-2

In my Login form, I try entering the values I inserted into the MySQL tables I connected with PHP, but no matter what values I enter into the input fields, I always get the error I set up when the Username and Password are incorrect:

die("The username or password is incorrect. Click <a href='http://growtapians.com/Login & Register System/index.php'>here</a> and try again.");

This is the code to the entire function when someone enters in their credentials in the Login form:

if ($_POST['login']) {
 if ($_POST['username'] && $_POST['password']) {
      $username = mysql_real_escape_string($_POST['username']);
      $password = mysql_real_escape_string(hash("sha512", $_POST['password']));
      $user = mysql_fetch_array(mysql_query("SELECT * FROM 'users' WHERE 'Username' = '$username' && 'Password' ='$password'"));
      if ($user == '0' || $user['Password'] != $password) {
           die("The username or password is incorrect. Click <a href='http://growtapians.com/Login & Register System/index.php'>here</a> and try again.");
      };
      $salt = hash("sha512", rand() . rand() . rand());
      setcookie("c_user", hash("sha512", $username), time() + 24 * 60 * 60, "/");
      setcookie("c_salt", $salt, time() + 24 * 60 * 60, "/");
      $userID = $user['ID'];
      mysql_query("UPDATE 'users' SET 'Salt'='$salt' WHERE 'ID'='$userID'");
      die("You have logged in successfully, $username!"); 
 };

};

The HTML:

<!DOCTYPE html>
        <html lang='en'>
            <head>
                <meta charset='UTF-8'>
                <meta name='viewport' content='width=device-width, height=device-height, initial-scale=1'>
            </head>
        <body>
            <div id='logindiv' style='width: 50%; padding: 10px; border: 5px solid #316ED6; background-color: #648CD1; color: #31D8EB; margin: auto; border-radius: 1.3em; text-align: center;'>
                <h1>Login</h1>
                <br />
                <form action='' method='post'>
                    <div>
                        <b>Username:</b>
                        <input type='text' name='username' style='padding: 4px;'/>
                    </div>
                    <div>
                    <b>Password:</b>
                    <input type='password' name='password' style='padding: 4px; '/>
                        </div>
                        <div>
                            <input type='submit' value='Login' name='login'/>
                        </div>
            </form>
                <div>
                    <h4>No Account? Register <a href='register.php'>Here!</a></h4>
                </div>
            </div>
     </body>

NOTES:

  • The PHP version supported by my hosting service is 5.5 & 5.6

  • I followed a tutorial dating 3 years back, so please excuse any outdated code

  • The extra bracket outside of the formatted code is supposed to be in the box of code I've provided, but it's not in there for some reason

Nonemoticoner
  • It's not what is causing your problem, but you don't need to check the user's password matches inside and outside the SQL query. You only need to do it once. – Chris Mar 26 '16 at 17:33
  • Like @Chris said, you should only check password in the PHP not the SQL, also, if you hash the password again and check it against the one in the DB it won't match. Use hash_equals http://php.net/manual/en/function.hash-equals.php – Baruch Mar 26 '16 at 17:35
  • Your query is not correct $user = mysql_fetch_array(mysql_query("SELECT * FROM 'users' WHERE 'Username' = '$username' && 'Password' ='$password'")); Remove the single quotes from around the table name and field names. – DevMan Mar 26 '16 at 17:41
  • 1. You check the password already in the query (as mentioned above), no need to check it again. 2. You're using the quotes wrong, see the dupe below (meaning your query fails, which you never really check for). 3. `mysql_*` functions are deprecated since PHP 5.5 (and **removed entirely** in PHP 7) and you should [stop using them](http://stackoverflow.com/q/12859942) if you can. You should choose another API that allows you to use prepared statements (which you *really should*), like `mysqli_*` or PDO - see [choosing an API](http://php.net/manual/en/mysqlinfo.api.choosing.php). – Qirel Mar 26 '16 at 17:41
  • You posted this already http://stackoverflow.com/questions/36230195/registration-system-error and I closed it with http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks - Yours being an exact duplicate of your first and closed as such. Please don't repost. – Funk Forty Niner Mar 26 '16 at 17:45
  • Stop using the **deprecated and as of PHP7 removed** mysql_* functions. Migrate to PDO and start using Prepared Statements. – Charlotte Dunois Mar 26 '16 at 17:46
  • @CharlotteDunois My hosting service doesn't support mysqli_ functions – Preston Is Awesome Mar 26 '16 at 18:43
  • PDO != MySQLi, MySQLi is a MySQL specific PHP extension. PDO can be used for every db engine, if the correct db engine driver is installed. – Charlotte Dunois Mar 26 '16 at 18:45
  • If your hosting service doesn't have PDO installed, tell them to update their PHP installation. If they don't want to do that, change the hosting service. – Charlotte Dunois Mar 26 '16 at 18:46
  • @Baruch How do I use hash_equals? I never really understood hash functions. Also, if I can't hash the password when it gets posted, what do I do exactly to check if it equals the password in the SQL query? – Preston Is Awesome Mar 26 '16 at 18:48
  • @PrestonIsAwesome If what you're trying to do is verify the submitted password vs the password in the database, then you don't need to hash the new password you just need to use the crypt library's function to verify password I.E. using password_verify `password_verify("user_submitted_pw", "db_stored_pw")` that should return a boolean. Use [password_hash](http://php.net/manual/en/function.password-hash.php) instead of just hash. Also, please read the other comments. `mysql_*` should not be used, ever. – Baruch Mar 26 '16 at 20:29
  • @Baruch Thanks for the clarification and advice, helped me out a lot. About the `mysql_`, the only reason why I use that is because my hosting service (eHost) only supports PHP 5.5 & 5.6, otherwise, I'd be using `mysqli_` functions right now. – Preston Is Awesome Mar 26 '16 at 21:50
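
The approach the comments above recommend (PDO prepared statements plus `password_hash`/`password_verify`), as an added example that is not part of the original thread. It assumes the SQLite PDO driver with an in-memory database so it runs stand-alone (on a MySQL host only the DSN changes); table and column names follow the question, and `register()`/`login()` are hypothetical helper names.

```php
<?php
// Added example, not the asker's code. Assumption: pdo_sqlite is available;
// the in-memory database stands in for the asker's MySQL server.
$pdo = new PDO('sqlite::memory:');
// Throw on SQL errors, so a malformed query cannot pass silently the way
// an unchecked mysql_query() result does.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, Username TEXT UNIQUE, Password TEXT)');

function register(PDO $pdo, $username, $password)
{
    // password_hash() picks a random salt and stores it inside the returned string,
    // so no separate Salt column is needed for password checking.
    $stmt = $pdo->prepare('INSERT INTO users (Username, Password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, $username, $password)
{
    // Look the row up by username only; the value is bound, never interpolated.
    $stmt = $pdo->prepare('SELECT ID, Password FROM users WHERE Username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matches. password_verify() re-derives the
    // hash using the salt embedded in the stored value and compares the results.
    if ($user === false || !password_verify($password, $user['Password'])) {
        return null; // same result for unknown user and wrong password
    }
    return (int) $user['ID'];
}

// Constructed sample data.
register($pdo, 'alice', 'correct horse battery staple');
register($pdo, "o'brien", 'another sample password');

var_dump(login($pdo, 'alice', 'correct horse battery staple')); // matching password
var_dump(login($pdo, 'alice', 'wrong password'));               // wrong password
var_dump(login($pdo, "o'brien", 'another sample password'));    // apostrophe is bound as data
var_dump(login($pdo, 'nobody', 'anything'));                    // unknown user
```

The code avoids scalar type hints so it also runs on the PHP 5.5/5.6 versions named in the question.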

3 Answers

0

You shouldn't have quotes around your table name or field names.

Chris
0

In your query:

SELECT * FROM 'users' WHERE 'Username' = '$username' && 'Password' ='$password'

I think you are confusing backtick (`) with single quotes. Single quotes belong around values you are checking, like '$password' and '$username'. You don't need the backticks unless you need to escape reserved MySQL commands because you're using them as field names.

Can you try this query instead?

"SELECT * FROM users WHERE Username = '$username' && Password ='$password'"

I hope this helps you, perhaps I'm missing something else, but that's what stood out to me anyway!

Aaron Belchamber
0

Try breaking it up into parts:

 $query=  mysql_query("SELECT * FROM `users` WHERE `Username` = '".$username."' AND `Password` ='".$password."' ") or die(mysql_error());

 $user = mysql_fetch_array($query);

Please ensure that you can't put table name or column name within quotes ''.

You can use tilt operator ``.

Also, it's better to stick to the standard SQL AND operator rather than &&.

Hope this helps.

Indrasis Datta
  • Please ensure that you can't put table name or column name within quotes ''. You can use tilt operator ``. Also, it's better to stick to the standard SQL AND operator rather than &&. – Indrasis Datta Mar 26 '16 at 17:45