Jump to content

User signup is inserting to MySQL but the passwords coming up wrong, any advice?

j.smith1981

By j.smith1981
in PHP Coding Help

 Share

Recommended Posts

j.smith1981 Regular Member

j.smith1981

Posted
Posted

Hi there I have a problem here, I think I may know what it is but just wanted some guidance on this issue.

 

I took the logic from a previous help from the people on this forum and here is my landing page:

 

<?php
// ini_set("display_errors", 1);

// randomly starts a session!

session_name("jeremyBasicLogin");
session_start();

if(isset($_SESSION['username']))  {

// display whatever when the user is logged in:

echo <<<ADDENTRY

	<html>
		<head>
			<title>User is now signed in:<title>
		</head>

		<body>
			<h1>You are now signed in!</h1>
				<p>You can do now what you want to do!</p>
			</body>
		</html>
ADDENTRY;

} else {
// If anything else dont allow access and send back to original page!

	header("location: signin.php");

}
?>

 

This is where the user goes to when they go to this system (not a functional system, ie it doesnt actually do anything its more for my own theory.

 

As you wont have a session on the first turn to this page it goes to:

 

signin.php which contains:

<?php
// ini_set("display_errors", 1);

require_once('func.db.connect.php');

if(array_key_exists('submit',$_POST)) {

dbConnect(); // connect to database anyways!

// Do a procedure to log the user in:

// Santize User Inputs
$username = trim(stripslashes(mysql_real_escape_string($_POST['username']))); // cleans up with PHP first!
$password = trim(stripslashes(mysql_real_escape_string(md5($_POST['password'])))); // cleans up with PHP first!

$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($sql);

if(mysql_num_rows($result) == 1) {

	session_name("jeremyBasicLogin");
	session_start();
	$_SESSION['is_logged_in'] = true;
	$_SESSION['username'] = $username;
	//print_r($_SESSION);  // debug purposes only!
	$_SESSION['time_loggedin'] = time(); // this is adding to the array (have seen the output in the SESSION vars!

	// call function to update the time stamp in MySQL?


	header("location: index.php");

} else if(mysql_num_rows($result) != 1) {
	$message = "You typed the wrong password or Username Please retry!";
}
} else {
$message = "";
}
// displays the login page:
echo <<<LOGIN
<html>
<body>
	<h1>Example Login</h1>

	<form id="login" name="login" action="{$_SERVER['PHP_SELF']}" method="post">
		<label for="username">Username: </label><input type="text" id="username" name="username" value="" /><br>
		<label for="password">Password: </label><input type="text" id="password" name="password" value="" /><br>
		<input type="submit" id="submit" name="submit" value="Login" />
	</form>
LOGIN;
	echo "<p>" . $message . "</p>";
echo <<<LOGIN

	<p>Please Login to View and Edit Your Entries</p>
	<p><a href="register.php">Click Here To Signup</a><p>
</body>
</html>
LOGIN;
?>

 

This checks through user inputs and hopefully logs them in, when Ive inserted the data into the database itself it works, if I try and login but if a user fills in this form:

 

signup.php:

 

<?php
//ini_set("display_errors", 1);

$message ='';

require_once('func.db.connect.php');

if(array_key_exists('submit',$_POST)) {

dbConnect(); // connect to database anyways!

// do some safe protecting of the users variables, apply it to all details!
$username = trim(stripslashes(mysql_real_escape_string($_POST['username']))); // cleans up with PHP first!
$email = trim(stripslashes(mysql_real_escape_string($_POST['email']))); // cleans up with PHP first!
$password = trim(stripslashes(mysql_real_escape_string(md5($_POST['password'])))); // does as above but also encrypts it using the md5 function!
$password2 = trim(stripslashes(mysql_real_escape_string(md5($_POST['password2'])))); // does as above but also encrypts it using the md5 function!

if($username != '' && $email != '' && $password != '' && $password2 != '') {
	// do whatever when not = to nothing/empty fields!

	if($password === $password2) {
		// do database stuff to enter users details

		$sql = "INSERT INTO `test`.`users` (`id` ,`username` ,`password`) VALUES ('' , '$username', MD5( '$password' ));";
		$result = mysql_query($sql);
		if($result) {
			$message = 'You may now login by clicking <a href="index.php">here</a>';
		}

	} else {
		// echo out a user message says they got their 2 passwords incorrectly typed:
		$message = 'Pleae re enter your password';
	}

} else {
	// they where obviously where empty
	$message = 'You missed out some required fields, please try again';
}

}

echo <<<REGISTER

<html>
<body>
<h1>Register Form</h1>
<p>Please fill in this form to register</p>
<form id="register" name="register" action="{$_SERVER['PHP_SELF']}" method="post">

<table>
	<tr>
		<td><label for="username">Username: </label></td>
		<td><input type="text" id="username" name="username" value="" /></td>
	</tr>

	<tr>
		<td><label for="email">Email: </label></td>
		<td><input type="text" id="email" name="email" value="" /></td>
	</tr>

	<tr>
		<td><label for="password">Password: </label></td>
		<td><input type="text" id="password" name="password" value="" /></td>
	</tr>

	<tr>
		<td><label for="password">Confirm Password: </label></td>
		<td><input type="text" id="password2" name="password2" value="" /></td>
	</tr>

	<tr>
		<td><input type="submit" id="submit" name="submit" value="Register" /></td>
	</tr>

<table>

REGISTER;
echo "<p>" . $message . "</p>";
echo <<<REGISTER

</form>
</body>
</html>
REGISTER;
?>

 

As I said when the user signs up when submitting the above form, it doesnt work, keeps coming up with a different value for the password, so I am about 99% certain its the password, but I have been maticulous about copying in the sanitize function for SQL injections and it just doesnt still work, really puzzled now.

 

Any helps appreciated,

Jeremy.

Link to comment
Share on other sites
micah1701 Member

micah1701

Posted
Posted

might not solve your problem but you should change:

trim(stripslashes(mysql_real_escape_string(md5($_POST['password']))))

to

md5(trim(stripslashes($_POST['password'])))

 

the functions work from the inside out.  so once you've md5()'d the word its not going to need to be real_escaped_string()'d anyway and it won't need to be trim'd or striped of slashes because you'll just have your md5 hash which doesn't have those things.

 

Link to comment
Share on other sites
j.smith1981 Regular Member

j.smith1981

Posted
  • Author
Posted

might not solve your problem but you should change:

trim(stripslashes(mysql_real_escape_string(md5($_POST['password']))))

to

md5(trim(stripslashes($_POST['password'])))

 

the functions work from the inside out.  so once you've md5()'d the word its not going to need to be real_escaped_string()'d anyway and it won't need to be trim'd or striped of slashes because you'll just have your md5 hash which doesn't have those things.

 

That didnt work, hmm didnt think it would, I'm baffled now, even increased the password attribute in the database to 100 just to see if it was that but that hasnt worked either.

 

Any other suggestions?

 

Thanks in advance,

Jeremy.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.