PHP-LEE Posted November 14, 2011

I have a register page that MD5 hashes the user's password and a login which also does this. However, no matter what I try it always says incorrect password. Even when I remove the MD5.

Register Code:

```php
<?php
error_reporting (E_ALL ^ E_NOTICE);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Member System - Register</title>
</head>
<body>
<?php

if ( $_POST['registerbtn'] ){
    $getuser = $_POST['user'];
    $getemail = $_POST['email'];
    $getpass = $_POST['pass'];
    $getretypepass = $_POST['retypepass'];

    if ($getuser){
        if ($getemail){
            if ($getpass){
                if ($getretypepass){
                    if ( $getpass === $getretypepass ){
                        if ( (strlen($getemail) >= 7) && (strstr($getemail, "@")) && (strstr($getemail, ".")) ){
                            require("./connect.php");

                            $query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
                            $numrows = mysql_num_rows($query);
                            if ($numrows == 0){
                                $query = mysql_query("SELECT * FROM users WHERE email='$getemail'");
                                $numrows = mysql_num_rows($query);
                                if ($numrows == 0){

                                    $password = md5(md5("kjfiufj".$password."Fj56fj"));
                                    $date = date("F d, Y");
                                    $code = md5(rand());

                                    mysql_query("INSERT INTO users VALUES ( '', '$getuser', '$password', '$getemail', '0', '$code', '$date' )");

                                    $query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
                                    $numrows = mysql_num_rows($query);
                                    if ($numrows == 1){

                                        $site = "http://c3221281.web44.net/";
                                        $webmaster = "Simon <admin@simon.com>";
                                        $headers = "From: $webmaster";
                                        $subject = "Activate Your Account";
                                        $message = "Thanks for registering. Click the link below to activate your account.\n";
                                        $message .= "$site/activate.php?user=$getuser&code=$code\n";
                                        $message .= "You must activate your account to login.";

                                        if ( mail($getemail, $subject, $message, $headers) ){
                                            $errormsg = "You have been registered. You must activate your account from the activation link sent to <b>$getemail</b>.";
                                            $getuser = "";
                                            $getemail = "";
                                        }
                                        else
                                            $errormsg = "An error has occurred. Your activation email was not sent.";
                                    }
                                    else
                                        $errormsg = "An error has occurred. Your account was not created.";
                                }
                                else
                                    $errormsg = "There is already a user with that email.";
                            }
                            else
                                $errormsg = "There is already a user with that username.";

                            mysql_close();
                        }
                        else
                            $errormsg = "You must enter a valid email address to register.";
                    }
                    else
                        $errormsg = "Your passwords did not match.";
                }
                else
                    $errormsg = "You must retype your password to register.";
            }
            else
                $errormsg = "You must enter your password to register.";
        }
        else
            $errormsg = "You must enter your email to register.";
    }
    else
        $errormsg = "You must enter your username to register.";
}

$form = "<form action='./register.php' method='post'>
<table>
<tr>
    <td></td>
    <td><font color='red'>$errormsg</font></td>
</tr>
<tr>
    <td>Username:</td>
    <td><input type='text' name='user' value='$getuser' /></td>
</tr>
<tr>
    <td>Email:</td>
    <td><input type='text' name='email' value='$getemail' /></td>
</tr>
<tr>
    <td>Password:</td>
    <td><input type='password' name='pass' value='' /></td>
</tr>
<tr>
    <td>Retype:</td>
    <td><input type='password' name='retypepass' value='' /></td>
</tr>
<tr>
    <td></td>
    <td><input type='submit' name='registerbtn' value='Register' /></td>
</tr>
</table>
</form>";

echo $form;

?>
</body>
</html>
```

Login Code:

```php
<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
$userid = $_SESSION['userid'];
$username = $_SESSION['username'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Member System - Login</title>
</head>
<body>
<?php

if ($username && $userid){
    echo "You are already logged in as <b>$username</b>. <a href='./member.php'>Click here</a> to go to the member page.";
}
else{
    $form = "<form action='./login.php' method='post'>
    <table>
    <tr>
        <td>Username:</td>
        <td><input type='text' name='user' /></td>
    </tr>
    <tr>
        <td>Password:</td>
        <td><input type='password' name='password' /></td>
    </tr>
    <tr>
        <td></td>
        <td><input type='submit' name='loginbtn' value='Login' /></td>
    </tr>
    <tr>
        <td><a href='./register.php'>Register</a></td>
        <td><a href='./forgotpass.php'>Forgot your password?</a></td>
    </tr>
    </table>
    </form>";

    if ($_POST['loginbtn']){
        $user = $_POST['user'];
        $password = $_POST['password'];

        if ($user){
            if ($password){
                require("connect.php");

                $password = md5(md5("kjfiufj".$password."Fj56fj"));
                // make sure login info correct
                $query = mysql_query("SELECT * FROM users WHERE username='$user'");
                $numrows = mysql_num_rows($query);
                if ($numrows == 1){
                    $row = mysql_fetch_assoc($query);
                    $dbid = $row['id'];
                    $dbuser = $row['username'];
                    $dbpass = $row['password'];
                    $dbactive = $row['active'];

                    if ($password == $dbpass){
                        if ($dbactive == 1){
                            // set session info
                            $_SESSION['userid'] = $dbid;
                            $_SESSION['username'] = $dbuser;

                            echo "You have been logged in as <b>$dbuser</b>. <a href='./member.php'>Click here</a> to go to the member page.";
                        }
                        else
                            echo "You must activate your account to login. $form";
                    }
                    else
                        echo "You did not enter the correct password. $form";
                }
                else
                    echo "The username you entered was not found. $form";

                mysql_close();
            }
            else
                echo "You must enter your password. $form";
        }
        else
            echo "You must enter your username. $form";
    }
    else
        echo $form;
}

?>
</body>
</html>
```

Many thanks for your time and help,

PFMaBiSmAd Posted November 14, 2011

That error message is due to the following comparison failing - `if ($password == $dbpass){`. Why don't you echo both of those variables and see if you can determine why the comparison is failing?

PHP-LEE Posted November 14, 2011

> That error message is due to the following comparison failing - `if ($password == $dbpass){`. Why don't you echo both of those variables and see if you can determine why the comparison is failing?

Good idea. It only shows the $password and $dbpass is blank. I also tried $dbid and $dbuser which are both apparently blank also. Any ideas as to why?

Thanks

Psycho Posted November 14, 2011

Well, here is where you define $dbpass

```php
$dbpass = $row['password'];
```

So, I'm guessing 'password' is either blank or doesn't exist in the result set. Your code is very sloppy and will result in these kinds of problems. For example, here is where you do the insert

```php
mysql_query("INSERT INTO users VALUES ('', '$getuser', '$password', '$getemail', '0', '$code', '$date')");
```

First of all, you should always create your queries as string variables so you can echo them to the page for debugging purposes. Second, you are not specifying the fields for the values and are instead relying upon the order of the fields. That is what I mean by sloppy. If you ever need to make changes to your db structure in the future you may have many different pages to go update. Instead you should specify the fields and then the values. Then you wouldn't need to pass an empty value for fields that you don't have a value for like you are doing with the first field.

Anyway, do a print_r($row) to see what is returned from the query.

PHP-LEE Posted November 14, 2011

> Anyway, do a print_r($row) to see what is returned from the query.

Thanks for your reply. I have done a print_r($row) and it displays the correct row of the user I am trying to log in as, including the MD5 of the password I am typing. Does this help narrow down the problem?

Thanks,

PFMaBiSmAd Posted November 14, 2011

> It only shows the $password and $dbpass is blank. I also tried $dbid and $dbuser which are both apparently blank also. Any ideas as to why?

Where exactly in your code did you put the echo statements?

PFMaBiSmAd Posted November 14, 2011

You need to set error_reporting to E_ALL. Your existing setting is hiding notice messages and there is a notice that would help you determine why your registration script is not putting the correct password value into your table.

Hint: The submitted password is not in a variable named $password.

You also need to use a DATE data type for your date column, with a YYYY-MM-DD format. Your existing format cannot be directly used by mysql for greater-than/less-than comparisons, sorting, or in any of the mysql date functions.
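
The effect of the hint above, reproduced with the thread's own hashing expression as an added example (not code from any poster): hashing the undefined `$password` stores the same value for every account, and that value never matches what login.php computes. `register_as_posted()`, `register_fixed()` and `login_hash()` are hypothetical wrappers and the passwords are constructed samples.

```php
<?php
// Added example, not code from the thread. The three functions are hypothetical
// wrappers around the thread's own expression; the passwords are constructed.
error_reporting(E_ALL);

$diagnostics = [];
set_error_handler(function (int $errno, string $errstr) use (&$diagnostics): bool {
    // Honour error_reporting() the way the built-in handler does, so a mask such
    // as E_ALL ^ E_NOTICE can be tried by editing the error_reporting() call above.
    if (error_reporting() & $errno) {
        $diagnostics[] = $errstr;
    }
    return true;
});

// register.php as posted: the form value is in $getpass, but $password is hashed.
function register_as_posted(string $getpass): string
{
    // $password does not exist yet, so it concatenates as an empty string.
    $password = md5(md5("kjfiufj" . $password . "Fj56fj"));
    return $password;
}

// The same line, hashing the variable that actually holds the submitted value.
function register_fixed(string $getpass): string
{
    return md5(md5("kjfiufj" . $getpass . "Fj56fj"));
}

// login.php: hashes the submitted password with the same expression.
function login_hash(string $password): string
{
    return md5(md5("kjfiufj" . $password . "Fj56fj"));
}

$alice = register_as_posted("alice-secret");
$bob   = register_as_posted("bob-secret");

echo "same stored value for every account: ";
var_dump($alice === $bob);
echo "stored value is the hash of an empty password: ";
var_dump($alice === login_hash(""));
echo "login matches the stored value (as posted): ";
var_dump(login_hash("alice-secret") === $alice);
echo "login matches the stored value (fixed): ";
var_dump(login_hash("alice-secret") === register_fixed("alice-secret"));
echo "diagnostics raised:\n";
print_r($diagnostics);
```

On PHP 5 and 7 the undefined-variable diagnostic is a notice, which `E_ALL ^ E_NOTICE` suppresses; PHP 8 raises it as a warning.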

Psycho Posted November 14, 2011

> Hint: The submitted password is not in a variable named $password.

Good catch! I didn't see that before.

Also, I would highly suggest changing the logic for your validations and the resulting error handling. Your validations always check for a "valid" result, then proceed to the next (embedded) validation. This makes it VERY difficult to debug your code. One, because of all the embedded statements and Two, because it is hard to match up the error message to the validation. Instead, I find it easier to check for the invalid condition so I can put the error message where the validation takes place. For example:

```php
if (!$getuser)
{
    $errormsg = "You must enter your username to register.";
}
elseif (!$getemail)
{
    $errormsg = "You must enter your email to register.";
}
elseif (!$getpass)
{
    $errormsg = "You must enter your password to register.";
}
//Continue all validations
else
{
    //All validations passed, do something
}
```

However, there are several problems with the WAY you are doing your validations, but one thing at a time.
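
The suggestions made in this thread (check for the invalid condition first, name the columns, keep the query in a variable, store the date as YYYY-MM-DD) put together as an added example that is not code from any poster. It swaps `md5()` for `password_hash()`/`password_verify()` and the `mysql_*` calls for PDO prepared statements on an in-memory SQLite table. The function names and the `code` and `date` column names are assumptions.

```php
<?php
// Added example, not the thread's code. Function names and the `code` and `date`
// column names are assumed; the form values below are constructed.
function validate_registration(array $in): ?string
{
    // Test for the invalid condition so each message sits beside its check.
    if (($in['user'] ?? '') === '')  return "You must enter your username to register.";
    if (($in['email'] ?? '') === '') return "You must enter your email to register.";
    if (($in['pass'] ?? '') === '')  return "You must enter your password to register.";
    if ($in['pass'] !== ($in['retypepass'] ?? '')) return "Your passwords did not match.";
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        return "You must enter a valid email address to register.";
    }
    return null; // all validations passed
}

function register_user(PDO $db, array $in): ?string
{
    if (($error = validate_registration($in)) !== null) return $error;
    // The query lives in a variable so it can be echoed while debugging, names its
    // columns, and binds values instead of interpolating them into the string.
    $sql = "INSERT INTO users (username, password, email, active, code, date)
            VALUES (:user, :hash, :email, 0, :code, :date)";
    $db->prepare($sql)->execute([
        ':user'  => $in['user'],
        ':hash'  => password_hash($in['pass'], PASSWORD_DEFAULT), // swapped in for md5()
        ':email' => $in['email'],
        ':code'  => bin2hex(random_bytes(16)),                    // swapped in for md5(rand())
        ':date'  => date('Y-m-d'),
    ]);
    return null;
}

function password_matches(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT password FROM users WHERE username = :user");
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn(); // false when the username is unknown
    return is_string($hash) && password_verify($pass, $hash);
}

$db = new PDO('sqlite::memory:'); // in-memory SQLite so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT,
           email TEXT UNIQUE, active INTEGER, code TEXT, date TEXT)");
$form = ['user' => 'lee', 'email' => 'lee@example.test', 'pass' => 'S3cret!', 'retypepass' => 'S3cret!'];
var_dump(register_user($db, ['user' => 'lee'])); // constructed input with the email missing
var_dump(register_user($db, $form), password_matches($db, 'lee', 'S3cret!'), password_matches($db, 'lee', 'wrong'));
```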