divinedesigns1 Posted August 21, 2012

hey guys, long time no see. i'm having a problem using a nickname or an email to log into a website. i have everything laid out but it's not working, and i'm not sure what i'm doing wrong, that's why i came here for a few pointers or tips.

this is what my query looks like:

    $log = "SELECT * FROM members WHERE nick='$username' OR email='$username' AND password='$password'";

and this is what the html code looks like:

    <form action="" method="post">
    Username: <input type="text" name="username" />
    Password: <input type="password" name="password" />
    <input type="submit" name="submitt" value="Login" />
    </form>

what i was planning is when you enter either an email or username it still logs you in as long as the information is within the database, but so far i'm only able to use the username.

rootKID Posted August 21, 2012 (edited)

do you get any errors at all?... if no, i suggest to look at your names at your input fields, etc. example: your submit input is with the name (submitt) with 2 't's... recheck the names and on the post/variable you're using to make the login query to work...

EXAMPLE:

    <?php
    if(isset($_POST['form_login_submit'])){
        $user = (POST)...
        $pass = (POST)...
        $email = (POST)...
        (QUERY HERE...)
    }
    ?>

you should check at (QUERY, THE IF STATEMENT, AND VARIABLES...) only example, i don't know your coding style ...

Edited August 21, 2012 by rootKID

divinedesigns1 (Author) Posted August 21, 2012

> do you get any errors at all?... if no, i suggest to look at your names at your input fields, etc. example: your submit input is with the name (submitt) with 2 't's... recheck the names and on the post/variable you're using to make the login query to work...
>
> EXAMPLE:
>
>     <?php
>     if(isset($_POST['form_login_submit'])){
>         $user = (POST)...
>         $pass = (POST)...
>         $email = (POST)...
>         (QUERY HERE...)
>     }
>     ?>
>
> you should check at (QUERY, THE IF STATEMENT, AND VARIABLES...) only example, i don't know your coding style ...

yeah i put the name submitt there because it was getting mixed up with another form lol, and imma have to check the if statement, that's the only thing that is left to do, since there's no error at all, and the variables are correct for the, since i'm using what's in the form i displayed

niche Posted August 21, 2012 (edited)

put this at the end of your query:

    or die(mysql_error());

for more verbose info on your problem.

Edited August 21, 2012 by niche

birbal Posted August 21, 2012 (edited)

use braces to group the condition

    SELECT * FROM members WHERE (nick='$username' OR email='$username') AND password='$password'

when in doubt, basic database debug technique applies, like printing the query, using mysql_error() like niche said and mysql_num_rows() to get the returned row. if the query is successful that does not always mean it is returning rows

Edited August 21, 2012 by birbal

JamesB Posted August 21, 2012

as birbal showed, without using the brackets AND will take priority over OR, due to operator precedence: http://dev.mysql.com...precedence.html

without the brackets in your query, it was actually getting ran as:

    SELECT * FROM members WHERE nick='$username' OR (email='$username' AND password='$password')

which is also a huge security issue, as any password could have been used with a valid username.

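The precedence problem described in the post above, as an added example that is not part of any post in this thread: it runs the ungrouped and the grouped WHERE clause against the same constructed row. SQLite in memory (through PDO, assuming the pdo_sqlite extension) stands in for MySQL, since both bind AND more tightly than OR; the row, the stored hash string and the function name matches() are made up for the demonstration.

```php
<?php
// Constructed data; SQLite in memory stands in for the thread's MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (nick TEXT, email TEXT, password TEXT)");
$db->prepare("INSERT INTO members VALUES (?, ?, ?)")
   ->execute(['Siggie', 'siggie@example.com', 'stored-hash-of-real-password']);

// The query as first posted, and the query with the OR grouped.
$ungrouped = "nick = :login OR email = :login2 AND password = :hash";
$grouped   = "(nick = :login OR email = :login2) AND password = :hash";

// Hypothetical helper: number of rows a given WHERE clause lets through.
function matches(PDO $db, string $where, string $login, string $hash): int
{
    // Bound parameters keep the user input out of the SQL text.
    $stmt = $db->prepare("SELECT COUNT(*) FROM members WHERE $where");
    $stmt->execute([':login' => $login, ':login2' => $login, ':hash' => $hash]);
    return (int) $stmt->fetchColumn();
}

// Each case: login name as typed, hash of the password as typed.
$cases = [
    ['Siggie', 'wrong-hash'],
    ['siggie@example.com', 'wrong-hash'],
    ['Siggie', 'stored-hash-of-real-password'],
    ['siggie@example.com', 'stored-hash-of-real-password'],
];

foreach ($cases as [$login, $hash]) {
    printf(
        "%-20s %-30s ungrouped=%d grouped=%d\n",
        $login,
        $hash,
        matches($db, $ungrouped, $login, $hash),
        matches($db, $grouped, $login, $hash)
    );
}
```

In the first case the ungrouped clause matches on the nick alone although the hash is wrong, which is the issue JamesB describes; the grouped clause matches only when the hash is correct as well.
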
divinedesigns1 (Author) Posted August 21, 2012

> as birbal showed, without using the brackets AND will take priority over OR, due to operator precedence: http://dev.mysql.com...precedence.html
>
> without the brackets in your query, it was actually getting ran as:
>
>     SELECT * FROM members WHERE nick='$username' OR (email='$username' AND password='$password')
>
> which is also a huge security issue, as any password could have been used with a valid username.

oo ok, i didn't know that part

divinedesigns1 (Author) Posted August 21, 2012

> use braces to group the condition
>
>     SELECT * FROM members WHERE (nick='$username' OR email='$username') AND password='$password'
>
> when in doubt, basic database debug technique applies, like printing the query, using mysql_error() like niche said and mysql_num_rows() to get the returned row. if the query is successful that does not always mean it is returning rows

ok i'll do that

divinedesigns1 (Author) Posted August 21, 2012

> put this at the end of your query:
>
>     or die(mysql_error());
>
> for more verbose info on your problem.

funny part is, i had that but i removed it, kinda don't like having it there but imma have to get used to using it

divinedesigns1 (Author) Posted August 21, 2012

i'm still having that problem with logging in with my email but the username works perfectly well, and when i print_r() it out i get this:

    'SELECT * FROM members WHERE nick='Siggie' OR (email='Siggie' AND password='fa619b9b5872b9b80d2baff431c9891c')'

as you see the email holds the username also. is this supposed to happen?

justsomeguy Posted August 21, 2012

Your parentheses are in the wrong place, look at post 5.

thescientist Posted August 21, 2012

show us the code that handles that part. it's impossible to know what you're doing if we can't see it.

divinedesigns1 (Author) Posted August 21, 2012

for the nick that works perfectly well, it's just the password. i think it's looking in both the nick and the email for the information or it's getting the email and nick mixed up

    <?php
    include_once 'function.php';
    if(isset($_POST['submitt'])){
        // define the variables
        $username = $_POST['username'];
        $password = $_POST['password'];
        $break = "<br/>";
        // filter out the variables
        $username = strip_tags($username);
        $username = stripslashes($username);
        $username = preg_replace('#^[A-Za-z0-9]!#', '', $username);
        $password = strip_tags($password);
        $password = stripslashes($password);
        $password = preg_replace('#@^[A-Za-z0-9]!#', '', $password);
        // check to see if any field is empty
        if(empty($username) && empty($password)){
            echo 'Please Fill Both Fields';
            echo $break;
        }elseif(empty($username)){
            echo 'A username is required';
            echo $break;
        }elseif(empty($password)){
            echo 'A Password is required';
            echo $break;
        // if the fields arent empty filter and log them in
        }elseif(!empty($username) && !empty($password)){
            $username = mysqli_real_escape_string($con, $username);
            $password = mysqli_real_escape_string($con, $password);
            $password = md5(md5('$password' . 'salt') . 'pepper');
            // if the fields are filter, match the information given
            $log = "SELECT * FROM members WHERE (nick='$username' OR email='$username') AND password='$password'";
            $result_log = mysqli_query($con, $log) or die("Error: " . mysqli_error($con));
            $check = mysqli_num_rows($result_log);
            // check to see if the account exist
            if($check > 0){
                while($log_check = mysqli_fetch_array($result_log)){
                    // create session for the id
                    $users = $log_check['users'];
                    $_SESSION['uid'] = $users;
                    // create session for the full name
                    $fullname = $log_check['full'];
                    $_SESSION['name'] = $fullname;
                    // create session for the nickname
                    $username = $log_check['nick'];
                    $_SESSION['nick'] = $username;
                    // create session for the email
                    $email = $log_check['email'];
                    $_SESSION['em'] = $email;
                    // create session for the password
                    $password = $log_check['password'];
                    $_SESSION['pass'] = $password;
                }
            }else{
                echo 'No Such account';
            }
        }
    }

divinedesigns1 (Author) Posted August 22, 2012

ok i got it working but for some reason, it doesn't work when i have the password encrypted

birbal Posted August 22, 2012

is the password encrypted in the same way at the time of registration as you are doing in login? both have to be encrypted in the same way.

justsomeguy Posted August 22, 2012

    $password = md5(md5('$password' . 'salt') . 'pepper');

Why do you have $password in single quotes? Do you know what that does? If you print out the hashed password you'll notice that it's always the same no matter which password you type in. It will always be "fa619b9b5872b9b80d2baff431c9891c". And why are you using MD5 anyway?

http://www.php.net/m...g.syntax.single

divinedesigns1 (Author) Posted August 22, 2012

> is the password encrypted in the same way at the time of registration as you are doing in login? both have to be encrypted in the same way.

yes it is, i did it on the registration then i copy it and paste it to make sure it's the exact thing

>     $password = md5(md5('$password' . 'salt') . 'pepper');
>
> Why do you have $password in single quotes? Do you know what that does? If you print out the hashed password you'll notice that it's always the same no matter which password you type in. It will always be "fa619b9b5872b9b80d2baff431c9891c". And why are you using MD5 anyway?
>
> http://www.php.net/m...g.syntax.single

well from what i remember that's how it was done, and i use md5 because i'm comfortable with it

justsomeguy Posted August 22, 2012

It doesn't matter to you that MD5 has been unsuitable for cryptographic use for at least the last 15 years? What is it about SHA-1, for example, that you're not comfortable with? The only difference as far as you're concerned is that SHA-1 produces a longer hash. Anyway, check the link I gave you for a discussion about the different types of quotes in PHP.

thescientist Posted August 22, 2012

> yes it is, i did it on the registration then i copy it and paste it to make sure it's the exact thing
>
> well from what i remember that's how it was done, and i use md5 because i'm comfortable with it

I think you are also missing the point about $password being in quotes...

divinedesigns1 (Author) Posted August 23, 2012

> I think you are also missing the point about $password being in quotes...

ok, well just to update you, i recreated the encryption properly but it still doesn't work, so now i'm creating the login, to check and see exactly where i messed up. i'll update you later on when i'm finished

justsomeguy Posted August 23, 2012

Did you fix the issue with the quotes? That was the only problem I saw. More importantly, do you know what the issue with the quotes was? Did you read the string reference? If you print out the password hash, do you know why it is always "fa619b9b5872b9b80d2baff431c9891c" even if you type in a different password?

divinedesigns1 (Author) Posted August 23, 2012

yeah i read it and i removed it from the quotes, which was wrong, and i created a sha1() and it works with the email but i didn't bother to test it with the username, so i left it like that for now. everything works perfect tho

divinedesigns1 (Author) Posted August 23, 2012

but i still don't understand quotes

birbal Posted August 23, 2012

what did you not understand? did you read the link in post #16 about strings?

justsomeguy Posted August 23, 2012

The key thing to understand about quotes in PHP is that double quoted strings will do variable replacement and support several escape sequences, like "\n" resulting in a newline or "\t" resulting in a tab character. Single quoted strings do not replace variables and do not support any escape sequence other than \' and \\. So in your code instead of hashing the password they typed in, it was hashing the string "$password", which is how I knew what the hash would be. You should still read the manual on strings though, that's stuff you need to know. If you're trying to program without knowing the basics like that then you're doing yourself a disservice.

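The single-quote effect explained in the post above, next to a login check that does not depend on a hand-rolled hash, as an added example that is not part of any post in this thread. It assumes PHP 7 or later with the pdo_sqlite extension, uses PHP's built-in password_hash() and password_verify() in place of the MD5 and SHA-1 calls discussed here, and the table contents, passwords and the function names hashAsPosted() and login() are constructed for the demonstration.

```php
<?php
// Added example; table, rows and passwords are constructed sample data.
function hashAsPosted(string $password): string
{
    // Single quotes: PHP hashes the literal text $password, not the argument.
    return md5(md5('$password' . 'salt') . 'pepper');
}

// Compares the hashes of two different passwords computed the posted way.
var_dump(hashAsPosted('hunter2') === hashAsPosted('anything else'));

// Hardened form: a salted, slow hash from password_hash(), checked in PHP.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (nick TEXT, email TEXT, password TEXT)");
$db->prepare("INSERT INTO members VALUES (?, ?, ?)")
   ->execute(['Siggie', 'siggie@example.com', password_hash('hunter2', PASSWORD_DEFAULT)]);

function login(PDO $db, string $login, string $password): bool
{
    // Look the account up by nick or email only; no password in the WHERE clause.
    $stmt = $db->prepare("SELECT password FROM members WHERE nick = ? OR email = ?");
    $stmt->execute([$login, $login]);
    $stored = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched.
    return $stored !== false && password_verify($password, $stored);
}

// Right password by nick and by email, then a wrong password, then an unknown account.
var_dump(login($db, 'Siggie', 'hunter2'));
var_dump(login($db, 'siggie@example.com', 'hunter2'));
var_dump(login($db, 'Siggie', 'anything else'));
var_dump(login($db, 'nobody', 'hunter2'));
```

Because the password is verified in PHP after the row is fetched, the WHERE clause contains no AND, so the grouping mistake from earlier in the thread cannot occur in this form.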