Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 7 of 7

Thread: Login Error

  1. #1
    New Coder
    Join Date
    Sep 2011
    Posts
    78
    Thanks
    15
    Thanked 0 Times in 0 Posts

    Login Error

    Okay guys so im trying to make a simple php login page that requires a user to enter in his/her username and password.

    The password in my users table has a datatype of BLOB and when the user adds users into the DB i am doing a AES_ENCRYPT to save the password in the DB but encrypted.

    Right now i am having trouble and can't figure out what i am missing or doing wrong? I have already tried to DEBUG and echo out my sql statement but i still can't figure out what the problem is and why the login form wont work when the user enters in the right username and password!

    config.php:
    Code:
    <?
    $conn = mysql_connect( "localhost", "root", "temp1234" );
    $conn or die( "Error connecting: " . mysql_error() );
    
    $db_name = "DoctorsOfficeDB";
    mysql_select_db( $db_name )
     or die( "Bad db name: $db_name" );
    ?>
    Login.php:
    Code:
    <?php
    include("config.php");
    
    	//start session
    	session_start();
    	
    if( $_POST )
    {
    
    
    	// username and password sent from Form 
    	$myusername = $_POST['username']; 
    	$mypassword = $_POST['password']; 
    
    $sql="SELECT user_id FROM users WHERE username='$myusername' and aes_decrypt(pword='$mypassword');";
    $result=mysql_query($sql);
    $row=mysql_fetch_array($result);
    $active=$row['active'];
    $count=mysql_num_rows($result);
    
    
    // If result matched $myusername and $mypassword, table row must be 1 row
    
    	if($count==1)
    	{
    		session_register("myusername");
    		$_SESSION['login_user']=$myusername;
    
    		header("Location: welcome.php");
    		exit();
    	}
    	else 
    	{
    		$error="Your Login Name or Password is invalid";
    	}
    }
    ?>
    <html>
    <body>
    
    <form action="Login.php" method="post">
    <fieldset>
    <legend>Login Information:</legend>
    UserName: <input type="text" size="20" name="username" /><br />
    Password: <input type="password" size="20" name="password" /><br />
    </fieldset>
    <input type="submit" value="Submit">
    </form>
    
    
    </body>
    </html>
    lock.php
    Code:
    <?php
    include("config.php");
    
    session_start();
    $user_check=$_SESSION['login_user'];
    
    $ses_sql=mysql_query("select username from users where username='$user_check' ");
    
    $row=mysql_fetch_array($ses_sql);
    
    $login_session=$row['username'];
    
    if(!isset($login_session))
    {
    header("Location: Login.php");
    }
    ?>
    logout.php :
    Code:
    <?php
    session_start();
    if(session_destroy())
    {
    header("Location: Login.php");
    }
    ?>
    welcome.php:
    Code:
    <?php
    
    include('lock.php');
    
    ?>
    
    <html>
    <head>
    <title>Welcome</title>
    </head>
    
    <body>
    <h1>Welcome <?php echo $login_session; ?></h1> 
    
    <h2><a href="logout.php">Sign Out</a></h2>
    </body>
    </html>

  • #2
    New Coder
    Join Date
    Sep 2011
    Posts
    78
    Thanks
    15
    Thanked 0 Times in 0 Posts
    I forgot to mention that right now when i try to use a correct username and password and hit submit on the login page i keep getting these errors:

    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/3342/paguilary/test2/Login.php on line 17

    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/3342/paguilary/test2/Login.php on line 19

  • #3
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,438
    Thanks
    75
    Thanked 4,372 Times in 4,337 Posts
    Ready to kick yourself?

    Code:
    and aes_decrypt(pword='$mypassword');
    What do you think that is doing?

    It is *NOT* decrypting the pword field.

    Instead, it is *FIRST* comparing the pword field *AS IS* to the $mypassword value.

    *THEN* it is decrypting the value true or false which is the result of the comparison!!! (Well, it will surely be false, of course.)

    Now try this:
    Code:
    and aes_decrypt(pword)='$mypassword';
    *NOW* you are decrypting the pword field *BEFORE* comparing to $mypassword.

    Except this *STILL* won't work. That's because the aes_decrypt( ) function, just like the aes_encrypt function, requires *TWO* arguments. The thing to be decrypted *AND* the encryption key that was used to encrypt it.

    So you need to actually use
    Code:
    and aes_decrypt(pword,'WHATEVER THE KEY IS')='$mypassword';
    ********************

    Incidentally, this is not really the best way to encrypt passwords.

