TLN_CANADA asked:

PHP Login Page not working correctly

Hi all,

I found this PHP script online, changed it around a little, but even when I have the correct username and password it's giving the message "Incorrect password, please try again.".

The DB connection is correct so it must be the script.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<?php

// Connects to your Database
mysql_connect("xxx)
mysql_select_db("bubblesdb") or die(mysql_error());

// Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))
// if there is, it logs you in and directs you to the members page
{
    $username = $_COOKIE['ID_my_site'];
    $pass = $_COOKIE['Key_my_site'];
    $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
    while($info = mysql_fetch_array( $check ))
    {
        if ($pass != $info['password'])
        {
        }
        else
        {
            header("Location: bubble.php");
        }
    }
}

// if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

    // makes sure they filled it in
    if(!$_POST['username'] | !$_POST['pass']) {
        die('You did not fill in a required field.');
    }

    // checks it against the database
    if (!get_magic_quotes_gpc()) {
        $_POST['email'] = addslashes($_POST['email']);
    }
    $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());

    // Gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('That user does not exist in our database. <a href=add.php>Click Here to Register</a>');
    }

    while($info = mysql_fetch_array( $check ))
    {
        $_POST['pass'] = stripslashes($_POST['pass']);
        $info['password'] = stripslashes($info['password']);
        $_POST['pass'] = md5($_POST['pass']);

        // gives error if the password is wrong
        if ($_POST['pass'] != $info['password']) {
            die('Incorrect password, please try again.');
        }
        else
        {
            // if login is ok then we add a cookie
            $_POST['username'] = stripslashes($_POST['username']);
            $hour = time() + 3600;
            setcookie(ID_my_site, $_POST['username'], $hour);
            setcookie(Key_my_site, $_POST['pass'], $hour);

            // then redirect them to the members area
            header("Location: journal.php");
        }
    }
}
else
{
    // if they are not logged in
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>

</body>
</html>

Julian Hansen

This is not a very good (or secure) login script.

It is storing the password in a cookie.

Usual practice is to hash the password as part of the query on the database, preferably with a salt (a random string of characters assigned to the user account to obfuscate the hash).

Why this particular script is not working could be a number of reasons. Have you set up the database correctly?

Also remember all pages behind the login are going to have to do a security check (check the cookie is still valid - or session variable if you choose to do it that way - my preference) and redirect to the login page if you are not authenticated.
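
The points raised in this answer, as an added PHP example that is not part of the answer or of the original thread: it swaps in `password_hash()`/`password_verify()` (salted hashing done in PHP rather than inside the SQL query), PDO prepared statements in place of `mysql_*` string concatenation, and a server-side session in place of the username and password-hash cookies. The `users` column names, the `login.php` file name and the database credentials are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: table `users` with columns id,
// username, password_hash (set at registration via password_hash(), which embeds a
// random per-user salt). DB_USER / DB_PASSWORD are placeholders.
function db(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=bubblesdb;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER', 'DB_PASSWORD', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Returns the user id, or null for an unknown user or a wrong password.
function check_login(PDO $pdo, string $username, string $plain): ?int
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($plain, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Guard for every page behind the login; the session must already be started.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');   // assumed name of the login page
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Login handler. The cookie carries only a random session id, never the password
// or its hash. 'secure' assumes the site is served over HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$u, $p] = [$_POST['username'] ?? '', $_POST['pass'] ?? ''];
    $id = (is_string($u) && is_string($p)) ? check_login(db(), $u, $p) : null;
    if ($id === null) {
        http_response_code(401);
        exit('Incorrect username or password.');
    }
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['user_id'] = $id;
    header('Location: journal.php');
    exit;
}
```

In a real site the functions would sit in a shared include and each protected page would call `session_start()` followed by `require_login()` before producing any output.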
ASKER CERTIFIED SOLUTION
Ray Paseur
This solution is only available to members.
TLN_CANADA

ASKER

Hi Julian, yes, I think I have set up the DB correctly. I'm having a lot of issues with this script I downloaded as it is outdated, so I'm better off finding a new one to work with and starting from there.

Thank you Ray, I will post code in the code snippet feature in future.
Take a look at Ray's article - he covers it pretty well.
Thanks Julian, I'm working with Ray's code right now.
I've requested that this question be deleted for the following reason:

No longer using this script as it's outdated so I want to delete this question.
Good night, TLN_CANADA.  When you ask questions at EE please consider that your colleagues here are volunteers, rewarded only by your grant of points.  So when you delete your questions you shove a thumb in the eyes of the people who tried to help you.
Hi Ray,

I'm very sorry if I offended you, this certainly was not my intention.

When I awarded points on another question where there was not a direct solution to what I originally posted, an expert objected that the question was not answered correctly and suggested that I delete it instead. This is why I suggested this question be deleted.

Here is the question I am referring to:

https://www.experts-exchange.com/questions/27919495/Setting-up-Dreamweaver-with-Godaddy-Database.html

I would be happy to award points for this as you and others have certainly been of tremendous help both for this question and others. Please let me know what you feel would be best to do on this question.

Good night :)

Derek
@Tln_canada - I assume that even though you are not going to be using this particular script you are still going to be using a login script in which case the advice offered by Ray (and his article) are very relevant.

This is also true of anyone reading this thread - there is a lot of good info here for first time login script authors to put them on the right track.
Thank you! This script is much better Ray.
Absolutely Julian, I completely agree. Ray's script is perfect for what I'm needing and others should see this too.