Password is always incorrect?

analusia

I haven't coded with PHP and SQL in a few years and I'm starting to experiment and gain my old knowledge back from it. I've been playing around with this simple login code and for some reason the password is always incorrect. The "all forms are not filled in" works, and "this user does not exist" works, but no matter the password I enter, it is always incorrect. can anyone help?

<?php
include ('header.php');
include ('connect.php');

if($loggedin == '0')
{
if(isset($_POST['submit']))
{

if((!isset($POST['username'])) || (!isset($POST['pass']))
|| ($POST['username'] == '') || ($POST['pass'] == ''))
die("Please fill out the form completely. <br><br>
<a href=default.php>Continue</a>");

$player = @("SELECT id, username, password, lastlogin FROM users WHERE username = '".$_POST['username']."'");
$player = @mysql_fetch_assoc($player);

if($player['id'] == false)
die("Sorry, that user does not exist!<br><br>
<a href=default.php>Back</a>");
else if($player['password'] != md5($_POST['pass']))
die("Wrong password!<br><br>
<a href=default.php>Back</a>");

$SESSION['id'] = $player['id'];
$SESSION['username'] = $player['username'];
$_SESSION['password'] = $player['password'];

$date = date("m/d/y");

$update = @("UPDATE users SET lastlogin = '$date' WHERE id = '".$SESSION['id']."'");
echo 'You are now logged in!';
}
else
{
echo 'You are not logged in. <br><br>
<form action=default.php method=post>
<table width=300><tr>
<th colspan=2>Login!</th></tr>
<tr><td width=30%>Username:</td>
<td><input type=text name=username></td></tr>
<tr><td width=30%>Password:</td>
<td><input type=password name=pass></td></tr>
<tr><th colspan=2>
<input type=submit name=submit value=Submit><br>
Not registered yet? <a href="register.php">Sign up!</a></th></tr>
</table><br><br>
</form>';
}
}
else
{
echo 'You are logged in!
Welcome, '.$SESSION['username'].'!
<br><br>
<a href=logout.php>Click Here to Logout</a>';
}
include "footer.php";
?>

(note: header is my css stylesheet, connect is database connection/information/password/etc and footer is data/time)

and my SQL database looks like this
http://i44.tinypic.com/2qkqe4l.png

cretaceous

echo these values to screen and check if they are the same at the point you do the comparison

echo $player['password'] ;
echo md5($_POST['pass']);

analusia

I did that in a separate file (still including connect) and it came out as d41d8cd98f00b204e9800998ecf8427e.

analusia

I think I found more of the problem. See, I also have a register script which looks like this

<?php
include('connect.php');
include "header.php";

if($loggedin == '1')
die("You can't register another account while you're logged in.");

if(isset($_POST['submit']))
{

$uname = trim($_POST['username']);

if((!isset($POST['username'])) || (!isset($POST['pass']))
|| ($uname == '') || ($_POST['pass'] == ''))
die("Please fill out the form completely. <br><br>
<a href=register.php>Continue</a>");

$check = @("SELECT id FROM users WHERE username = '$uname'");
$check = @mysql_num_rows($check);

if($check > 0)
die("Sorry, that username has already been taken. Please try again.
<br><br>
<a href=register.php>Continue</a>");

$pass = md5($_POST['pass']);

$date = date("m/d/y");

$newPlayer = @("INSERT INTO users (username, password, registered) VALUES ('$uname', '$pass', '$date')") or die("Error: ".mysql_error());

echo 'You have been registered! You may now <a href=default.php>Log in</a>.';

}
else
{

echo'
<form action=register.php method=post>
<table><tr><th colspan=2>
Register</tr></th><tr>
<td>Username:</td><td>
<input type=text name=username>
</td></tr>
<tr><td>
Password:</td><td>
<input type=password name=pass>
</td></tr><tr><th colspan=2>
<input type=submit name=submit value=Submit>
</tr></th>
</table>
</form>';

}

include "footer.php";
?>

And when I went on my site, I tried registering with the username 'apples' and the password 'banana'. And once again, trying to sign in with this failed. When i went into my database i saw that it successfully registered the username 'apples' but the password is 72b302bf297a228a75730123efef7c41, the md5 hash for banana.

Weedpacket

I suggest not trying to fix this right now, because it's going to need a lot of work done to it before it's safe to expose to the outside world. And while fixing that, this problem could be sorted out as a side-effect.

johanafm

And never ever use @ operator to supress errors.