-1

UPDATE(solved): Previously I set the password length to 15 characters where it should be 32 character since the password is encrypted to md5. Now it works fine. Thanks for all the answers and suggestions.

Below is the register php code. The code works fine and able to store password in the database in md5.

  <html>
<?php
error_reporting(0);
if($_POST['submit'])
{
    $name = mysql_real_escape_string($_POST['name']);
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    $password1 = mysql_real_escape_string($_POST['password1']);

    $enc_password = md5($password);

    if($name && $username && $password && $password1)
    {
        if(strlen($name)<30)
        {
            if(strlen($username)<10)
            {
                if(strlen($password)<15 || strlen($password)>6)
                {
                    if($password == $password1)
                    {
                        require "dbc.php";
                        $query = mysql_query("INSERT INTO users VALUES ('$name','$username','$enc_password')");     
                        echo "Registration Complete! <a href='index.php'>Click here to login</a>";
                    }
                    else
                    {
                        echo "Passwords must match";
                    }
                }
                else
                {
                    echo "Your password must be between 6 and 15 characters";   
                }
            }
            else
            {
                echo "Your username is too long";   
            }
        }
        else
        {
            echo "Your name is too long";
        }
    }
    else
    { 
        echo "All fields are required"; 
    }
}

?>

    <form action="register.php" method="POST">
        Name: <input type="text" name="name" value="<?php echo "$name"; ?>"> Max Length:30<p>
        Username: <input type="text" name="username" value="<?php echo "$username"; ?>"> Max Length:10<p>
        Password: <input type="password" name="password"> Max length:15<p>
        Re-Enter Password: <input type="password" name="password1"><p>
        <input type="submit" name="submit" value="Register">
    </form>
    <input type="button" value="<< Back to Login Area" onclick="window.location='../login%20and%20registration/members.php'">

</html>

Below is the login php code.

    <?php

session_start();

require "dbc.php";

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$enc_password = md5($password);

if($username&&$password)
{
    $query = mysql_query("SELECT * FROM users WHERE username='$username'");
    $numrow = mysql_num_rows($query);

if($numrow!=0)
{
    while($row = mysql_fetch_assoc($query))
    {
        $db_username = $row['username'];
        $db_password = $row['password'];
    }

    if($username==$db_username&&$password==$db_password)
    {
        //echo "Logged in <a href='members.php'>Click here to enter the members area</a>";
        $_SESSION['username']=$db_username;
        header("location: members.php");
    }
    else 
    {
        header("location: index.php?error=Incorrect Password");
    }
}
else 
{
    header("location: index.php?error=That user doesn't exist");
}
}

else 
{
    header("location: index.php?error=All fields are required");
}

?>

The problem is I kept getting the "Incorrect Password" when I try to log in. I think theres something with retrieving the password from the database. Anyone can help?

Yasser Shaikh
  • 46,934
  • 46
  • 204
  • 281
user2251028
  • 1
  • 1
  • 1
  • 2
  • 4
    FYI, [you shouldn't use MD5 for password hashing](http://stackoverflow.com/a/401684/1607098) – Touki Apr 09 '13 at 06:52
  • Since the database contains the MD5 password, your comparison needs to be with `$enc_password` instead of `$password`, i.e. `if($username==$db_username&&$enc_password==$db_password)` – Simon MᶜKenzie Apr 09 '13 at 06:54
  • 1
    If you're storing password hashes (which you ought to, but they ought to be salted), there's no *need* to impose a maximum length on the password - if the user wants to use the entire text of War and Peace, let them. – Damien_The_Unbeliever Apr 09 '13 at 06:55

4 Answers4

3

You need to use $enc_password instead of $password in line:

if($username==$db_username&&$password==$db_password)

P.S. Also if you use md5 then don't do mysql_real_escape_string(), md5 will change your string and all injects will be removed.

P.P.S. Use PDO instead of mysql_*

UPDATE

Also username must be case insensitive so better to do:

if(strcasecmp($username, $db_username)===0 && $password==$db_password)

strcasecmp

Narek
  • 3,813
  • 4
  • 42
  • 58
  • ive changed from if($username==$db_username&&$password==$db_password) to if($username==$db_username&&$enc_password==$db_password) still give the same error – user2251028 Apr 09 '13 at 13:27
  • Then make `die($username.'=='.$db_username.'&&'.$enc_password.'=='.$db_password);` and see what is different in output. – Narek Apr 09 '13 at 13:28
  • @user2251028 also see my update, you may have case problem with your username. – Narek Apr 09 '13 at 13:33
  • I tried die($username.'=='.$db_username.'&&'.$enc_password.'=='.$db_password); got this error message SCREAM: Error suppression ignored for Parse error: syntax error, unexpected 'else' (T_ELSE) in C:\wamp\www\login and registration\login.php on line 30 – user2251028 Apr 09 '13 at 14:42
  • Probably you added it into if() and else statements. Move that code before if – Narek Apr 09 '13 at 14:45
0

change

if($username==$db_username&&$password==$db_password)

to

if($username == $db_username && $enc_password == $db_password)

You are using $password but it should be $enc_password

Yogesh Suthar
  • 30,424
  • 18
  • 72
  • 100
0

you're comparing $password with $db_password while you should be comparing $enc_password with $db_password. 

if($username==$db_username&&$enc_password==$db_password)
michp
  • 64
  • 5
0

In your case you should compare like this

 $password = md5($password);//change value entered of password to md5

 if($username==$db_username&&$password==$db_password)
chandresh_cool
  • 11,753
  • 3
  • 30
  • 45