
View Full Version : Login script problems



Merekat
03-11-2007, 05:01 AM
Hi, I'm having trouble with this login. I can register a new account without a problem, but cannot log in. It always says that I didn't provide the correct user name or password (but I did).

Can anyone tell me what could be wrong? Here's the login script below.



<?php // accesscontrol.php

include ("".$_SERVER['DOCUMENT_ROOT']."/phprentals/includes/config.php");

session_start();

if (isset($_POST['uid'])) {
$uid = $_POST['uid'];
} else {
$uid = $_SESSION['uid'];
}
if (isset($_POST['pwd'])) {
$pwd = md5($_POST['pwd']);
} else {
$pwd = $_SESSION['pwd'];
}


if(!isset($uid) || !isset($pwd) )
{
?>
<html>
<head>
<title> Please Log In for Access </title>
</head>
<body>
<table align=center width=300 border=0 cellspacing=0 cellpadding=0 bgcolor="#2f4f4f">
<tr><td>
<table border=0 width=100% cellspacing=1 cellpadding=1>
<form action="<?=$_SERVER['PHP_SELF']?>" method=POST>
<tr><td BGCOLOR="#2f4f4f"><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif" COLOR="#FFFFFF">
<B>Please Log In For Access:</B>
</td></tr>
<tr><td BGCOLOR="#c7c7c7"><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">
You must log in to access this area of the site.
</td></tr>
<tr>
<td BGCOLOR="#fffff0">
<table width=100% border=0 cellspacing=0 cellpadding=0>
<tr>
<td><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">Email Address:</td>
<td><input type=text name="uid" size="20" value=""></td>
</tr>
<tr>
<td><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">Password:</td>
<td><input type=password name="pwd" size="20"></td>
</tr>
<tr>
<td colspan=2 align=center>
<input type=submit name="Login" value="Login">
</td>
</tr>
</form>
</table>
</td>
</tr>
</table>
</td></tr>
</table>
</body>
</html>
<?php
exit;
}
//Clean the input submitted to mysql
$uid=addslashes($uid);
$pwd=addslashes($pwd);

//this puts the variable into the session

$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;

$sql = "SELECT * FROM users WHERE email = '$uid' AND passwd = '$pwd' ";

$result = mysql_query($sql);

if (!$result) {
echo "A database error occurred while checking your login details";
}
//if bad user/pass combo access denied
if (mysql_num_rows($result) == 0) {

unset($_SESSION['uid']);
unset($_SESSION['pwd']);
?>
<html>
<head>
<title> Access Denied </title>
</head>
<body>
<h1> Access Denied </h1>
<p>There are several reasons this may be happening:<BR>
<UL><LI>Your username or password is incorrect</LI>
<LI>You have forgotten your login information. <a href="/phprentals/html/lostpwd.php">Lost Password</a></LI></UL>
To return to our login page, <a href="index.php">click here</a>.</p>
</body>
</html>
<?php
exit;
}

?>

phoenixshade
03-11-2007, 05:21 AM
From what I can see, this code should work, so I'm gonna ask a "DOH!" question...

Are you certain the password in the database is stored with md5 encryption?

Also, what does addslashes do, and was it applied in the same way at registration (i.e., before the data went into the database)?

Merekat
03-11-2007, 05:28 AM
I checked the database and it seems to be storing everything fine. I did not write this script, it came from a third party package and now it's not working.

Thanks for any additional help. :)


Also, what does addslashes do, and was it applied in the same way at registration (i.e., before the data went into the database)?

I haven't a clue what it does. Your guess is as good as mine. ;)
I'm still quite new to php, I'm not a "coder" (I hope it's okay for me to ask here anyway) and while I know the basics, this one is giving me a headache. lol

phoenixshade
03-11-2007, 05:49 AM
Are you familiar with MD5 encryption? Sorry if I'm beating a dead horse, but from your answer, I'm not sure.

Since you can check the database, do the passwords in the database look more like this:

hax8xor
fido0721
lbjkilledjfk
...
or this:

tsEYD3Gde7mD8rXm21xRgTJ27mEny7xJ
Omsd6N9dM3nxRb96QXs94pMbwB8t2Ti9
...
It should look like the latter. If it looks like the first one, then it's very insecure.

Could you post the registration code, too? I might be able to find the problem by comparing the data handling between them.

Merekat
03-11-2007, 06:27 AM
Yes, the passwords in the database look like the second example.

This is the script that the registration form posts to. I can post the code for the registration form page too if you need to see that.

Thank you!


<?php

include ("".$_SERVER['DOCUMENT_ROOT']."/phprentals/includes/config.php");

$fname = addslashes(strip_tags($_POST['fname']));
$lname = addslashes(strip_tags($_POST['lname']));
$add = addslashes(strip_tags($_POST['add']));
$addtwo = addslashes(strip_tags($_POST['addone']));
$city = addslashes(strip_tags($_POST['city']));
$state = addslashes(strip_tags($_POST['state']));
$zip = addslashes(strip_tags($_POST['zip']));
$email = addslashes(strip_tags($_POST['email']));
$phone = addslashes(strip_tags($_POST['phone']));


if (!$fname || !$lname || !$add || !$city || !$state || !$zip || !$phone || !$email) {
echo "Error!! You have not entered the following field(s).Hit back and try again<br>\n";

$fields_to_validate = array('fname', 'lname', 'add', 'city', 'state', 'zip', 'phone', 'email');
// validate above fields.
$field_display_value = array('First Name', 'Last Name', 'Address', 'City', 'State', 'Zip', 'Telephone', 'Email');
// if the field is not set then show the above display value.
echo "<ul>\n";

for($a = 0;$a < count($fields_to_validate);$a++) {
// loop through fields and check whether that has been set or not.
if (!${$fields_to_validate[$a]}) {

echo "<li><font color=\"#FF0000\">$field_display_value[$a]</font>\n";
}
}
echo "</ul>\n";
} else {

//Select statement detects if another user matches
$sql = "SELECT COUNT(*) FROM users WHERE email = '$email'";
$result = mysql_query($sql);
if (!$result) {
echo "A database error occurred";
}
//Code here inserts if customer has already been in
if (mysql_result($result,0,0)>0)
{
echo "You have already registered. If you have forgotten your login details please <a href=\"lostpwd.php\">go here</a> to retrieve it.";
}else {

// password generation
$length="8";
$newpass = substr(md5(uniqid(rand(), true)), 0, $length);
$newpassinst = md5("$newpass");

// db insert and redirection
mysql_query ("INSERT INTO landlords (fname, lname, phone) VALUES ('$fname', '$lname', '$phone')");

$idsql = "SELECT * FROM landlords WHERE fname='$fname' and lname='$lname'";
//echo "$idsql";
$result2 = mysql_query($idsql)
or die ("Query failed");
while ($row2 = mysql_fetch_array($result2))
{
$llid=$row2["lid"];
}

mysql_query ("INSERT INTO users (llid, fname, lname, email, addone, addtwo, city, state, zip, phone, passwd, tdate) VALUES ('$llid', '$fname', '$lname', '$email', '$add', '$addtwo', '$city', '$state', '$zip', '$phone', '$newpassinst', NOW()) ");

// mail password to user

mail("$email", "$emailsubject", "Dear $fname $lname,
Thank you for registering. Below you will find your username and password that will let you log in and begin to enter
rental listings.

Username: $email
Password: $newpass


", "FROM:$owneremail");

// thankyou page
header("Location: http://$domain/phprentals/html/postregister.php");
}}
?>
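
Added example, not part of the thread or of the third-party package: the login and registration scripts above both depend on `md5()` and `addslashes()` being applied identically on each side, and this sketch shows the same two steps with bound parameters and PHP's `password_hash()`/`password_verify()`, so neither the escaping nor the hash format has to be matched by hand. The function names `open_db`, `register` and `login`, the in-memory SQLite database, the reduced two-column `users` table and the sample address are assumptions made for the example; it needs PHP 7+ with `pdo_sqlite`.

```php
<?php
declare(strict_types=1);
// Added example (assumes PHP 7+ with pdo_sqlite). The in-memory database,
// the two-column users table and the sample address are constructed.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // query errors throw
    $db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, passwd TEXT NOT NULL)');
    return $db;
}

// Registration: initial password from the CSPRNG, stored as a salted hash.
function register(PDO $db, string $email): string {
    $newpass = bin2hex(random_bytes(8));
    $stmt = $db->prepare('INSERT INTO users (email, passwd) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($newpass, PASSWORD_DEFAULT)]);
    return $newpass; // given to the user once, never stored in clear
}

// Login: bound parameter for the lookup, hash comparison done in PHP.
function login(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT passwd FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    // On success a web page would call session_regenerate_id(true) and keep
    // only the user's identifier in $_SESSION, not the password or its hash.
    return is_string($hash) && password_verify($password, $hash);
}

$db   = open_db();
$mail = "o'brien@example.test";          // apostrophe needs no escaping
$pass = register($db, $mail);
var_dump(login($db, $mail, $pass));      // correct password
var_dump(login($db, $mail, 'wrong'));    // wrong password
var_dump(login($db, "x' OR '1'='1", $pass)); // quote characters stay data
```

With `PDO::ERRMODE_EXCEPTION` set, a failing query raises an exception instead of returning `false`, so a database error cannot fall through to the "Access Denied" branch.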

the-dream
03-11-2007, 06:52 PM
Yup!

Foold mon on nat 1

!

Merekat
03-11-2007, 07:56 PM
:confused:

the-dream
03-11-2007, 08:02 PM
Urrmmm!

You said the script came from a third party package?
Any idea where I could get it and scan over the code?

Inigoesdr
03-11-2007, 11:52 PM
echo $sql;
$result = mysql_query($sql) or die(mysql_error());
Should tell you the problem if it's the query.


