Jump to content

login form

mforan

By mforan
in PHP Coding Help

 Share

Recommended Posts

mforan Member

mforan

Posted
Posted

User fills log in form on another page, but is then presented with "Your username cannot be found or password doesnt match" untill they press F5.... any ideas anyone?

 
<?php
mysql_connect("localhost","ambroid_mike","347610");
@mysql_select_db("ambroid_findapart") or die( "Unable to select database");

$user = $_POST['user'];
$pass = $_POST['pass'];

$mysqluser = ereg_replace("_", "\_", $user);
$query = "SELECT password FROM users WHERE username LIKE BINARY '$mysqluser'";
$result = mysql_query($query) or die("Error: ".mysql_error());
$row = mysql_fetch_array($result, MYSQL_NUM);
$foundpass = $row[0];


if ($foundpass == $pass) {
setcookie("FAPusername", $user);
setcookie("FAPpassword", sha1($foundpass));
$user = $_COOKIE['FAPusername'];
$pass = $_COOKIE['FAPpassword'];
}

$query = "SELECT * FROM users WHERE username='$user'";
$result = mysql_query($query) or die("Error: ".mysql_error());
$info = array();
$info = mysql_fetch_array($result, MYSQL_NUM);
$original = array();
$original = $info;

if (sha1($info[2]) != $pass) {
    mysql_close();
    die("<br><br><center><body bgcolor='#FFFFFF'><b><font face='Verdana' size='2pt'>Your username cannot be found or password doesnt match</font></b></center></body></html>");
}

?>

Link to comment
Share on other sites
Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

Cookie data isn't available until the next page load, so this block of code that assigns the values to the variables based on the cookie values will assign empty or null values the first time around. When the page is refreshed with F5, the values are available, assigned and the script functions as expected.

 

 

if ($foundpass == $pass) {setcookie("FAPusername", $user);setcookie("FAPpassword", sha1($foundpass));$user = $_COOKIE['FAPusername'];$pass = $_COOKIE['FAPpassword'];}

 

Link to comment
Share on other sites
Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

Sure, just assign the variables their values the same way you're assigning the values to the cookies, since the end result is they'll have the same values anyhow. Actually, since $user already has a value, there's no need to reassign it a value . . .

 

Also note that storing password data in a cookie isn't necessarily the best thing you can do security-wise. You'd be better off to either store it in a SESSION var, or just query the db for it in the event it's needed again (probably the best option).

 

 

if ($foundpass == $pass) {setcookie("FAPusername", $user);setcookie("FAPpassword", sha1($foundpass));$pass = sha1($foundpass);}

 

Link to comment
Share on other sites
Miss_Rebelx Newbie

Miss_Rebelx

Posted
Posted

I noticed that at the end, your comparison seems to be wrong:

 

 

if (sha1($info[2]) != $pass) {    mysql_close();    die("<br><br><center><body bgcolor='#FFFFFF'><b><font face='Verdana' size='2pt'>Your username cannot be found or password doesnt match</font></b></center></body></html>");}

 

 

You never transformed $pass with sha1(), so how is the comparison going to work? If you had originally encrypted the value before putting it in the database with sha1(), as far as I can tell and test, doing sha1() to it again, like you're doing, won't decrypt it. Best to compare it by encrypting $pass and then seeing if they equate.

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Storing fixed/static values in cookies for login purposes is not secure. Once someone gets a hold of those values, the can send those to your server and appear to be the actual person they belong to as long as they remain the same fixed/static values.

 

You should generate a unique id (see: uniqid) per visitor and save it in the cookie and in their row in your user table. The cookie will only identify the visitor. Its existence alone won't cause that visitor to be logged in. You would then only store a value on the server that determines if the matching visitor is logged in or not.

Link to comment
Share on other sites
mforan Member

mforan

Posted
  • Author
Posted

I noticed that at the end, your comparison seems to be wrong:

 

 

if (sha1($info[2]) != $pass) {    mysql_close();    die("<br><br><center><body bgcolor='#FFFFFF'><b><font face='Verdana' size='2pt'>Your username cannot be found or password doesnt match</font></b></center></body></html>");}

 

 

You never transformed $pass with sha1(), so how is the comparison going to work? If you had originally encrypted the value before putting it in the database with sha1(), as far as I can tell and test, doing sha1() to it again, like you're doing, won't decrypt it. Best to compare it by encrypting $pass and then seeing if they equate.

 

 

not sure what you mean??

Link to comment
Share on other sites
mforan Member

mforan

Posted
  • Author
Posted

Sure, just assign the variables their values the same way you're assigning the values to the cookies, since the end result is they'll have the same values anyhow. Actually, since $user already has a value, there's no need to reassign it a value . . .

 

Also note that storing password data in a cookie isn't necessarily the best thing you can do security-wise. You'd be better off to either store it in a SESSION var, or just query the db for it in the event it's needed again (probably the best option).

 

 

if ($foundpass == $pass) {setcookie("FAPusername", $user);setcookie("FAPpassword", sha1($foundpass));$pass = sha1($foundpass);}

 

 

 

do sessions work if the person simply presses "go" on their browser again (not f5), will it keep them logged in???

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.