2012-01-25, 12:06 AM
2012-01-25, 12:10 AM
Ok, after invalid login 3 (but still in the else statement) put this:
echo "INVALID LOGIN 3";
echo $hash."<br />";
print_r($resultarr);
2012-01-25, 12:12 AM
Hold on, when I change my form like this:
<?php
error_reporting(0);
// Database settings
$host = 'localhost';
$user = '';
$password = '';
$database = '';
$conn = mysql_connect($host,$user,$password) or die ('Error connecting to MySQL database.');
$conn = mysql_select_db($database) or die ('Error selecting database.');
$hwid = mysql_real_escape_string($_GET['hwid']);
if ($hwid == '') {$hwid='?';}
$author = mysql_real_escape_string($_GET['author']);
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
//get the user info
$query = "SELECT * FROM mybb_users WHERE LOWER(username) = '{$username}';";
//make it into a mysql_assoc_array
$result= mysql_query($query);
$resultarr = mysql_fetch_assoc($result);
$salt = $resultarr['salt'];
$hash = md5(md5($password.$salt).$salt);
//check your hash against the one in the table
if (mysql_num_rows($result) == 1){
    // Check membername and HWID
    $query = "SELECT member, hwid FROM loginlist WHERE member = '$username'";
    $result = mysql_query($query);
    if ($result && mysql_num_rows($result)) {
        $row = mysql_fetch_array($result);
        if ($row['hwid']!=$hwid) {
            echo "INVALID LOGIN";
            exit;
        }
    }
    // Update loginlist
    $ip = $_SERVER['REMOTE_ADDR'];
    $lastday = $firstday = time();
    $cntr = 1;
    $query = "SELECT member, ip, cntr FROM loginlist WHERE member = '$username' AND ip = '$ip'";
    $result = mysql_query($query);
    if ($result && mysql_num_rows($result)) {
        $row = mysql_fetch_array($result);
        $row['cntr'] += 1;
        $lastday = time();
        $query = "UPDATE loginlist SET lastday = '$lastday', cntr = '$row[cntr]' WHERE member = '$username' AND ip = '$ip'";
        $result=mysql_query($query);
    } else {
        $query="INSERT INTO loginlist (member, hwid, ip, lastday, firstday, cntr, block) VALUES ('$username', '$hwid', '$ip', '$lastday', '$firstday', '$cntr', '0')";
        $result=mysql_query($query);
    }
    // Check if IP address is blocked
    $query = "SELECT * FROM loginlist WHERE ip = '$ip'";
    $result = mysql_query($query);
    if ($result && mysql_num_rows($result) == 1) {
        $row = mysql_fetch_array($result);
        if ($row['block'] == 1) {
            echo "INVALID LOGIN";
            exit;
        }
    }
    echo "VALID LOGIN";
} else {
    echo "INVALID LOGIN";
}
?>
I always get Valid login even when I type the wrong password?
2012-01-25, 12:14 AM
Woah, you've gone back over a fair bit there. You've removed all of our recent bug fixes. It always validates because you're not checking the password; you're simply getting a row where name = xxx and seeing if that row exists.
2012-01-25, 12:19 AM
Ok, I came back, and after that I got the error Invalid login3 and the mysql output also.
My code looks like this:
} else {
echo "INVALID LOGIN 3";
echo $hash."<br />";
print_r($resultarr);
}
2012-01-25, 12:25 AM
Ok, was something in the MySQL input? Was the hash the same as $hash?
Ahhh, this:
if ($resultarr['hash'] == $hash)
Should be this:
if ($resultarr['password'] == $hash)
2012-01-25, 12:28 AM
Yes it was, and it was the same.
EDIT: before the mysql result there was something that is nowhere, like this:
INVALID LOGIN 381d423e365cc80bf64458d0366185fe2
then on next line the mysql result
2012-01-25, 12:30 AM
Did you change the code?
2012-01-25, 12:31 AM
Nope, please read my edited post above.
2012-01-25, 12:33 AM
Ok, so one last time upload your code
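The difference the thread turns on, shown as an added example that is not part of any post above: a login check that only asks whether a row came back, beside one that compares the recomputed hash with the stored `password` column. The sample row, salt and passwords are constructed, the function names are hypothetical, and the hash formula is the one from the posted script.

```php
<?php
// Hash formula copied from the script posted in the thread.
function page_hash($password, $salt) {
    return md5(md5($password . $salt) . $salt);
}

// Constructed sample row, shaped like the mybb_users row the script fetches.
// Salt and password are made up for this example.
$salt = 'Xy12abCD';
$storedRow = array(
    'username' => 'alice',
    'salt'     => $salt,
    'password' => page_hash('correct horse', $salt),
);

// The check the posted script performs: a row exists, so the login is valid.
function row_exists_check($row) {
    return is_array($row);
}

// Compares the recomputed hash with the stored 'password' column.
function password_check($row, $password) {
    if (!is_array($row) || !isset($row['salt'], $row['password'])) {
        return false; // unknown user: mysql_fetch_assoc() returned false
    }
    $hash = page_hash($password, $row['salt']);
    // hash_equals() compares in constant time (PHP 5.6+).
    return hash_equals($row['password'], $hash);
}

// Three cases: right password, wrong password, unknown user (no row).
$cases = array(
    array($storedRow, 'correct horse'),
    array($storedRow, 'wrong password'),
    array(false, 'anything'),
);
foreach ($cases as $c) {
    list($row, $pw) = $c;
    printf(
        "%-16s row_exists=%-5s password_check=%s\n",
        $pw,
        var_export(row_exists_check($row), true),
        var_export(password_check($row, $pw), true)
    );
}
```

For the wrong-password case the two checks disagree, which is the "always Valid login" symptom reported in the thread.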