
I have here a login script. I removed the database username/password from it to post it on Stack. My problem is that it tells me every time I write a username and a password (even when they are correct) that the password and username are invalid. I obviously used select *from ........ and then put a variable $rows to count the affected rows, but its value is 0 every time and I am not able to log in.

    <h1>Log in</h1>
    <form action="" method="post">
        Username:<input type="text" name="username" placeholder="username" value=""/> <br />
        Password:<input type="password" name="password" placeholder="*******" value=""/> <br />
        <input type="submit" name="submit" value="Log In" />
        <br />
    </form>

    <?php

    $error = '';
    if (isset($_POST['submit'])) {
        if (empty($_POST['username']) || empty($_POST['password'])) {
            $error = "Username or Password is empty";
            echo $error;
        } else {
            $username = $_POST['username'];
            $password = $_POST['password'];

            $connection = mysql_connect("mysql.hostinger.ro", "_patr0", "  ");

            $username = stripslashes($username);
            $password = stripslashes($password);
            $username = mysql_real_escape_string($username);
            $password = mysql_real_escape_string($password);

            $db = mysql_select_db("_ppl", $connection);

            $query = mysql_query("select * from people where pw='$password' AND username='$username'", $connection);

            $rows = mysql_num_rows($query);

            if ($rows == 1) {
                /*$_SESSION['login_user']=$username;*/ // Initializing Session
                echo 'You are logged in';
            } else {
                $error = "Username or Password is invalid";
            }
            echo $error;
            mysql_close($connection); // Closing Connection
        }
    }
    ?>
Patr0nu
  • What do you mean by "I've removed it from the database"? Also you should be aware that mysql_* functions are deprecated, and you should start using PDO or mysqli_*. – Bono Jan 22 '15 at 17:35
  • Have you tried dumping the contents of your $_POST vars within your script to see if they are definitely set? – Halfpint Jan 22 '15 at 17:35
  • I wanted to say that I removed the database username and password from the script I posted here... – Patr0nu Jan 22 '15 at 17:38
  • Can you post the form from where input data is coming? – Amit Verma Jan 22 '15 at 17:38
  • Post your HTML form. – Funk Forty Niner Jan 22 '15 at 17:39
  • Please don't store user passwords in plain text or any other recoverable form. That's grossly irresponsible to your users. – David Jan 22 '15 at 17:40
  • I posted the html form – Patr0nu Jan 22 '15 at 17:41
  • Are you sure the username exists in db? – Amit Verma Jan 22 '15 at 17:41
  • Add error reporting to the top of your file(s) right after your opening ` – Funk Forty Niner Jan 22 '15 at 17:42
  • Yes I am sure. David, I stored the passwords using aes_encrypt('$password','text') – Patr0nu Jan 22 '15 at 17:43
  • http://stackoverflow.com/q/16556375/ – Funk Forty Niner Jan 22 '15 at 17:45
  • I would stay away from using `aes_encrypt`. I recommend you use [**CRYPT_BLOWFISH**](http://security.stackexchange.com/q/36471) or PHP 5.5's [`password_hash()`](http://www.php.net/manual/en/function.password-hash.php) function. For PHP < 5.5 use the [`password_hash() compatibility pack`](https://github.com/ircmaxell/password_compat). Not to mention prepared statements which are much safer ;-) – Funk Forty Niner Jan 22 '15 at 17:48
  • The main problem, as far as I have noticed from your code, is **variables name**: you are using 1 name for different actions in your code! – Amit Verma Jan 22 '15 at 17:56
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. In this short example you have a number of dangerous [SQL injection vulnerabilities](http://bobby-tables.com/) coming from a reckless lack of [proper escaping](http://bobby-tables.com/php). Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](http://laravel.com/docs/security) built-in. – tadman Jan 22 '15 at 17:57

2 Answers

Yes I am sure. David, I stored the passwords using aes_encrypt('$password','text')

This could be your problem: when you are running your MySQL query here, you are trying to match a plain text password from the user input, but you store them as encrypted strings. You need to encrypt the password in your SQL query.

PHP Addict

Looking at your code (whilst skipping the unimportant parts):

    $username=$_POST['username'];
    $password=$_POST['password'];
    ...
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    ...
    $query = mysql_query("select * from people where pw='$password' AND username='$username'", $connection);

What you're actually doing is taking the username and password in plain text and converting them to a format where the database doesn't get corrupted if odd formatting characters are used for plain text; then you're comparing them to the values in the database.

Before doing anything else, run phpMyAdmin, mysql command line server or something where you can actually pull up the contents of your people table.

Then enter this SQL query:

    select * from people;

or choose the show all records in the people table option (if it exists in your database manager).

Scroll up and down the screen and look for items in the username and password field to see what they are.

If it looks like gibberish, then chances are the info placed in the table is likely encoded.

Either change the database data so that username and password is in plain text and use the same respective values in the text boxes on your form, just to make sure everything works plain text style.

Once that works fine, then you need to create some kind of encoding to the data in your table.

Try this (and assume $imported_username and $imported_password have the values from the username and password fields in db friendly format (as you did near the top of your code)):

In your registration script insert the following statements to create a record:

    $user=$imported_username;
    $pass=md5($imported_password);
    $query = mysql_query("insert into people (username,pw) values('$user','$pass')", $connection);

Then in your login processing script, change:

    $query = mysql_query("select * from people where pw='$password' AND username='$username'", $connection);

to:

    $query = mysql_query("select * from people where pw='".md5($password)."' AND username='$username'", $connection);

That way, you'll have the username stored in the database and the password encoded.
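
The comments above recommend `password_hash()` and prepared statements instead of `aes_encrypt` or a direct string comparison. The following is an added example, not code from the question or from either answer, showing registration and login done that way. It assumes PDO with an in-memory SQLite database as a stand-in for the MySQL server so it runs offline; the table and column names (`people`, `username`, `pw`) are taken from the question, and the accounts are constructed sample data.

```php
<?php
// Added example: not code from the question or the answers.
// Assumption: in-memory SQLite via PDO stands in for the MySQL server.

function register(PDO $db, string $username, string $password): void
{
    // password_hash() generates a random salt and a one-way hash,
    // so the stored value cannot be decrypted back to the password.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO people (username, pw) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Select by username only. Because each hash carries its own salt,
    // it cannot be matched with pw = '...' in the WHERE clause.
    $stmt = $db->prepare('SELECT pw FROM people WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        return false; // no such user
    }
    // password_verify() re-hashes the input with the stored salt
    // and compares in constant time.
    return password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (username TEXT PRIMARY KEY, pw TEXT NOT NULL)');

// Constructed sample accounts; the second name contains a quote to show
// that bound parameters treat it as data, with no escaping calls needed.
register($db, 'alice', 'correct horse');
register($db, "o'brien", 'battery staple');

var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, "o'brien", 'battery staple'));
var_dump(login($db, 'nobody', 'correct horse'));
```

The `pw` column needs room for the full hash string; the PHP manual recommends 255 characters so that future default algorithms still fit.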