Reputation: 31
When I log in, even though the password and username are correct, it keeps giving an error.
Array ( [0] => That user/password combination is incorrect )
The username and password are active and exist.
login.php
<?php
include 'init.php';
if(empty($_POST) === false){
    $username = $_POST['username'];
    $password = $_POST['pwd1'];
    if(empty($username) || empty($password)) {
        echo 'You need to enter username and password';
    }
    else if(user_exists($username) === true){
        if(user_active($username) === true){
            $login = login($username, $password);
            if($login === false){
                $errors[] = 'That user/password combination is incorrect';
            } else {
                $_SESSION['user_id'] = $login;
                ob_end_clean();
                header('Location:forum.php');
                exit();
            }
        }
        else {
            $errors[] = 'You haven\'t activated your account!';
        }
    }
    else {
        $errors[] = 'We can\'t find that username. Have you registered?';
    }
    print_r($errors);
}
?>
users.php
<?php
// True when a user id is stored in the session.
function logged_in(){
    return (isset($_SESSION['user_id'])) ? true : false;
}
// True when exactly one row has this username.
function user_exists($username){
    $username = sanitize($username);
    $sql = "SELECT COUNT(user_id) FROM `user` WHERE username = '$username'";
    $result = mysql_query($sql);
    return (mysql_result($result, 0) == 1) ? true : false;
}
// True when the account exists and is marked active.
function user_active($username){
    $username = sanitize($username);
    $sql = "SELECT COUNT(user_id) FROM `user` WHERE username = '$username' AND `active` = 1";
    $result = mysql_query($sql);
    if ($result === false){
        return false;
    }
    return (mysql_result($result, 0) == 1) ? true : false;
}
// Looks up the user_id for a username; false if the query fails.
function user_id_from_username($username){
    $username = sanitize($username);
    $sql = "SELECT user_id FROM `user` WHERE username = '$username'";
    $result = mysql_query($sql);
    if ($result === false){
        return false;
    }
    return mysql_result($result, 0, 'user_id');
}
// Returns the user_id when username and md5(password) match a row, false otherwise.
function login($username, $password){
    // Keep the raw username for the lookup below, which escapes it itself.
    $safe_username = sanitize($username);
    $password = md5($password);
    $query = mysql_query("SELECT COUNT(user_id)
        FROM `user`
        WHERE username ='$safe_username' AND pwd1 ='$password'");
    $row = mysql_fetch_row($query);
    if($row[0] > 0){
        // Return the id of the matching user.
        return user_id_from_username($username);
    } else {
        return false;
    }
}
?>
general.php
<?php
function sanitize($data){
    return mysql_real_escape_string($data);
}
?>
init.php
<?php
ob_start();
session_start();
require 'connect.php';
require 'general.php';
require 'users.php';
$errors = array();
?>
Upvotes: 1
Views: 1116
Reputation: 9430
You don't assign $login to $_SESSION['user_id'], because you call die($login); before that, which is the same as exit; nothing is parsed after that. Change the order.
And pray that your sanitize function works. Anyway, you had better switch to PDO, because mysql_ functions are deprecated and not safe. Even if you sanitize your $_POST and $_GET, you can still have malicious values selected from your database or from XML you parse or from other sources.
Upvotes: 2
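The switch to PDO that the answer recommends, as an added example that is not part of the original thread: login() rewritten with a prepared statement, so the username is bound as a parameter instead of being escaped into the SQL string. It assumes the question's `user` table and column names, runs against a constructed in-memory SQLite database with constructed sample users, and swaps the question's md5() for password_hash()/password_verify().

```php
<?php
// Added example, not the asker's code. Table and column names follow the
// question; the in-memory SQLite database and sample users are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE user (
    user_id  INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    pwd1     TEXT NOT NULL,
    active   INTEGER NOT NULL DEFAULT 0
)');

// Constructed sample rows; password_hash() replaces the question's md5().
$insert = $pdo->prepare('INSERT INTO user (username, pwd1, active) VALUES (?, ?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$insert->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT), 0]);

// Returns the user_id on success, false on any failure.
function login(PDO $pdo, $username, $password) {
    // The username travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT user_id, pwd1, active FROM user WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // No such user: fetch() returns false.
    if ($row === false) {
        return false;
    }
    // Wrong password or account not activated.
    if (!password_verify($password, $row['pwd1']) || (int)$row['active'] !== 1) {
        return false;
    }
    return (int)$row['user_id'];
}

var_dump(login($pdo, 'alice', 'correct horse')); // valid credentials, active account
var_dump(login($pdo, 'alice', 'wrong'));         // wrong password
var_dump(login($pdo, 'bob', 'hunter2'));         // right password, inactive account
var_dump(login($pdo, "' OR '1'='1", 'x'));       // quote characters are treated as data
```

Because login() returns the id it read from the row, the caller can store the result in $_SESSION['user_id'] directly, as login.php already does.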