Error pulling password from MySQL dbase

Need expert advice....

         

tonynoriega

4:22 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



i have a new registration form for my users on a site im developing.

i have the password and password confirmation field submitting the data with "md5" encryption. Even though i know i am entering the correct info, on the login page, i get my error that says the password is invalid. My question is, can my login form not be reading the encrypted password in my database and seeing an invalid password? When i look into my PHP Admin screen dbase table, the data is actually a bunch of crazy encrypted characters.....so is my login page seeing encrypted characters and thus not matching when a user logs in?

whats happening? (registration and login script below)

//registration.php

<?php
$dbhost = "localhost";
$dbname = "dbasename";
$dbuser = "user";
$dbpass = "password";

//import form information

$subject = $_POST['subject'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$username = $_POST['username'];
$pword = md5($_POST['pword']);
$pword2 =md5($_POST['pword2']);
$emailedpass = $_POST['pword']; // this was added so the user gets the password sent via email.
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$company = $_POST['company'];
$message = $_POST['message'];

$message=stripslashes($message);

//Connect to database

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

//This code runs if the form has been submitted

if (isset($_POST['submit'])) {

//This makes sure they did not leave any fields blank
//Should my password fields in this case also include the "md5"?

if (!$_POST['fname'] |!$_POST['lname'] |!$_POST['username'] |!$_POST['pword'] |!$_POST['pword2'] |!$_POST['address'] |!$_POST['city'] |!$_POST['state'] |!$_POST['zip'] |!$_POST['phone'] |!$_POST['email'] |!$_POST['company'] |!$_POST['message'] )
{
die('You did not complete all of the required fields');
}

// checks if the username is in use

if (!get_magic_quotes_gpc()) {
$_POST['username'] = addslashes($_POST['username']);
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM userinfo WHERE username = '$usercheck'")
or die(mysql_error());
$check2 = mysql_num_rows($check);

//if the name exists it gives an error

if ($check2!= 0) {
die('Sorry, the username '.$_POST['username'].' is already in use.');
}

// this makes sure both passwords entered match
// here is where i keep getting an error, should these be "md5" as
// well?

if ($_POST['pword']!= $_POST['pword2']) {
die('Your passwords did not match. ');
}

// here we encrypt the password and add slashes if needed

$_POST['pword'] = md5($_POST['pword']);
if (!get_magic_quotes_gpc()) {
$_POST['pword'] = addslashes($_POST['pword']);
$_POST['username'] = addslashes($_POST['username']);
}

// now we insert it into the database

$query = "INSERT INTO userinfo VALUES ('$subject','$fname','$lname','$username','$pword', '$pword2', '$address','$city','$state','$zip','$phone','$email','$company','$message','$datetime','$id')";
mysql_query($query);

mysql_close();
?>

//login.php

<?php

$dbhost = "localhost";
$dbname = "database";
$dbuser = "user";
$dbpass = "password";

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

//Checks if there is a login cookie

if(isset($_COOKIE['ID_my_site']))

//if there is, it logs you in and directs you to the members page
{
$username = $_COOKIE['ID_my_site'];
$pword = $_COOKIE['Key_my_site'];

$check = mysql_query("SELECT * FROM userinfo WHERE username = '$username'")or die(mysql_error());

while($info = mysql_fetch_array( $check ))
{

if ($pword!= $info['password'])
{

}

else
{
header("Location: index.html");

}

}

}

//if the login form is submitted

if (isset($_POST['submit'])) { // if form has been submitted

// makes sure they filled it in

if(!$_POST['username'] |!$_POST['pword']) {
die('You did not fill in a required field.');
}

// checks it against the database

if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}

$check = mysql_query("SELECT * FROM userinfo WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Gives error if user doesn't exist

$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database. <a href=indextest.php>Click Here to Register</a>');
}

while($info = mysql_fetch_array( $check ))
{

$_POST['pword'] = stripslashes($_POST['pword']);
$info['password'] = stripslashes($info['password']);
$_POST['pword'] = md5($_POST['pword']);

//gives error if the password is wrong

if ($_POST['pword']!= $info['password']) {
die('Incorrect password, please try again.');
}

else
{
// if login is ok then we add a cookie

$_POST['username'] = stripslashes($_POST['username']);

$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pword'], $hour);

//then redirect them to the members area
header("Location: index.html");
}

}

} else {

// if they are not logged in
?>

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pword" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}

?>

henry0

6:01 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I see a bunch of little glitches

You do not need to md5 your POST values
As is you twice md5 it one as POST two while prep to insert in DB

If you read a bunch of crazy stuffs as md5 values than you have a problem
Possibly due to double md5 action, md5 in clear shows only alphanumerical chars

Do you really need to enter PW2, password 2 should only be used to match 1 against 2

To md5 at insert level you will do:
$query = "INSERT INTO my_table (username, password, etc…)
VALUES ('$username', md5('password'), etc…)";

Try this and report

cameraman

7:14 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You're also doing addslashes() too many times - you can end up with the username being slashed twice, so that O'Reilly ends up as O\\\'Reilly.

I'm not understanding why the section following:
// here we encrypt the password and add slashes if needed

is there since you don't use them after that - maybe it was left over from a previous try.

I don't think it's performing the insert. In the insert you refer to $datetime and $id but I don't see them assigned anywhere, so the script should be erroring there.
Try putting the line:
error_reporting(E_ALL);

at the top of the script while you're debugging, but remove it when you're finished.

I agree with Henry0, there's no reason to store pword2 in the database, you just want to use it to validate the form data.

There's nothing magical about a form field named 'password' (or <input type="password") - you don't need to do any md5ing until the actual insert.

Looks like Henry0 is giving the user the password 'password'. Once you remove all the md5() done to the variables beforehand you should be able to use md5('$pword') in his example.

I'm not seeing anything wrong with:
if ($_POST['pword']!= $_POST['pword2']) {
die('Your passwords did not match. ');
}

All I can think is maybe something's not quite right in the html form, maybe you did a copy/paste and wound up with two fields being named 'pword2' or something silly like that.

tonynoriega

9:55 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Ok, i verified all form fields. Check.

I took out the additional portion of where i was MD5'ing" my password twice....that i totally understand. Check.

I removed the "pword2" column from my table. Check.

I changed my INSERT statement to the syntax you suggested. Check.
Data is being stored, i have 3 test records, and i see pure alphanumeric characters in my table. Check.

I took out the area that was adding slashes, as per Cameraman's suggestion.

I STILL AM GETTING MY ERROR "incorrect password, please try again" in my loginpage.php

i am posting the entire "loginpage.php" and i will show you where and why i think the error is. Please look at my comment lines within the code...(sorry, just bear with me)

//loginpage.php

<?php
$dbhost = "localhost";
$dbname = "name";
$dbuser = "user";
$dbpass = "password";

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

if(isset($_COOKIE['ID_my_site']))

{
$username = $_COOKIE['ID_my_site'];
$pword = $_COOKIE['Key_my_site'];

$check = mysql_query("SELECT * FROM userinfo WHERE username = '$username'")or die(mysql_error());

while($info = mysql_fetch_array( $check ))
{
if ($pword!= $info['password'])
{
}

else
{
header("Location: index.html");
}
}
}

if (isset($_POST['submit'])) {

if(!$_POST['username'] |!$_POST['pword']) {
die('You need to enter a username and password to continue.');
}

$check = mysql_query("SELECT * FROM userinfo WHERE username = '".$_POST['username']."'")or die(mysql_error());

$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database. <a href=indextest.php>Click Here to Register</a>');
}
//******************************************************************
//I think the error is below, since i removed the addslashes from the
//previous page. I'm trying to stripslashes that aren't there?
//this While statement i think is causing my errors?
//******************************************************************
while($info = mysql_fetch_array( $check ))
{

$_POST['pword'] = stripslashes($_POST['pword']);
$info['password'] = stripslashes($info['password']);
$_POST['pword'] = md5($_POST['pword']);

//gives error if the password is wrong

if ($_POST['pword']!= $info['password']) {
die('Incorrect password, please try again.');
}

else
{

$_POST['username'] = stripslashes($_POST['username']);

$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pword'], $hour);

header("Location: index.html");
}

}

} else {

// if they are not logged in
?>

// HTML login form sits here for the user

<?php
}
?>

justageek

10:17 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Try this to see exactly what is being compared:

if ($_POST['pword']!= $info['password']) {
echo "This '".$_POST['pword']."' should be the same as '".$info['password']."' and if it isn't...why?";
die('Incorrect password, please try again.');
}

JAG

cameraman

10:39 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Oh sure, JAG, just hop in with something excellent and worthwhile and simple! ;)

One thing that I didn't notice before is that you're doing:
if(!$_POST['username'] |!$_POST['pword'])

This forum changes solid pipes to broken pipes so that above is really a solid pipe.
However, the single pipe character performs a bitwise OR, and what you really want there is a logical OR:
if(!$_POST['username'] ||!$_POST['pword'])

That may be causing some unexpected results.

Here you've got:
while($info = mysql_fetch_array( $check ))
{

$_POST['pword'] = stripslashes($_POST['pword']);
$info['password'] = stripslashes($info['password']);
$_POST['pword'] = md5($_POST['pword']);

//gives error if the password is wrong

if ($_POST['pword']!= $info['password']) {
die('Incorrect password, please try again.');
}

Since you're keeping more than one record with the same username from going into the database, you're only going to get back one record, so you don't need the while. I'd also lose the stripslashes, so that whole segment reduces to these three lines:

$info = mysql_fetch_array($check);
if(md5($_POST['pword'])!= $info['password'])
die('Incorrect password, please try again.');

See what that does for you. If it still doesn't work, try using phpMyAdmin to md5 the password on one of the records directly and try this page again. If that works then we know to go back to that other script. If that still doesn't work (this'll make you groan) try starting with a fresh two scripts that are just absolutely bare bones, like the insert becomes:
"INSERT INTO userinfo (username,password) values ('" . $_POST['username'] . "','" . md5($_POST['pword']) . "')";
That's just going to populate those two fields and nothing more. With the bare bones versions don't do any slashing, unslashing, cookies, nothing. Get two scripts working and then expand them.

I know you just want to get this going and anything else is irrelevant at this point, but once you do get it going you really should go over to [phpsec.org ] and read that whole article. Anything you don't understand, gloss over it and return in a month and reread.
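As an added example (not cameraman's code and not from the thread), here is the bare-bones register/login pair he describes, written against PDO with an in-memory SQLite database so it runs stand-alone with no MySQL server. It binds the form values as query parameters instead of splicing them into the SQL string (so no addslashes()/stripslashes() is needed), fetches the single row once rather than looping, and hashes with password_hash()/password_verify() instead of md5(), which is unsalted and fast and therefore unsuitable for storing passwords. The table layout, column names and the sample usernames are constructed for this example.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7+ with pdo_sqlite.
// The userinfo layout below is constructed for the example.

function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE on username means the table itself rejects a second row for the
    // same user, so a login query can never return a row other than the one
    // registration wrote.
    $pdo->exec('CREATE TABLE userinfo (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL
    )');
    return $pdo;
}

// Returns true on success, false when the username is already taken.
function register_user(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT 1 FROM userinfo WHERE username = :u');
    $stmt->execute([':u' => $username]);
    if ($stmt->fetchColumn() !== false) {
        return false;               // already in use (the UNIQUE index also catches a race)
    }
    // Hash exactly once, at insert time; the form value itself is never hashed
    // or stored anywhere else.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO userinfo (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
    return true;
}

// Returns true only when the submitted password verifies against the stored hash.
function login_user(PDO $pdo, string $username, string $password): bool {
    // The column selected here must be the exact key read from $row below;
    // a mismatch silently yields an empty value, never a match.
    $stmt = $pdo->prepare('SELECT password FROM userinfo WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // one row or false; no while loop
    if ($row === false) {
        // Unknown user fails the same way as a wrong password, so the login
        // page does not reveal which usernames exist.
        return false;
    }
    return password_verify($password, $row['password']);
}

// Stand-alone run with constructed sample data.
$pdo = open_db();
var_dump(register_user($pdo, 'abc123', 'abc'));
var_dump(register_user($pdo, 'abc123', 'abc'));   // second registration of the same name
var_dump(login_user($pdo, 'abc123', 'abc'));
var_dump(login_user($pdo, 'abc123', 'ABC'));
var_dump(login_user($pdo, 'nobody', 'abc'));
```

Run it with the php CLI: the first registration succeeds and the repeat is refused; the correct password logs in, while the wrong-case password and the unknown user both fail with the same result. Because the hash is produced once at insert and compared once at login, the double-md5 and "plain text versus hash" mistakes discussed above cannot happen.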

justageek

11:05 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Oh sure, JAG, just hop in with something excellent and worthwhile and simple! ;)
- Ha :-)

Let's see if it helps. Tonynoriega...what did you see?

JAG

tonynoriega

11:33 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



WOW...something isnt correlating correctly...

here is the echo from Jag's suggestion:

This 'abc' should be the same as '' and if it isn't...why?Incorrect password, please try again.

henry0

11:52 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hmmm, at a very quick glance you might check two values that could never be equal
one is from a POST the other is already md5
if this is the case; we always check PW before going that far in a script.

Again if I did read correctly :)

justageek

12:00 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So it looks like the query is failing or the value from the query is blank. Next add the echo like so:

//******************************************************************
//I think the error is below, since i removed the addslashes from the
//previous page. I'm trying to stripslashes that aren't there?
//this While statement i think is causing my errors?
//******************************************************************
while($info = mysql_fetch_array( $check ))
{
echo "My password from the db is: ".$info['password'];

JAG

justageek

12:02 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If that fails then echo the query to make sure it is OK and if it is run it against the db directly to see what you get back.

echo "SELECT * FROM userinfo WHERE username = '".$_POST['username']."'";

JAG

tonynoriega

12:18 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



//I really do appreciate the help with this..
//so....from your first option...here is what i got...

My password from the db is: This 'abc' should be the same as '' and if it isn't...why? Incorrect password, please try again.

//The second option returned this, which returned the correct username:

SELECT * FROM userinfo WHERE username = 'abc123'This 'abc' should be the same as '' and if it isn't...why?Incorrect password, please try again.

//Now here is my logic, and please correct me....
//From the line below:

$check = mysql_query("SELECT * FROM userinfo WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Arent I assigning the variable "$check" to be the username?

//Then below in the While statement, am i not stating that "$info" is
//assigned the username, from the variable "$check"?

while($info = mysql_fetch_array( $check ))

//then this section below in the While statement is basically saying
//compare 'pword' with $info which is like saying compare the
//username and password against eachother? Which is why i can not
//validate the password?

$_POST['pword'] = stripslashes($_POST['pword']);
$info['password'] = stripslashes($info['password']);
$_POST['pword'] = $_POST['pword'];

if ($_POST['pword']!= $info['password'])

cameraman

1:05 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



$check is the mysql resource identifier for that query.
$info receives 'the next row' returned from the query each pass through the while, and ends up being an array.

$info['username'] is an element of the array, the username
$info['password'] is an element of the array, the password

cameraman

1:09 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Right below $check = mysql_query(...

do this:
$info = mysql_fetch_array($check);
print_r($info);
echo "<br />";
echo "Posted user name: " . $_POST['username'] . "<br />";
die();

justageek

1:23 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



print_r($info);

As cameraman says - that'll print out all the values in the array and tell you if the one you are after is indeed there or not.

JAG

tonynoriega

2:30 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Here is the output:

Array ( [0] => New User Registration [subject] => New User Registration [1] => Donald [fname] => Donald [2] => Trump [lname] => Trump [3] => DonaldTrump [username] => DonaldTrump [4] => 94c18c63faa9e67f9f1090c172ab8c78 [pword] => 94c18c63faa9e67f9f1090c172ab8c78 [5] => 2525 Rich Way [address] => 2525 Rich Way [6] => Millions [city] => Millions [7] => MI [state] => MI [8] => 25252 [zip] => 25252 [9] => 9879879879 [phone] => 9879879879 [10] => tonynoriega@cableone.net [email] => tonynoriega@cableone.net [11] => Trump Towers [company] => Trump Towers [12] => Your Fired! [message] => Your Fired! [13] => 0000-00-00 00:00:00 [datetime] => 0000-00-00 00:00:00 [14] => 45 [id] => 45 )
Posted user name: DonaldTrump

cameraman

3:08 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



We know it's getting the record there, then. Replace the print_r & echo with your if:
if(md5($_POST['pword'])!= $info['password']) {
die('Incorrect password, please try again.');
}

and comment anything between that and your cookie/redirect segment:
/*
don't know if you knew this but
this comments several lines of
code.
*/

tonynoriega

3:19 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Same thing....

"Incorrect password, please try again"

I just need to take you advice and start fresh with 2 fields and try to build up on that...i dont know what i did wrong or where....
this is killing me.....

im going to try for a few more hours to see what i might be able to see...but after that....its square one.

tonynoriega

3:32 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK...now is the new issue....

Cameraman i removed what you just had me put in....and i wish i knew what exactly i did...BUT

now when i login, it does not give me an error, BUT the login page goes blank...?

tonynoriega

3:34 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Here is the entire loginpage.php script one more time:

<?php

$dbhost = "localhost";
$dbname = "name";
$dbuser = "user";
$dbpass = "password";

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

if (isset($_POST['submit'])) {

if(!$_POST['username'] ||!$_POST['pword']) {
die('You need to enter a username and password to continue.');
}

$check = mysql_query("SELECT * FROM userinfo WHERE username = '".$_POST['username']."'")or die(mysql_error());
$info = mysql_fetch_array($check);

$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database. <a href=indextest.php>Click Here to Register</a>');
}

while($info = mysql_fetch_array( $check ))
{

$_POST['pword'] = stripslashes($_POST['pword']);
$info['password'] = stripslashes($info['password']);
$_POST['pword'] = $_POST['pword'];

if ($_POST['pword']!= $info['password']) {
echo "This '".$_POST['pword']."' should be the same as '".$info['password']."' and if it isn't...why?";
die('Incorrect password, please try again.');
}

else
{

$_POST['username'] = stripslashes($_POST['username']);

$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pword'], $hour);

header("Location: http://www.example.com/Home/index.php");
}

}

}
else {

?>

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
//HTML Login stuff goes here
</form>
<?php
}
?>

[edited by: jatar_k at 4:46 am (utc) on Jan. 29, 2007]
[edit reason] examplified [/edit]

cameraman

3:43 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



strike that, didn't refresh before posting.
ok, looking at previous post now..

tonynoriega

3:54 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just to clarify, AFTER i hit the login submit button does the page go blank....

its not blank to start, just after i submit...

cameraman

3:57 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You've still got
$info = mysql_fetch_array($check);

in there, so when it gets to the while there aren't any more records and it doesn't enter the while. Then there's nothing left for it to do so you stare at a blank screen.
But it looks like your removed the md5() when checking $_POST['pword'] against $info['password'] - from the array echo, $info['password'] definitely isn't plain text.

tonynoriega

4:22 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



i got it....i got it....

sweet lord i got it....

CAMERAMAN...JAG....HENRY0.....

thanks for all your help, insight, guidance....etc....

problem solved.

thanks for staying up on this with me....im continuing the rest of the site...

thanks

tonynoriega

4:24 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Next question....

Once a user registers, logs in, and gets to the meat of the site...

What can i use to implement to keep anyone from just typing the URI directly and getting into the meat of the site?

i used a "invalid referrer" script, but that was only for a single page....

What can i implement on every page that will keep unwanted visitors out who have not registered or logged in?

jatar_k

4:46 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



you need an auth check script

check this thread out
[webmasterworld.com...]

cameraman

6:05 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So, tn, will you be sharing what the problem turned out to be?

I have a sessions table. When someone logs in, s/he gets INSERTed into the table with login time and last activity time. As the person moves around the web site, last activity time gets updated. The same routine takes the opportunity to delete any records whose last activity was older than x minutes (so no cron jobs needed). If the person isn't authorized for the page (either from permissions based bits or not logged in) the appropriate message is displayed instead of page contents.

I store the table record identifier in the cookie, so it's pretty much meaningless on the other side - someone would have to come up with both a valid PHP session id as well as valid table id that match.
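As an added example (not cameraman's code), here is a sessions table of the kind he describes: a row is inserted at login, last activity is refreshed on every page view, idle rows are purged by the same routine so no cron job is needed, and a protected page refuses to render when the cookie does not map to a live row. It uses PDO with in-memory SQLite so it runs stand-alone; the table layout, the cookie name `sid`, the idle limit and the timestamps passed as `$now` are all constructed for this example. One deliberate departure from the post: the cookie carries a random 256-bit token rather than the table's row id, because a row id is sequential and guessable while a random token is not.

```php
<?php
// Added example, not cameraman's code. Assumes PHP 7+ with pdo_sqlite.
// $now is passed in explicitly so expiry can be exercised without waiting.

function open_session_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE sessions (
        token         TEXT PRIMARY KEY,
        username      TEXT NOT NULL,
        login_time    INTEGER NOT NULL,
        last_activity INTEGER NOT NULL
    )');
    return $pdo;
}

// Called once, after the password check succeeds. Returns the value to put
// in the cookie: 32 random bytes, hex-encoded, unrelated to any row id.
function create_session(PDO $pdo, string $username, int $now): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO sessions (token, username, login_time, last_activity)
                           VALUES (:t, :u, :login, :seen)');
    $stmt->execute([':t' => $token, ':u' => $username, ':login' => $now, ':seen' => $now]);
    return $token;
}

// Called at the top of every protected page. Purges sessions idle for longer
// than $idle_limit seconds, then resolves the cookie token to a username,
// refreshing last_activity on success. Returns null when not logged in.
function check_session(PDO $pdo, ?string $token, int $now, int $idle_limit = 900): ?string {
    $pdo->prepare('DELETE FROM sessions WHERE last_activity < :cutoff')
        ->execute([':cutoff' => $now - $idle_limit]);

    // A missing or malformed cookie is simply "not logged in".
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT username FROM sessions WHERE token = :t');
    $stmt->execute([':t' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $pdo->prepare('UPDATE sessions SET last_activity = :now WHERE token = :t')
        ->execute([':now' => $now, ':t' => $token]);
    return $row['username'];
}

// Logout: deleting the row makes the token useless even if the cookie lingers.
function destroy_session(PDO $pdo, string $token): void {
    $pdo->prepare('DELETE FROM sessions WHERE token = :t')->execute([':t' => $token]);
}

// Stand-alone run with constructed timestamps (seconds).
$pdo   = open_session_db();
$t0    = 1000000;
$token = create_session($pdo, 'abc123', $t0);
var_dump(check_session($pdo, $token, $t0 + 60));         // active: returns the username
var_dump(check_session($pdo, 'not-a-token', $t0 + 60));  // malformed cookie
var_dump(check_session($pdo, $token, $t0 + 60 + 901));   // idle longer than 900 s: purged
destroy_session($pdo, $token);
```

In a real page the token goes out with `setcookie('sid', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Strict'])` (the options-array form exists from PHP 7.3) and each protected page calls `check_session($pdo, $_COOKIE['sid'] ?? null, time())` before emitting any content, showing an error page instead when it returns null. Storing the username itself in a cookie, as the login script earlier in this thread does, lets anyone who can edit cookies impersonate any user; with the table lookup the cookie proves nothing unless a matching row is present.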

tonynoriega

3:06 pm on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I was so fed up with the fact that the passwords were not validating correctly that i just dumped the table, started fresh with a new table and poof....!

i have no idea why that would have done it but it did....

I do not think i put a specific "type" on the password column....but just setting up a new table seemed to fix it...

henry0

6:56 pm on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Glad you did it :)
Before dumping the previous table your problem was that you were inserting not updating (Which is fine)
so depending on the "ORDER BY" or no order you were calling the first "funky" set of PW