  1. #1
    New to the CF scene
    Join Date
    Mar 2007
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Login script problems

    Hi, I'm having trouble with this login. I can register a new account without a problem, but cannot log in. It always says that I didn't provide the correct user name or password (but I did).

    Can anyone tell me what could be wrong? Here's the login script below.


    Code:
    <?php // accesscontrol.php
    
    include ("".$_SERVER['DOCUMENT_ROOT']."/phprentals/includes/config.php");
    
    session_start();
    
    if (isset($_POST['uid'])) {
     $uid = $_POST['uid'];
    } else {
     $uid = $_SESSION['uid'];
    }
    if (isset($_POST['pwd'])) {
     $pwd = md5($_POST['pwd']);
    } else {
     $pwd = $_SESSION['pwd'];
    }
    
    
    if(!isset($uid) || !isset($pwd) )
    {
      ?>
      <html>
      <head>
      <title> Please Log In for Access </title>
      </head>
    <body>
      <table align=center width=300 border=0 cellspacing=0 cellpadding=0 bgcolor="#2f4f4f">
      <tr><td>
       <table border=0 width=100% cellspacing=1 cellpadding=1>
        <form action="<?=$_SERVER['PHP_SELF']?>" method=POST>
        <tr><td BGCOLOR="#2f4f4f"><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif" COLOR="#FFFFFF">
        <B>Please Log In For Access:</B>
        </td></tr>
        <tr><td BGCOLOR="#c7c7c7"><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">
    You must log in to access this area of the site.
         </td></tr>
        <tr>
         <td BGCOLOR="#fffff0">
          <table width=100% border=0 cellspacing=0 cellpadding=0>
        <tr>
         <td><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">Email Address:</td>
         <td><input type=text name="uid" size="20" value=""></td>
        </tr>
            <tr>
         <td><FONT SIZE="-1" FACE="Verdana,Tahoma,Arial,Helvetica,sans-serif">Password:</td>
         <td><input type=password name="pwd" size="20"></td>
        </tr>
        <tr>
         <td colspan=2 align=center>
          <input type=submit name="Login" value="Login">
         </td>
        </tr>
        </form>
          </table>
         </td>
        </tr>
       </table>
      </td></tr>
     </table>
      </body>
      </html>
      <?php
      exit;
    }
    //Clean the input submitted to mysql
    $uid=addslashes($uid);
    $pwd=addslashes($pwd);
    
    //this puts the variable into the session
    
    $_SESSION['uid'] = $uid; 
    $_SESSION['pwd'] = $pwd;
    
    $sql = "SELECT * FROM users WHERE email = '$uid' AND passwd = '$pwd' ";
    
    $result = mysql_query($sql);
    
    if (!$result) {
    echo "A database error occurred while checking your login details";
    }
    //if bad user/pass combo access denied
    if (mysql_num_rows($result) == 0) {
    
      unset($_SESSION['uid']);
      unset($_SESSION['pwd']);
      ?>
      <html>
      <head>
      <title> Access Denied </title>
      </head>
      <body>
      <h1> Access Denied </h1>
      <p>There are several reasons this may be happening:<BR>
      <UL><LI>Your username or password is incorrect</LI>
      <LI>You have forgotten your login information. <a href="/phprentals/html/lostpwd.php">Lost Password</a></LI></UL>
      To return to our login page, <a href="index.php">click here</a>.</p>
      </body>
      </html>
        <?php
      exit;
    }
    
    ?>

  • #2
    Regular Coder
    Join Date
    Feb 2007
    Location
    near Washington, DC
    Posts
    135
    Thanks
    0
    Thanked 0 Times in 0 Posts
    From what I can see, this code should work, so I'm gonna ask a "DOH!" question...

    Are you certain the password in the database is stored with md5 encryption?

    Also, what does addslashes do, and was it applied in the same way at registration (i.e., before the data went into the database)?
    Last edited by phoenixshade; 03-11-2007 at 05:27 AM. Reason: Question
    — Wilford Nusser
    Validate Your Code: (X)HTML CSS
    An HTML Email is NOT a Web Page: HTML Email Guide (1.2Mb pdf) Webmail CSS Support
    REGEX: Brought to you by Psychotic Crack-Smoking Monkeys

  • #3
    New to the CF scene
    Join Date
    Mar 2007
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I checked the database and it seems to be storing everything fine. I did not write this script, it came from a third party package and now it's not working.

    Thanks for any additional help.

    Quote:
    Also, what does addslashes do, and was it applied in the same way at registration (i.e., before the data went into the database)?

    I haven't a clue what it does. Your guess is as good as mine.
    I'm still quite new to PHP, I'm not a "coder" (I hope it's okay for me to ask here anyway) and while I know the basics, this one is giving me a headache. lol

  • #4
    Regular Coder
    Join Date
    Feb 2007
    Location
    near Washington, DC
    Posts
    135
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Are you familiar with MD5 encryption? Sorry if I'm beating a dead horse, but from your answer, I'm not sure.

    Since you can check the database, do the passwords in the database look more like this:
    Code:
    hax8xor
    fido0721
    lbjkilledjfk
    ...
    or this:
    Code:
    tsEYD3Gde7mD8rXm21xRgTJ27mEny7xJ
    Omsd6N9dM3nxRb96QXs94pMbwB8t2Ti9
    ...
    It should look like the latter. If it looks like the first one, then it's very insecure.

    Could you post the registration code, too? I might be able to find the problem by comparing the data handling between them.
    — Wilford Nusser

  • #5
    New to the CF scene
    Join Date
    Mar 2007
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Yes, the passwords in the database look like the second example.

    This is the script that the registration form posts to. I can post the code for the registration form page too if you need to see that.

    Thank you!

    Code:
    <?php
    
    include ("".$_SERVER['DOCUMENT_ROOT']."/phprentals/includes/config.php");
    
    $fname = addslashes(strip_tags($_POST['fname']));
    $lname = addslashes(strip_tags($_POST['lname']));
    $add = addslashes(strip_tags($_POST['add']));
    $addtwo = addslashes(strip_tags($_POST['addone']));
    $city = addslashes(strip_tags($_POST['city']));
    $state = addslashes(strip_tags($_POST['state']));
    $zip = addslashes(strip_tags($_POST['zip']));
    $email = addslashes(strip_tags($_POST['email']));
    $phone = addslashes(strip_tags($_POST['phone']));
    
    
    if (!$fname || !$lname || !$add || !$city || !$state || !$zip || !$phone || !$email) {
        echo "Error!! You have not entered the following field(s).Hit back and try again<br>\n";
    
        $fields_to_validate = array('fname', 'lname', 'add', 'city', 'state', 'zip', 'phone', 'email');
        // validate above fields.
        $field_display_value = array('First Name', 'Last Name', 'Address', 'City', 'State', 'Zip', 'Telephone', 'Email');
        // if the field is not set then show the above display value.
        echo "<ul>\n";
    	
        for($a = 0;$a < count($fields_to_validate);$a++) {
            // loop through fields and check whether that has been set or not.
            if (!${$fields_to_validate[$a]}) {
    
                echo "<li><font color=\"#FF0000\">$field_display_value[$a]</font>\n";
            } 
        } 
        echo "</ul>\n";
    } else {
    
    //Select statement detects if another user matches
    $sql = "SELECT COUNT(*) FROM users WHERE email = '$email'";
        $result = mysql_query($sql);
        if (!$result) {	
    echo "A database error occurred";
        }
    //Code here inserts if customer has already been in
    if (mysql_result($result,0,0)>0) 	
    { 
    	echo "You have already registered. If you have forgotten your login details please <a href=\"lostpwd.php\">go here</a> to retrieve it.";
    }else {
    
        // password generation
    $length="8";
    $newpass = substr(md5(uniqid(rand(), true)), 0, $length);
        $newpassinst = md5("$newpass");
    	
        // db insert and redirection
        mysql_query ("INSERT INTO landlords (fname, lname, phone) VALUES ('$fname', '$lname', '$phone')");
        
    $idsql = "SELECT * FROM landlords WHERE fname='$fname' and lname='$lname'";
    //echo "$idsql";
    $result2 = mysql_query($idsql)
    or die ("Query failed");
    while ($row2 = mysql_fetch_array($result2))
    {
    $llid=$row2["lid"];
    }
    
        mysql_query ("INSERT INTO users (llid, fname, lname, email, addone, addtwo, city, state, zip, phone, passwd, tdate) VALUES ('$llid', '$fname', '$lname', '$email', '$add', '$addtwo', '$city', '$state', '$zip', '$phone', '$newpassinst', NOW()) ");
        
    	// mail password to user
    
        mail("$email", "$emailsubject", "Dear $fname $lname,
    Thank you for registering. Below you will find your username and password that will let you log in and begin to enter
    rental listings.
    
    Username: $email
    Password: $newpass
    
    
    ", "FROM:$owneremail");
    
    // thankyou page
    header("Location: http://$domain/phprentals/html/postregister.php");
    }} 
    ?>

  • #6
    Regular Coder the-dream's Avatar
    Join Date
    Mar 2007
    Location
    Northamptonshire, UK
    Posts
    477
    Thanks
    8
    Thanked 4 Times in 4 Posts
    Yup!

    Foold mon on nat 1

    !

  • #7
    New to the CF scene
    Join Date
    Mar 2007
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts

  • #8
    Regular Coder the-dream's Avatar
    Join Date
    Mar 2007
    Location
    Northamptonshire, UK
    Posts
    477
    Thanks
    8
    Thanked 4 Times in 4 Posts
    Urrmmm!

    You said the script came from a third party package?
    Any idea where I could get it and scan over the code?

  • #9
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,647
    Thanks
    2
    Thanked 406 Times in 398 Posts
    PHP Code:
    echo $sql;
    $result = mysql_query($sql) or die(mysql_error());
    Should tell you the problem if it's the query.
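
An added example, not part of the thread or of the third-party package: it turns the checks suggested in posts #2, #4 and #9 into a function that classifies a stored `passwd` value against a typed password, next to a login check that uses a bound parameter and `password_verify()` in place of `addslashes()` and bare `md5()`. The `users`, `email` and `passwd` names come from the posted code; the in-memory SQLite database (needs the pdo_sqlite extension), the sample row and both function names are assumptions.

```php
<?php
// Added example (not from the thread). Table/column names follow the posted
// code; the in-memory SQLite database and the sample row are constructed.

// Classify why a stored `passwd` value does or does not match a login attempt.
function diagnose_stored_hash(string $stored, string $typed): string {
    $md5 = md5($typed);
    if (hash_equals($md5, $stored)) return 'md5 match';
    if ($stored === $typed)         return 'stored as plaintext';
    if ($stored !== '' && strlen($stored) < 32
        && strncmp($md5, $stored, strlen($stored)) === 0) {
        return 'md5 truncated by column width';
    }
    if (!preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return 'stored value is not an md5 hex digest';
    }
    return 'different password';
}

// Login check with a bound parameter instead of addslashes(), and
// password_verify() with a one-time upgrade of legacy md5 rows.
function check_login(PDO $db, string $email, string $typed): bool {
    $st = $db->prepare('SELECT passwd FROM users WHERE email = ?');
    $st->execute([$email]);
    $stored = $st->fetchColumn();
    if ($stored === false) return false;                // no such user
    if (password_verify($typed, $stored)) return true;  // already a modern hash
    if (!hash_equals((string) $stored, md5($typed))) return false;
    // Legacy md5 row matched: replace it with a salted, slow hash.
    $up = $db->prepare('UPDATE users SET passwd = ? WHERE email = ?');
    $up->execute([password_hash($typed, PASSWORD_DEFAULT), $email]);
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, passwd TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(["o'brien@example.test", md5('a1b2c3d4')]);  // constructed row

// A 20-character column would keep only the first 20 hex digits of the hash.
var_dump(diagnose_stored_hash(substr(md5('a1b2c3d4'), 0, 20), 'a1b2c3d4'));
var_dump(check_login($db, "o'brien@example.test", 'a1b2c3d4')); // legacy path, upgrades the row
var_dump(check_login($db, "o'brien@example.test", 'wrong'));
var_dump(check_login($db, "o'brien@example.test", 'a1b2c3d4')); // now via password_verify()
```

The apostrophe in the sample address is there on purpose: with a bound parameter the value reaches the database unchanged, so registration and login cannot disagree about escaping.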

