not able to login through admin.php

This site is best viewed in a modern browser with JavaScript enabled.

addyjo

Hi All,

Please help me, i am newbie and making an eCommerce website by reading books & watching youtube tutorials etc. etc. now i have stucked on admin page wherein i am not able to log in, though i am putting the right username & password but still i am getting wrong username & password messege..please help..i am using this script below....help would be much appreciated

<?php

session_start();
if(isset($_SESSION['admin'])){
	header("location: admin/index.php");
	exit();
}

$msg="";
if(isset($_POST['username'])){
	$admin= $_POST['username'];
	$password= $_POST['password'];
	$admin = stripslashes($admin);
	$password= stripslashes($password);
	$admin=strip_tags($admin);
	$password= strip_tags($password);
	if((!$admin) || (!$password)){
		$msg="<p style='color: #CC0; font-weight: bold;' >Wrong Username or Password!</p>";

}else{
	$admin= mysql_real_escape_string($admin);
	$password= md5($password);
	include_once("scripts/connect.php");
	$sql=mysql_query("SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1");
	$count= mysql_num_rows($sql);
	if($count > 0){
		while($row= mysql_fetch_array($sql)){
			$id= $row['id'];
			$name= $row['name'];
			$pass= $row['password'];
			$_SESSION['id']= $id;
			$_SESSION['name']= $name;
			$_SESSION['password']= $pass;
			mysql_query("UPDATE admin SET last_log=now() WHERE name='$name' LIMIT 1");
			header("location: admin/index.php");


			}

	}else{
		$msg="<p style='color: #C00; font-weight: bold;' >Wrong Username or Password!</p>";

	}
}

}

?>

addyjo

i am getting this error "mysql_real_escape_string(): Access denied for user 'root'@'localhost' (using password: NO)" please help

NogDog

Try putting that line after the "include" line a couple lines after that. (I'm assuming that include file does the database connection stuff, which needs to happen before you try to use mysql_real_escape_string().)

(PS: The MySQL PHP extension (the mysql_*() functions) is deprecated, and you really should migrate any related code to use the MySQLi or PDO extension, instead, since future versions of PHP may no longer support the old extension.)

addyjo

NogDog;1352155 wrote:
Try putting that line after the "include" line a couple lines after that. (I'm assuming that include file does the database connection stuff, which needs to happen before you try to use mysql_real_escape_string().)

(PS: The MySQL PHP extension (the mysql_*() functions) is deprecated, and you really should migrate any related code to use the MySQLi or PDO extension, instead, since future versions of PHP may no longer support the old extension.)

Hi...thanks for your quick reply..i did the same as per your last sugestion..but still no progress...its showing wrong username or password..

Gravy

Try changing:

$sql=mysql_query("SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1");

Temporarily to:

$sql=mysql_query($temp = "SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1;");
echo $temp;

The next time you try to login it will give you the SQL query.

Make sure the data in the query is what you expected, try it directly in phpMyAdmin, manually compare the data to what is in the database. Is the password MD5'd in the database too?

Basically compare all the data and make sure everything matches up nicely.

addyjo

Gravy;1352321 wrote:
Try changing:
$sql=mysql_query("SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1");
Temporarily to:
$sql=mysql_query($temp = "SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1;");
echo $temp;
The next time you try to login it will give you the SQL query.

Make sure the data in the query is what you expected, try it directly in phpMyAdmin, manually compare the data to what is in the database. Is the password MD5'd in the database too?

Basically compare all the data and make sure everything matches up nicely.

hi gravy ... thanks for the reply ...still no success i am getting this error below in error_log file...

[17-Aug-2014 05:57:21 UTC] PHP Warning: mysql_real_escape_string(): Access denied for user 'root'@'localhost' (using password: NO) in /home/addykhan2003/public_html/admin.php on line 21
[17-Aug-2014 05:57:21 UTC] PHP Warning: mysql_real_escape_string(): A link to the server could not be established in /home/addykhan2003/public_html/admin.php on line 21
[17-Aug-2014 05:57:21 UTC] PHP Notice: Undefined variable: temp in /home/addykhan2003/public_html/admin.php on line 24
[17-Aug-2014 05:57:21 UTC] PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/addykhan2003/public_html/admin.php on line 25

yes the password is md5 in database i have used this code below to hash it..n saved in my database too

<?php

$P= "abdul82";
$p= md5($p);
echo $p;

Gravy

Ah, I thought you correct that.

Then my guess is that the problem is in your scripts/connect.php file.
Perhaps the root password you're using is wrong?