    You really should use a one-way encryption algorithm, so that even you are not able to decrypt them. That way, if somebody ever did manage to break into your site, they wouldn't be able to runs aes_decrypt on the db and decrypt them. And if they broke into your system they would just look in the PHP code to find the place where you did aes_decrypt and run around decrypting all the passwords.

    With a one-way encryption, you then always do this:
    Code:
    and pword=SOME_ONE_WAY_ENCRYPTION('$mypassword');
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #4
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,438
    Thanks
    75
    Thanked 4,372 Times in 4,337 Posts
    The real root of your problem is a lack of error handling.

    At a bare bones minimum, you should be doing something like
    $result=mysql_query($sql) or die(mysql_error());

    Personally, I'd rather see you do something like this:
    Code:
    $result=mysql_query($sql);
    if ( ! $result ) {
        echo "<hr/>Error during query: $sql<br/>Error message: " . mysql_error() . "<hr/>";
        exit();
    }
    (I don't use PHP, but I'd do the equivalent of that in other languages.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #5
    New Coder
    Join Date
    Sep 2011
    Posts
    78
    Thanks
    15
    Thanked 0 Times in 0 Posts
    okay thank you for the comments i changed the sql statement and it seems to be working i did a echo on it to debug and see if it is getting the data from the text fields and finding the right user from the table...........but after i hit submit it still never does anything, even when i dont enter a password it should display an error msg it doesn't do anything?!?! it seems like it never enters the if($count statement)

    i am confused as to what this line of code means(does exactly)
    // If result matched $myusername and $mypassword, table row must be 1 row

    if($count==1)
    Code:
    <?php
    include("config.php");
    
    	//start session
    	session_start();
    	
    if($_POST)
    {
    	// username and password sent from Form 
    	$myusername = $_POST['username']; 
    	$mypassword = $_POST['password']; 
    
    $sql="SELECT user_id FROM users WHERE username='$myusername' and aes_decrypt(pword,'The Secret Phrase')='$mypassword';";
    
    echo "<hr>DEBUG SQL: " . $sql . "<hr/>\n";
    
    $result = mysql_query($sql);
    
    if ( ! $result ) 
    {
        echo "<hr/>Error during query: $sql<br/>Error message: " . mysql_error() . "<hr/>";
        exit();
    }
    
    $row = mysql_fetch_array($result);
    $active = $row['active'];
    $count = mysql_num_rows($result);
    
    // If result matched $myusername and $mypassword, table row must be 1 row
    
    	if($count==1)
    	{
    		session_register("myusername");
    		$_SESSION['login_user']=$myusername;
    
    		header("Location: welcome.php");
    		exit();
    	}
    	else 
    	{
    		$error="Your Login Name or Password is invalid";
    	}
    }
    ?>
    <html>
    
    <head>
    
    <title>DoctorsOfficeDB</title>
    
    </head>
    <body>
    
    <table width="1358" border="0">
    <tr>
    <td colspan="2" style="background-color:#FFA500;">
    
    <hr /><h2>Doctor's Office DB</h2><hr /></td></tr> </table>
    
    <form action="Login.php" method="post">
    <fieldset style="width:500px">
    <legend>Login Information:</legend>
    UserName: <input type="text" size="20" name="username" /><br />
    Password: <input type="password" size="20" name="password" /><br />
    </fieldset>
    <input type="submit" value="Submit">
    </form>
    
    
    </body>
    </html>

  • #6
    New Coder
    Join Date
    Sep 2011
    Posts
    78
    Thanks
    15
    Thanked 0 Times in 0 Posts
    okay i got it to at least display the error message now if the user provided the wrong password or username.

    But i am still having troublegetting it to actually run if the user provided the right password and username.

    The if ($count == 1) will never run because $count is always 0. I tried doing before the if statement
    $count = $count + 1

    but this will always allow a user to gain access even if he/she put in a wrong password

  • #7
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,438
    Thanks
    75
    Thanked 4,372 Times in 4,337 Posts
    This seems strange:
    Code:
    $row = mysql_fetch_array($result);
    $active = $row['active'];
    $count = mysql_num_rows($result)
    How can you get a field named active when your SQL query did
    Code:
    SELECT user_id FROM users ...
    With that SELECT, the *ONLY* value you will be able to read from the $result will be user_id. You can't get fields you don't SELECT.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •