Hello everyone!

I have a problem in login system of my CMS.
When I enter the correct Username and Password, the System is always showing Invalid Credentials, However I have checked in my Databse Tables that I am providing the correct username and password. I am not getting the problem in my Code.. can anyone help??

<?php
session_start();
 ?>
<?php include_once("../includes/connection.php"); ?>
<!DOCTYPE html>
<html lang='en'>
<head>
    <meta charset="UTF-8" /> 
    <title>
        HTML Document Structure
    </title>
    <link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>

<div id="wrapper">

<?php
$current_page = $_SERVER['PHP_SELF'];
?>
    <form name="login-form" class="login-form" action= "<?php echo $current_page; ?>" method="post">

        <div class="header">
        <h1>Login Form</h1>
        <span>Fill out the form below to login to my super awesome imaginary control panel.</span>
        </div>

        <div class="content">
        <input name="username" type="text" class="input username" placeholder="Username" />
        <div class="user-icon"></div>
        <input name="password" type="password" class="input password" placeholder="Password" />
        <div class="pass-icon"></div>     
        </div>



        <div class="footer">
        <input type="submit" name="button" value="submit" class="button" />
        <a href="../qmc-reg/reg.php" style="color:#000" >  Register</a>
        </div>

    </form>
<?php
if (isset($_POST['username']) && isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];

$query_one  = "SELECT * ";
$query_one .= "FROM users ";
$query_one .= "WHERE user_name = '".$username."' ";
$query_one .= "AND user_pass = '".$password."' ";
$query_one .= "LIMIT 1";

$result = mysql_query($query_one) or die(mysql_error());
$count = mysql_num_rows($result) or die(mysql_error());


if ($count == 1){
//$something  = mysql_fetch_array($count);

while ($something = mysql_fetch_array($result)){
        $something['user_id'];
        $something['user_name'];
        $something['user_pass'];



if ($count > 0 ){

$_SESSION['user_id'] = $something['user_id'];
$_SESSION['user_name'] = $something['user_name'];
$_SESSION['user_pass'] = $something['user_pass'];

$salt = "cas212c";
$hash = sha1($password, $salt);

if ($password == $hash){


session_write_close();

header("location: ../cms/cms.php");
}

else{
    echo "<div> Invalid Credentials </div>";
}
}}}
}
?>
</div>
<div class="gradient"></div>
</body>
</html>  

Delete space after equal sign action= "<?php echo $current_page; ?>" replace to action="<?php echo $current_page; ?>" and never use equal sign for compare username and password in the MySQL! Try this test case:

SELECT 'ABC' = 'abc','ĀBČ' = 'abc','ābč' = 'abc', 'ABC' LIKE 'abc', 
'ĀBČ' LIKE 'abc', 'ābč' LIKE 'abc', 'ABC' LIKE BINARY 'abc', 
'ĀBČ' LIKE BINARY 'abc', 'ābč' LIKE BINARY 'abc';

only "LIKE BINARY" return FALSE any other return TRUE (MySQL)

Buddy, the problem isn't solved yet!

try to validate between the hash and the something['user_pass']?

user password input --- hash this password Vs. something['user_pass'].

Make sure the password stored in your database used the same hashing mechanism as the validation hashing mechanism.

Dump your post variable and see what you are getting from the form. If you are getting the correct params, then you know its not the form. If you are getting incorrect params then the problem is with the form and post.

By the looks of your code, your sha1 is incorrect.

you can modify your code a bit as well.

Create your password hash and store in the database. Then check the password hash against the string in the database.

$salt = 'cas212c';
$username = mysql_real_escape_string(trim($_POST['user_name']));
$password = sha1($_POST['user_pass'] . $salt);




$sql = "SELECT id FROM users WHERE user_name = '$username' AND user_pass = '$password' LIMIT 1";


$query = mysql_query($sql);

if(mysql_num_rows($query) == 1){
    $results = mysql_fetch_array($query);

    $_SESSION['user_id']   = $results['id'];
    $_SESSION['user_name'] = $username;
    $_SESSION['user_pass'] = $password;

    session_write_close();
}else{

    echo '<div>Invalid Credentials</div>';

}

Problem remains the same buddy!

Did you do what gabrielcastillo said? If you are storing Hashed passwords in your database then you will never get a result back if you are comparing the plain password that the user inputs in the form to the hashed password in the database. You need to do what he said and compare the hashed password in the database against the inputed password that has already ran through your hash function.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.