Incorrect password?

[3raser]

The password ARE correct. My code keeps saying that the password is INCORRECT. The password is MD5'ed once a user registers, and when they type in a password at the login (as shown), the password is also MD5'ed.

 

Why is it that it's output is incorrect password?

 

<?php
session_start();
include("includes/mysql.php");
include("includes/config.php");

?>


<title><?php echo $title; ?></title>

	<?php
	if(!$_SESSION['user'])
	{

	$username = $_POST['username'];
	$password = $_POST['password'];

	$username = mysql_real_escape_string($username);
	$password = mysql_real_escape_string($password);

	if(!$password || !$username)
	{

		echo
		'
		<h1>Login</h1>

					<center><p><form action="login.php" method="POST">
					<table border="0">
					<tr><th>Username:</th> <td><input type="text" name="username" maxlength="20"><br/></td></tr>
					<tr><th>Password:</th> <td><input type="password" name="password" maxlength="30"><br/></td></tr>
					<tr><th></th><td><input type="submit" value="Login"></td></tr>
					</table></form></p></center>
			</div>
		';

	}
	else
	{
	 $query = mysql_query("SELECT COUNT(username),password,username FROM users WHERE username='$username'");
	 $check = mysql_fetch_assoc($query);

	 $db_username = $check['username'];

	 $password = md5($password);

	 if($check['COUNT(username)'] < 1)
	 {
		echo
		'
				 <p>No account exists with this username. Please go back.</p>
		';
	 }
	 elseif($check['password']==$password && $db_username==$username)
	 {
		echo
		'
		<h1>Login Successful</h1>

				 <p>You have successfully logged in! Return home.</p>

		';
		$_SESSION['user']=$username;
	 }
	 else
	 {
			echo
			'
					 <p>The password you have enetered in is incorrect. Please go back.</p>

			';
	 }
	}
	}
	else
	{
			echo
			'
					 <p>Your already logged in!</p>
			';
	}
	?>

[BlueSkyIS]

problem: you use mysql_real_escape_string($password) before using md5($password).

[Pikachu2000]

You should actually not use any escaping on a value that will be, or has already been hashed.

[3raser]

Did all of the above.

 

Still didn't work.

 

Is it something wrong with my extraction query?

[Pikachu2000]

Have you echoed $username to be sure it has a value?

[trq]

Your entire authentication logic is flawed as well IMO.

 

if ($result = mysql_query("SELECT id FROM users WHERE username = '$username' && `password` = '$password' LIMIT 1")) {
  if (mysql_num_rows($result)) {
    // valid, log user in
  } else {
    // invalid. show error
  }
} else {
  // query failed, handle error
}

 

Letting crackers know that they have a valid user name but not a valid pass & vice verso is never a good idea.

[3raser]

Have you echoed $username to be sure it has a value?

 

Yes, and the value comes out correctly.

 

The password you have entered in for Admin is incorrect. Please go back.

[Pikachu2000]

I agree with thorpe, that is something that needs to be changed. Have you manually compared the password value in the database to the hash generated in the login script?

[3raser]

Your entire authentication logic is flawed as well IMO.

 

if ($result = mysql_query("SELECT id FROM users WHERE username = '$username' && `password` = '$password' LIMIT 1")) {
  if (mysql_num_rows($result)) {
    // valid, log user in
  } else {
    // invalid. show error
  }
} else {
  // query failed, handle error
}

 

Letting crackers know that they have a valid user name but not a valid pass & vice verso is never a good idea.

 

No worries, I just had that in there to make sure the username variable was working correctly.

 

And this code of yours, is it a fix or just a better code organization?

 

Can you please point out what was wrong with my previous code? It's just the way I code, and I'd love to get a few pointers on how I could improve it.

[jcbones]

Does your database column have enough space for a MD5 hash?

[Pikachu2000]

. . . Have you manually compared the password value in the database to the hash generated in the login script?