Login Code

[ChidoriSoul]

Hey, I am making a Login code, and everything is complete, but it is not working properly. The error is this: Even though I enter everything correctly, it always says that the password is incorrect? My code is this:

<?phpsession_start();require_once 'db.php';$page_mode = isset($_POST['page_mode']) ? $_POST['page_mode'] : '';$error_string = '';if ($page_mode == 'login'){  $name = $_POST['name'];  $password = $_POST['password'];  if (trim($name) == '' || trim($password) == '')	$error_string .= 'Please enter your username and password.<br>';  else  {		$result = db_query("SELECT id, name, password FROM users WHERE name='" . mysql_real_escape_string($name) . "'");	if (!($row = mysql_fetch_assoc($result)))	  $error_string .= 'The username was not found.<br>';	else if ($row['password'] != sha1($password))	  $error_string .= 'The password does not match the username provided.<br>';	else	{	  $_SESSION['user_id'] = $row['id'];	  $_SESSION['user_name'] = $row['name'];	  header('Location: index.php');	  exit();	}  }}?><html><center><head><title>Pokemon Planet - Version 0.1</title><link rel='stylesheet' type='text/css' href='stylesheet.css'><body><div class="error_text"><?php echo $error_string; ?></div><div id="container">	<div id="banner"></div>	<div id="frame">		<div id="leftmenu"><div style="padding: 3px;">			<center><b>General Options</b><br/><a href='index.php'>Index</a><br/><a href='register.php'>Register</a><br/><a href='login.php'>Login</a></center>		</div></div>		<div id="content"><div style="padding: 3px;">			<center><u>Login!</u><br/>Here you can login to access the RPG, but you have to have already <a href='register.php'>registered</a>.<br/><br/><form action="login.php" method="post"><input type="hidden" name="page_mode" value="login"><b>Username:</b><br/><input type="text" name="name" size="20" maxlength="255" value="<?php if (isset($name)) echo $name; ?>"><br/><br/><b>Password:</b><br/><input type="password" name="password" size="20"><br/><input type="submit" value="Log In" size="30"></center>		</div></div>		<div id="rightmenu"><div style="padding: 3px;">			<center><b>General Options</b><br/><a href='index.php'>Index</a><br/><a href='register.php'>Register</a><br/><a href='login.php'>Login</a></center>		</div></div>	</div>	<div id="footer"><center><font color='#000000'>Pokemon Planet is © 2009 by Shadow. This site is created and coded by Shadow. Pokemon Planet is in no way affiliated with Nintendo, Pokémon Company, Game Freak, Creatures, or any related organizations. Most Pokémon images (sprites, icons, map tiles, etc.) are © Nintendo and their publishers. Images are slightly modified in order to meet certain needs upon this website.</font></center></div></div></body></center></html>

[Ingolme]

If you want to set session variables before redirecting, you need to use the session_write_close() function:

$_SESSION['user_id'] = $row['id'];$_SESSION['user_name'] = $row['name'];session_write_close();header('Location: index.php');

[ChidoriSoul]

I do that, but it still displays the same problem. It always says this password does not match the user provided, but I know I enter it right

[justsomeguy]

If it says the password is not the same as in the database, then the password is not the same as in the database. If you don't believe it, then print out the 2 things you're comparing:else if ($row['password'] != sha1($password))If you print $row['password'] and sha1($password), they aren't going to match. If they did match, it wouldn't tell you that they don't.

[ChidoriSoul]

Oh, I see where you are getting with this :)Anyway, how would I change it to make it so it sees the same password from the database?

[Ingolme]

Well, how are the passwords encrypted in the database? Only you can know that.

[ChidoriSoul]

All the passwords in my database are converted to this, 'da39a3ee5e6b4b0d3255bfef95601890afd80709'

[justsomeguy]

That looks like a SHA-1 hash, so the code should work as long as you're typing in the password that was hashed for the database. You can print out a hash to make sure the value in the database is correct:echo sha1('your password');

[ChidoriSoul]

Oh yes, you are right, the two are different, so how do I change it to make them the same?

[Ingolme]

How did you get the passwords into the database in the first place? You must have the script that did that. That script would have the function used to encrypt the data.

[ChidoriSoul]

My Register Page is this:

