MyBB Community Forums

invalid login3

Ok, after invalid login 3 (but still in the else statement) put this:

echo "INVALID LOGIN 3";
echo $hash."<br />";
print_r($resultarr);

hold on when I change my form like this :

 <?php

error_reporting(0);

// Database settings
$host      = 'localhost';        
$user      = '';    
$password  = '';        
$database  = '';      

$conn = mysql_connect($host,$user,$password) or die ('Error connecting to MySQL database.');
$conn = mysql_select_db($database) or die ('Error selecting database.');

$hwid = mysql_real_escape_string($_GET['hwid']);
if ($hwid == '') {$hwid='?';}
$author = mysql_real_escape_string($_GET['author']);
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
//get the user info
$query = "SELECT * FROM mybb_users WHERE LOWER(username) = '{$username}';"; 
//make it into a mysql_assoc_array
$result= mysql_query($query);
$resultarr = mysql_fetch_assoc($result);
$salt = $resultarr['salt'];
$hash = md5(md5($password.$salt).$salt);

//check your hash against the one in the table
if (mysql_num_rows($result) == 1){
	// Check membername and HWID 
	$query = "SELECT member, hwid FROM loginlist WHERE member = '$username'";
	$result = mysql_query($query);
	if ($result && mysql_num_rows($result)) {
		$row = mysql_fetch_array($result);
		if ($row[hwid]!=$hwid) {
			echo "INVALID LOGIN";
			exit;
		}
	}
	// Update loginlist
	$ip = $_SERVER['REMOTE_ADDR'];
	$lastday = $firstday = time();
	$cntr = 1;
	$query = "SELECT member, ip, cntr FROM loginlist WHERE member = '$username' AND ip = '$ip'";
	$result = mysql_query($query);
	if ($result && mysql_num_rows($result)) {
		$row = mysql_fetch_array($result);
		$row[cntr] += 1;
		$lastday = time();
		$query = "UPDATE loginlist SET lastday = '$lastday', cntr = '$row[cntr]' WHERE member = '$username' AND ip = '$ip'";
		$result=mysql_query($query);
	} else {
		$query="INSERT INTO loginlist (member, hwid, ip, lastday, firstday, cntr, block) VALUES ('$username', '$hwid', '$ip', '$lastday', '$firstday', '$cntr', '0')";
		$result=mysql_query($query);			
	}	
	// Check if IP address is blocked
	$query = "SELECT * FROM loginlist WHERE ip = '$ip'";
	$result = mysql_query($query);
	if ($result && mysql_num_rows($result) == 1) {
		$row = mysql_fetch_array($result);
		if ($row[block] == 1) {
			echo "INVALID LOGIN";	
			exit;
		}
	}
	echo "VALID LOGIN";
} else {
	echo "INVALID LOGIN";
}

?>

I have allways Valid login even when I type wrong password ?

Woah, you've gone back over a fair bit there. You've removed all of our recent bug fixes it always validates because you're not checking the password, you're simply getting a row where name = xxx and seeing if that row exists

ok I came back and after that I got error Invalid login3 and the mysql output also
my code looks like this :

} else {
echo "INVALID LOGIN 3";
echo $hash."<br />";
print_r($resultarr);
}

Ok, was something in the MySQL input? Was the hash the same as $hash?

---

Ahhh, this:

if ($resultarr['hash'] == $hash)

Should be this:

if ($resultarr['password'] == $hash)

yes it was and it was the same

EDIT : there was before the mysql result something that is no where like this

INVALID LOGIN 381d423e365cc80bf64458d0366185fe2
then on next line the mysql result

Did you change the code?

nope read please my edited post up

Ok, so one last time upload your code