user login page

sarmenhb · 01-22-2008, 02:24 AM

anyone see anything wrong in this script? for some reason the login wont work.

i decided to use sessions instead of cookies for authentication.

Code:

<?php

#---------------------------------------
include("include/conn.php");
mysql_select_db("auth_users");
#---------------------------------------





#-------------------------------------------------------------------------------------------
#		if this page is visited while the user is logged in , log em in if data is correct
#-------------------------------------------------------------------------------------------

if($_SESSION['$username'] && $_SESSION['$password'])
{

	
//check if its the correct ip that is stored in the session

$checkip = getenv('REMOTE_ADDR');
if(($_SESSION['$userip'] == $checkip) && ($_SESSION['password'] == $data['password'])) {
	
	//log the user in
	header("Location: members.php");
}
}
else {   }


#-------------------------------------------------------------------------------------------

 


#----------------------------------------------------------
if(isset($_POST['submit'])) {

#---- check if anything was entered
if(!$_POST['txt_username'] || !$_POST['txt_pass']) {
die('Username or password was not entered');
}

#------> check if username exists
$username = addslashes($_POST['txt_username']);
$checkuser = mysql_query("SELECT * FROM userlogin WHERE username = '$username'");
$checkrow = mysql_num_rows($checkuser);

if($checkrow == 0) { die('the username you entered does not exist in the database'); }


#--------->check if the username and password is correct

while ($data = mysql_fetch_array($checkuser)) { 

$_POST['txt_pass'] = stripslashes($_POST['txt_pass']);
$data['password'] = stripslashes($data['password']);
$_POST['txt_pass'] = md5($_POST['txt_pass']);




#----> check if the password entered was incorrect
if($_POST['txt_pass'] != $data['password']) { die('password entered was incorrect, please try again'); }




else { 

#---- [ LOG THE USER IN ]



//create a session and give it to the user

session_start();
session_register('login') ;
session_register('password');
session_register('userip');

$_SESSION['login'] = $_POST['username'];
$_SESSION['password'] =$_POST['password'];
$_SESSION['userip'] = getenv('REMOTE_ADDR');

header("Location: members.php");


}
}
}







else { 

?> 


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>sharedemon login page</title>
<link href="style/style.css" rel="stylesheet" type="text/css" />
</head>

<body>

<div class="title">Share Demon Login Page</div>
<form method="post" action="login.php">
<table>
<tbody>
<tr>
<td>Username: </td>
<td><input type="text" name="txt_username" /></td>
</tr>

<tr>
<td>Password: </td>
<td><input type="password" name="txt_pass" /></td>
</tr>
</tbody>
<tfoot>
<tr>
<td rowspan="2" colspan="2"> <center><input type="submit" name="submit" value="submit" /> | <input type="reset" name="reset" value="reset" /></center></td><br />
</tr></tfoot></table><br />
</form>
<center>dont have a login? <a href="register.php">click here</a> to register</center><br />

<a href="index.php">home</a>
</body>
</html>

<?php
}
?>

Orc · 01-22-2008, 02:26 AM

Whats the error your'e getting?

Update:
Assign the sessions to the $data variable when looping.

Like so:

PHP Code:


			
$_SESSION['username'] = $data['username'];
// then session register
session_register($_SESSION['username']);

By the way, theres no session_start() at the very top,
that generates the session, then assigns the session to sql row, then you register the session to it and it should be there.

Uhh.. I don't know what else considering I'm half asleep here.

Also remember the mysql_real_escape_string function I told ye, also if you want to what I ment by generation. use session_start() then do print_r(session_id())

sarmenhb · 01-22-2008, 04:43 AM

i fixed a couple of things on the code that i found but now when i try to login , lets say the login and password is "dumb" and the same information exists in the database and the password in the database is in md5 thing is when i login it says password entered incorrectly. so i decided to output the md5 version of the password that i entered and match it against the one existing in the database and they look like two different strings. what is wrong here? i cant seem to find it.

Code:

<?php

#---------------------------------------
include("include/conn.php");
mysql_select_db("auth_users");
#---------------------------------------





#-------------------------------------------------------------------------------------------
#		if this page is visited while the user is logged in , log em in if data is correct
#-------------------------------------------------------------------------------------------

if($_SESSION['$username'] && $_SESSION['$password'])
{

	
//check if its the correct ip that is stored in the session

$checkip = getenv('REMOTE_ADDR');
if($_SESSION['$userip'] == $checkip) {
	
	//log the user in
	header("Location: members.php");
}
}
else {   }


#-------------------------------------------------------------------------------------------

 


#----------------------------------------------------------
if(isset($_POST['submit'])) {

#---- check if anything was entered
if(!$_POST['txt_username'] || !$_POST['txt_pass']) {
die('Username or password was not entered');
}

#------> check if username exists
$username = addslashes($_POST['txt_username']);
$checkuser = mysql_query("SELECT * FROM userlogin WHERE username = '$username'");
$checkrow = mysql_num_rows($checkuser);

if($checkrow == 0) { die('the username you entered does not exist in the database'); }


#--------->check if the username and password is correct

while ($data = mysql_fetch_array($checkuser)) { 

$_POST['txt_pass'] = $_POST['txt_pass'];
$data['password'] =  $data['password'];
$_POST['txt_pass'] = md5($_POST['txt_pass']);




#----> check if the password entered was incorrect
if($_POST['txt_pass'] != $data['password']) { die(print_r("txt_pass: ".$_POST['txt_pass']."<br>"."data pass: ".$data['password'])); }


else { 

#---- [ LOG THE USER IN ]

//create a session and give it to the user
session_start();
session_register('$username') ;
session_register('$password');
session_register('$userip');

$_SESSION['$username'] = $_POST['txt_username'];
$_SESSION['$password'] = $_POST['txt_pass'];
$_SESSION['$userip'] = getenv('REMOTE_ADDR');

header("Location: members.php");



 } 




}
}










else { 

?> 


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>sharedemon login page</title>
<link href="style/style.css" rel="stylesheet" type="text/css" />
</head>

<body>

<div class="title">Share Demon Login Page</div>
<form method="post" action="login.php">
<table>
<tbody>
<tr>
<td>Username: </td>
<td><input type="text" name="txt_username" /></td>
</tr>

<tr>
<td>Password: </td>
<td><input type="password" name="txt_pass" /></td>
</tr>
</tbody>
<tfoot>
<tr>
<td rowspan="2" colspan="2"> <center><input type="submit" name="submit" value="submit" /> | <input type="reset" name="reset" value="reset" /></center></td><br />
</tr></tfoot></table><br />
</form>
<center>dont have a login? <a href="register.php">click here</a> to register</center><br />

<a href="index.php">home</a>
</body>
</html>

<?php
}
?>

sketchMedia · 01-22-2008, 09:29 AM

have you given your database column enough room to hold the entire MD5 string? is the DB string shorter than the new MD5?

sketchMedia · 01-22-2008, 09:33 AM

also do you have register_globals off, if so just use $_SESSION to create a session as they are registered automatically, otherwise use session_register(), If your script uses session_register it will not work if register_globals is turned off.