page

 { 
 	$username = $_COOKIE['ID_my_site']; 

$pass = $_COOKIE['Key_my_site'];

 	$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());

while($info = mysql_fetch_array( $check )) 	

	{

	if ($pass != $info['password']) 

		{

		 			}

	else

		{

		header("Location: index.php");



		}

	}

 }


 //if the login form is submitted 

 if (isset($_POST['submit']) && !empty($_POST['submit'])) { // if form has been submitted



 // makes sure they filled it in

if(!$_POST['username'] | !$_POST['pass']) {

	function validate(){

 if(username == ''){
 echo('• You need to fill in your username.');
 $errors++;
 }
 if(pass == ''){
 echo('• Please fill in a password.');
 $errors++;
 }
 } 

}

// checks it against the database



if (!get_magic_quotes_gpc()) {

	$_POST['email'] = addslashes($_POST['email']);

}

$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());



 //Gives error if user dosen't exist

 $check2 = mysql_num_rows($check);

 if ($check2 == 0) {
  echo('• That user does not exist in our database. <a href="register.php">Click Here to Register</a>, or try again below.');
  $errors++;
				}

 while($info = mysql_fetch_array( $check )) 	

 {

 $_POST['pass'] = stripslashes($_POST['pass']);

$info['password'] = stripslashes($info['password']);

$_POST['pass'] = md5($_POST['pass']);



 //gives error if the password is wrong

if ($_POST['pass'] != $info['password']) {

	echo('• Incorrect password, please try again.');
	$errors++;
}

else 

 { 


 // if login is ok then we add a cookie 
 	  session_start();
      $_SESSION['userID'] = $info['userID']; 
	  $_SESSION['userID'] = 1;

 $_POST['username'] = stripslashes($_POST['username']); 

 $hour = time() + 3600; 

 setcookie(ID_my_site, $_POST['username'], $hour); 

 setcookie(Key_my_site, $_POST['pass'], $hour);	 



 //then redirect them to the members area 

 header("Location: index.php"); 

 } 

 } 

 }  

 ?>

The form is at the center of the page and not included in the code above.
Even though I changed the code, it continues to give me the same error and not allowing the users to login even when the password entered matches the one in the database. I think the error might be somewhere in here:

$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());



 //Gives error if user dosen't exist

 $check2 = mysql_num_rows($check);

 if ($check2 == 0) {
  echo('• That user does not exist in our database. <a href="register.php">Click Here to Register</a>, or try again below.');
  $errors++;
            }

 while($info = mysql_fetch_array( $check ))    

 {

 $_POST['pass'] = stripslashes($_POST['pass']);

$info['password'] = stripslashes($info['password']);

$_POST['pass'] = md5($_POST['pass']);



 //gives error if the password is wrong

if ($_POST['pass'] != $info['password']) {

  echo('• Incorrect password, please try again.');
  $errors++;
}

I am not 100% sure though. Thanks for your help 🙂.

sneakyimp

You should edit this post and remove the passwords.

sneakyimp

Let me first say that your code is completely disorganized. I'd recommend that you consider starting over again and really think about what you are doing first. For starters, you have posted what appear to be two different scripts without telling me what their names are.

In the first script you connect to the database and run a query that uses $_POST data without even checking:

mysql_connect("lago.startlogicmysql.com", "gguppies", "12345678") or die(mysql_error());
mysql_select_db("tutorescue") or die(mysql_error());

function is_valid_user()
{
	if(isset($_SESSION['userID']))
	{
		echo "<a href='members.php'>" .$row['firstname']. "</a>";
	}
	if(!isset($_SESSION['userID']))
	{
		echo "<a href='login.php' class='login'>Login</a>";
	}
}
$query = mysql_query("SELECT * FROM users WHERE userID = '".$_POST['userID']."'")or die(mysql_error());
$row = mysql_fetch_array($query);

If the user hasn't submitted anything to this script, that is probably going to return an error and die. Whether they have submitted or not, it runs a query and returns $row and then does nothing with the var $row.

Then you perform a cookie check and have some other stuff happen if the cookie is defined. It looks like you are looking for a username and password in the cookie. It's a really bad idea to store usernames and passwords in a cookie:

if(isset($_COOKIE['ID_my_site']))


//if there is, it logs you in and directes you to the members page

{
	$username = $_COOKIE['ID_my_site'];

$pass = $_COOKIE['Key_my_site'];

$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());

while($info = mysql_fetch_array( $check ))

{

	if ($pass != $info['password'])

	{

	}

	else

	{

		header("Location: index.php");



	}

}

}

And that's just for starters. Your code is also poorly formatted. I'm not sure what you're trying to do here, but I think you should start over and keep it simple. Let's build up from simple rather than trying to fix this long, confused bunch of code.