Login form errors



punstc
11-25-2008, 06:36 AM
I'm having problems with a login form. I believe it has something to do with the md5 encryption I'm trying to use, because when I take it out and add a password without md5 into my database it works fine. I'm pretty new at PHP and it's my first time using md5, so if anyone can help I would appreciate it.

Here is my code.



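<?php
// Start the session before any $_SESSION access; without this the
// "already logged in" check below never sees existing session data.
session_start();
require("../../../connect.php");

$status = ''; // defined up front so the template below can always print it

if (!empty($_SESSION['logged_in']) && !empty($_SESSION['user'])) {
    header('Location: index.php');
    exit; // stop here so the form is not rendered after the redirect
}
elseif (!empty($_POST['user']) && !empty($_POST['pass'])) {
    // Debug output: anything echoed before header() prevents the redirect
    // unless output buffering is enabled.
    echo("post not empty");
    $user = mysql_real_escape_string($_POST['user']);
    // Hashes the escaped string rather than the raw password.
    $pass = md5(mysql_real_escape_string($_POST['pass']));

    $sql = "SELECT * FROM admin WHERE user = '$user' AND pass = '$pass' ";

    $checklogin = mysql_query($sql);

    if (mysql_num_rows($checklogin) == 1) {
        echo("checking login");
        $row = mysql_fetch_assoc($checklogin);

        $_SESSION['user'] = $user;
        $_SESSION['logged_in'] = true;

        header('Location: index.php');
        exit;
    }
    else {
        $status = 'Username and Password incorrect.';
    }
}
?>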

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Admin: Edit/Remove Car</title>

<link href="../css/admin.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="_global">
<?=$status ?>
<form method="post" action="login.php" name="loginform" id="loginform">
<label for="user">Username:</label><input type="text" name="user" id="user" /><br />
<label for="pass">Password:</label><input type="password" name="pass" id="pass" /><br />
<input type="submit" name="login" id="login" value="Login" />
</form>
</div><!-- end _global -->
</body>
</html>

BabblingIdjit
11-25-2008, 10:20 PM
It's usually a good idea to explain what "problems" you are having, rather than make the people trying to help you guess.

I'm assuming your problem is that you are unable to log in even with a valid username and password. Change this line:

$pass = md5(mysql_real_escape_string($_POST['pass']));

to:

$pass = md5($_POST['pass']);

There is no need to use mysql_real_escape_string and then MD5 the result. Once the MD5 is performed, there is no longer any threat in the submitted data.

How is the password field defined in your database? MD5 will produce a string 32 characters long. If your database does not allow for a long enough column, the data will be truncated and the password comparison will fail.

If that doesn't help, you'll need to describe your problem better.
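
The two failure modes raised in the reply above, as an added example that is not code from the thread: hashing an escaped password gives a different digest than hashing the raw one (which breaks login when the stored hash was made from the raw password), and a column narrower than 32 characters stores a truncated digest. The third part goes beyond the thread and shows the same login check with a bound parameter and password_hash()/password_verify(); addslashes(), the 20-character column width, the sample password and the in-memory SQLite table are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Requires PHP 7+ with pdo_sqlite.
// Constructed sample password containing a quote and a backslash.
$password = "o'brien\\2008";

// 1. Escape-then-hash. addslashes() is a stand-in (assumption) for
//    mysql_real_escape_string(), which also backslash-escapes ' and \.
$hashOfRaw     = md5($password);
$hashOfEscaped = md5(addslashes($password));
printf("raw vs escaped digests match: %s\n",
    var_export(hash_equals($hashOfRaw, $hashOfEscaped), true));

// 2. Column too short. The 20-character width is an assumed value.
$storedInShortColumn = substr($hashOfRaw, 0, 20);
printf("md5 length %d, truncated copy matches: %s\n", strlen($hashOfRaw),
    var_export($storedInShortColumn === $hashOfRaw, true));

// 3. Same check with a bound parameter and password_hash()/password_verify().
//    The table mirrors the thread's admin(user, pass); SQLite in memory is
//    used only so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (user TEXT PRIMARY KEY, pass VARCHAR(255) NOT NULL)');
$db->prepare('INSERT INTO admin (user, pass) VALUES (?, ?)')
   ->execute(['admin', password_hash($password, PASSWORD_DEFAULT)]);

function check_login(PDO $db, string $user, string $pass): bool
{
    // The raw password is never placed in SQL, so it needs no escaping.
    $stmt = $db->prepare('SELECT pass FROM admin WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when the user is unknown
    return is_string($hash) && password_verify($pass, $hash);
}

printf("correct password: %s\n", var_export(check_login($db, 'admin', $password), true));
printf("wrong password:   %s\n", var_export(check_login($db, 'admin', 'guess'), true));
printf("unknown user:     %s\n", var_export(check_login($db, 'nobody', $password), true));
```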