I'm assuming your code looks something like this at the moment:

<?php

session_start();
if(isset($_SESSION['admin'])){
    header("location: admin/index.php");
    exit();
}

$msg="";
if(isset($_POST['username'])){
    $admin= $_POST['username'];
    $password= $_POST['password'];
    $admin = stripslashes($admin);
    $password= stripslashes($password);
    $admin=strip_tags($admin);
    $password= strip_tags($password);
    if((!$admin) || (!$password)){
        $msg="<p style='color: #CC0; font-weight: bold;' >Wrong Username or Password!</p>";

}else{
    include_once("scripts/connect.php");

    $admin= mysql_real_escape_string($admin);
    $password= md5($password);

    $sql=mysql_query($temp = "SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1");
    echo $temp;
    $count= mysql_num_rows($sql);
    if($count > 0){
        while($row= mysql_fetch_array($sql)){
            $id= $row['id'];
            $name= $row['name'];
            $pass= $row['password'];
            $_SESSION['id']= $id;
            $_SESSION['name']= $name;
            $_SESSION['password']= $pass;
            mysql_query("UPDATE admin SET last_log=now() WHERE name='$name' LIMIT 1");
            header("location: admin/index.php");


            }

    }else{
        $msg="<p style='color: #C00; font-weight: bold;' >Wrong Username or Password!</p>";

    }
}

}

?>

Paying special attention to the order of:

 include_once("scripts/connect.php");
 $admin= mysql_real_escape_string($admin);

What are the contents of scripts/connect.php?

root

mysql_real_escape_string() is fine is your the only person on that server otherwise you need to have a resource identifier that is stored in a variable when you connect to the database.

$dbh = mysql_connect(... blah blah blah

now variable $dbh is a handle to the db so that

$xyz = mysql_real_escape_string( $whatIwantToEscape , $dbh);

and the same goes for queries, you would need

$myResult = mysql_query( $dbh , $myQueryString );

On other matters, security of your code is very bad, you should be sanitizing inputs in to an array that you then use and know is safe and not use the $POST array directly and you should operate a check to ensure that the login came from your site and check that the $POST['submit'] button is present.

Reliance on the $_SERVER['REQUEST_METHOD'] to test if the request is a POST request is not good enough, a post request could be coming from anywhere, you want to know that the post came from your site, the method I use is fairly simple

Using a whitelist and not using the $_POST array to control things...


$whitelist = array(
    "username"=>FILTER_SANITIZE_STRING,
    "password"=>FILTER_SANITIZE_STRING,
    "timeframe"=>FILTER_SANITIZE_STRING
);

foreach($whitelist as $field=>&$value){
    $value = isset( $_POST[ $field ] ) ? filter_var( $_POST[ $field ] , $value ) : false;
    if(!$value ) header("Location: /index.php");
}

if( $hash!=$whitelist['timeframe']) header("Location: /index.php"); // send to home page

then when you are sure that your values are sanitized, you can use the values in your whitelist in your script.

You might want to look at page salting as a way of marking your pages that your server issues, something that can be tested on form submission (login) and a check to ensure that your server issued the page and it is genuine.

addyjo

Gravy;1352365 wrote:
Ah, I thought you correct that.

Then my guess is that the problem is in your scripts/connect.php file.
Perhaps the root password you're using is wrong?

I'm assuming your code looks something like this at the moment:
<?php

session_start();
if(isset($_SESSION['admin'])){
    header("location: admin/index.php");
    exit();
}

$msg="";
if(isset($_POST['username'])){
    $admin= $_POST['username'];
    $password= $_POST['password'];
    $admin = stripslashes($admin);
    $password= stripslashes($password);
    $admin=strip_tags($admin);
    $password= strip_tags($password);
    if((!$admin) || (!$password)){
        $msg="<p style='color: #CC0; font-weight: bold;' >Wrong Username or Password!</p>";

}else{
    include_once("scripts/connect.php");

    $admin= mysql_real_escape_string($admin);
    $password= md5($password);

    $sql=mysql_query($temp = "SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1");
    echo $temp;
    $count= mysql_num_rows($sql);
    if($count > 0){
        while($row= mysql_fetch_array($sql)){
            $id= $row['id'];
            $name= $row['name'];
            $pass= $row['password'];
            $_SESSION['id']= $id;
            $_SESSION['name']= $name;
            $_SESSION['password']= $pass;
            mysql_query("UPDATE admin SET last_log=now() WHERE name='$name' LIMIT 1");
            header("location: admin/index.php");


            }

    }else{
        $msg="<p style='color: #C00; font-weight: bold;' >Wrong Username or Password!</p>";

    }
}

}

?>
Paying special attention to the order of:
 include_once("scripts/connect.php");
 $admin= mysql_real_escape_string($admin);
What are the contents of scripts/connect.php?

Hi Gravy,

i have match the database as per

$sql=mysql_query($temp = "SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1");
echo $temp;
as everything is matching ... i have also made mysql_quicktest.php file to check weather my i am connected to my database or not ...i am using this code below to check my connect.php file

mysql_quicktest.php
<?php
//connect to the file above here
require "connect.php";
echo "<h1>Success in database connection! Happy coding!<h1>"
?>

connect.php

<?php

$host="localhost";
$user="*"; (here i put my username)
$pass="*";(here i put my password)
$name="mystore";

mysql_connect("$host","$user","$pass")or die(mysql_error());
mysql_select_db("$name") or die(mysql_error());

but whenever i check this through my mysql_quicktest.php file i get the success message....what should i do

root

You should be using the mysqli not mysql functions and you also need to be using handler variables for your connections as indicated in my post.