priktop
asked on
"Incorrect password" on login script
Hello,
I am makinng an login script which i got from http://php.about.com/od/finishedphp1/ss/php_login_code.htm, but every time i want to login with the correct user:pass it keeps saying "incorrect password".
I've CHMOD the members.php to 777 already.
What am I doing wrong?
I am makinng an login script which i got from http://php.about.com/od/finishedphp1/ss/php_login_code.htm, but every time i want to login with the correct user:pass it keeps saying "incorrect password".
I've CHMOD the members.php to 777 already.
What am I doing wrong?
<?php include("includes/header.php"); ?>
<div id="page_title" >
<img src="images/titels/admin.png" width="212" height="45" alt="admin" />
</div>
<div id="content" >
Vul hieronder de logingegevens in.
<?php
// Connects to your Database
mysql_connect("***", "***", "***") or die(mysql_error());
mysql_select_db("***") or die(mysql_error());
//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))
//if there is, it logs you in and directes you to the members page
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($pass != $info['password'])
{
}
else
{
header("Location: admin.php");
}
}
}
//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted
// makes sure they filled it in
if(!$_POST['username'] | !$_POST['pass']) {
die('<br /><br />Je hebt niet alles ingevuld.');
}
// checks it against the database
if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());
//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('<br /><br />Incorrect username.');
}
while($info = mysql_fetch_array( $check ))
{
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);
//gives error if the password is wrong
if ($_POST['pass'] != $info['password']) {
die('<br /><br />Incorrect password.');
}
else
{
// if login is ok then we add a cookie
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pass'], $hour);
//then redirect them to the members area
header("Location: admin.php");
}
}
}
else
{
// if they are not logged in
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>
</div>
<?php include("includes/footer.php"); ?>
Are you storing the password in the database as an MD5 hash, some other encryption/hash, or in plain text? If in plain text, comment out line 59 in the code you posted.
ASKER
Yes it is stored as MD5 hash, so unfortunately that's not it.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks i figured out what was wrong thanks to that.
Good catch profya. IIRC, you are right... $_POST and $_GET are read-only since they are 'provided' by the page that sent the data.
Thanks guys.
I would like also to suggest changing the way the script shows incorrect login messages. As a security advice, never tell whether the problem is with the username of password because this helps the attacker, use one message for both:
"Incorrect username or password. Login denied."
or something alike.
I would like also to suggest changing the way the script shows incorrect login messages. As a security advice, never tell whether the problem is with the username of password because this helps the attacker, use one message for both:
"Incorrect username or password. Login denied."
or something alike.
ASKER
You are very right, haven't thought that way. Thanks :)