PHP script bug....please help...

This site is best viewed in a modern browser with JavaScript enabled.

dhirajkumar_41

This is Login script..
I also has register script which works fine adds some fields to database including
password with just md5 encryption.
when i try to login with email and password, this script always shows incorrect password message when i
type correct password and shows me member area when i type wrong password.
i couldnot find any error. pls help

<?php

// Connects to your Database

mysql_connect("localhost", "root", "dhiraj") or die(mysql_error());

mysql_select_db("test") or die(mysql_error());

session_start();

$e_id;
$pwd;

if(!isset($_POST['submit']))
{
?>

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">

<tr><td colspan=2><h1>Login</h1></td></tr>

<tr><td>Email Id:</td><td>

</td></tr>

<tr><td>Password:</td><td>

</td></tr>

</td></tr>

</table>

</form>

<?php
}

else
{
// if form has been submitted
$SESSION['e_id']=$POST['email'];
$SESSION['pwd']=$POST['pass'];

        // makes sure they filled it in

if(!$_POST['email'] | !$_POST['pass']) 
           {

	die('You did not fill in a required field.');

}

// checks it against the database

$check = mysql_query("SELECT * FROM users WHERE u_email = '".$_POST['email']."'")or die(mysql_error());



            //Gives error if user dosen't exist

            $check2 = mysql_num_rows($check);

           if ($check2 == 0) 
          {

                           unset($_SESSION['e_id']);
                           unset($_SESSION['pwd']);
	die('That user does not exist in our database. <a href=enter.php>Click Here to Register</a>');
           }

           while($info = mysql_fetch_array( $check )) 	

           {



                        $_POST['pass'] = md5($_POST['pass']);



                       //gives error if the password is wrong

             	if ($_POST['pass'] != $info['u_pass'])
                         {

                     		die('Incorrect password, please try again.');
                                //this gets executed when supply correct password.

            	} 
                          else 
                          { 


                          //then redirect them to the members area 

                            header("Location: members.php"); 
                        //this gets executed when i supply wrong password.

                           } 

     }

}

?>

ginerjm

I took the liberty of cleaning up your code to make it more readable and to add some notes. Also - rules say you should use tags to wrap your code with, which I did here.

Look for my comments - NOTE or ???

<?
session_start();
//  TURN ON ERROR REPORTING
error_reporting(E_ALL | E_STRICT);
ini_set('display_errors', '1');
set_time_limit(2);
// Connects to your Database
mysql_connect("localhost", "root", "dhiraj") or die(mysql_error());
mysql_select_db("test") or die(mysql_error());
if(!isset($_POST['submit']))
{
    // People frown on this, but I use it too.
    $action=$_SERVER['PHP_SELF'];
    $code=<<<heredocs
    <form action="$action" method="post">
    <table border="0">
    <tr>
    <td colspan=2><h1>Login</h1></td>
    </tr>
    <tr>
    <td>Email Id:</td>
    <td><input type="text" name="email" maxlength="60"></td>
    </tr>
    <tr>
    <td>Password:</td>
    <td><input type="password" name="pass" maxlength="50"></td>
    </tr>
    <tr>
    <td colspan="2" align="right"><input type="submit" name="submit" value="Login"></td>
    </tr>
    </table>
    </form>
heredocs;
    echo $code;
}
else
{
    // if form has been submitted
//  ????
//  Why save these values if you haven't checked them yet ???
//  ????
    $_SESSION['e_id']=$_POST['email'];
    $_SESSION['pwd']=$_POST['pass'];
    // makes sure they filled it in
//  ???
//  Following statement has an invalid operator  'OR' is '||' not '|'
//  do you have error checking turned on?
    if(!$_POST['email'] | !$_POST['pass'])
    {
        // ????
        //  Very in-elegant.  You leave your user hanging with
        //  no place to go.
        die('You did not fill in a required field.');
    }
    // checks it against the database
    //  NOTE use of {} to eliminate breaking up string
    //  NOTE - die should provide some kind of contextual message to help you determine
    //  where in your code you died.
    $check = mysql_query("SELECT * FROM users WHERE u_email = '{$_POST['email']}'") or die(mysql_error());
    //  NOTE - you need to check if the query actually ran NOW
    //
    //Gives error if user dosen't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0)
    {
        // ???? See? if you hadn't saved them, you wouldn't need to unset them now
        unset($_SESSION['e_id']);
        unset($_SESSION['pwd']);
    // ??? This statement is flawed - you will NOT get a link from this, simply a message
        die('That user does not exist in our database. <a href=enter.php>Click Here to Register</a>');
    }
    while($info = mysql_fetch_array( $check ))
    {
        // NOTE - you should trim your input first
        $_POST['pass'] = md5($_POST['pass']);
        //gives error if the password is wrong
        //  ???? is 'u_pass' the correct name from your table??
        if ($_POST['pass'] != $info['u_pass'])
        {
            die('Incorrect password, please try again.');
            // NOTE - again - you leave your user hanging
            //   How can he try again if you don't give him a screen?
            //this gets executed when supply correct password.
        }
        else
        {
            //then redirect them to the members area
            // NOW SAVE the credentials in SESSION !!!
            // BUT - Do You Really need to save the password ??
            $_SESSION['e_id']=$_POST['email'];
            $_SESSION['pwd']=$_POST['pass'];
            header("Location: members.php");
            //this gets executed when i supply wrong password.
            // ????  You really need an exit() line here!!
        }
    }
}
?>

I didn't see your specific problem, but the errors I did see should preclude this script from even running. YOU NEED TO TURN ON ERROR CHECKING!!

Try my code and add error checking and see what happens.

The_Alchemist

ginerjm has said everything.
I'd like to tell you one more thing, if you dont want your database te be hacked, pleae use mysqli_* functions or PDO Prepared statements.

root

Also be aware that forum code tags exist to make reading code posted easier, please use them.

dhirajkumar_41

ginerjm, really thanks for help. my problem is solved. Actually, when i was hashing password with md5 i stored it in the password field whose length was not enough to store the hash. so increased that and problem solved. But this thread really important for me.

Actually, i am right now doing this on xampp (phpmyadmin) and i am trying to create the good script before i own a web space. i am trying to be careful.
I have more questions for you if you dont mind.

about session variable, should i set them just before redirecting user to member area? and what's the adv. of exit after header.

once again thanks for reply. and let me know if you have any experience with database schema.because i have a question or 2 about db design. Thanks.