Missing Password check
Posted
by
AAA
on Stack Overflow
See other posts from Stack Overflow
or by AAA
Published on 2010-12-28T21:51:44Z
Indexed on
2010/12/29
1:54 UTC
Read the original article
Hit count: 596
I am using the code below, it checks for empty fields and verifies email, but even if the password is correct it won't login. the password has been inserted with md5 protection, below is the code. I am new to this so please bare with me. Thanks!
PHP:
session_start();
//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))
//if there is, it logs you in and directes you to the members page
{
$email = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM accounts WHERE email = '$email'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($pass != $info['password'])
{
}
else
{
header("Location: home.php");
}
}
}
//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted
// makes sure they filled it in
if(!$_POST['email'] | !$_POST['password']) {
die('You did not fill in a required field.');
}
// checks it against the database
if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM accounts WHERE email = '".$_POST['email']."'")or die(mysql_error());
//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database. <a href=add.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check ))
{
$_POST['password'] = stripslashes($_POST['password']);
$info['password'] = stripslashes($info['password']);
$_POST['password'] = md5($_POST['password']);
//gives error if the password is wrong
if ($_POST['password'] != $info['password']) {
die('Incorrect password, please try again.');
}
else
{
// if login is ok then we add a cookie
$_POST['email'] = stripslashes($_POST['email']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['email'], $hour);
setcookie(Key_my_site, $_POST['password'], $hour);
//then redirect them to the members area
header("Location: home.php");
}
}
}
else
{
// if they are not logged in
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>email:</td><td>
<input type="text" name="email" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="password" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
}
Here is the registration code:
PHP:
// here we encrypt the password and add slashes if needed
$_POST['password'] = md5($_POST['password']);
if (!get_magic_quotes_gpc()) {
$_POST['password'] = mysql_escape_string($_POST['password']);
$_POST['email'] = mysql_escape_string($_POST['email']);
$_POST['full_name'] = mysql_escape_string($_POST['full_name']);
$_POST['user_url'] = mysql_escape_string($_POST['user_url']);
}
// now we insert it into the database
$insert = "INSERT INTO accounts (Uniquer, Full_name, Email, Password, User_url)
VALUES ('".$uniquer."','".$_POST['full_name']."', '".$_POST['email']."','".$_POST['password']."', '".$_POST['user_url']."')";
$add_member = mysql_query($insert);
After using ini_set function i got to see the error, i am getting this message but not sure what it means:
Notice: Undefined index: password in /var/www/domain.com/htdocs/login.php on line 103
Notice: Use of undefined constant password - assumed 'password' in /var/www/domain.com/htdocs/login.php on line 11
© Stack Overflow or respective owner
