Problem using different type of names to login


divinedesigns1

Hey guys, long time no see. I'm having a problem using a nickname or an email to log into a website. I have everything laid out but it's not working. I'm not sure what I'm doing wrong, that's why I came here for a few pointers or tips. This is what my query looks like:

$log = "SELECT * FROM members WHERE nick='$username' OR email='$username' AND password='$password'";

and this is what the html code looks like

 <form action="" method="post">Username: <input type="text" name="username" /> Password: <input type="password" name="password" />  <input type="submit" name="submitt" value="Login" /></form>

What I was planning is that when you enter either an email or a username it still logs you in, as long as the information is within the database, but so far I'm only able to use the username.


Do you get any errors at all? If not, I suggest looking at the names of your input fields, etc. Example: your submit input has the name (submitt) with 2 't's. Recheck the names and the post/variable you're using to make the login query work. EXAMPLE:

<?php
if (isset($_POST['form_login_submit'])) {
    $user = (POST)...
    $pass = (POST)...
    $email = (POST)...
    (QUERY HERE...)
}
?>

You should check (QUERY, THE IF STATEMENT, AND VARIABLES...). Only an example, I don't know your coding style :)...

Edited by rootKID

> Do you get any errors at all? If not, I suggest looking at the names of your input fields, etc. Example: your submit input has the name (submitt) with 2 't's. Recheck the names and the post/variable you're using to make the login query work. EXAMPLE:
>
> <?php
> if (isset($_POST['form_login_submit'])) {
>     $user = (POST)...
>     $pass = (POST)...
>     $email = (POST)...
>     (QUERY HERE...)
> }
> ?>
>
> You should check (QUERY, THE IF STATEMENT, AND VARIABLES...). Only an example, I don't know your coding style :)...

Yeah, I put the name submitt there because it was getting mixed up with another form lol, and imma have to check the if statement, that's the only thing that is left to do, since there's no error at all, and the variables are correct for the, since I'm using what's in the form I displayed

put this at the end of your query:

or die(mysql_error());

for more verbose info on your problem.

Edited by niche

use braces to group the condition

SELECT * FROM members WHERE (nick='$username' OR email='$username') AND password='$password' 

When in doubt, basic database debugging techniques apply, like printing the query, using mysql_error() like niche said, and mysql_num_rows() to get the returned row. If the query is successful, that does not always mean it is returning rows.

Edited by birbal

As birbal showed, without using the brackets AND will take priority over OR, due to operator precedence: http://dev.mysql.com...precedence.html Without the brackets in your query, it was actually getting run as:

SELECT * FROM members WHERE nick='$username' OR (email='$username' AND password='$password')

which is also a huge security issue, as any password could have been used with a valid username.

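The precedence effect described in the two posts above, as an added example that is not part of the original thread. It assumes PHP with the pdo_sqlite extension; the table, the email address and the 'stored-hash' value are constructed, and placeholders replace the interpolated variables.

```php
<?php
// Added example: constructed members table in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (nick TEXT, email TEXT, password TEXT)");
$db->exec("INSERT INTO members VALUES ('Siggie', 'siggie@example.com', 'stored-hash')");

// The two WHERE clauses from the thread, differing only in the brackets.
$ungrouped = "SELECT COUNT(*) FROM members
              WHERE nick = :u1 OR email = :u2 AND password = :p";
$grouped   = "SELECT COUNT(*) FROM members
              WHERE (nick = :u1 OR email = :u2) AND password = :p";

// Returns how many rows the given query matches for one login attempt.
function matches(PDO $db, string $sql, string $user, string $pass): int
{
    $stmt = $db->prepare($sql);
    $stmt->execute([':u1' => $user, ':u2' => $user, ':p' => $pass]);
    return (int) $stmt->fetchColumn();
}

$cases = [
    ['Siggie', 'stored-hash'],             // nick, matching password
    ['Siggie', 'wrong'],                   // nick, non-matching password
    ['siggie@example.com', 'stored-hash'], // email, matching password
    ['siggie@example.com', 'wrong'],       // email, non-matching password
];
foreach ($cases as [$user, $pass]) {
    printf("%-20s %-12s ungrouped=%d grouped=%d\n", $user, $pass,
        matches($db, $ungrouped, $user, $pass),
        matches($db, $grouped, $user, $pass));
}
```

The second case is the one to watch: the ungrouped query matches a row for a valid nick whatever the password is, while the grouped query does not.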

> As birbal showed, without using the brackets AND will take priority over OR, due to operator precedence: http://dev.mysql.com...precedence.html Without the brackets in your query, it was actually getting run as:
>
> SELECT * FROM members WHERE nick='$username' OR (email='$username' AND password='$password')
>
> which is also a huge security issue, as any password could have been used with a valid username.

oo ok, I didn't know that part

> use braces to group the condition
>
> SELECT * FROM members WHERE (nick='$username' OR email='$username') AND password='$password'
>
> When in doubt, basic database debugging techniques apply, like printing the query, using mysql_error() like niche said, and mysql_num_rows() to get the returned row. If the query is successful, that does not always mean it is returning rows.

ok I'll do that

> put this at the end of your query:
>
> or die(mysql_error());
>
> for more verbose info on your problem.

funny part is, I had that but I removed it, kinda don't like having it there but imma have to get used to using it

I'm still having that problem with logging in with my email, but the username works perfectly well, and when I print_r() it out I get this: 'SELECT * FROM members WHERE nick='Siggie' OR (email='Siggie' AND password='fa619b9b5872b9b80d2baff431c9891c')'. As you see, the email holds the username also. Is this supposed to happen?


For the nick that works perfectly well, it's just the password. I think it's looking in both the nick and the email for the information, or it's getting the email and nick mixed up.

<?php
include_once 'function.php';
if (isset($_POST['submitt'])) {
    // define the variables
    $username = $_POST['username'];
    $password = $_POST['password'];
    $break = "<br/>";

    // filter out the variables
    $username = strip_tags($username);
    $username = stripslashes($username);
    $username = preg_replace('#^[A-Za-z0-9]!#', '', $username);
    $password = strip_tags($password);
    $password = stripslashes($password);
    $password = preg_replace('#@^[A-Za-z0-9]!#', '', $password);

    // check to see if any field is empty
    if (empty($username) && empty($password)) {
        echo 'Please Fill Both Fields';
        echo $break;
    } elseif (empty($username)) {
        echo 'A username is required';
        echo $break;
    } elseif (empty($password)) {
        echo 'A Password is required';
        echo $break;
    // if the fields arent empty filter and log them in
    } elseif (!empty($username) && !empty($password)) {
        $username = mysqli_real_escape_string($con, $username);
        $password = mysqli_real_escape_string($con, $password);
        $password = md5(md5('$password' . 'salt') . 'pepper');

        // if the fields are filter, match the information given
        $log = "SELECT * FROM members WHERE (nick='$username' OR email='$username') AND password='$password'" or die("Error: " . mysqli_error());
        $result_log = mysqli_query($con, $log);
        $check = mysqli_num_rows($result_log);
        // check to see if the account exist
        if ($check > 0) {
            while ($log_check = mysqli_fetch_array($result_log)) {
                // create session for the id
                $users = $log_check['users'];
                $_SESSION['uid'] = $users;
                // create session for the full name
                $fullname = $log_check['full'];
                $_SESSION['name'] = $fullname;
                // create session for the nickname
                $username = $log_check['nick'];
                $_SESSION['nick'] = $username;
                // create session for the email
                $email = $log_check['email'];
                $_SESSION['em'] = $email;
                // create session for the password
                $password = $log_check['password'];
                $_SESSION['pass'] = $password;
            }
        } else {
            echo 'No Such account';
        }
    }
}


ok I got it working but for some reason it doesn't work when I have the password encrypted


Is the password encrypted in the same way at the time of registration as you are doing in login? Both have to be encrypted in the same way.


$password = md5(md5('$password' . 'salt') . 'pepper'); Why do you have $password in single quotes? Do you know what that does? If you print out the hashed password you'll notice that it's always the same no matter which password you type in. It will always be "fa619b9b5872b9b80d2baff431c9891c". And why are you using MD5 anyway? http://www.php.net/m...g.syntax.single


> Is the password encrypted in the same way at the time of registration as you are doing in login? Both have to be encrypted in the same way.

yes it is, I did it on the registration then I copy it and paste it to make sure it's the exact thing

> $password = md5(md5('$password' . 'salt') . 'pepper'); Why do you have $password in single quotes? Do you know what that does? If you print out the hashed password you'll notice that it's always the same no matter which password you type in. It will always be "fa619b9b5872b9b80d2baff431c9891c". And why are you using MD5 anyway? http://www.php.net/m...g.syntax.single

well from what I remember that's how it was done, and I use md5 because I'm comfortable with it

It doesn't matter to you that MD5 has been unsuitable for cryptographic use for at least the last 15 years? What is it about SHA-1, for example, that you're not comfortable with? The only difference as far as you're concerned is that SHA-1 produces a longer hash. Anyway, check the link I gave you for a discussion about the different types of quotes in PHP.


> yes it is, I did it on the registration then I copy it and paste it to make sure it's the exact thing
>
> well from what I remember that's how it was done, and I use md5 because I'm comfortable with it

I think you are also missing the point about $password being in quotes...

> I think you are also missing the point about $password being in quotes...

ok, well just to update you, I recreated the encryption properly but it still doesn't work, so now I'm creating the login, to check and see exactly where I messed up. I'll update you later on when I'm finished

Did you fix the issue with the quotes? That was the only problem I saw. More importantly, do you know what the issue with the quotes was? Did you read the string reference? If you print out the password hash, do you know why it is always "fa619b9b5872b9b80d2baff431c9891c" even if you type in a different password?


Yeah, I read it and I removed it from the quotes, which was wrong, and I created a sha1() and it works with the email, but I didn't bother to test it with the username, so I left it like that for now. Everything works perfectly though.


What did you not understand? Did you read the link in post #16 about strings?


The key thing to understand about quotes in PHP is that double quoted strings will do variable replacement and support several escape sequences, like "\n" resulting in a newline or "\t" resulting in a tab character. Single quoted strings do not replace variables and do not support any escape sequence other than \' and \\. So in your code instead of hashing the password they typed in, it was hashing the string "$password", which is how I knew what the hash would be. You should still read the manual on strings though, that's stuff you need to know. If you're trying to program without knowing the basics like that then you're doing yourself a disservice.

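The single-quote behaviour explained above, next to a login lookup that accepts a nick or an email, as an added example that is not code from the thread. It uses PHP's built-in password_hash() and password_verify() in place of the md5()/sha1() calls discussed here; the function names hashAsPosted and login, the three-column table and the sample account are assumptions made for the example, and it needs the pdo_sqlite extension.

```php
<?php
// Added example, not code from the thread. Table layout and account are constructed.

// As posted in the thread: '$password' in single quotes is the literal text
// "$password", so the typed password never reaches md5().
function hashAsPosted(string $password): string
{
    return md5(md5('$password' . 'salt') . 'pepper');
}

// Swapped-in technique: password_hash()/password_verify() (PHP built-ins)
// instead of md5()/sha1(). Each hash carries its own random salt, so it cannot
// be matched in the WHERE clause; fetch the row first, then verify.
function login(PDO $db, string $identifier, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT nick, email, password FROM members WHERE nick = :n OR email = :e'
    );
    $stmt->execute([':n' => $identifier, ':e' => $identifier]);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (password_verify($password, $row['password'])) {
            unset($row['password']); // keep the hash out of the session
            return $row;
        }
    }
    return null;
}

$db = new PDO('sqlite::memory:'); // assumes the pdo_sqlite extension
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (nick TEXT, email TEXT, password TEXT)');
$insert = $db->prepare('INSERT INTO members VALUES (?, ?, ?)');
$insert->execute(['Siggie', 'siggie@example.com',
    password_hash('correct horse', PASSWORD_DEFAULT)]);

// Same output for any input: the bug from the thread.
var_dump(hashAsPosted('correct horse') === hashAsPosted('something else'));

// Nick and email both log in with the right password; a wrong one gives null.
var_dump(login($db, 'Siggie', 'correct horse'));
var_dump(login($db, 'siggie@example.com', 'correct horse'));
var_dump(login($db, 'Siggie', 'something else'));
```

Registration has to store the output of password_hash() in the password column for this lookup to work, and the column must be wide enough to hold it (the PHP manual recommends 255 characters).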
