+ 2

How to create a login system using php and sql

I want to create a login system, but whenever I try to log in it always shows a "password incorrect" error.

1st Oct 2017, 6:27 AM
Shubham Bauskar
16 Answers
+ 2
1 - Get password from database (It's in md5) - $passuserdb = "SELECT ......"
2 - $md5pass=md5($pass) - You convert user writing pass to md5.
3 - If $passuserdb == $md5pass
2nd Oct 2017, 8:18 PM
Daniel
+ 6
Post your code so people can help you.
30th Sep 2017, 4:28 PM
Ipang
+ 5
Adding a point after @Daniel's answer, you can also use the md5 function on the server through the SQL query, like:

SELECT email, password FROM users WHERE email='$email' AND password=MD5('$password')

Then check if there are any records in the query result; if not, it means no record matched the user (invalid user).

Hth, cmiiw
2nd Oct 2017, 10:08 PM
Ipang
+ 5
@Daniel, your solution was excellent as well. As a side note, I read a notice about how md5 and sha1 exploits are becoming more prevalent, and that MySQL dev now recommends the use of sha2. I guess what we thought was secure is not all that secure anymore :) https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html
2nd Oct 2017, 10:53 PM
Ipang
+ 5
Glad to know your problem is solved :)
3rd Oct 2017, 9:06 AM
Ipang
+ 4
Maybe you are checking in a bad way or with an incorrect data type. Share your code.
30th Sep 2017, 4:42 PM
Daniel
+ 4
@Daniel that is so true, I agree with you :)
2nd Oct 2017, 11:42 PM
Ipang
+ 4
Thank you Ipang and Daniel, finally fixed it.
3rd Oct 2017, 9:00 AM
Shubham Bauskar
+ 3
I think you should focus on the password_verify function, as that is the one that confirms password validity. If it's possible could you post the password_verify code also? I will assume that there's no problem in connection and SQL query execution process for now.
1st Oct 2017, 8:10 AM
Ipang
+ 3
Excellent Ipang, more directly, without using other variables or instructions.
2nd Oct 2017, 10:36 PM
Daniel
+ 3
Could be, Ipang. As I always say, all that man creates, the same man destroys. In this case I think MD5 is exploited, maybe with brute force using dictionaries. Currently you can search the internet for some websites where you can "hack" passwords, but really they have a great database.
2nd Oct 2017, 11:02 PM
Daniel
+ 2
What encryption method do you use to save the password in the database?
2nd Oct 2017, 12:28 PM
Daniel
+ 1
login page code

<?php
include("connect.php");
include("functions.php");

// Already logged in: go straight to the profile page.
if (logged_in()) {
    header("location:profile.php");
    exit();
}

$error = "";

if (isset($_POST['submit'])) {
    $email = mysqli_real_escape_string($con, $_POST['email']);
    $password = mysqli_real_escape_string($con, $_POST['password']);
    $checkBox = isset($_POST['keep']);

    if (email_exists($email, $con)) {
        $result = mysqli_query($con, "SELECT password FROM users WHERE email='$email'");
        $retrievepassword = mysqli_fetch_assoc($result);

        // password_verify() expects a hash in the format produced by password_hash() (or crypt()).
        if (!password_verify($password, $retrievepassword['password'])) {
            $error = "Password is incorrect";
        } else {
            $_SESSION['email'] = $email;
            if ($checkBox == "on") {
                setcookie("email", $email, time() + 3600);
            }
            header("location: profile.php");
            exit(); // stop here so the login form is not rendered after the redirect
        }
    } else {
        $error = "Email Does not exists";
    }
}
?>
<!doctype html>
<html>
<head>
    <title>Login Page</title>
    <link rel="stylesheet" href="css/styles.css" />
</head>
<body>
    <div id="error" style=" <?php if($error !=""){ ?> display:block; <?php } ?> "><?php echo $error; ?></div>
    <div id="wrapper">
        <div id="menu">
            <a href="index.php">Sign Up</a>
            <a href="login.php">Login</a>
        </div>
        <div id="formDiv">
            <form method="POST" action="login.php">
                <label>Email:</label><br/>
                <input type="text" class="inputFields" name="email" required/><br/><br/>
                <label>Password:</label><br/>
                <input type="password" class="inputFields" name="password" required/><br/><br/>
                <input type="checkbox" name="keep" />
                <label>Keep me logged in</label><br/><br/>
                <input type="submit" name="submit" class="theButtons" value="login" />
            </form>
        </div>
    </div>
</body>
</html>
1st Oct 2017, 6:18 AM
Shubham Bauskar
+ 1
Thanks for your reply. I fixed the problem, but I can only get it when I save the password as normal text, so can someone give me code for decrypting the password during login?
2nd Oct 2017, 12:01 PM
Shubham Bauskar
+ 1
md5
2nd Oct 2017, 2:33 PM
Shubham Bauskar
+ 1
If you have your password stored in the database with MD5 encryption, then when you get it from the database to compare with the user login, you must apply the md5 function to the password which the user writes: md5($pass). In the same way, because you must compare the password which the database has for the specific user, which is in MD5, with the password which the user writes in plain text, you must first convert the plain text to md5.
2nd Oct 2017, 8:15 PM
Daniel
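Added example, not part of any post in this thread: the login page above calls password_verify() while the stored value is described as an MD5 digest, so the two can never match. The sketch below accepts such legacy MD5 rows once and replaces them with a password_hash() value on the first successful login. The in-memory SQLite table, the sample user and the login() helper are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Constructed data: one user whose
// password was stored as an unsalted MD5 hex digest, as the thread describes.
$pdo = new PDO('sqlite::memory:'); // assumption: SQLite stands in for the MySQL users table
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice@example.com', md5('correct horse')]);

// Hypothetical helper: verifies a login and upgrades legacy MD5 rows in place.
function login(PDO $pdo, string $email, string $password): bool
{
    // Bound parameter instead of string concatenation; the raw password is
    // never escaped or altered before it is hashed.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown e-mail
    }

    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        // Legacy row: a bare MD5 digest, which password_verify() cannot match.
        $ok = hash_equals(strtolower($stored), md5($password));
        $rehash = $ok; // replace the MD5 digest on the first successful login
    } else {
        $ok = password_verify($password, $stored);
        $rehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($rehash) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE email = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
    }
    return $ok;
}

// The thread's symptom: password_verify() is given an MD5 digest, not a password_hash() value.
var_dump(password_verify('correct horse', md5('correct horse')));
var_dump(login($pdo, 'alice@example.com', 'wrong guess'));   // wrong password against the legacy row
var_dump(login($pdo, 'alice@example.com', 'correct horse')); // right password against the legacy row
$row = $pdo->query('SELECT password FROM users')->fetchColumn();
var_dump(password_get_info($row)['algoName']);               // algorithm of the value now stored
var_dump(login($pdo, 'alice@example.com', 'correct horse')); // same password, now via password_verify()
```

A password_hash() value is longer than an MD5 digest, so the password column must be wide enough to hold it without truncation; the PHP manual suggests 255 characters.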