0

Hey, I'm trying to get a login working where the passwords have been hashed. I have it working when the passwords are hashed but can't seem to get it working when they are. It gives me the error "Sorry, your username or password are incorrect". Any pointers to where I might have gone wrong? It connects to the db correctly, I just took those details out of the "".

Below is my checklogin php

<?php
$host = ""; // Host name 
$username = "root"; // Mysql username 
$password = ""; // Mysql password 
$db_name = "login"; // Database name 
$tbl_name = "tbl_pswd"; // Table name 

mysql_connect("", "root", "") or die("cannot connect");
mysql_select_db("login") or die("cannot select DB");


$username = $_POST['username'];
$passowrd = sha1($_POST['password']);

$sql = "(SELECT username FROM tbl_pswd WHERE username = '$username' AND password = '$password')";
$result = mysql_query($sql);

if (mysql_num_rows($result) < 1) {
    echo 'Sorry, your username or password was incorrect!';
} else {
    printf('welcome back %5s!', $_POST['username']);
}
?>

Here is my HTML form in case it also helps

<html>
    <head>
        <title>Login</title>
    <h1> Login Menu </h1>
</head>
<body>

    <form name="form1" method="post" action="checklogin.php">
        Username: <input type="text" name="username">
        Password: <input type="password" name="password">
        <input type="submit" value="Submit">
    </form>

</body>
</html>

Thanks for any help!

Tzar
Forrest
  • Hash your password here http://codepad.org/Ty7ZrhPu and compare with db – Hüseyin BABAL Apr 09 '14 at 13:23
  • First of all, please read into prepared statements and MySQL injections. Also do not use mysql_* functions, these are considered bad practice and will be removed in future PHP versions. Aside from this your code is a safety atrocity. You're using password for the database and for checking a user password. – Luceos Apr 09 '14 at 13:24

3 Answers

2

You have misspelled password:

$passowrd = sha1($_POST['password']);

fix it:

$password = sha1($_POST['password']);

Things to note

  • Don't reuse the same variable for your database connection; instead create separate values
  • Protect your code from SQL injection
  • Upgrade mysql to mysqli
meda
  • +1 for showing correct solution; might have considered explaining that he's using the same variable for user input as well as database connection. – Luceos Apr 09 '14 at 13:28
  • Hmm, thanks for the variable advice. I fixed the spelling mistake but it still says I'm entering the wrong details. I'm thinking maybe something is wrong with my if statement at the bottom? – Forrest Apr 09 '14 at 13:41
  • Have you tried to log the query and run it directly in the DB? Please debug this – meda Apr 09 '14 at 13:44
  • @user3253191 you can add more checks `if ($result) { //check count} else { //mysql_query failed }` – meda Apr 09 '14 at 14:09
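
The notes in the answer above (separate variables, no SQL injection, move off `mysql_*`) combined into one login check, as an added example that is not code from the thread. It goes one step further than the answer by upgrading legacy `sha1()` rows to `password_hash()` on a successful login. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL `login` database so the script runs without a server, the rows are constructed, and `check_login` is a hypothetical helper name.

```php
<?php
// Added example. An in-memory SQLite database stands in for MySQL (assumption);
// with MySQL only the DSN and credentials passed to new PDO(...) change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_pswd (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample rows: one legacy unsalted SHA-1 row, one password_hash() row.
$seed = $pdo->prepare('INSERT INTO tbl_pswd (username, password) VALUES (?, ?)');
$seed->execute(["o'brien", sha1('correct horse')]);
$seed->execute(['bob', password_hash('battery staple', PASSWORD_DEFAULT)]);

function check_login(PDO $pdo, string $user, string $pass): bool
{
    // The placeholder keeps user input out of the SQL text, so a quote in the
    // username is data, not syntax. Only the stored hash is fetched; the
    // comparison happens in PHP, not in the WHERE clause.
    $stmt = $pdo->prepare('SELECT password FROM tbl_pswd WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }

    // Legacy rows hold exactly 40 lowercase hex characters (sha1() output).
    $legacy = (bool) preg_match('/\A[0-9a-f]{40}\z/', $stored);
    $ok = $legacy
        ? hash_equals($stored, sha1($pass))   // constant-time comparison
        : password_verify($pass, $stored);

    // On success, replace a legacy or outdated hash with a salted, slow one.
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $upd = $pdo->prepare('UPDATE tbl_pswd SET password = ? WHERE username = ?');
        $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $user]);
    }
    return $ok;
}

var_dump(check_login($pdo, "o'brien", 'correct horse')); // legacy row, upgraded on success
var_dump(check_login($pdo, "o'brien", 'correct horse')); // same user, now via password_verify()
var_dump(check_login($pdo, 'bob', 'wrong password'));    // wrong password
var_dump(check_login($pdo, 'nobody', 'x'));              // unknown user
```

With MySQL, the password column needs room for the longer `password_hash()` output; the PHP manual recommends 255 characters.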
1

there is a simple spelling mistake-

$passowrd = sha1($_POST['password']);

correct it and it will work!

sunny
  • well spotted, currently a check is done with the username posted and the MySQL database password.. Please update your answer to inform him about using well defined and differentiated variables. – Luceos Apr 09 '14 at 13:26
-1

at this line: mysql_connect("", "root", "")or die("cannot connect"); there is no hostname.

mysql_connect(hostname, username, password) or die("cannot connect");

commonly hostname is "localhost"

here the code:

mysql_connect("localhost", "root", "")or die("cannot connect");

and then

wrong spelling (line): $passowrd = sha1($_POST['password']);

zessx