
Login Script


Panta


Please, I have this login script, but the problem is that I have names and passwords, and I stored the passwords with md5, but it cannot see them. The page is displaying "The Admin_name was not found."

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
include 'config.php';
$submit = isset($_POST['login']) ? $_POST['login'] : "";
$admin = isset($_POST['admin']) ? $_POST['admin'] : "";
$admin = mysql_real_escape_string(strip_tags(htmlspecialchars($admin)));
$password = isset($_POST['password']) ? md5($_POST['password']) : "";
$error_string = ''; # error_string is modified in db.php!
$page_mode = $_POST['page_mode']; # empty variable defaults to '' (or null)
if ($page_mode === 'login') {
  if ($admin == '' || strlen($password) == 0) # password can be of spaces, which must not be trimmed!
    $error_string .= 'Please enter your Admin_name and password.<br>';
  else {
    $result = mysql_query("SELECT id, admin, password FROM principal WHERE admin='".$admin."' and password='".$password."';");
    if (!($row = mysql_fetch_assoc($result)))
      $error_string .= 'The Admin_name was not found.<br>';
    else if ($row['password'] != ($password))
      $error_string .= 'The password did not match.<br>';
    else {
      $_SESSION['user_id'] = $row['id'];
      $_SESSION['user_name'] = $row['admin'];
      header('Location: alright');
      exit();
    }
  }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <title>Admin login page</title>
    <style type="text/css">
    .error_text {
      color: #FF0000;
      width: 400px;
      text-align: center;
    }
    .left_box {
      float: left;
      width: 150px;
      text-align: right;
      padding-right: 5px;
    }
    .right_box {
      clear: right;
    }
    </style>
  </head>
  <body>
    <div class="error_text"><?php echo $error_string; ?></div>
    <form action="adminlogin.php" method="post">
    <input type="hidden" name="page_mode" value="login">
    <div class="left_box">Admin</div>
    <div class="right_box"><input type="text" name="admin" size="30" maxlength="255" value="<?php if (isset($admin)) echo $admin; ?>"></div>
    <div class="left_box">Password</div>
    <div class="right_box"><input type="password" name="password" size="30"></div>
    <div class="left_box"> </div>
    <div class="right_box"><input type="submit" value="Log In" size="30"></div>
    </form>
  </body>
</html>


First, it's always going to display that one message regardless of whether the name wasn't found or the password was wrong. If the password was wrong it's still going to display that same message. If your name and password are stored in the database as MD5 hashes then you need to hash the values when you send them to the database to check.


Try to apply this principle to EVERY single thing that you insert, update or select from the database. What I mean: use, for example, mysql_real_escape_string(); to prevent strings or something from disrupting your mysql query, and use something like html_entities(); to prevent the database output (first prevented by mysql_real_escape_string(); from disrupting your query) from messing up your xhtml code.

<?php
$string = "photo's";
mysql_real_escape_string($string);
//Database query inserts the $string.....
//Database query outputs the string
echo "<input type='text' name='testfield' value='".$string."'>";
?>

When you look at your source, you will find this html code:
<input type='text' name='testfield' value='photo's'>
Do you see the error on 'photo's'> ??
Same counts for MD5. First store it using MD5 then get it back using the same way or return it using the opposite (luckily there is no way to return a password once it has been MD5th haha)

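Added example, not part of the original thread and not any poster's code: the principle from the post above (handle the SQL context and the HTML context separately), applied to the login check from the question. It assumes PDO with the SQLite driver and a constructed in-memory `principal` table, and it swaps two techniques in: bound parameters instead of mysql_real_escape_string(), and password_hash()/password_verify() instead of md5(). The helper names `check_login` and `h` are hypothetical.

```php
<?php
// Added example. Table and column names follow the question; the in-memory
// SQLite database and the sample row are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE principal (id INTEGER PRIMARY KEY, admin TEXT UNIQUE, password TEXT)');

// Store the raw name: HTML escaping belongs at output time, not before the query.
$insert = $db->prepare('INSERT INTO principal (admin, password) VALUES (?, ?)');
$insert->execute(["photo's", password_hash('s3cret pass', PASSWORD_DEFAULT)]);

// Returns [row or null, error message].
function check_login(PDO $db, string $admin, string $password): array
{
    if ($admin === '' || $password === '') {
        return [null, 'Please enter your Admin_name and password.'];
    }
    // Select by name only, with a bound parameter: the quote in the name cannot
    // change the query, and a wrong password becomes a separate, reachable case.
    $stmt = $db->prepare('SELECT id, admin, password FROM principal WHERE admin = ?');
    $stmt->execute([$admin]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [null, 'The Admin_name was not found.'];
    }
    if (!password_verify($password, $row['password'])) {
        return [null, 'The password did not match.'];
    }
    return [$row, ''];
}

// Escape for the HTML context; ENT_QUOTES also encodes the single quote.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed attempts: correct login, wrong password, unknown name.
foreach ([["photo's", 's3cret pass'], ["photo's", 'wrong'], ['nobody', 'x']] as [$name, $pass]) {
    [$user, $error] = check_login($db, $name, $pass);
    echo $user ? 'OK: ' . h($user['admin']) : 'Error: ' . h($error), "\n";
}

// The single-quoted value attribute stays intact once the apostrophe is encoded.
echo "<input type='text' name='testfield' value='" . h("photo's") . "'>\n";
```

The two failure messages are kept separate here only to mirror the script in the question; a login page exposed to untrusted users would normally return one generic message for both so that valid names cannot be probed.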

Archived

This topic is now archived and is closed to further replies.
