I'm doing a verify login in php and when i put my username and password correctly. It prompts 'Incorrect UserName Password'

?php

$user = $_POST ['txtuname'];
$pass = $_POST ['txtpass'];
$encryptpass=md5($pass);


    // used mysql_connect_db instead of mysql_connect
    mysql_connect("localhost", "root", "") or die(mysql_error());

    // This line is missing
    mysql_select_db("intranet") or die(mysql_error());


    // pass= ' " . $pass . " ' " ----> contains space resulting to incorrect pass
    //$sql = "SELECT * FROM employee WHERE uname = " . $user . " and pswrd = " . $pass . "";

    $sql= "SELECT * FROM employee WHERE uname='$user' and pswrd='$encryptpass'";

    $rs = mysql_query($sql) or die(mysql_error());

        if(mysql_affected_rows() > 0)
            {
                $row =mysql_fetch_array ($rs);
                echo "name: " . $row['fname'] . " " . $row['lname'];

                }
        else
            {
            echo "Incorrect Username or Password";

            }
?>

Thank You for helping!

using select you are not affecting any rows.

You should use mysql_num_rows() on line 22 instead, and you want it == 1 (because each username should only have 1 assciated password, and if you are getting more than 1 you're in trouble.

Also, sanitize your variables (learn about mysql_real_escape_string())

It prompts incorrect password again :(

sorry, let me be more clear...

$sql= "SELECT * FROM employee WHERE uname='$user' and pswrd='$encryptpass'";

$rs = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($rs) === 1) //if === does not work, try ==
 {
  $row = mysql_fetch_array ($rs);
  echo "name: " . $row['fname'] . " " . $row['lname'];
 }
else
 {
 ....

I try both. Still Incorrect password. Is my

$encryptpass=md5($pass);

correct? I try to echo

echo $encryptpass;

my password is = "y"
the one that i log in =d41d8cd98f00b204e9800998ecf8427e
the one in db = 415290769594460e2e48

but they are y(the one in log in and db). :(

Are you definitely using MD5 in the database (i.e. not SHA1)? Also I would recommend trimming your posted data to ensure there is no white space.

I'm sorry I am new in php. I will try your suggestion. Thank You

I do not know what I am doing please help me :((

<?php
ob_start();
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name="intranet"; // Database name 
$tbl_name="employee"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$salt = '~Z`!@#$%I^&*()_-+Q=}]{[\|"><';
$myusername = $_POST['txtunamea']; 
$mypassword = $_POST['txtpassa'];
$encryptpass = hash('sha512', $mypassword . $salt);

//$sql = "SELECT * FROM $tbl_name WHERE uname = '$myusername' AND upass = '$mypassword')";
$sql= "SELECT * FROM employee WHERE uname='$username' and pswrd='$encryptpass'";

$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){

echo "correct Username or Password";
}
else {
    echo "$mypassword<br />";
    echo $encryptpass;
    echo $count;
    echo "Wrong Username or Password";
}

ob_end_flush();
?>

I use Sha but I't prompts Wrong username or password :) Help please Thank You

check and compare $encryptpass and the value for employee.pswrd

I'm comparing. my password is '12345' during registration. I'm using md5, sha, AES_DECRYPT. Still I'm getting incorrect password during log in.. what am I doing?

blue, since you are messing around with all your different encryptions types you may have mixed yourself up.

Whatever you encrypt the password with during creation, you must use to check against the password in login.

So, if your "signup" page uses MD5, then your login script must also use MD5.

You may also have encryption turned on in your database, in which case you would be encrypting and encrypted string - but PHP would have no idea that it has been re-encrypted. So make sure that your table column is not, for any reason, encrypted during an insert. If it is, you need to decrypt it during a select (assuming you have the right key).

If you created your own tables, you would know if encryption is turned on for the insert/update.

