Log in need to check password

I need help with checking the password; everything else works fine.

```html
<form class="form-horizontal" action="" method="post" id="form1" style="width: 95%; margin: 0 2.5%" novalidate>
    <div class="control-group">
        <label class="control-label" for="ea">Email Address:</label>
        <div class="controls">
            <DIV align="left"><input type="email" name="email" id="email" class="input-large valid"></div>
        </div>
    </div>
    <div class="control-group">
        <label class="control-label" for="pa">Password:</label>
        <div class="controls">
            <DIV align="left"><input type="password"  name="password" id="password" class="input-large valid"></div>
        </div>
    </div>
    <div class="control-group">
        <div class="controls" id="exist_wait"></div>
    </div>

    <div class="control-group">
        <label class="control-label"></label>
        <div class="controls">
            <tr valign="baseline">
                <td nowrap align="right">&nbsp;</td>
                <td> <DIV align="left"><input type="submit" name="Submit1" class="submit" value="Submit"></div></td>
            </tr>
</form>
```

```php
if(isset($_SESSION['user'])!="")
{

}

$conn= mysqli_connect("localhost","root","");
if(mysqli_connect_error()) {
	die('Could not connect: ' . mysqli_connect_error());
}
$conn->select_db('cars123');

if(isset($_POST['Submit1']))
{
	$email = mysqli_real_escape_string($conn, $_POST['email']);
	$upass = mysqli_real_escape_string($conn, $_POST['pass']);
	$res=mysqli_query($conn, "SELECT * FROM users WHERE           email='$email'       ")  or die("Error: ".mysqli_error($dbc));
	$row=mysqli_fetch_array($res, MYSQLI_ASSOC);

	if($row['password']==md5($upass))
	{
		$_SESSION['user'] = $row['user_id'];
		$_SESSION['password']= $row['password'];
		echo'<script>window.location="http://localhost/carbooking3/16%20y/korak1.php";</script>';
	}
	else
	{
		echo'<script>window.location="http://localhost/carbooking3/16%20y/korak3.php";</script>';
	}
}
```
		
```sql
CREATE TABLE `users` (
  `user_id` int(5) NOT NULL,
  `email` varchar(255) NOT NULL,
  `username` varchar(25) NOT NULL,
  `password` varchar(255) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
```

#1: Storing the password in the session is unnecessary.
#2: Consider stepping up from md5 to something like PHP’s native password hasher.
#3: Be careful checking for the submit value; certain browsers had a property where if you hit enter to submit the form, it didn’t send the submit button’s value. (Uncertain of the current status of this condition)
#4: What precisely is going wrong with your code?

I tried too many times to check the password; it didn’t work. I need to add a password check.

So you’re saying your password check isn’t matching known good passwords?

Well, let’s see.

#1: `$upass = mysqli_real_escape_string($conn, $_POST['pass']);`
Unnecessary. You don’t send the password to a query.
Also, `$_POST['pass']` doesn’t exist. You called your form element password, not pass.

`SELECT * FROM users WHERE email='$email' and password='$password'`
I need to get this to work.

pass=password

Well, I’d strongly suggest NOT sending the password via query, and instead getting a result from the database by email alone and testing it when it gets back, as you currently have it.

If you must do it that way, then try that first and then tell us what isn’t working with that approach.

password via query page goes on same page all the time

If I try it like this, `if($row['password']==md5($upass) && (email='$email') )`, I get an error.

!! Do not use MD5 for storing passwords, it is not secure !!

As Wikipedia says:

The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor (complexity of 2^24.1).

(emphasis mine)

Use PHP’s builtin password_hash instead.

2 Likes

So how do I check the password?

Here’s a complete example: https://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/

1 Like

```php
<?php
$upass = 'abcxyz123'; // password
$salt = '}#f4ga~g%7hjg4&j(7mk?/!bj30ab-wi=6^7-$^R9F|GK5J#E6WT;IO[JN'; // random string

$hash = md5($upass);
$hash_md5 = md5($salt . $upass);

// echo now
echo 'Original Password: ' . $upass . '<br><br>';
echo 'Original Salt: ' . $salt . '<br><br>';
echo 'MD5: ' . $hash . '<br><br>';
echo 'MD5 with Salt: ' . $hash_md5 . '<br><br>';
?>
```

like this

You misunderstood. I have the password hash; I need to check the password against the DB, whether the user is in the DB or not.

You need to stop what you’re doing. As you have already been told, DO NOT USE MD5.

4 Likes

As many have already said, you shouldn’t be making your own homebrew password hashing algorithm. From what I can deduce from your recent posts, you don’t really know that much about the basics yet. Cryptography is something entirely different and is way way way way more complex than the basics of PHP. Since you neither have a grasp of the basics nor are a cryptography expert, I would strongly advise you not to write your own algorithm. Please use password_hash() and password_verify() as others have tried to point out.

5 Likes

I fixed :smile:

```php
$email = trim($_POST['email']);
$password = trim($_POST['password']);

$sql = "select * from users where email = '".$email."'";
$rs = mysqli_query($conn,$sql);
$numRows = mysqli_num_rows($rs);

if($numRows  == 1){
	$row = mysqli_fetch_assoc($rs);
	if(password_verify($password,$row['password'])){
		echo'<script>window.location="http://localhost/carbooking3/16%20y/S.php";</script>';
	}
	else{
		echo'<script>window.location="http://localhost/carbooking3/16%20y/S%20-%20Copy.php";</script>';
	}
}
else{
	echo'<script>window.location="http://localhost/carbooking3/16%20y/S%20-%20Copy.php";</script>';
}

}
```

I wrote some algorithms a long time ago. I didn’t touch a computer for almost a year.

Now you just need to stop creating variables for nothing, stop putting spaces in file and directory names and start using Prepared Statements and start specifying the column names you want instead of SELECT * .

Why not use header('Location: http://localhost/carbooking3/16%20y/S.php'); to redirect? :thinking:

1 Like
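
The advice given across the replies above (look the row up by email alone with a prepared statement, name the columns, check with `password_verify()`), as an added example that is not code from any poster in the thread. It assumes PDO with an in-memory SQLite copy of the `users` table so it runs without the thread's MySQL database; the accounts and passwords are constructed, `check_login` is a hypothetical name, and it goes beyond the thread by replacing a stored unsalted MD5 value with a `password_hash()` hash on the next successful login.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the thread's `users` table: SQLite in memory
// instead of the MySQL database, so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE,
           username TEXT NOT NULL, password TEXT NOT NULL)');
$add = $db->prepare('INSERT INTO users (email, username, password) VALUES (?, ?, ?)');
$add->execute(['new@example.test', 'new', password_hash('correct horse', PASSWORD_DEFAULT)]);
$add->execute(['old@example.test', 'old', md5('abcxyz123')]); // legacy unsalted MD5 row

/** Hypothetical helper: returns the user_id on success, null on any failure. */
function check_login(PDO $db, string $email, string $password): ?int
{
    // Look the row up by email only; the password never goes into the query.
    $stmt = $db->prepare('SELECT user_id, password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $stored = $row['password'];
    // Assumption: legacy rows hold a bare 32-hex-digit md5() value.
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }
    // Replace an MD5 or outdated hash while the plaintext is at hand.
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE user_id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['user_id']]);
    }
    return (int) $row['user_id'];
}

var_dump(check_login($db, 'new@example.test', 'correct horse')); // right password
var_dump(check_login($db, 'new@example.test', 'wrong'));          // wrong password
var_dump(check_login($db, 'old@example.test', 'abcxyz123'));      // legacy MD5 row
var_dump(check_login($db, "o'brien@example.test", 'x'));          // unknown email; the quote is plain data
// Re-read the legacy row to check that its stored value was replaced.
$hash = $db->query("SELECT password FROM users WHERE email = 'old@example.test'")->fetchColumn();
var_dump(password_verify('abcxyz123', $hash));
```

On the login page, a non-null result would be followed by `session_regenerate_id(true)`, storing only the user id in `$_SESSION['user']`, and a `header('Location: ...')` redirect with `exit`.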