  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 755

"Incorrect password" on login script

Hello,

I am making a login script which I got from http://php.about.com/od/finishedphp1/ss/php_login_code.htm, but every time I try to log in with the correct user:pass it keeps saying "incorrect password".
I've already chmod'ed members.php to 777.

What am I doing wrong?


<?php include("includes/header.php"); ?>

<div id="page_title">
  <img src="images/titels/admin.png" width="212" height="45" alt="admin" />
</div>

<div id="content">
  Vul hieronder de logingegevens in.

<?php
// Connects to your Database
mysql_connect("***", "***", "***") or die(mysql_error());
mysql_select_db("***") or die(mysql_error());

// Checks if there is a login cookie
if (isset($_COOKIE['ID_my_site']))

// if there is, it logs you in and directs you to the members page
{
    $username = $_COOKIE['ID_my_site'];
    $pass = $_COOKIE['Key_my_site'];
    $check = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
    while ($info = mysql_fetch_array($check))
    {
        if ($pass != $info['password'])
        {
        }
        else
        {
            header("Location: admin.php");

        }
    }
}

// if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

    // makes sure they filled it in (logical OR, not the bitwise | the tutorial used)
    if (!$_POST['username'] || !$_POST['pass']) {
        die('<br /><br />Je hebt niet alles ingevuld.');
    }
    // checks it against the database

    if (!get_magic_quotes_gpc()) {
        $_POST['username'] = addslashes($_POST['username']); // the field is 'username'; there is no 'email' field in the form
    }
    $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'") or die(mysql_error());

    // Gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('<br /><br />Incorrect username.');
    }
    while ($info = mysql_fetch_array($check))
    {
        $_POST['pass'] = stripslashes($_POST['pass']);
        $info['password'] = stripslashes($info['password']);
        $_POST['pass'] = md5($_POST['pass']);

        // gives error if the password is wrong
        if ($_POST['pass'] != $info['password']) {
            die('<br /><br />Incorrect password.');
        }

        else
        {

            // if login is ok then we add a cookie
            $_POST['username'] = stripslashes($_POST['username']);
            $hour = time() + 3600;
            setcookie('ID_my_site', $_POST['username'], $hour);  // cookie names are strings, not bare constants
            setcookie('Key_my_site', $_POST['pass'], $hour);

            // then redirect them to the members area
            header("Location: admin.php");
        }
    }
}
else
{

    // if they are not logged in
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>

</div>

<?php include("includes/footer.php"); ?>

Asked by: priktop
1 Solution
 
CCongdon commented:
Are you storing the password in the database as an MD5 hash, some other encryption/hash, or in plain text? If in plain text, comment out line 59 in the code you posted.
 
priktop (Author) commented:
Yes, it is stored as an MD5 hash, so unfortunately that's not it.
 
profya commented:
The best way to debug such a case:
1) Add error_reporting(E_ALL) at the top of the script. This helps detect warnings and unseen errors.
2) Visualize the problem by adding echo statements to see what's going on, for example echo the two passwords just before matching.

I suggest changing lines 57 to 63 as attached; I think $_POST is read-only.

$typedPass = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$typedPass = md5($typedPass);

//gives error if the password is wrong
if ($typedPass != $info['password']) {
die('<br /><br />Incorrect password.');

 
priktop (Author) commented:
Thanks, I figured out what was wrong thanks to that.
 
CCongdon commented:
Good catch profya. IIRC, you are right... $_POST and $_GET are read-only since they are 'provided' by the page that sent the data.
 
profya commented:
Thanks guys.
I would also like to suggest changing the way the script shows incorrect login messages. As security advice, never tell whether the problem is with the username or the password, because this helps the attacker; use one message for both:
"Incorrect username or password. Login denied."
or something alike.
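The points from profya's two comments (a local variable instead of writing back into $_POST, error_reporting(E_ALL), and a single failure message for both the username and the password case) combined into one login handler, as an added example that is not the asker's script or the about.com tutorial it came from. It keeps the thread's schema, a users table whose password column holds an MD5 hex digest, and assumes a mysqli connection with placeholder credentials and the form field names username and pass; the constant and function names are made up for the example.

```php
<?php
// Added example, not the asker's script or the about.com tutorial it came from.
// It keeps the thread's schema (a `users` table whose `password` column holds
// an MD5 hex digest) but applies the two points raised in the answers:
//   1. the typed password is hashed into a local variable instead of being
//      written back into $_POST, with error_reporting(E_ALL) turned on;
//   2. an unknown username and a wrong password produce the same message.
// It also binds the username as a query parameter instead of building the SQL
// with string concatenation, and keeps the login state in a session rather
// than in a cookie that carries the password hash.
// Assumed (not on the page): mysqli connection details, the form field names
// `username` and `pass`, and the constant/function names below.

error_reporting(E_ALL);           // step 1 from the thread: surface notices and warnings
ini_set('display_errors', '1');   // for debugging only; turn off on a public server

session_start();

const LOGIN_FAILED = 'Incorrect username or password. Login denied.';

$db = new mysqli('***', '***', '***', '***');   // host, user, password, database (placeholders)
if ($db->connect_error) {
    die('Database connection failed.');         // no connection details in the browser output
}

/**
 * Debugging aid in the spirit of step 2 from the thread: describe what is being
 * compared without printing the raw password into the page. An MD5 hex digest
 * is always 32 characters; a shorter stored value means the column truncated it
 * (or plain text was stored), and then every login fails with "incorrect password".
 */
function describe_mismatch(string $storedHash, string $typedHash): string
{
    return sprintf(
        'stored: len=%d prefix=%s | typed: len=%d prefix=%s',
        strlen($storedHash), substr($storedHash, 0, 6),
        strlen($typedHash), substr($typedHash, 0, 6)
    );
}

/**
 * True when $typedPass matches the stored hash for $username.
 * The caller cannot tell an unknown user from a wrong password.
 */
function check_login(mysqli $db, string $username, string $typedPass): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);            // bound parameter: no addslashes/magic quotes needed
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = (bool) $stmt->fetch();
    $stmt->close();

    $typedHash = md5($typedPass);                 // local variable; $_POST is left untouched

    // Compare against a dummy digest when the user does not exist, so the
    // response takes the same time either way and does not leak valid usernames.
    $reference = $found ? (string) $storedHash : md5('no-such-user');
    $match = hash_equals($reference, $typedHash); // constant-time string comparison

    if ($found && !$match) {
        error_log(describe_mismatch($reference, $typedHash));   // server log, never the browser
    }
    return $found && $match;
}

if (isset($_POST['submit'])) {
    $username  = $_POST['username'] ?? '';
    $typedPass = $_POST['pass'] ?? '';

    if ($username === '' || $typedPass === '') {
        die('Please fill in both fields.');
    }

    if (!check_login($db, $username, $typedPass)) {
        die(LOGIN_FAILED);                        // one message for both failure cases
    }

    session_regenerate_id(true);                  // new session id on privilege change
    $_SESSION['user'] = $username;
    header('Location: admin.php');
    exit;                                         // stop rendering the page after the redirect
}
```

The MD5 column is kept only so the comparison matches the thread's schema; a password store written today should use password_hash() and password_verify(), which salt and stretch the hash and do the constant-time comparison themselves. The diagnostic line is worth keeping while debugging: if the stored value logs with a length other than 32, the column is not holding a full digest, and every login will fail exactly as described in the question.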
 
priktop (Author) commented:
You are very right, I hadn't thought of it that way. Thanks :)