In general, the creation process would be something like this at creation (I am not sanitizing anything for the sake of simplicty):

<?php

if($_POST) {
$usr = $_POST['usrnm'];
$pass = hash('md5', $_POST['pswrd']);

$query = "INSERT INTO login (username, password) VALUES ('$usr', '$pass');";

$result = mysql_query($query);

if(mysql_affected_rows($result) == 1){
echo "Insert Complete!";
session_start();
$_SESSION['username'] = $usr;
//redirect or whatever...
}else {
echo "Insert failed!";
//redirect or whatever...
}
}

?>

Then our retrieval at login:

<?php

if($_POST){
$usr = $_POST['usrnm'];
$pass = hash('md5', $_POST['pswrd']);

$query = "SELECT username u, password p FROM login WHERE username='$usr' AND password='$pass';";

$result = mysql_query($query);

if(mysql_num_rows($result)==1) {
//login stuff
}else{
//login failure
}
}

?>

Hope that helps,

Ryan

Also, if you are going to use a salt, it needs to be unique for each password - it defeats the purpose of a salt if they are all the same, as a rainbow table can be made by injecting the salt.

You can even be so bold as to store the salt in the database along with the username, because it would take a rediculously long time to crack a single password with the salt, and then have to do it all over for the next one.

If you want to go even further, you can use salt and pepper, and pepper can be a global variable that is stored in a protected area that no one will never see unless they gain access to your FTP/root, in which case you have bigger problems than your database being cracked.

 <?php
    // used mysql_connect_db instead of mysql_connect
    mysql_connect("localhost", "root", "") or die(mysql_error());

    // This line is missing
    mysql_select_db("intranet") or die(mysql_error());

    echo $pass;
    if($_POST){

    $user = $_POST ['txtunamea'];
    $pass = hash('md5', $_POST['txtpassa']);
    //$query = "SELECT username u, password p FROM login WHERE username='$usr' AND password='$pass';";

        $query = "SELECT * FROM employee WHERE uname='$user' and pswrd='$pass'";
        $result = mysql_query($query);

        if(mysql_num_rows($result)==1) {
    //login stuff
            echo "Correct";
            }
        else{
    //login failure
            echo "Incorrect Username or Password";
            }
    }
?>

I use your code and modify some of it but there is no output(Page is blank). I do not know if it's working. Thank You..

I didnt add any redirects. You need to change the comments out.

//login stuff needs to be actual php commands..

redirect?
header("Location: mypagetogo.php");
exit();

error message?
echo "You failed to log in!!";

I left that part up to you.

You will also need to change the names in the SQL query, as well, to match your table.

Modified Code: Still I'm getting Incorrect UserName or password. What have I done?

    <?php


    $user = $_POST ['txtunamea'];
    $pass = hash('md5', $_POST['txtpassa']);
    // used mysql_connect_db instead of mysql_connect
    mysql_connect("localhost", "root", "") or die(mysql_error());

    // This line is missing
    mysql_select_db("intranet") or die(mysql_error());

    echo $pass;
    //if($_POST){
        $pass = hash('md5', $_POST['txtpassa']);

        $query = "SELECT * FROM employee WHERE uname='$user' and pswrd='$pass'";
        $result = mysql_query($query);
        echo $query;
        if(mysql_num_rows($result)==1) {
            echo "Correct";
            }
        else{
            echo "Incorrect Username or Password";
            }
    //}
?>

Check the length of the password field in the database, you wrote:

my password is = "y"
the one that i log in =d41d8cd98f00b204e9800998ecf8427e
the one in db = 415290769594460e2e48

now:

echo md5('y'); #outputs 415290769594460e2e485922904f345d

which is the same of the db version, but it seems that in your database the field is accepting only 20 chars, so change varchar(20) to varchar(32) which is the standard output for md5 function. And update the field with the new value, since the previous is truncated.

The hash that you get from the form, is generated by a boolean false:

md5(false); #outputs d41d8cd98f00b204e9800998ecf8427e

so check with a print_r($_POST); what you receive from the form. Bye!

^clever catch

Great... Thank you :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.