"Incorrect password" on login script

Hello,

I am making a login script which I got from http://php.about.com/od/finishedphp1/ss/php_login_code.htm, but every time I want to log in with the correct user:pass it keeps saying "incorrect password".
I've CHMOD the members.php to 777 already.

What am I doing wrong?


<?php include("includes/header.php"); ?>

<div id="page_title">
    <img src="images/titels/admin.png" width="212" height="45" alt="admin" />
</div>

<div id="content">
    Vul hieronder de logingegevens in.

<?php
// Connects to your Database
mysql_connect("***", "***", "***") or die(mysql_error());
mysql_select_db("***") or die(mysql_error());

//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))

//if there is, it logs you in and directs you to the members page
{
    $username = $_COOKIE['ID_my_site'];
    $pass = $_COOKIE['Key_my_site'];
    $check = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
    while($info = mysql_fetch_array($check))
    {
        if ($pass != $info['password'])
        {
        }
        else
        {
            header("Location: admin.php");

        }
    }
}

//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

    // makes sure they filled it in
    if(!$_POST['username'] | !$_POST['pass']) {
        die('<br /><br />Je hebt niet alles ingevuld.');
    }
    // checks it against the database

    if (!get_magic_quotes_gpc()) {
        $_POST['email'] = addslashes($_POST['email']);
    }
    $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'") or die(mysql_error());

    //Gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('<br /><br />Incorrect username.');
    }
    while($info = mysql_fetch_array($check))
    {
        $_POST['pass'] = stripslashes($_POST['pass']);
        $info['password'] = stripslashes($info['password']);
        $_POST['pass'] = md5($_POST['pass']);

        //gives error if the password is wrong
        if ($_POST['pass'] != $info['password']) {
            die('<br /><br />Incorrect password.');
        }

        else
        {

            // if login is ok then we add a cookie
            $_POST['username'] = stripslashes($_POST['username']);
            $hour = time() + 3600;
            setcookie(ID_my_site, $_POST['username'], $hour);
            setcookie(Key_my_site, $_POST['pass'], $hour);

            //then redirect them to the members area
            header("Location: admin.php");
        }
    }
}
else
{

    // if they are not logged in
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan="2"><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>

</div>

<?php include("includes/footer.php"); ?>


priktop Asked:

profya Commented:
The best way to debug such a case:
1) Add error_reporting(E_ALL) at the top of the script. This helps detect warnings and unseen errors.
2) Visualize the problem by adding echo statements to see what's going on, for example echo the two passwords just before matching.

I suggest changing lines 57 to 63 as attached; I think $_POST is read-only.

$typedPass = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$typedPass = md5($typedPass);

//gives error if the password is wrong
if ($typedPass != $info['password']) {
    die('<br /><br />Incorrect password.');
}

 
CCongdon Commented:
Are you storing the password in the database as an MD5 hash, some other encryption/hash, or in plain text? If in plain text, comment out line 59 in the code you posted.
 
priktop (Author) Commented:
Yes it is stored as MD5 hash, so unfortunately that's not it.

 
priktop (Author) Commented:
Thanks, I figured out what was wrong thanks to that.
 
CCongdon Commented:
Good catch profya. IIRC, you are right... $_POST and $_GET are read-only since they are 'provided' by the page that sent the data.
 
profya Commented:
Thanks guys.
I would also like to suggest changing the way the script shows incorrect login messages. As security advice, never tell whether the problem is with the username or the password, because this helps the attacker; use one message for both:
"Incorrect username or password. Login denied."
or something alike.
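A login check written the way profya's two comments point to (local variables instead of rewriting $_POST, one failure message for unknown user and wrong password), added here as an example; it is not the asker's script or the about.com code. It assumes the question's `users` table with `username` and `password` (md5 hex) columns, and goes a step further than the thread by using a bound parameter and hash_equals(); the in-memory SQLite database and the sample user are constructed so it runs offline.

```php
<?php
// Added example, not the asker's script or the about.com code. The `users`
// table (username, password as md5 hex) is assumed from the question; the
// SQLite fixture below is constructed for the demo.
declare(strict_types=1);
error_reporting(E_ALL);   // as profya suggests, surface notices and warnings

const LOGIN_FAILED = 'Incorrect username or password. Login denied.';

function fetch_user(PDO $pdo, string $username): ?array
{
    // Bound parameter: no addslashes()/magic_quotes juggling needed.
    $stmt = $pdo->prepare('SELECT username, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function password_matches(string $typedPass, string $storedHash): bool
{
    // md5 is kept only because that is what the question's table holds
    // (password_hash()/password_verify() is the modern choice);
    // hash_equals() makes the comparison constant-time.
    return hash_equals(strtolower(trim($storedHash)), md5($typedPass));
}

function attempt_login(PDO $pdo, string $username, string $typedPass): bool
{
    $user = fetch_user($pdo, $username);
    // "No such user" and "wrong password" give the same result, so the
    // reply does not tell a caller which usernames exist.
    return $user !== null && password_matches($typedPass, $user['password']);
}

// Constructed fixture and demo run.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', md5('correct horse')]);

foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'correct horse']] as [$u, $p]) {
    echo $u, ': ', attempt_login($pdo, $u, $p) ? 'login ok' : LOGIN_FAILED, PHP_EOL;
}
```

On success the caller would start a session and store the username there rather than putting the password hash in a cookie as the posted script does.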
 
priktop (Author) Commented:
You are very right, I hadn't thought of it that way. Thanks :)