Member Avatar for engrjd91

Hello everyone!

I have a problem in login system of my CMS.
When I enter the correct Username and Password, the System is always showing Invalid Credentials, However I have checked in my Databse Tables that I am providing the correct username and password. I am not getting the problem in my Code.. can anyone help??

<?php
session_start();
 ?>
<?php include_once("../includes/connection.php"); ?>
<!DOCTYPE html>
<html lang='en'>
<head>
    <meta charset="UTF-8" /> 
    <title>
        HTML Document Structure
    </title>
    <link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>

<div id="wrapper">

<?php
$current_page = $_SERVER['PHP_SELF'];
?>
    <form name="login-form" class="login-form" action= "<?php echo $current_page; ?>" method="post">

        <div class="header">
        <h1>Login Form</h1>
        <span>Fill out the form below to login to my super awesome imaginary control panel.</span>
        </div>

        <div class="content">
        <input name="username" type="text" class="input username" placeholder="Username" />
        <div class="user-icon"></div>
        <input name="password" type="password" class="input password" placeholder="Password" />
        <div class="pass-icon"></div>     
        </div>



        <div class="footer">
        <input type="submit" name="button" value="submit" class="button" />
        <a href="../qmc-reg/reg.php" style="color:#000" >  Register</a>
        </div>

    </form>
<?php
if (isset($_POST['username']) && isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];

$query_one  = "SELECT * ";
$query_one .= "FROM users ";
$query_one .= "WHERE user_name = '".$username."' ";
$query_one .= "AND user_pass = '".$password."' ";
$query_one .= "LIMIT 1";

$result = mysql_query($query_one) or die(mysql_error());
$count = mysql_num_rows($result) or die(mysql_error());


if ($count == 1){
//$something  = mysql_fetch_array($count);

while ($something = mysql_fetch_array($result)){
        $something['user_id'];
        $something['user_name'];
        $something['user_pass'];



if ($count > 0 ){

$_SESSION['user_id'] = $something['user_id'];
$_SESSION['user_name'] = $something['user_name'];
$_SESSION['user_pass'] = $something['user_pass'];

$salt = "cas212c";
$hash = sha1($password, $salt);

if ($password == $hash){


session_write_close();

header("location: ../cms/cms.php");
}

else{
    echo "<div> Invalid Credentials </div>";
}
}}}
}
?>
</div>
<div class="gradient"></div>
</body>
</html>
  • 5 Contributors
  • 6 Replies
  • 228 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by toxicandy

Recommended Answers

All 6 Replies

Member Avatar for AndrisP

Delete space after equal sign action= "<?php echo $current_page; ?>" replace to action="<?php echo $current_page; ?>" and never use equal sign for compare username and password in the MySQL! Try this test case:

SELECT 'ABC' = 'abc','ĀBČ' = 'abc','ābč' = 'abc', 'ABC' LIKE 'abc', 
'ĀBČ' LIKE 'abc', 'ābč' LIKE 'abc', 'ABC' LIKE BINARY 'abc', 
'ĀBČ' LIKE BINARY 'abc', 'ābč' LIKE BINARY 'abc';

only "LIKE BINARY" return FALSE any other return TRUE (MySQL)

Member Avatar for engrjd91

Buddy, the problem isn't solved yet!

Member Avatar for lorenzoDAlipio

try to validate between the hash and the something['user_pass']?

user password input --- hash this password Vs. something['user_pass'].

Make sure the password stored in your database used the same hashing mechanism as the validation hashing mechanism.

Member Avatar for gabrielcastillo

Dump your post variable and see what you are getting from the form. If you are getting the correct params, then you know its not the form. If you are getting incorrect params then the problem is with the form and post.

By the looks of your code, your sha1 is incorrect.

you can modify your code a bit as well.

Create your password hash and store in the database. Then check the password hash against the string in the database.

$salt = 'cas212c';
$username = mysql_real_escape_string(trim($_POST['user_name']));
$password = sha1($_POST['user_pass'] . $salt);




$sql = "SELECT id FROM users WHERE user_name = '$username' AND user_pass = '$password' LIMIT 1";


$query = mysql_query($sql);

if(mysql_num_rows($query) == 1){
    $results = mysql_fetch_array($query);

    $_SESSION['user_id']   = $results['id'];
    $_SESSION['user_name'] = $username;
    $_SESSION['user_pass'] = $password;

    session_write_close();
}else{

    echo '<div>Invalid Credentials</div>';

}
Member Avatar for engrjd91

Problem remains the same buddy!

Member Avatar for toxicandy

Did you do what gabrielcastillo said? If you are storing Hashed passwords in your database then you will never get a result back if you are comparing the plain password that the user inputs in the form to the hashed password in the database. You need to do what he said and compare the hashed password in the database against the inputed password that has already ran through your hash function.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.