login script issue

Posted: Sat Aug 30, 2003 7:51 pm
by m3rajk
i don't understand why i'm getting an error with this script. i added a debugging line. the result of that was:
debug:
pw: 9cc9e1f6a22e05307d6831087ef5d1e6
db: 9cc9e1f6a22e05307d6831087ef5d1e6
the script causing the error keeps stating that the passwords don't match, yet they clearly do. the pws are stored in a md5 mask

Code:

<?php
include("/home/joshua/includes/fyd.incs.php"); # includes file
# variables used
$pass=MD5($_POST['pass']); $login=FALSE; $duration=NULL; $title='Login Page'; $error=FALSE; $gmto=NULL;
$uid=NULL; 

if(isset($_POST['un'])){ # check the db if this isn't the first loading of the page
  $un=$_POST['un']; # what was the passed username?
  $db=mysql_connect($host, $login2, $pass2) or die("cannot access mysql"); # connect
  $fyd=mysql_select_db('findyourdesire', $db) or die("cannot connect to db"); # select the db
  $lookup=mysql_query("SELECT * FROM users WHERE username='".mysql_real_escape_string($un, $db)."'", $db); # escape the username before it goes into the query
  if(mysql_num_rows($lookup)==0){ $error=TRUE; } # there was no user by that name
  else{ # retrieve the info
    $info=mysql_fetch_array($lookup); # get all the info associated with the user
    if($pass==$info['password']){ # the passwords match
      $sa=$info['site_access'];
      $uid=$info['uid']; # uid of the matched row, needed by the UPDATE below
      if((contains($sa, $regulars))||(contains($sa, $desireds))){ # you're not suspended
        $login=TRUE; $duration=$info['login_duration']; # set login to true, cookie duration code
        $gmto=$info['gmt_offset']; $rtds=$info['tds']; $utds=$tds[$rtds]; # set the gmt offset & time display
        $currip=$_SERVER['REMOTE_ADDR']; # get the new ip
        $update=mysql_query("UPDATE users SET last_login_ip='$currip',last_login_date='$now' WHERE uid='$uid'", $db); # update login date and ip
        $expire=time()+(60*$durr[$duration]); # set expiration by formula time()+seconds*minutes*hrs*days*yrs
        setcookie('un', $un, $expire); # set username
        setcookie('pw', $pass, $expire); # set password
        setcookie('login', TRUE, $expire); # set login
        setcookie('gmto', $gmto, $expire); # set the gmt offset
        setcookie('utds', $rtds, $expire); # set the time display style
      }
    }
  }
}

the rest is merely creating the page depending on what that part does, so the error is there

Posted: Sat Aug 30, 2003 8:44 pm
by McGruff
That looks OK which makes me wonder if your debug code is performing properly.

Try echoing out $_POST['pass'] and then $info['password'] immediately after the $info=mysql_fetch_array($lookup); line.

Another issue: do your scripts allow more than one person with the same user name? If so, $lookup could have several rows (with different passwords).

Posted: Sat Aug 30, 2003 10:47 pm
by leoden
it might be a daft suggestion but have you tried to trim the two passwords?? If they read right and php says they don't match then there has to be some hidden chars in there somewhere!

Posted: Sun Aug 31, 2003 9:41 am
by m3rajk
with the debug line:

Code:

if(isset($_POST['un'])){ # check the db if this isn't the first loading of the page
  $un=$_POST['un']; # what was the passed username?
  $db=mysql_connect($host, $login2, $pass2) or die("cannot access mysql"); # connect
  $fyd=mysql_select_db('findyourdesire', $db) or die("cannot connect to db"); # select the db
  $lookup=mysql_query("SELECT * FROM users WHERE username='".mysql_real_escape_string($un, $db)."'", $db); # escape the username before it goes into the query
  if(mysql_num_rows($lookup)==0){ $error=TRUE; } # there was no user by that name
  else{ # retrieve the info
    $info=mysql_fetch_array($lookup); # get all the info associated with the user
    echo "<p>debug: pw: $pass <br />db: ".$info['password']."</p>";
    if($pass==$info['password']){ # the passwords match
      $sa=$info['site_access'];
      $uid=$info['uid']; # uid of the matched row, needed by the UPDATE below
      if((contains($sa, $regulars))||(contains($sa, $desireds))){ # you're not suspended
        $login=TRUE; $duration=$info['login_duration']; # set login to true, cookie duration code
        $gmto=$info['gmt_offset']; $rtds=$info['tds']; $utds=$tds[$rtds]; # set the gmt offset & time display
        $currip=$_SERVER['REMOTE_ADDR']; # get the new ip
        $update=mysql_query("UPDATE users SET last_login_ip='$currip',last_login_date='$now' WHERE uid='$uid'", $db); # update login date and ip
        $expire=time()+(60*$durr[$duration]); # set expiration by formula time()+seconds*minutes*hrs*days*yrs
        setcookie('un', $un, $expire); # set username
        setcookie('pw', $pass, $expire); # set password
        setcookie('login', TRUE, $expire); # set login
        setcookie('gmto', $gmto, $expire); # set the gmt offset
        setcookie('utds', $rtds, $expire); # set the time display style
      }
    }
  }
}

no i haven't tried trimming, and the username is a unique key, so, as christopher lambert says throughout the highlander movies, there can be only one. i'll try trimming....ok... i changed the pw checking line to

Code:

if(trim($pass)==trim($info['password'])){ # the passwords match

i'd consider using where username='$un' AND password='$pass' in the query, but since it's the login, i want to be able to tell the difference between a bad username and a bad password



one sec... i just had a thought, "did i update the site access in mysql via command line after i fixed the issue with length of the md5 encoding?"

if i didn't, then this is actually supposed to be happening because the default site access is for an unapproved account, in case something placed into the bio or pictures is something that's not wanted....



edit: the answer was no, but that doesn't seem to have fixed anything.....it's still telling me i have the password wrong

Posted: Sun Aug 31, 2003 9:51 am
by m3rajk
never mind. i figured it out. i thought of something i had accidentally done with a different page and overwrote a variable... well, as it turns out similar thing here... in the include file with the db stuff, i forgot to put the administration db code into the two user group arrays.
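
The cause found at the end of this thread was the site-access (user group) check failing while the page reported a wrong password. As an added example that is not part of any post above, this sketch in current PHP returns a separate outcome for unknown user, bad password and disallowed site_access, and uses a bound query parameter with password_hash()/password_verify() in place of the interpolated query and the MD5 == comparison. The check_login() name, the group codes, the in_array() group test and the sample user are assumptions; the in-memory SQLite table only stands in for the users table.

```php
<?php
// Added example, not the poster's code. Table and column names follow the
// thread; group codes and the sample user are constructed for illustration.
const LOGIN_OK = 'ok';
const LOGIN_NO_USER = 'no_such_user';
const LOGIN_BAD_PASSWORD = 'bad_password';
const LOGIN_NOT_ALLOWED = 'site_access_not_allowed';

function check_login(PDO $pdo, string $un, string $pass, array $allowedAccess): string
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT uid, password, site_access FROM users WHERE username = ?');
    $stmt->execute([$un]);
    $info = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($info === false) {
        return LOGIN_NO_USER;
    }
    // password_verify() checks a salted password_hash() value, so no loose
    // == comparison of two hex digests is involved.
    if (!password_verify($pass, $info['password'])) {
        return LOGIN_BAD_PASSWORD;
    }
    // Authorization is its own outcome, so a group code missing from the
    // allowed list cannot surface as "wrong password".
    if (!in_array($info['site_access'], $allowedAccess, true)) {
        return LOGIN_NOT_ALLOWED;
    }
    return LOGIN_OK;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE,
            password TEXT, site_access TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password, site_access) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);

$allowed = ['regular', 'desired'];   // 'admin' left out, as in the thread
echo check_login($pdo, 'nobody', 'x', $allowed), "\n";
echo check_login($pdo, 'alice', 'wrong', $allowed), "\n";
echo check_login($pdo, 'alice', 'correct horse', $allowed), "\n";
$allowed[] = 'admin';                // group list corrected
echo check_login($pdo, 'alice', 'correct horse', $allowed), "\n";
```

The returned reason is meant for the server-side log; the login page can still show a single generic failure message to the visitor.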