Mysqli Login not working

I am recoding my site to mysqli; however, I am having trouble switching my login page over. I would appreciate any help I could get.

login.php - nothing should have to be changed here.
[php]<?php
$pagetitle = "Login";
include "header.inc.php";

// Count the login page view. $datestamp5 and $one are assumed to be set in
// header.inc.php. The original had a stray ';' after the if() condition, which
// ended the if statement there and made the block run unconditionally.
if ($stmt = $mysqli->prepare("UPDATE stats SET logins=logins+1, lastupdated = ? WHERE id = ?"))
{
    // 'd' binds $datestamp5 as a double; use 's' if lastupdated is a DATETIME string
    $stmt->bind_param('di', $datestamp5, $one);
    $stmt->execute();
    $stmt->close();
}

echo <<<END

Login

Email
Password
END;

include "footer.inc.php";
?>[/php]

login.pro.php
[php]<?php
include "connect.inc.php";

// strip_mq_gpc() is the site's own helper (defined elsewhere, not shown in the thread).
// With prepared statements the values below are bound, not interpolated, so
// mysqli_real_escape_string() does nothing useful here.
$useremail = mysqli_real_escape_string($mysqli, $_POST["usr_email"]);
$useremail = htmlspecialchars(strip_tags(strip_mq_gpc(trim($useremail))));

// Everything applied to $password here changes what gets hashed, so it must be
// exactly what register.php did before storing the hash, or PwdHash() below
// can never reproduce the stored value.
$password = mysqli_real_escape_string($mysqli, $_POST["pwd"]);
$password = htmlspecialchars(strip_tags(strip_mq_gpc($password)));

// $usercond is interpolated into the SQL, which is safe only because it is one
// of these two fixed column names and never comes from the request.
if (strpos($useremail, '@') === false) {
    $usercond = "username";
} else {
    $usercond = "useremail";
}

$login = $mysqli->prepare("SELECT id, username, pwd, approved FROM users WHERE $usercond = ? AND banned = '0'");
$login->bind_param('s', $useremail);
$login->execute();
$login->store_result();
$numcheck = $login->num_rows;
$login->bind_result($id, $user, $pass, $approved);
$login->fetch(); // fills $id, $user, $pass and $approved from the first row
$login->close();

// These values came from the database, not from the request. $pass in
// particular must stay exactly as stored for the comparison below to work
// (the salt+sha1 output is hex, so these calls happen to leave it unchanged).
$id = mysqli_real_escape_string($mysqli, $id);
$id = htmlspecialchars(strip_tags(strip_mq_gpc(trim($id))));

$user = mysqli_real_escape_string($mysqli, $user);
$user = htmlspecialchars(strip_tags(strip_mq_gpc(trim($user))));

$pass = mysqli_real_escape_string($mysqli, $pass);
$pass = htmlspecialchars(strip_tags(strip_mq_gpc(trim($pass))));

$approved = mysqli_real_escape_string($mysqli, $approved);
$approved = htmlspecialchars(strip_tags(strip_mq_gpc(trim($approved))));

// A matching row was found - now check the password.
if ($numcheck > 0) {

    // The original called mysql_fetch_row($login) at this point. That belongs to
    // the old mysql extension and cannot read a mysqli statement: on PHP 5 it
    // fails and leaves the four variables empty, and on PHP 7+ the function no
    // longer exists. bind_result()/fetch() above already filled them, so the
    // line is dropped.

    if (!$approved) {
        header("Location: login.php?error=Your+account+is+not+activated.+Please+check+your+email+for+your+activation+code.");
        exit; // without exit the rest of the script still runs after the redirect
    }

    // check against salt: the first 9 characters of the stored value are the salt
    if ($pass === PwdHash($password, substr($pass, 0, 9))) {
        // this sets session and logs user in
        session_start();
        session_regenerate_id(true); // prevent against session fixation attacks.

        // this sets variables in the session
        $_SESSION['user_id'] = $id;
        $_SESSION['username'] = $user;
        //$_SESSION['rank'] = $rank;
        $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

        // update the timestamp and key for cookie (GenKey() is the site's own function)
        $stamp = time();
        $ckey = GenKey();

        // Bind types changed from 'sii': ctime gets the integer timestamp and
        // ckey the key string (assuming GenKey() returns a string, as the name
        // suggests); binding a string as 'i' would have stored 0.
        $result = $mysqli->prepare("UPDATE users SET ctime = ?, ckey = ? WHERE id = ?");
        $result->bind_param('isi', $stamp, $ckey, $id);
        $result->execute();
        $result->close();

        // set a cookie. Note that this sends the stored password hash to the
        // browser; the random $ckey just saved is what a login cookie should carry.
        setcookie("14182525_mwapass", $pass, time()+3600*24);
        setcookie("54865421545_mwauser", $user, time()+3600*24);
        header("Location: myaccount.php");
        exit;
    }
    else
    {
        header("Location: login.php?error=Invalid+login.+Please+try+again+with+your+correct+email+and+password.");
        exit;
    }
} else {
    header("Location: login.php?error=Invalid+login.+No+such+user+exists.");
    exit;
}
?>[/php]

If you need any more information, let me know. This has been a problem I have been trying to solve for a few days.

I did not run your code, but what exactly is not working?

I probably should have mentioned that the problem is when I enter a correct login, it says “Invalid login. Please try again with your correct email and password.” and does not log me in.

Why are you using === to compare the password?

Well, “===” is what I used when I was using mysql and it worked fine. Just now I tested that part of the code for the password and it didn’t work with just “==”, but it did do something different when entering just a single equal sign... it still didn’t log me in like it was supposed to, though. Now it seems to attempt to go to myaccount.php but fails and returns to the homepage with the error “You do not have access to that page. Sorry for the inconvenience.”

It seems to not be setting the cookies or something? I am not sure.

Here is the code that brings up “You do not have access to that page. Sorry for the inconvenience.”
[php]if (!$checkrank) { $checkrank = 0; }
if (!$rank) { $rank = 0; }
if ($rank == ' ') { $rank = 0; }
if ($rank < $checkrank)
{
    // error() and $baseURL are the site's own helper and global, defined elsewhere
    die(header(error("$baseURL/index.php", "You do not have access to that page. Sorry for the inconvenience.")));
}[/php]

On myaccount.php page the $checkrank = 2 (which is the default rank for new members).

Yeah, the cookie might not be being set properly, but it is not even going into the password match if statement.
I'm looking into your code; I will post back if I find anything.

By looking at this
[php]
($pass === PwdHash($password, substr($pass, 0, 9)))
[/php]
I assume you have a function that accepts 2 parameters (password, string), but I think the problem is what you are sending with substr.

I don't understand why you use substr. Can you show the function PwdHash?

Why not use md5 encryption? It is more secure.

I kind of pinpointed the problem, or at least a problem. It is the cookies: it is storing the password cookie but not the user cookie.

When I found this out I tried a few other things and eventually got the user cookie to work (meaning I actually got it to be stored in the browser just like the password cookie).

Here is what I changed to get the user cookie to work somewhat. However, it is still giving the “You do not have access to that page. Sorry for the inconvenience.” error and not actually logging in the user.
[php]setcookie("54865421545_mwauser", sha1($user), time()+3600*24);[/php]

I don't know how you got it to set cookies; cookies are set after you pass ($pass === PwdHash($password,substr($pass,0,9))), which is obviously not passing because it is giving you the else statement.

No, it is not giving me the else statement; well, not anymore, that is. Now it uses

[php]header("Location: myaccount.php");[/php]

which is in the ($pass === PwdHash($password,substr($pass,0,9)))

So it is working fine now. The password is matching, which is good.

If it is still not logging you in, it is the cookies not being set.

The user cookie is not being set correctly.

It won’t get set like this:
[php]setcookie("54865421545_mwauser", $user, time()+3600*24);[/php]

but it will set the cookie for the user like this (which I do not know how to work with):
[php]setcookie("54865421545_mwauser", sha1($user), time()+3600*24);[/php]

It always sets the pass cookie it seems.

Just tested with false information and it does the same thing as with correct information. It seems I may just need to restart from scratch (again)?

The problem is just that it is not comparing the password correctly.

How are you encrypting the password in the database?

How about trying to store plain text? And to compare, you just compare it with plain text.

I did some tests and you are right, it is not encrypting the password correctly. When using plain text for a password the code works correctly, with a false login and a correct one (which is good to know :)).

What I use to hash:
[php]function PwdHash($pwd, $salt = null)
{
    if ($salt === null) {
        // new password: make a 9-character salt
        $salt = substr(md5(uniqid(rand(), true)), 0, 9);
    }
    else {
        // existing hash: reuse its first 9 characters as the salt
        $salt = substr($salt, 0, 9);
    }
    // stored form is the salt followed by sha1(password . salt)
    return $salt . sha1($pwd . $salt);
}[/php]

Right now I am trying some other hash functions and still seem to have trouble.

WOW! I believe I fixed the problem. I need to do some more tests to make sure it is working exactly like I want it to.

The problem:
[php]$login->bind_param('sd', $useremail, $pass);[/php]

I recoded some of the login so the password would be put in and compared right away. Thanks for all the help! I really appreciate it. :slight_smile:

Please use this function instead.
[php]
<?php
function pwhash($password, $iterations = 13)
{
    $hash = md5($password);
    for ($i = 0; $i < $iterations; ++$i) {
        $hash = md5($hash . $password);
    }
    return $hash;
}
// to call it: the argument is the password; iterations is optional
echo pwhash("mypassword");
?>
[/php]

  1. In your register php file you include the function and encrypt the user password, then store it in the database
  2. On the login you call the function again to encrypt the user input and compare with the database encrypted password

Let me know if it works.
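The register/login flow described in the two steps above, and the salt handling from the PwdHash() function posted earlier, as an added example that is not the original poster's code nor the replying poster's. It keeps PwdHash()'s stored-hash layout (a 9-character salt prefix followed by sha1(password . salt)) and shows both halves: hashing once at registration and recomputing with the stored salt at login. The `users` table columns (id, username, useremail, pwd, approved, banned), the `$mysqli` connection, and the function names `makeHash`, `verifyHash`, `loginColumn`, `fetchUser` and `checkLogin` are all assumptions made for this example.

```php
<?php
// Added example, not the thread's own code. Assumed: a `users` table with
// columns id, username, useremail, pwd, approved, banned, and a $mysqli
// connection created elsewhere (e.g. connect.inc.php).
declare(strict_types=1);

// register.php side: hash the raw password once and store the result in users.pwd.
// Same layout as the thread's PwdHash(): 9-char salt + sha1(password . salt).
function makeHash(string $password): string
{
    // random_bytes() stands in for the page's md5(uniqid(rand())) salt; same width.
    $salt = substr(bin2hex(random_bytes(8)), 0, 9);
    return $salt . sha1($password . $salt);
}

// login side: take the salt from the stored value, recompute, and compare.
function verifyHash(string $password, string $stored): bool
{
    $salt = substr($stored, 0, 9);
    $expected = $salt . sha1($password . $salt);
    // hash_equals() rather than ===: the comparison takes the same time whether
    // the strings differ in the first byte or the last.
    return hash_equals($stored, $expected);
}

// The column name is interpolated into the SQL, so it must come from this fixed
// choice and never from the request itself.
function loginColumn(string $login): string
{
    return strpos($login, '@') === false ? 'username' : 'useremail';
}

// Prepared lookup: the value is bound, so no escaping is applied to it.
// Returns null when no matching, unbanned row exists.
function fetchUser(mysqli $db, string $login): ?array
{
    $col = loginColumn($login);
    $stmt = $db->prepare("SELECT id, username, pwd, approved FROM users WHERE $col = ? AND banned = '0'");
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $stmt->bind_result($id, $user, $pwd, $approved);
    $row = null;
    if ($stmt->fetch()) {
        $row = ['id' => (int) $id, 'username' => $user, 'pwd' => $pwd, 'approved' => (bool) $approved];
    }
    $stmt->close();
    return $row;
}

// Full login decision: true only for an approved user whose password verifies.
function checkLogin(mysqli $db, string $login, string $password): bool
{
    $row = fetchUser($db, $login);
    if ($row === null || !$row['approved']) {
        return false;
    }
    return verifyHash($password, $row['pwd']);
}

// Offline demonstration with a constructed password (no database needed).
$stored = makeHash('correct horse');            // what register.php would store
var_dump(verifyHash('correct horse', $stored));
var_dump(verifyHash('wrong password', $stored));

// If the stored hash was made from the raw password, any transformation applied
// to the login input before hashing (htmlspecialchars, escaping, trim) yields a
// different hash, and the login fails even though the password is right.
$stored2 = makeHash("it's<mine>");
var_dump(verifyHash(htmlspecialchars("it's<mine>"), $stored2));
var_dump(verifyHash("it's<mine>", $stored2));
```

The first two var_dump calls show a correct and a wrong password against the same stored value; the last two show the same correct password failing when it is escaped before hashing and passing when it is not, which is why the login script must hash exactly what register.php hashed. On PHP 5.5 or later, password_hash() and password_verify() replace makeHash()/verifyHash() with a scheme designed for passwords, and the rest of the flow stays the same.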

It works! Yay! Thank you. :smiley:

Did you use my function?

So the solution was that it was not being encrypted correctly?

Yes, I believe that was the problem.
