Search code examples
phphtmllogin-script

Php Login Script Not Logging In At All

I created a script to log users into a website, however I can never get authenticated, even with the right password. Everything else works properly. This script is activated by pressing a login button after typing a username and password in textboxes. Below is the script:

<?php
session_start();
include('connection.php');

//STEP 2 Declare Variables

$Name = $_POST['username'];
$Pass = md5($_POST['password']); // Encrypt password with md5() function.
$Query = mysql_query("SELECT * FROM Users WHERE username='$Name' AND password='$Pass'");
$NumRows = mysql_num_rows($Query);
$_SESSION['username'] = $Name;
$_SESSION['password'] = $Pass;

//STEP 3 Check to See If User Entered All Of The Information

if(empty($_SESSION['username']) || empty($_SESSION['password']))
  {
    die("Go back and login before you visit this page!");
  }

if($Name && $Pass == "")
  {
    die("Please enter in a name and password!");
  }

if($Name == "")
  {
    die("Please enter your name!" . "</br>");
  }

if($Pass == "")
  {
    die("Please enter a password!");
    echo "</br>";
  }

//STEP 4 Check Username And Password With The MySQL Database

if($NumRows) 
  {
    // If The User Makes It Here Then That Means He Logged In Successfully
    echo "";
    $_SESSION['username']=$Database_Name;
  }

else 
  {
    die("Incorrect Username or Password!");
  }
?>

After I login I get "Incorrect Username or Password!", even though the username and password entered are correct. The passwords are being entered as md5() hashes in the database. This script worked years ago when I first created it. Posted below is a screenshot of the DB. Any help would be greatly appreciated

Here is a picture of a user in my DB named Bob who is using an MD5 hash of the word "Password" as his Password.

Here is a picture of the echoed results when he tries to login.

Solution

  • This code:

    if($NumRows != 0)
  {
    while($Row = mysql_fetch_assoc($Query))
      {
        $Database_Name = $Row['username'];
        $Database_Pass = $Row['password'];
      }
  }

else
  {
    die("Incorrect Username or Password!");
  }

if($Name == $Database_Name && $Pass == $Database_Pass)
  {
    // If The User Makes It Here Then That Means He Logged In Successfully
    echo "";
    $_SESSION['username']=$Database_Name;
  }

    Can be simplified by using only mysql_num_rows:

    if($NumRows) {
    // If The User Makes It Here Then That Means He Logged In Successfully
    echo "";
    $_SESSION['username']=$Database_Name;
} else {
    die("Incorrect Username or Password!");
}

    Explanation:

    Since, you are using mysql_num_rows, it will return 1 row if your query matches, thus the user is already authenticated, else it will return 0. Using mysql_fetch_assoc then comparing the results is redundant.

    if($NumRows) will return 1 if one row matches, and 1 is true.

    Update:

    It's most probably due to length of field in your database being too short to successfully insert the whole md5() hash. Thus, the latter part did not insert successfully.

    IMPORTANT:

    You should not be using MySQL as it is already deprecated, use MySQLi instead. MySQL functions are not available in PHP 7.

    Also, you need to prevent MySQL Injection by using mysql_real_escape_string.

    md5() isn't a very secure way of storing passwords, instead use crypt().