
I have this problem with my web system. As administrator, my purpose is to register some users, giving them username, password, firstname and lastname. I do that properly since all the records are inserted correctly. But when I'm trying to have access as one of those users, I cannot enter, getting the message "Username and password do not match". This is my login check code:

      if (isset($_POST['username']) && isset($_POST['password'])) {
            $username = $_POST['username'];
            $password = $_POST['password'];
            $_SESSION['username'] = $_POST['username']; 
            if ((!$username) || (!$password)) {
                do_html_header('');

                echo '<h3 style="color:#800000;">Please fill in both fields</h3><br><br></br></br>';
                display_login_form();
            }       
            else {
            $sql = mysql_query('SELECT * FROM members WHERE username="'.$_POST['username'].'" AND password=sha1("'.$_POST['password'].'")') or die(mysql_error());
            $login_check_member = mysql_num_rows($sql);
            if($login_check_member > 0) {
                     while($row = mysql_fetch_array($sql)) {
                        $role = $row["role"];
                        $_SESSION['role'] = $role;
                    }
                }
                else { // Run this code if login_check is equal to 0 meaning they do not exist
                do_html_header('');

                echo '<h3 style="color:#800000;">The Username And Password do not match.</h3><br><br></br></br>';
                display_login_form();

                } 

Apparently, there is a problem with my while loop. But it does work properly for those users inserted in my database via the MySQL console of WampServer. The problem exists only for the users inserted via the web site. The part of code that I use to insert new users (servers) is:

    $username = $_POST['username'];
    $password = $_POST['password'];
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $role = $_POST['role'];


    $conn = mysql_connect("localhost", "root", "");
    $db=mysql_select_db("buzzcafe" ,$conn);

     //$username= $_SESSION['username'];

    if (isset($_POST['username'])) {
     if (isset($_POST['password'])) {
      if (isset($_POST['firstname'])) { 
        if (isset($_POST['lastname'])) { 
            if(isset($_POST['role'])) {

            $insertServer = mysql_query("INSERT INTO servers (username,password,firstname,lastname,role) VALUES('".$username."',sha1('".$password."'),'".$firstname."','".$lastname."','".$role."')")or die(mysql_error());
                    echo "<h5 style=color:#800000><i>The server ".$username." is now registered </i></h5>";
                    display_manager_menu();
                }

            }
        }
     }
    }

Any ideas please?

Suspicius
  • OT: You can give multiple arguments to `isset()`, it will check that they're all set. So you can replace all those nested `if`s with a single call. – Barmar Sep 29 '13 at 22:44
  • Why do you think the problem is the `while` loop? The `if` statement doesn't go into the `while` loop if it displays the `do not match` message. – Barmar Sep 29 '13 at 22:46
  • Your INSERT is into `servers`; the SELECT is from `members` – andrewsi Sep 29 '13 at 22:47
  • Maybe try trimming the password before calling `SHA1()` on it. – Barmar Sep 29 '13 at 22:47
  • @andrewsi That must be a copy error, do you think the `servers` table really has a `firstname` column? – Barmar Sep 29 '13 at 22:48
  • @Barmar - I've seen enough code on SO that it's entirely possible :D – andrewsi Sep 29 '13 at 22:49

1 Answer

  1. Look at the table you INSERT the data ('servers'). It's different from the table you SELECT the data from ('members').

  2. Don't use the mysql_query function, as it is deprecated. Try using PDO or mysqli_query instead.

  3. Don't ever use unfiltered input in your query.

  4. Try using more secure functions for your login/registration form (like bcrypt, or password_hash). Look here.

Yam Mesicka
  • Oh my Gosh! After all these hours, I probably need some rest. Thanks to you I've just realised that I was not inserting the records into the table from which I had to select them from. Thanks a lot for that. – Suspicius Sep 29 '13 at 22:55
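
Points 2 to 4 of the answer applied to the question's registration and login flow, as an added example that is not part of the original answer or the asker's code. The `members` table and its columns come from the question; the in-memory SQLite database, the function names and the sample user are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not the asker's code. An in-memory SQLite database is assumed
// so the script runs stand-alone; against the real database use a mysql: DSN.
declare(strict_types=1);

// One constant for the table name, so INSERT and SELECT cannot drift apart.
const MEMBERS_TABLE = 'members';

function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE ' . MEMBERS_TABLE . ' (
        username TEXT PRIMARY KEY, password TEXT NOT NULL,
        firstname TEXT, lastname TEXT, role TEXT NOT NULL)');
    return $pdo;
}

function register_member(PDO $pdo, string $user, string $pass,
                         string $first, string $last, string $role): void {
    // password_hash() salts and stretches the password; sha1() does neither.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO ' . MEMBERS_TABLE .
        ' (username, password, firstname, lastname, role) VALUES (?, ?, ?, ?, ?)');
    // Values are bound as parameters, never concatenated into the SQL text.
    $stmt->execute([$user, $hash, $first, $last, $role]);
}

// Returns the member's role on success, null on any failure.
function check_login(PDO $pdo, string $user, string $pass): ?string {
    $stmt = $pdo->prepare('SELECT password, role FROM ' . MEMBERS_TABLE .
        ' WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The hash is checked in PHP, not in SQL: each stored hash has its own salt.
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    return $row['role'];
}

// Constructed sample data.
$pdo = open_db();
register_member($pdo, 'alice', 'correct horse', 'Alice', 'Example', 'server');
var_dump(check_login($pdo, 'alice', 'correct horse')); // registered user, right password
var_dump(check_login($pdo, 'alice', 'wrong'));         // registered user, wrong password
var_dump(check_login($pdo, 'o"neil', 'x'));            // quote in input is bound as plain data
```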