PHP help for my little project

[OldWolf]

Hello php coders!

Well, me and a couple friends are working on a game... nothing fancy, just for me and the members of my website to hopefully enjoy. Anyway, I'm fairly new to php and sql (I've really only used it to make very simple changes on my forums, or to apply preconstructed modifications).

Here's the issue... I've successfully created a registration (maybe I should say modified a registration, based on a tutorial I read)... but I'm having issues with the login file that goes with it. This is what I have right now:

PHP Code:

<?php

// database connect script.
require ('config.php');
require (ROOT_PATH.'db_connect.php');

if($usergroup >= 1) {
    die('You are already logged in, '.$_SESSION['username'].'.');

}


?>
<html>
<head>
<title>Login</title>
</head>
<body>
<?php

if (isset($_POST['submit'])) { // if form has been submitted


    /* check they filled in what they were supposed to and authenticate */
    if(!$_POST['uname'] | !$_POST['passwd']) {
        die('You did not fill in a required field.');
    }

    // authenticate.

    if (!get_magic_quotes_gpc()) {
        $_POST['uname'] = addslashes($_POST['uname']);
    }

    $check = mysql_query ("SELECT username, password FROM users WHERE username = '".$_POST['uname']."'");
    if (!$check || mysql_num_rows($check) == 0) {
        die('That username does not exist in our database.');
    }
    

    $info = mysql_fetch_row($check);
    // check passwords match

    $_POST['passwd'] = stripslashes($_POST['passwd']);
    $info['password'] = stripslashes($info['password']);
    $_POST['passwd'] = md5($_POST['passwd']);


    if ($_POST['passwd'] != $info['password']) {
        die('Incorrect password, please try again.');
    }

    // if we get here username and password are correct, 
    //register session variables and set last login time.

    $date = date('m d, Y');

    $update_login = $db_object->query("UPDATE users SET last_login = '$date' WHERE username = '".$_POST['uname']."'");
  $usergroupcheck = $db_object->query("SELECT username, usergroup FROM users WHERE username = '".$_POST['uname']."'");
    $_POST['uname'] = stripslashes($_POST['uname']);
    $_SESSION['usergroup'] = $usergroupcheck;
    $_SESSION['username'] = $_POST['uname'];
    $_SESSION['password'] = $_POST['passwd'];
    
       if(isset($_POST['remember'])){
      setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
      setcookie("cookpass", $_SESSION['password'], time()+60*60*24*100, "/");
   }
    
    
    mysql_close ($db_object);

?>
<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[PHP_SELF]\">
<h1>Logged in</h1>
<p>Welcome back <?php echo $_SESSION['username']; ?>, you are logged in.</p>

<?php

} else {    // if form hasn't been submitted

?>
<h1>Login</h1>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table align="center" border="1" cellspacing="0" cellpadding="3">
<tr><td>Username:</td><td>
<input type="text" name="uname" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="passwd" maxlength="50">
</td></tr>
<tr><td><input type="checkbox" name="remember">Remember Me (uses cookies)</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>
</body>
</html>

The issue is that when I try to log in, it gives me an incorrect password (I'm sure the password is correct). It correctly checks the database for an existing username (typing in a wrong username gives the username does not exist error), but it appears to have issues checking the password.

I'm sure it's a simple problem, but what did I do wrong?

[mairving]

Is the password encrypted when it goes into the database?

[faulkner132]

Quote:

Originally Posted by mairving Is the password encrypted when it goes into the database?

Agreed, store the password as plain text and see if it works. After verifying it does work, you can insert an encrypted string (I always use use base64 function). I never use the password field type in MySQL.

[OldWolf]

It is m5d when it gets placed into the database... I'll see if the plain text works... thanks for the thoughts.

[catacon]

You want to keep it encrypted, but you need to also encrypt the one entered from the login field. Right now you are checking the md5 encrypted password against a none encrypted password, so they don't match. You need to encrypt the password entered from the login field and then match it against the one in the database.

[OldWolf]

Hmm... this line should be changing the posted password to md5 before comparing:

PHP Code:

$_POST['passwd'] = md5($_POST['passwd']); 


Did I do something wrong there?

[faulkner132]

To debug this, I would recommend removing any kind of encryption you have on your passwords, both in the database and the submit code. Test to make sure it is working with nothing encrypted. Then go back and add the encryption stuff. This way you can find out if your code is wrong or your encryption is out of sync.

[mairving]

Quote:

Originally Posted by faulkner132 To debug this, I would recommend removing any kind of encryption you have on your passwords, both in the database and the submit code. Test to make sure it is working with nothing encrypted. Then go back and add the encryption stuff. This way you can find out if your code is wrong or your encryption is out of sync.

Agreed.

You might also go ahead and do a trim on the password as well to avoid any errors.