<?phprequire_once 'db.php';$page_mode = isset($_POST['page_mode']) ? $_POST['page_mode'] : '';$error_string = '';if ($page_mode == 'register'){  $name = trim($_POST['name']);  $password = $_POST['password'];  $conf_password = $_POST['conf_password'];  $email = trim($_POST['email']);  if ($name == '')	$error_string .= 'Please enter your name.<br>';  if (strlen(trim($password)) > 20)	$error_string .= 'Your password extends the allowed amount of 20 characters.<br>';  if ($password != $conf_password)	$error_string .= 'The password and confirmation password do not match.<br>';  if (!isValidEmail($email))	$error_string .= 'Please enter a valid email address.<br>';  if ($_POST['code'] != "Holo") 	die('You entered an incorrect code.');  if ($error_string == '')  {	$result = db_query("SELECT id FROM users WHERE email='" . mysql_real_escape_string($email) . "'");	if (mysql_num_rows($result) > 0)	  $error_string .= 'That email address is already registerd.<br>';	else	{	  $name = mysql_real_escape_string($name);	  $password = sha1($password);	  $email = mysql_real_escape_string($email); 	 	  db_query("INSERT INTO users (name, password, email) VALUES ('{$name}', '{$password}','{$email}')");	  header('Location: complete.php');	  exit();	}  }}function isValidEmail($email = ''){	return preg_match("/^[\d\w\/+!=#|$?%{^&}*`'~-][\d\w\/\.+!=#|$?%{^&}*`'~-]*@[A-Z0-9][A-Z0-9.-]{1,61}[A-Z0-9]\.[A-Z]{2,6}$/ix",$email);}?><html><!--[if IE]>  <link rel="stylesheet" type="text/css" href="allie.css" /><![endif]--><center><head><title>Pokemon Planet - Version 0.1</title><link rel='stylesheet' type='text/css' href='stylesheet.css'><body><div class="error_text"><?php echo $error_string; ?></div><div id="container">	<div id="banner"></div>	<div id="frame">		<div id="leftmenu"><div style="padding: 3px;">			<center><b>General Options</b><br/><a href='index.php'>Index</a><br/><a href='register.php'>Register</a><br/><a href='login.php'>Login</a><br/><br/><b>Miscellaneous</b><br/><a href='chat.php'>Chat</a><br/><a href='donate.php'>Donate</a></center>		</div></div>		<div id="content"><div style="padding: 3px;">			<center><u>Register!</u><br/>Here you can register for the RPG, you just have to fill in these forms.<br/><br/><form action="register.php" method="post"><input type="hidden" name="page_mode" value="register"><b>Username:</b><br/><input type="text" name="name" div id='input' size="20" maxlength="255" value="<?php if (isset($name)) echo $name; ?>"><br/><br/><b>Password:</b><br/><input type='password' div id='input' name='pass' maxlength='20'><br/><br/><b>Repeat Password:</b><br/><input type='password' div id='input' name='reppass' maxlength='20'><br/><br/><b>Email:</b><br/><input type="text" div id='input' name="email" size="20" maxlength="255" value="<?php if (isset($email)) echo $email; ?>"><br/><br/><b>Enter Code:</b><br/><input type='text' div id='input' name='code' size='20'><br/><input type="submit" value="Register" size="30"></center>		</div></div>		<div id="rightmenu"><div style="padding: 3px;">			<center><b>General Options</b><br/><a href='index.php'>Index</a><br/><a href='register.php'>Register</a><br/><a href='login.php'>Login</a><br/><br/><b>Miscellaneous</b><br/><a href='chat.php'>Chat</a><br/><a href='donate.php'>Donate</a></center>		</div></div>	</div>	<div id="footer"><center><font color='#000000'>Pokemon Planet is © 2009 by Shadow. This site is created and coded by Shadow. Pokemon Planet is in no way affiliated with Nintendo, Pokémon Company, Game Freak, Creatures, or any related organizations. Most Pokémon images (sprites, icons, map tiles, etc.) are © Nintendo and their publishers. Images are slightly modified in order to meet certain needs upon this website.</font></center></div></div></body></center></html>

[dsonesuk]

theres no closing tag for form </form>

[ChidoriSoul]

Oh, thank you, corrected

[dsonesuk]

<input type='password' div id='input' name='reppass' maxlength='20'>$conf_password = $_POST['conf_password']; ?????????

[justsomeguy]

Look at your form:<b>Password:</b><br/><input type='password' div id='input' name='pass' maxlength='20'><br/><br/><b>Repeat Password:</b><br/><input type='password' div id='input' name='reppass' maxlength='20'>Look at the PHP:$password = $_POST['password'];$conf_password = $_POST['conf_password'];You're also not checking if the password is blank or too short, you're only checking if it's too long. All of your passwords in the database now are blank, the value you see is the SHA-1 hash of the empty string (sha1('')).Also, what the heck is going on with the "div" in all the inputs, and why do they all have the same ID?

[ChidoriSoul]

Thats how it is, I got the code from the post from Justsomeguy

[chibineku]

What is the word div doing in your inputs? Also, as dsonesuk pointed out, you're searching for a variable name that doesn't match the one on the form, so it'll always be empty.

[justsomeguy]

Is everyone on lunch break all of a sudden?

[chibineku]

Lunch? It's 10 to 2 in the am where I am. Or do you just mean the fact that you're the only guy helping anyone today? You could do with the posts, anyway. You're not even at 14k yet. Slacker.

[ChidoriSoul]

Thank you everyone! My Login code now works fine!The reason for the div in the input is for my stylesheet code, to do some stuff to the input box.

[justsomeguy]

Or do you just mean the fact that you're the only guy helping anyone today?

It seems like we're all trying to say the same things at once.

The reason for the div in the input is for my stylesheet code, to do some stuff to the input box.

That's not exactly valid, there's a better way to do it.