priktop

"Incorrect password" on login script

Hello,

I am making a login script which I got from http://php.about.com/od/finishedphp1/ss/php_login_code.htm, but every time I want to log in with the correct user:pass it keeps saying "incorrect password".
I've already CHMODed members.php to 777.

What am I doing wrong?


<?php include("includes/header.php"); ?>
    
 	<div id="page_title" >
      <img src="images/titels/admin.png" width="212" height="45" alt="admin" />
    </div>
    
 	<div id="content" >    
      Vul hieronder de logingegevens in.
      
      <?php 
// Connects to your Database 
mysql_connect("***", "***", "***") or die(mysql_error()); 
mysql_select_db("***") or die(mysql_error()); 

//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))

//if there is, it logs you in and directs you to the members page
{ 
$username = $_COOKIE['ID_my_site']; 
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check )) 
{
if ($pass != $info['password']) 
{
}
else
{
header("Location: admin.php");

}
}
}

//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

// makes sure they filled it in
if(!$_POST['username'] | !$_POST['pass']) {
die('<br /><br />Je hebt niet alles ingevuld.');
}
// checks it against the database

if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Gives error if user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('<br /><br />Incorrect username.');
}
while($info = mysql_fetch_array( $check )) 
{
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);

//gives error if the password is wrong
if ($_POST['pass'] != $info['password']) {
die('<br /><br />Incorrect password.');
}

else 
{ 

// if login is ok then we add a cookie 
$_POST['username'] = stripslashes($_POST['username']); 
$hour = time() + 3600; 
setcookie(ID_my_site, $_POST['username'], $hour); 
setcookie(Key_my_site, $_POST['pass'], $hour);	

//then redirect them to the members area 
header("Location: admin.php"); 
} 
} 
} 
else 
{	

// if they are not logged in 
?> 
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> 
<table border="0"> 
<tr><td colspan=2><h1>Login</h1></td></tr> 
<tr><td>Username:</td><td> 
<input type="text" name="username" maxlength="40"> 
</td></tr> 
<tr><td>Password:</td><td> 
<input type="password" name="pass" maxlength="50"> 
</td></tr> 
<tr><td colspan="2" align="right"> 
<input type="submit" name="submit" value="Login"> 
</td></tr> 
</table> 
</form> 
<?php 
} 
?>

</div>

<?php include("includes/footer.php"); ?>

CCongdon

Are you storing the password in the database as an MD5 hash, some other encryption/hash, or in plain text? If in plain text, comment out line 59 in the code you posted.
priktop

ASKER

Yes, it is stored as an MD5 hash, so unfortunately that's not it.
ASKER CERTIFIED SOLUTION
profya
This solution is only available to members.
priktop

ASKER

Thanks, I figured out what was wrong thanks to that.
Good catch profya. IIRC, you are right... $_POST and $_GET are read-only since they are 'provided' by the page that sent the data.
Thanks guys.
I would also like to suggest changing the way the script shows incorrect login messages. As security advice, never tell whether the problem is with the username or the password, because this helps the attacker. Use one message for both:
"Incorrect username or password. Login denied."
or something alike.
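
The single-message advice above, as an added example that is not part of the thread or the asker's script: one function returns the same text whether the username is unknown or the password is wrong, and verifies against a throwaway hash when the user is missing so both failure paths do comparable work. Assumptions: PDO with the SQLite driver, a constructed in-memory `users` table and account, the hypothetical helpers `make_demo_db()` and `check_login()`, and `password_hash()` storage in place of the thread's MD5 column.

```php
<?php
// Added example, not the asker's script. Assumptions: PDO with the SQLite
// driver, a constructed in-memory users table, and password_hash() storage
// instead of the thread's MD5 column.
const LOGIN_FAILED = 'Incorrect username or password. Login denied.';

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    // Constructed demo account.
    $ins->execute(['admin', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns null on success, or the single generic message on any failure.
function check_login(PDO $db, string $username, string $password): ?string
{
    // Hash of a throwaway value, verified when the user does not exist so
    // the unknown-user path still runs password_verify().
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();          // false when no such user

    $ok = password_verify($password, $stored === false ? $dummy : $stored);
    if ($stored === false || !$ok) {
        return LOGIN_FAILED;                 // same text for both causes
    }
    return null;
}

$db = make_demo_db();
$cases = [
    ['admin',  's3cret-demo'],   // valid credentials
    ['admin',  'wrong'],         // known user, bad password
    ['nobody', 'wrong'],         // unknown user
];
foreach ($cases as [$u, $p]) {
    printf("%-7s %-12s => %s\n", $u, $p, check_login($db, $u, $p) ?? 'login ok');
}
```
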
priktop

ASKER

You are very right, haven't thought that way. Thanks :)