login; always incorrect username and password

Post here if you are having problems with any of the tutorials.
Robbedoesie
Posts: 97
Joined: Thu May 19, 2011 7:37 pm
Location: Enkhuizen, Holland

Post by Robbedoesie »

Hello,
I followed the register and login tutorials, but this is not easy for me. Earlier on I tested the register page and there were some mistakes (my mistakes, obviously), and now I am testing the login page and again something is not right. When I log in, the message "incorrect username and password" always appears. But I know that the username and password are right.
I don't really know where to look for mistakes, so I looked everywhere, especially at the function valid_credentials in user.inc.php and at login.php, but I don't see any errors. After a while I saw only {} [''];:"'@$&<>/\. And maybe that is why I missed a mistake.
Here is the code:
user.inc.php
<?php
// does the username exist in the database
function user_exists($user){
	$user = mysql_real_escape_string($user);
	$total = mysql_query("SELECT COUNT('user_id') FROM `user_system` WHERE `user_name` = '{$user}'");
	return (mysql_result($total, 0) == '1') ? true : false;
}
// is the username and password combination correct
function valid_credentials($user, $pass){
	$user = mysql_real_escape_string($user);
	$pass = sha1($pass);
	
	$total = mysql_query("SELECT COUNT('user_id') FROM `user_system` WHERE `user_name` = '{$user}' AND `user_password` = '{$pass}'");
	
	return (mysql_result($total, 0) == '1') ? true : false;
}
function is_active($user){
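	$user = mysql_real_escape_string($user);
	
	// table and column are joined with a dot (`table`.`column`), not a comma
	// note: the other queries in this file use `user_system`, not `users`
	$sql = "SELECT
			COUNT(`user_activations`.`user_id`)
			FROM `users`
			INNER JOIN `user_activations`
			ON `users`.`user_id` = `user_activations`.`user_id`
			WHERE `users`.`user_name` = '{$user}'";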
			
	$result = mysql_query($sql);
	return (mysql_result($result, 0) == '0') ? true : false;
}
function activate_account($aid){
		$aid = mysql_real_escape_string($aid);
		
		mysql_query("DELETE FROM `user_activations` WHERE `activations_code` = '{$aid}'");
		
}
// forgotten password
function random_string($length){
	// no array_flip() here: shuffle() discards keys, so the characters must be the values
	$charset = array_merge(range('a', 'z'), range('A', 'Z'), range(0, 9));
	
	shuffle($charset);
	$password = array_slice($charset, 0, $length);
	return implode('', $password);
}
// adds a user to the database
function add_user($user, $email, $pass){
	$user  = mysql_real_escape_string(htmlentities($user));
	$email = mysql_real_escape_string($email);
	$pass  = sha1($pass);
	
	$charset = array_flip(array_merge(range('a', 'z'), range('A', 'Z'), range(0, 9)));
	$aid = implode('', array_rand($charset, 10));
	
	$body = <<<EMAIL
	Hallo,
	dank voor het registreren, voordat je gaat inloggen is het nodig dat je je account gaat activeren.
	omdat de doen kan je gewoon op deze link klikken, http://www.robcnossen.nl/activate.php?aid={$aid}
EMAIL;
mail($email, 'je nieuwe account in robbcnossen.nl', $body, 'From: robcnossen@quicknet.nl');	
	
	mysql_query("INSERT INTO `user_system` (`user_name`, `user_password`, `user_email`) VALUES ('{$user}', '{$pass}', '{$email}')");
	$user_id = mysql_insert_id();
	mysql_query("INSERT INTO `user_activations` (`user_id`, `activations_code`) VALUES ({$user_id}, '{$aid}')");
}

?>
login.php
<?php 
include('init.inc.php');
$errors = array();
if (isset($_POST['username'], $_POST['password'])){
	if (empty($_POST['username'])){
		$errors[] = 'De gebruikersnaam mag niet leeg wezen.';
	}
	if (empty($_POST['password'])){
		$errors[] = 'Het paswoord mag niet leeg zijn.';
	}
	if (valid_credentials($_POST['username'], sha1($_POST['password'])) === false){
		$errors[] = 'Gebruikersnaam/paswoord zijn niet goed ingevuld.';
	}
	if (empty($errors) &&is_active($_POST['username']) === false){
		$errors[] = 'Deze account is niet geactiveerd.';
	}
	if (empty($errors)){
		if(isset($_POST['set_cookie']) && $_POST['set_cookie'] == '1'){
			setcookie('username', $_POST['username'], time() + 684800);
			setcookie('password', sha1($_POST['password']), time() + 684800);
		}
		$_SESSION['username'] = htmlentities($_POST['username']);
	header('location:beschermd.php');
	die();
	}
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<div>
<?php 
if (empty($errors) === false){
	?>
    <ul>
    <?php
		foreach ($errors as $error){
			echo"<li>{$error}</li>";
		}
	?>
   </ul>
   <?php
}else{
	echo 'Wil je je inschrijven? <a href="register.php">Schrijf je hier in</a>';
}
?>

<form action="" method="post">
	<p>
	<label for="username">Gebruikersnaam:</label>
    <input type="text" name="username" id="username" value="<?php if (isset($_POST['username'])) echo htmlentities($_POST['username'])?>" />
    </p>
    <p>
	<label for="password">Paswoord:</label>
    <input type="password" name="password" id="password" />
    </p>
    	<p>
        <label for="set_cookie">Onthoud mij:</label>
        <input type="checkbox" name="set_cookie" id="set_cookie" value="1" />
        </p>
    <p>
    <input type="submit" value="Login" />
    </p>
</form>
    </div>
    <a href="forgot_pass.php">Paswoord vergeten? Klik hier.</a>

</body>
</html>
The table structure is;
user_id int(6) auto_increment;
user_name varchar(24);
user_password char(40);
user_email varchar(128);

I hope someone can help me.
Thanks in advance.
Robbedoesie
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Post by jacek »

You need to use backticks around column and table names, so
$total = mysql_query("SELECT COUNT('user_id') FROM `user_system` WHERE `user_name` = '{$user}' AND `user_password` = '{$pass}'");
should be
$total = mysql_query("SELECT COUNT(`user_id`) FROM `user_system` WHERE `user_name` = '{$user}' AND `user_password` = '{$pass}'");
Robbedoesie
Posts: 97
Joined: Thu May 19, 2011 7:37 pm
Location: Enkhuizen, Holland

Post by Robbedoesie »

Sorry for my late reaction.
Okay, I now have the backticks around the user_id's, but unfortunately I still get the same message that the username/password are incorrect. I see that I am the only one with this problem, except jaysus7, but in that case there were error messages. Here there are no error messages. I can find the user_ids, user_names and user_passwords in the database, but can it be that the script somehow can't find the user_name or user_password in the database? Even when the table names and everything are written correctly?
Temor
Posts: 1186
Joined: Thu May 05, 2011 8:04 pm

Post by Temor »

Line 11:
if (valid_credentials($_POST['username'], sha1($_POST['password'])) === false){
You're applying sha1 to the password, and then you're doing the same thing inside the function, which will generate a whole new string. Remove the one in your login page and keep the one in your function.
Robbedoesie
Posts: 97
Joined: Thu May 19, 2011 7:37 pm
Location: Enkhuizen, Holland

Post by Robbedoesie »

Thanks, everything works fine now, but I still have a question.
I watched the tutorials again to see where I went wrong. Jacek removed the sha1 in favour of mysql_real_escape_string($pass); against SQL injection and kept the sha1 in the login page, and can still log in. My question is: it all works, but is it safe?
I also tried it the other way around, keeping the sha1 in the login page and having the mysql_real_escape_string($pass); in the user.inc page, but then I can't log in anymore. I know he is a much better PHP man than I am, but why does it work for Jacek and not for me?
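
Added example, not code from the tutorial or from anyone in this thread: the rule behind Temor's fix (hash the password in exactly one place) and the "is it safe" question above, shown with PDO prepared statements and password_hash()/password_verify() in place of mysql_* and unsalted sha1. It assumes PHP 5.5+ with the pdo_sqlite extension; the in-memory table and the sample account are constructed.

```php
<?php
// Added example. Assumes PHP 5.5+ with the pdo_sqlite extension; the table is
// a constructed in-memory copy of user_system and the account is sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_system (
    user_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    user_name     VARCHAR(24) UNIQUE,
    user_password VARCHAR(255)
)');

// Registration is the only place a hash is created. password_hash() salts
// each hash, so the column must be wider than the char(40) used for sha1.
function add_user(PDO $db, $user, $pass) {
    $stmt = $db->prepare(
        'INSERT INTO user_system (user_name, user_password) VALUES (?, ?)'
    );
    $stmt->execute(array($user, password_hash($pass, PASSWORD_DEFAULT)));
}

// Login receives the password exactly as typed. The caller must not hash it:
// password_verify() recomputes the hash from the stored salt and compares.
function valid_credentials(PDO $db, $user, $pass) {
    $stmt = $db->prepare(
        'SELECT user_password FROM user_system WHERE user_name = ?'
    );
    $stmt->execute(array($user));
    $hash = $stmt->fetchColumn();   // false when the user does not exist

    return $hash !== false && password_verify($pass, $hash);
}

// Constructed sample account; the apostrophe is handled by the bound
// parameter, so no manual escaping is needed.
add_user($db, "rob o'neil", 'geheim123');

$attempts = array(
    'password as typed'        => 'geheim123',
    'pre-hashed by the caller' => sha1('geheim123'),  // the login.php mistake
    'wrong password'           => 'fout',
);
foreach ($attempts as $label => $pass) {
    $ok = valid_credentials($db, "rob o'neil", $pass);
    echo str_pad($label, 26), $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```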