Missing Password check

Posted by AAA on Stack Overflow
Published on 2010-12-28T21:51:44Z

I am using the code below. It checks for empty fields and verifies email, but even if the password is correct it won't log in. The password has been inserted with md5 protection; below is the code. I am new to this, so please bear with me. Thanks!

PHP:

    <?php
    session_start();

    // Checks if there is a login cookie
    if (isset($_COOKIE['ID_my_site']))
    // if there is, it logs you in and directs you to the members page
    {
        $email = $_COOKIE['ID_my_site'];
        $pass = $_COOKIE['Key_my_site'];
        $check = mysql_query("SELECT * FROM accounts WHERE email = '$email'") or die(mysql_error());
        while ($info = mysql_fetch_array($check))
        {
            if ($pass != $info['password'])
            {
            }
            else
            {
                header("Location: home.php");
            }
        }
    }

    // if the login form is submitted
    if (isset($_POST['submit'])) { // if form has been submitted

        // makes sure they filled it in
        if (!$_POST['email'] | !$_POST['password']) {
            die('You did not fill in a required field.');
        }

        // checks it against the database
        if (!get_magic_quotes_gpc()) {
            $_POST['email'] = addslashes($_POST['email']);
        }
        $check = mysql_query("SELECT * FROM accounts WHERE email = '".$_POST['email']."'") or die(mysql_error());

        // Gives error if user doesn't exist
        $check2 = mysql_num_rows($check);
        if ($check2 == 0) {
            die('That user does not exist in our database. <a href=add.php>Click Here to Register</a>');
        }
        while ($info = mysql_fetch_array($check))
        {
            $_POST['password'] = stripslashes($_POST['password']);
            $info['password'] = stripslashes($info['password']);
            $_POST['password'] = md5($_POST['password']);

            // gives error if the password is wrong
            if ($_POST['password'] != $info['password']) {
                die('Incorrect password, please try again.');
            }
            else
            {
                // if login is ok then we add a cookie
                $_POST['email'] = stripslashes($_POST['email']);
                $hour = time() + 3600;
                setcookie(ID_my_site, $_POST['email'], $hour);
                setcookie(Key_my_site, $_POST['password'], $hour);

                // then redirect them to the members area
                header("Location: home.php");
            }
        }
    }
    else
    {
        // if they are not logged in
    ?>
    <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
      <table border="0">
        <tr><td colspan=2><h1>Login</h1></td></tr>
        <tr><td>email:</td><td>
          <input type="text" name="email" maxlength="40">
        </td></tr>
        <tr><td>Password:</td><td>
          <input type="password" name="password" maxlength="50">
        </td></tr>
        <tr><td colspan="2" align="right">
          <input type="submit" name="submit" value="Login">
        </td></tr>
      </table>
    </form>
    <?php
    }
    ?>

Here is the registration code:

PHP:

    // here we encrypt the password and add slashes if needed
    $_POST['password'] = md5($_POST['password']);
    if (!get_magic_quotes_gpc()) {
        $_POST['password'] = mysql_escape_string($_POST['password']);
        $_POST['email'] = mysql_escape_string($_POST['email']);
        $_POST['full_name'] = mysql_escape_string($_POST['full_name']);
        $_POST['user_url'] = mysql_escape_string($_POST['user_url']);
    }

    // now we insert it into the database
    $insert = "INSERT INTO accounts (Uniquer, Full_name, Email, Password, User_url)
      VALUES ('".$uniquer."','".$_POST['full_name']."', '".$_POST['email']."','".$_POST['password']."', '".$_POST['user_url']."')";
    $add_member = mysql_query($insert);

After using the ini_set function I got to see the error. I am getting this message but am not sure what it means:

          Notice: Undefined index: password in /var/www/domain.com/htdocs/login.php on line 103 
          Notice: Use of undefined constant password - assumed 'password' in /var/www/domain.com/htdocs/login.php on line 11
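
The login check from the post in hardened form, as an added example that is not part of the original post: a bound parameter replaces `addslashes()` and string concatenation, `password_hash()`/`password_verify()` replace `md5()`, and the row is read with the `Password` key because fetched array keys are case-sensitive and follow the column name. It assumes PDO with the SQLite driver (in-memory so it runs offline), a reduced `accounts` table, and that the column was created as `Password`, as the registration INSERT suggests; the function names are illustrative.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO with the SQLite
// driver (in-memory, so it runs offline) and a reduced `accounts` table
// that keeps the capitalised column names from the post's INSERT.
declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (Email TEXT PRIMARY KEY, Password TEXT NOT NULL)');
    return $db;
}

function register(PDO $db, string $email, string $password): void {
    // password_hash() salts and stretches the password; md5() does neither.
    $stmt = $db->prepare('INSERT INTO accounts (Email, Password) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $email, string $password): bool {
    // Bound parameter instead of addslashes() plus string concatenation.
    $stmt = $db->prepare('SELECT Email, Password FROM accounts WHERE Email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Result keys keep the column's case: read 'Password', not 'password'.
    if ($row === false || !array_key_exists('Password', $row)) {
        return false;   // same answer for unknown user and wrong password
    }
    return password_verify($password, $row['Password']);
}

// Constructed sample data.
$db = make_db();
register($db, 'alice@example.com', 'correct horse');
$row = $db->query('SELECT * FROM accounts')->fetch(PDO::FETCH_ASSOC);
var_dump(isset($row['password']));   // lowercase key, as used in the post
var_dump(isset($row['Password']));   // key spelled as the column was declared
var_dump(check_login($db, 'alice@example.com', 'correct horse'));
var_dump(check_login($db, 'alice@example.com', 'wrong'));
var_dump(check_login($db, "x' OR '1'='1", 'anything'));

// On success, keep the identity server-side, not in a cookie holding the hash:
// session_start(); session_regenerate_id(true); $_SESSION['email'] = $email;
```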
