Novice to Ninja Chapter 9 Access Control Can't Log In

I set up everything as per the information given. I created a script to access the authors table and was able to add users with emails and passwords. The issue I am having is when I try to log in it says I am using the wrong username or password. I changed the access for the group by changing the ID associated with each joke. I also tried to log in using the account in the authors table with no password. I checked my php.ini file and it is set up correctly. I also followed the example from Kevin Yank, “Managing Users with PHP Sessions and MySQL” (updated 2009), located here: http://www.sitepoint.com/users-php-sessions-mysql/. I am having the same issue with this script: Wrong Username or Password. Can someone help? Thanks in advance.

Can you post some code to look at?

Here is the signup form. If I update the password in the database along with the salt added I can log in.

 <?php // signup.php
include 'common.php';
include 'db.php';
if (!isset($_POST['submitok'])):
// Display the user signup form
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

  <title>New User Registration</title>

  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

</head>

<body>

  <h3>New User Registration Form</h3>

  <p><font color="orangered" size="+1"><tt><b>*</b></tt></font> indicates a required field</p>

  <form method="post" action="<?=$_SERVER['PHP_SELF']?>">

    <table border="0" cellpadding="0" cellspacing="5">


    <tr>

      <td align="right">

        <p>Full Name</p>

      </td>

      <td>

        <input name="newname" type="text" maxlength="100" size="25" />

        <font color="orangered" size="+1"><tt><b>*</b></tt></font>

      </td>

    </tr>

    <tr>

      <td align="right">

        <p>E-Mail Address</p>

      </td>

      <td>

        <input name="newemail" type="text" maxlength="100" size="25" />

        <font color="orangered" size="+1"><tt><b>*</b></tt></font>

      </td>

    </tr>

       <tr>

      <td align="right" colspan="2">

        <hr noshade="noshade" />

        <input type="reset" value="Reset Form" />

        <input type="submit" name="submitok" value="   OK   " />

      </td>

    </tr>

  </table>

</form>

</body>

</html>

 <?php
else:
// Process signup submission
dbConnect('keeper');

if ($_POST['newname']==''
or $_POST['newemail']=='') {
error('One or more required fields were left blank.\\n'.
'Please fill them in and try again.');
}

// Check for existing user with the new id
$sql = "SELECT COUNT(*) FROM author WHERE email = '$_POST[newemail]'";
$result = mysql_query($sql);
if (!$result) {
error('A database error occurred in processing your '.
'submission.\\nIf this error persists, please '.
'contact info@corner.com.');
}
if (@mysql_result($result,0,0)>0) {
error('A user already exists with your chosen userid.\\n'.
'Please try another.');
}

$newpass = substr(md5(time()),0,6);


 $sql = "INSERT INTO author SET
password = PASSWORD('$newpass'),
name = '$_POST[newname]',
email = '$_POST[newemail]'";
if (!mysql_query($sql))
error('A database error occurred in processing your '.
'submission.\\nIf this error persists, please '.
'contact info@corner.com.');

 // Email the new password to the person.
$message = "G'Day!

Your personal account
has been created! To log in, proceed to the
following address:


Your personal login ID and password are as follows:

userid: $_POST[newemail]
password: $newpass

You aren't stuck with this password! You can change it at any time after you have logged in.

If you have any problems, feel free to contact me at <Your email>.


";

mail($_POST['newemail'],"Your Password ",
$message, "From:Your Site <>");


 ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Registration Complete </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<p><strong>User registration successful!</strong></p>
<p>Your userid and password have been emailed to
<strong><?=$_POST[newemail]?></strong>, the email address
you just provided in your registration form. To log in,
click <a href="">here</a> to return to the login
page, and enter your new personal userid and password.</p>
</body>
</html>
<?php
endif;
?>

And the access file:


<?php
function userIsLoggedIn()
{
if (isset($_POST['action']) and $_POST['action'] == 'login')
{
if (!isset($_POST['email']) or $_POST['email'] == '' or
!isset($_POST['password']) or $_POST['password'] == '')
{
$GLOBALS['loginError'] = 'Please fill in both fields';
return FALSE;
}

$password = md5($_POST['password'] . '');
if (databaseContainsAuthor($_POST['email'], $password))
{
session_start();
$_SESSION['loggedIn'] = TRUE;
$_SESSION['email'] = $_POST['email'];
$_SESSION['password'] = $password;
return TRUE;
}
else
{
session_start();
unset($_SESSION['loggedIn']);
unset($_SESSION['email']);
unset($_SESSION['password']);
$GLOBALS['loginError'] =
'The specified email address or password was incorrect.';
return FALSE;
}
}
if (isset($_POST['action']) and $_POST['action'] == 'logout')
{
session_start();
unset($_SESSION['loggedIn']);
unset($_SESSION['email']);
unset($_SESSION['password']);
header('Location: ' . $_POST['goto']);
exit();
}
session_start();
if (isset($_SESSION['loggedIn']))
{
return databaseContainsAuthor($_SESSION['email'], $_SESSION['password']);
}
}
function databaseContainsAuthor($email, $password)
{
include 'db.inc.php';
try
{
$sql = 'SELECT COUNT(*) FROM author
WHERE email = :email AND password = :password';
$s = $pdo->prepare($sql);
$s->bindValue(':email', $email);
$s->bindValue(':password', $password);
$s->execute();
}
catch (PDOException $e)
{
$error = 'Error searching for author.';
include 'error.html.php';
exit();
}
$row = $s->fetch();
if ($row[0] > 0)
{
return TRUE;
}
else
{
return FALSE;
}
}
function userHasRole($role)
{
include 'db.inc.php';
try
{
$sql = "SELECT COUNT(*) FROM author
INNER JOIN authorrole ON author.id = authorid
INNER JOIN role ON roleid = role.id
WHERE email = :email AND role.id = :roleId";
$s = $pdo->prepare($sql);
$s->bindValue(':email', $_SESSION['email']);
$s->bindValue(':roleId', $role);
$s->execute();
}
catch (PDOException $e)
{
$error = 'Error searching for author roles.';
include 'error.html.php';
exit();
}
$row = $s->fetch();
if ($row[0] > 0)
{
return TRUE;
}
else
{
return FALSE;
}
}

Hi,
I am also working with this book. I recently set this up too.
I was not able to get started with the signup or a password so I echoed
md5(my password);
I then put the output of this directly into the database.
Then I was able to login and get started, creating other users, roles and giving them passwords.
Are you sure that you are connecting to your database and the paths in the include lines are correct?
I had to play with path for a while to get it all to work. Are your common.php and db.php in the same directory as the new signup form? If not you’ll have to put in a longer path name.
Hope that helps,
Shane

I will try it and see if it works. I did change all the paths for the includes, and both files are also in the same dir.

You’ve got a mix of the mysql_* extension (which is deprecated as of version 5.5 of PHP and will likely be removed from version 5.6 of PHP) and PDO. You need to change your signup form script to use PDO. Also, your signup script is wide open to SQL injection attack as you’re letting user-submitted data near the database. You need to use prepared statements like you’ve already done in your “access” file.
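The following is an added example, not code from the original posters or from the book. It shows what the last reply asks for: the signup script's duplicate check and INSERT rewritten on PDO prepared statements, with the login check written against the same table. It also deals with a second thing visible in the posted code: the signup script stores `PASSWORD('$newpass')` while the access file compares an `md5()` value, and a login check can only succeed if both scripts derive the stored value the same way. Here both sides use `password_hash()`/`password_verify()` (available from PHP 5.5, the version the reply mentions). Assumptions: a PDO connection in `$pdo`, the thread's `author` table with columns `id`, `name`, `email`, `password`, and a `password` column wide enough (VARCHAR(255)) to hold `password_hash()` output.

```php
<?php
// Added example (not the thread's or the book's code).
// Signup and login against the `author` table, both through PDO prepared
// statements so that user-submitted values are bound, never interpolated
// into SQL, and both using password_hash()/password_verify() so the value
// stored at signup is the value the login check can verify.
// Assumes: $pdo is a connected PDO instance; author(id, name, email, password).

function createAuthor(PDO $pdo, $name, $email, $plainPassword)
{
    // Duplicate-e-mail check with a bound parameter instead of
    // "WHERE email = '$_POST[newemail]'".
    $s = $pdo->prepare('SELECT COUNT(*) FROM author WHERE email = :email');
    $s->bindValue(':email', $email);
    $s->execute();
    if ($s->fetchColumn() > 0) {
        return false;               // e-mail already registered
    }

    // password_hash() adds a per-user random salt and uses a slow hash.
    // The same function's output is what password_verify() checks below,
    // which is the property the thread's PASSWORD()/md5() pair lacks.
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);

    $s = $pdo->prepare(
        'INSERT INTO author (name, email, password)
         VALUES (:name, :email, :password)'
    );
    $s->bindValue(':name', $name);
    $s->bindValue(':email', $email);
    $s->bindValue(':password', $hash);
    return $s->execute();           // true on success
}

function databaseContainsAuthor(PDO $pdo, $email, $plainPassword)
{
    // Fetch only the stored hash for this e-mail; the password itself is
    // never part of the query, so the comparison happens in PHP.
    $s = $pdo->prepare('SELECT password FROM author WHERE email = :email');
    $s->bindValue(':email', $email);
    $s->execute();
    $storedHash = $s->fetchColumn();
    if ($storedHash === false) {
        return false;               // no author with that e-mail
    }
    return password_verify($plainPassword, $storedHash);
}

// Usage from the two handlers, after the existing blank-field checks:
//   createAuthor($pdo, $_POST['newname'], $_POST['newemail'], $newpass);
//   databaseContainsAuthor($pdo, $_POST['email'], $_POST['password']);
```

With this layout the session no longer needs to carry `$_SESSION['password']` as the posted access file does: after a successful `databaseContainsAuthor()` call, storing `loggedIn` and `email` is enough, and later requests only need to confirm that the e-mail still exists in `author`. Any rows inserted by the old signup script (with `PASSWORD()` values) will not verify against `password_verify()` and would need to be re-created through `createAuthor()`.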