0

Can anyone tell me why this simple PHP/MySQL login code is always showing "Wrong username or password" even if I type in the correct username/pass combo? I have spent a ton of time trying to figure this out.

<?php
// Database Connection
mysql_connect("IP", "charlesfries", "Password") or die(mysql_error());
mysql_select_db("charlesfriessdatabase") or die(mysql_error());

// Variables
$username = $_POST["username"]; 
$password = $_POST["password"];

$result = mysql_query("SELECT * FROM accounts WHERE username = '$username' and password = '$password'");

// Success
$count = mysql_num_rows($result);
if ($count == 1) // Checks for Single Record of Given Username & Password
{
    session_register("username"); // Registers Username Key in Session
    session_register("password"); // Registers Password Key in Session
    header("location:http://charliefries.tk/");
}

// Failure
else
{
    echo "Wrong Username or Password";
}
?>

Also, please don't tell me my code is injectable. I know it is.

Here is my form code:

<form action="signinprocess.php" method="post"> <!-- Sign In Process -->
Username: <input type="text" name="username" style="width:150">
<br />
Password: <input type="password" name="password" style="width:153">
<br />
<br />
<input type="submit" value="Sign In">
</form>
Charles Fries

2 Answers

4

Try LIMIT 1 in SELECT to ensure you only have 1 row.

Messy Coder
  • Turns out I had duplicate entries. – Charles Fries Mar 02 '13 at 03:40
  • if ($count == 1) // Checks for Single Record of Given Username & Password. Your database data may contain a duplicated username or password that returns a greater than 1 result. Try to filter and make the username unique so that there is no duplication of accounts, and encrypt your password. :) – Snippet Mar 02 '13 at 03:43
  • @user2113739 : No problem! Glad to be of help. :) – Messy Coder Mar 02 '13 at 03:45
  • That's an answer no one expected, since everyone assumed there would be no duplicate accounts – kennypu Mar 02 '13 at 03:48
  • 1
    @user2113739 Fix your database accounts; this will cause more problems in the future if the user can enter the same username and password. Duplication is Evil – Snippet Mar 02 '13 at 03:49
  • He said the code is always showing "Wrong username or password". The condition for it to be executed is anything other than $count == 1. :) – Messy Coder Mar 02 '13 at 03:55
1

There are a few "bad ideas" in your code:

  1. Don't use mysql_* for new projects. This is outdated. Switch to mysqli_* http://php.net/manual/en/book.mysqli.php
  2. Selecting by username and password is not always a good idea. In most cases, it is better to search for the username and check if the password is correct. With prepared statements, you will get something like this:

    SELECT * FROM accounts WHERE username=?

    In the next step, you can check if your password is the same as in the database, e.g. with an if statement $_POST['password']==$dataFromDB['password'].

  3. Currently you are saving the password in plain text. This is a really bad idea. Take a look at bcrypt. See How do you use bcrypt for hashing passwords in PHP?
  4. session_register is outdated. Use something like

    $_SESSION['username']=$dataFromDB['username'];

As I see it, the problem is in the (nonexistent) LIMIT. Hope these hints will help you anyway.

Oliver
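The points raised in this thread (a unique username, lookup by username through a prepared statement, a bcrypt hash instead of a plain-text password), combined in one added example that is not code from the question or either answer. It assumes PHP 7.1+ with the pdo_sqlite extension and uses PDO with an in-memory SQLite database in place of MySQL so that it runs without a server; the helper names `register` and `login`, the `password_hash` column and all sample values are constructed for illustration.

```php
<?php
// Added example with constructed data; PDO + in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// UNIQUE makes the database refuse a second row for the same username,
// so a lookup by username can never match more than one account.
$db->exec('CREATE TABLE accounts (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL
)');

// Hypothetical helper: returns false when the username is already taken.
function register(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('INSERT INTO accounts (username, password_hash) VALUES (?, ?)');
    try {
        return $stmt->execute([$username, password_hash($password, PASSWORD_BCRYPT)]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // SQLSTATE: integrity constraint violation
            return false;
        }
        throw $e;
    }
}

// Hypothetical helper: returns the account's username on success, null otherwise.
function login(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT username, password_hash FROM accounts WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same result for unknown user and wrong password
    }
    // In the request handler, after session_start():
    //   session_regenerate_id(true);
    //   $_SESSION['username'] = $row['username'];
    return $row['username'];
}

var_dump(register($db, 'charles', 'correct horse')); // first registration
var_dump(register($db, 'charles', 'other pass'));    // duplicate username
var_dump(register($db, "o'brien", 'pa55'));          // quote is data, not SQL
var_dump(login($db, 'charles', 'correct horse'));    // right password
var_dump(login($db, 'charles', 'other pass'));       // wrong password
var_dump(login($db, "o'brien", 'pa55'));             // quoted name round-trips
```

With the uniqueness enforced by the schema, the `$count == 1` style of check is no longer needed: the query returns either one row or none.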