Browser MMO Video #5

[Nexus]

For the authenticate.php it keeps saying wrong username or password when I KNOW what I am entering is correct.
Here is my authenticate.php

Code: Select all

<link href="style.css" rel="stylesheet" type="text/css" />
<div id="authenticate" align="center">
<?php
include 'logo.php';
?>
<?php
    include_once 'connect.php';
    session_start();

    if (isset($_POST['submit']))
    {
      $player=$_POST['name'];
      $password=$_POST['password'];
      $player=strip_tags($player);
      $password=strip_tags($password);
      $password=md5($password);

      $query = "select name,password from players where name='$player' and password='$password'";
      $result = mysql_query($query) or die("Could not query players");
      $result2 = mysql_fetch_array($result);
      if ($result2)
      {
        $_SESSION['player']=$player;
       
        echo "Logged in successfully<br/>";
        echo "<A href='index.php'><input type='button' value='Enter the game!' name='button'";
      }
      else
      {
       echo "Wrong username or password.<br/>";
	   echo	"<A href='login.php'><input type='button' value='Go Back!' name='button'>";
      }
    }
    ?>

Here is my login.php aswell

Code: Select all

<?php
include 'logo.php';
?>
<link href="style.css" rel="stylesheet" type="text/css" />
<form method="POST" action="authenticate.php">
<div id="login" align="center">
Username: <input type="text" name="name" size="21" /><br />
Password: <input type="password" name="password" size="12" mask="x" /><br />
<input type="submit" value="Login" name="submit" /><br />
</form>
Not registered? Register here! <a href="register.php"><input type="button" value="Register" name="button" />
 </div>

[ConceptDestiny]

You need to check that the db username and db password equals what the user typed in. Here's a quick way you can achieve that:

Code: Select all

replace your if($result2) with:
if ($result2['name'] == '$player' AND $result2['password'] == '$password')

Don't forget to protect your $_POST and $_GET methods from SQL injections
http://php.net/manual/en/security.datab ... ection.php

appending mysql_real_escape_string on your $_POST covers most sql injections, if not all I believe? For example:
$username = mysql_real_escape_string($_POST['username']);

[hallsofvallhalla]

is your password field in the DB set to 32 characters or more?

[Nexus]

its set to 12

[ConceptDestiny]

Ah, then you must change it to 32 character length, as the MD5 encryption create a 128-bit hash value which requires 32 characters for the field.

[Nexus]

I changed it and I'm still getting the problem :/

[ConceptDestiny]

Show us your updated code.

[Nexus]

here it is (authenticate.php)

Code: Select all

<link href="style.css" rel="stylesheet" type="text/css" />
<div id="authenticate" align="center">
<?php
include 'logo.php';
?>
<?php
    include_once 'connect.php';
    session_start();

    if (isset($_POST['submit']))
    {
      $player=$_POST['name'];
      $password=$_POST['password'];
      $player=strip_tags($player);
      $password=strip_tags($password);
      $password=md5($password);

      $query = "select name,password from players where name='$player' and password='$password'";
      $result = mysql_query($query) or die("Could not query players");
      $result2 = mysql_num_rows($result);
      if ($result2['name'] == '$player' AND $result2['password'] == '$password')
      {
        $_SESSION['player']=$player;
       
        echo "Logged in successfully<br/>";
        echo "<A href='index.php'><input type='button' value='Enter the game!' name='button'";
      }
      else
      {
       echo "Wrong username or password.<br/>";
	   echo	"<A href='login.php'><input type='button' value='Go Back!' name='button'>";
      }
    }
    ?>

[ConceptDestiny]

Check the existing value for the password you're trying to use, as it may be truncated.

[Nexus]

so check code or my database?