Password and confirmation passw not equal after submit

Hi friends,
I'm writing a login.php script.
I stored the password in mysql db as encrypted format using md5.
(It's in registration.php and it works well).
There is a no problem in registering new users.

When the login form exists, the password and confirm password didn't match always. It shows only "Password didn't match, plz try again".

Can anyone help me.....??? The code which wrongly works is as follows:

while($info = mysql_fetch_array( $check ))
{
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);
if ($_POST['pass'] != $info['password'])
{
die('Incorrect password, please try again.');
}
else
{
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pass'], $hour);
//header("Location: members.php");//temporarily disable this.
}
}

Plz... Tell me the correct code soon...

I couldn't find any reason for the error...
You can though do one thing...
Just before comparing the passwords, echo both the passwords and see whats the reason.
[PHP]while($info = mysql_fetch_array( $check ))
{
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);

//add this temporarily
echo "DB password=".$info['password']."<br>Submitted password=".$_POST['pass']."<br>md5 of submitted=";


$_POST['pass'] = md5($_POST['pass']);

//this too
echo $_POST['pass'];

if ($_POST['pass'] != $info['password'])
{
die('Incorrect password, please try again.');
}
else
{
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pass'], $hour);
header("Location: members.php");
}
}[/PHP]

Also I don't think its a good idea to save password in db in md5. Use md5 just to save password in cookie. And take md5 of password in db each time you compare it with the cookie's password.

Do ask some senior person too, I'm not sure if its a better way. Do tell me also if its not the right way.

Actually, it is best practise to save the md5()'d password into the database, as this if someone were to crack the database, they wouldn't be able to use the passwords. :)

Not even you, the webmaster, should be able to see what the passwords are.

Apart from the correct use of MD5 values and $_POST arrays to store temp values:

Are you sure that $info['password'] is already MD5-ed?
Because you compare an MD5 result value in $_POST['pass'] with it.

Ronald

Hi friends,
I'm writing a login.php script.
I stored the password in mysql db as encrypted format using md5.
(It's in registration.php and it works well).
There is a no problem in registering new users.
When the login form exists, the password and confirm password didn't match always. It shows only "Password didn't match, plz try again".
The whole code for login.php which I wrote is as follows:

Cany any one tell me what is the wrong with this code...???

You read this: http://www.thescripts.com/forum/faq....ask_a_question

while i read your code:


[PHP]
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("mydb") or die(mysql_error());
if(isset($_COOKIE['ID_my_site']))
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($pass != $info['password'])
{
}
else
{
header("Location: members.php");
}
}
}
if (isset($_POST['submit']))
{
if(!$_POST['username'] | !$_POST['pass'])
{
die('You did not fill in a required field.');
}
$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 == 0)
{
die('That user does not exist in our database.
<a href=register.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check ))
{
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);
if ($_POST['pass'] != $info['password'])
{
die('Incorrect password, please try again.');
}
else
{
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pass'], $hour);
header("Location: members.php");
}
}
}
else
{
?>

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr>
<td colspan=2>
<h1>Login</h1>
</td>
</tr>
<tr>
<td>Username:</td>
<td>
<input type="text" name="username" maxlength="40">
</td>
</tr>
<tr><td>Password:</td>
<td>
<input type="password" name="pass" maxlength="50">
</td>
</tr>
<tr>
<td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td>
</tr>
</table>
</form>
<?php
}

?>

[/PHP]

Thank U very much.
As i'm new to this site, i didn't know the rules n regulations...
I never do this again.
Thanks again...

Then I suggest you read the Posting Guidelines before you continue!. You have already 16 posts so you are not that new!

Btw this is a double thread from <removed n/a link>

Read the posting guidelines and stop wasting anybody's time with it.

Ronald

Merged.

Please follow the rules or your account may get banned.

Thanks

-Moderator

Then I suggest you read the Posting Guidelines before you continue!. You have already 16 posts so you are not that new!

Btw this is a double thread from <removed n/a link>

Read the posting guidelines and stop wasting anybody's time with it.

Ronald

Thanx.....
I read it and I'm following......
Can u tell me what is meant by PM questions???

Thanx.....
I read it and I'm following......
Can u tell me what is meant by PM questions???

Private Messages.
Click on the users profile link, and follow the link to provate messaging,