I have searched for a few days for the answer for this, so I figured I would try to come here to try to learn where I went wrong, rather than scrap the code and rewrite everything.
I have a user registration form and a mysql db with all relevant user login field... Username, name, password (sha1), etc. When I register a user, with the same information from the connectdb.php that connects to my database, it works, and enters all information into the database (with the password encrypted as well).
However... here it comes.. when I try to login with some credentials that I know should match, my code is returning my message from my code below, "This Information does not match any records; please try again."
/////////// Here is the code for my login, truncated:
<?php
include_once('connectdb.php');
include_once('global.php');
include_once('validate.php');
?>
<form action="?action=userlogin" method="post">
<input type="text" name="username" placeholder="Enter Your Username" required /><br>
<input type="password" name="password" placeholder="Password" required /><br>
<input type="checkbox" name="remember" value="yes" checked="checked" /> Remember Me<br>
<input type="Submit" value="Login" />
////////// Here is the code for my form validation:
<?php
$action = $_REQUEST["action"];
switch($action){
/////// START USER LOGIN ACTION /////////
case "userlogin":
if(isset($_POST['username'])) {
$message = '';
$username=$_POST['username'];
$password=$_POST['password'];
$remember=$_POST['remember'];
// Error handling
if( (!$username) || (!$password) ){
$message = 'Please fill in both username and password';
} else {
//secure the data
$username = mysql_real_escape_string($username);
$password = sha1($pass1);
$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1") or die('Could not check member');
$count=mysql_num_rows($query);
if($count == 0){
$message ='This Information does not match any records; please try again.';
} else {
//start the sessions
$_SESSION['password'] = $password;
while($result = mysql_fetch_array($query)){
$id = $result['id'];
}
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
if($remember == "yes"){
//create the cookies
setcookie("id_cookie",$id,time()+60*6*24*90, "/");
setcookie("pass_cookie",$password,time()+60*6*24*90, "/");
}
// Eventually point this to the member page
header("location: http://www.example.com/loggedin/");
$message ='Thank you for logging in!';
} // End if email and password match records
} // End if email and password are both filled out
} // End userlogin case
} // End switch statement
?>
/////////// Here is my global/sessions
<?php
session_start();
include_once('connectdb.php');
//checking if the sessions are set
if(isset($_SESSION['username'])) {
$session_username = $_SESSION['username'];
$session_pass = $_SESSION['password'];
$session_id = $_SESSION['id'];
// check if the member exists
$query = mysql_query("SELECT * FROM users WHERE id='$session_id' AND password='$session_pass' LIMIT 1") or die(mysql_error());
$count = mysql_num_rows($query);
if($count > 0){
// logged in stuff here
$logged =1;
} else {
header("Location: http://www.example.com/logout.php");
exit();
}
} else if(isset($_COOKIE['id_cookie'])) {
$session_id = $_COOKIE['id_cookie'];
$session_pass = $_COOKIE['pass_cookie'];
$query = mysql_query("SELECT * FROM users WHERE id='$session_id' AND password='$session_pass' LIMIT 1") or die(mysql_error());
$count = mysql_num_rows($query);
if($count > 0){
while($result = mysql_fetch_array($query)){
$session_username = $result['username'];
}
//create sessions
$_SESSION['username'] = $session_username;
$_SESSION['id'] = $session_id;
$_SESSION['password'] = $session_pass;
// logged in stuff here
$logged =1;
} else {
header("Location: http://www.example.com/logout.php");
exit();
}
} else {
// if the user is not logged in
$logged = 0;
}
?>
I have also heard I should switch to mysqli and am trying to research on translating my code to include that, but would like to try to focus on getting this working at all first, before securing it. If anyone has time to assist with the main problem, as well as show how I could integrate mysqli, that would be much appreciated as well! :-)
