Help - Login Always Says 'Incorrect Password'


PHP-LEE

I have a register page that MD5 hashes the user's password and a login which also does this. However, no matter what I try, it always says incorrect password. Even when I remove the MD5.

Register Code:

<?php

error_reporting (E_ALL ^ E_NOTICE);

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Member System - Register</title>
</head>
<body>
<?php


if ( $_POST['registerbtn'] ){
$getuser = $_POST['user'];
$getemail = $_POST['email'];
$getpass = $_POST['pass'];
$getretypepass = $_POST['retypepass'];

if ($getuser){
	if ($getemail){
		if ($getpass){
			if ($getretypepass){
				if ( $getpass === $getretypepass ){
					if ( (strlen($getemail) >= 7) && (strstr($getemail, "@")) && (strstr($getemail, ".")) ){
						require("./connect.php");

						$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
						$numrows = mysql_num_rows($query);
						if ($numrows == 0){
							$query = mysql_query("SELECT * FROM users WHERE email='$getemail'");
							$numrows = mysql_num_rows($query);
							if ($numrows == 0){


								$password = md5(md5("kjfiufj".$password."Fj56fj"));
								$date = date("F d, Y");
								$code = md5(rand());

								mysql_query("INSERT INTO users VALUES (
									'', '$getuser', '$password', '$getemail', '0', '$code', '$date'
								)");

								$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
								$numrows = mysql_num_rows($query);
								if ($numrows == 1){

									$site = "http://c3221281.web44.net/";
									$webmaster = "Simon <admin@simon.com>";
									$headers = "From: $webmaster";
									$subject = "Activate Your Account";
									$message = "Thanks for registering. Click the link below to activate your account.\n";
									$message .= "$site/activate.php?user=$getuser&code=$code\n";
									$message .= "You must activate your account to login.";

									if ( mail($getemail, $subject, $message, $headers) ){
										$errormsg = "You have been registered. You must activate your account from the activation link sent to <b>$getemail</b>.";
										$getuser = "";
										$getemail = "";
									}
									else
										$errormsg = "An error has occurred. Your activation email was not sent.";

								}
								else
									$errormsg = "An error has occurred. Your account was not created.";

							}
							else
								$errormsg = "There is already a user with that email.";
						}
						else
							$errormsg = "There is already a user with that username.";

						mysql_close();
					}
					else
						$errormsg = "You must enter a valid email address to register.";
				}
				else
					$errormsg = "Your passwords did not match.";
			}
			else
				$errormsg = "You must retype your password to register.";
		}
		else
			$errormsg = "You must enter your password to register.";
	}
	else
		$errormsg = "You must enter your email to register.";
}
else
	$errormsg = "You must enter your username to register.";
}


$form = "<form action='./register.php' method='post'>
<table>
<tr>
<td></td>
<td><font color='red'>$errormsg</font></td>
</tr>
<tr>
<td>Username:</td>
<td><input type='text' name='user' value='$getuser' /></td>
</tr>
<tr>
<td>Email:</td>
<td><input type='text' name='email' value='$getemail' /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='pass' value='' /></td>
</tr>
<tr>
<td>Retype:</td>
<td><input type='password' name='retypepass' value='' /></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='registerbtn' value='Register' /></td>
</tr>
</table>
</form>";

echo $form;

?>
</body>
</html>

Login Code:


<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
$userid = $_SESSION['userid'];
$username = $_SESSION['username'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Member System - Login</title>
</head>
<body>
<?php

if ($username && $userid){
	echo "You are already logged in as <b>$username</b>. <a href='./member.php'>Click here</a> to go to the member page.";
}
else{
	$form = "<form action='./login.php' method='post'>
	<table>
	<tr>
		<td>Username:</td>
		<td><input type='text' name='user' /></td>
	</tr>
	<tr>
		<td>Password:</td>
		<td><input type='password' name='password' /></td>
	</tr>
	<tr>
		<td></td>
		<td><input type='submit' name='loginbtn' value='Login' /></td>
	</tr>
	<tr>
		<td><a href='./register.php'>Register</a></td>
		<td><a href='./forgotpass.php'>Forgot your password?</a></td>
	</tr>
	</table>
	</form>";

	if ($_POST['loginbtn']){
		$user = $_POST['user'];
		$password = $_POST['password'];

		if ($user){
			if ($password){
				require("connect.php");

				$password = md5(md5("kjfiufj".$password."Fj56fj"));


				// make sure login info correct
				$query = mysql_query("SELECT * FROM users WHERE username='$user'");
				$numrows = mysql_num_rows($query);
				if ($numrows == 1){
					$row = mysql_fetch_assoc($query);
					$dbid = $row['id'];
					$dbuser = $row['username'];
					$dbpass = $row['password'];
					$dbactive = $row['active'];

					if ($password == $dbpass){
						if ($dbactive == 1){
							// set session info
							$_SESSION['userid'] = $dbid;
							$_SESSION['username'] = $dbuser;

							echo "You have been logged in as <b>$dbuser</b>. <a href='./member.php'>Click here</a> to go to the member page.";

						}
						else
							echo "You must activate your account to login. $form";
					}
					else
						echo "You did not enter the correct password. $form";
				}
				else
					echo "The username you entered was not found. $form";

				mysql_close();
			}
			else
				echo "You must enter your password. $form";
		}
		else
			echo "You must enter your username. $form";
	}
	else
		echo $form;
}
?>
</body>
</html>

Many thanks for your time and help,

Link to comment
Share on other sites

That error message is due to the following comparison failing - if ($password == $dbpass){. Why don't you echo both of those variables and see if you can determine why the comparison is failing?

 

Good idea.

 

It only shows the $password and $dbpass is blank. I also tried $dbid and $dbuser which are both apparently blank also.

 

Any ideas as to why?

 

Thanks

Link to comment
Share on other sites

Well, here is where you define $dbpass

$dbpass = $row['password'];

 

So, I'm guessing 'password' is either blank or doesn't exist in the result set. Your code is very sloppy and will result in these kinds of problems. For example, here is where you do the insert

mysql_query("INSERT INTO users VALUES ('', '$getuser', '$password', '$getemail', '0', '$code', '$date')");

 

First of all, you should always create your queries as string variables so you can echo them to the page for debugging purposes. Second, you are not specifying the fields for the values and are instead relying upon the order of the fields. That is what I mean by sloppy. If you ever need to make changes to your db structure in the future you may have many different pages to go update. Instead you should specify the fields and then the values. Then you wouldn't need to pass an empty value for fields that you don't have a value for like you are doing with the first field.

 

Anyway, do a print_r($row) to see what is returned from the query.

Link to comment
Share on other sites

Anyway, do a print_r($row) to see what is returned from the query.

 

Thanks for your reply.

 

I have done a print_r($row) and it displays the correct row of the user I am trying to log in as, including the MD5 of the password I am typing.

 

Does this help narrow down the problem?

 

Thanks,

Link to comment
Share on other sites

You need to set error_reporting to E_ALL. Your existing setting is hiding notice messages and there is a notice that would help you determine why your registration script is not putting the correct password value into your table. Hint: The submitted password is not in a variable named $password.

 

You also need to use a DATE data type for your date column, with a YYYY-MM-DD format. Your existing format cannot be directly used by mysql for greater-than/less-than comparisons, sorting, or in any of the mysql date functions.

 

 

Link to comment
Share on other sites

Hint: The submitted password is not in a variable named $password.

 

Good catch! I didn't see that before.

 

Also, I would highly suggest changing the logic for your validations and the resulting error handling. Your validations always check for a "valid" result, then proceed to the next (embedded) validation. This makes it VERY difficult to debug your code. One, because of all the embedded statements and Two, because it is hard to match up the error message to the validation. Instead, I find it easier to check for the invalid condition so I can put the error message where the validation takes place.

 

For example:

if (!$getuser)
{
    $errormsg = "You must enter your username to register.";
}
elseif (!$getemail)
{
    $errormsg = "You must enter your email to register.";
}
elseif (!$getpass)
{
    $errormsg = "You must enter your password to register.";
}

//Continue all validations

else
{
    //All validations passed, do something
}

 

However, there are several problems with the WAY you are doing your validations, but one thing at a time.

Link to comment
Share on other sites
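
An added example, not code from any poster in this thread: registration and login with the changes the replies ask for (hash the value that was actually submitted, name the INSERT columns, store the date as YYYY-MM-DD, report all errors, check the invalid condition first). It also swaps in two techniques the thread does not use: PDO prepared statements instead of interpolated mysql_query strings, and password_hash()/password_verify() in place of the double MD5 with fixed strings. The in-memory SQLite table, the `code` and `date` column names, and the sample account are assumptions made so the script runs on its own.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.4+ with pdo_sqlite.
declare(strict_types=1);
error_reporting(E_ALL); // surfaces notices such as "Undefined variable $password"

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema; `code` and `date` column names are assumptions.
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT UNIQUE NOT NULL, password TEXT NOT NULL,
        email TEXT UNIQUE NOT NULL, active INTEGER NOT NULL DEFAULT 0,
        code TEXT NOT NULL, date TEXT NOT NULL)"); // date kept as YYYY-MM-DD
    return $db;
}

function register_user(PDO $db, string $user, string $email, string $pass): string {
    // Check the invalid condition first so each message sits next to its test.
    if ($user === '') return 'You must enter your username to register.';
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) return 'You must enter a valid email address to register.';
    if ($pass === '') return 'You must enter your password to register.';
    $sql = 'INSERT INTO users (username, password, email, code, date)
            VALUES (:u, :p, :e, :c, :d)'; // named columns, bound values
    try {
        $db->prepare($sql)->execute([
            ':u' => $user,
            ':p' => password_hash($pass, PASSWORD_DEFAULT), // hashes the submitted value, per-user salt
            ':e' => $email,
            ':c' => bin2hex(random_bytes(16)),              // activation code from a CSPRNG
            ':d' => date('Y-m-d'),
        ]);
    } catch (PDOException $e) {
        if ((string)$e->getCode() !== '23000') throw $e;    // only swallow UNIQUE violations
        return 'There is already a user with that username or email.';
    }
    return '';
}

function check_login(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT password, active FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password']) && (int)$row['active'] === 1;
}

// Constructed demo data.
$db = open_db();
var_dump(register_user($db, 'alice', 'alice@example.test', 'correct horse'));
$db->exec("UPDATE users SET active = 1 WHERE username = 'alice'");
var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, "o'brien", 'x')); // a quote in the input is data, not SQL
```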
