Why isn't this login working?
Posted: Sun Feb 12, 2012 5:23 pm
by DevonL
<?php
// Start session
session_start();
// Include database connection details
include "config.php";
include "functions.php";
// Validation error flag
$error = false;
// Escape the POST values before they are interpolated into the SQL query
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$cryptpass = crypt($password);
// Did we get a user and or pass?
if($username == '') {
errormsg(1);
$error = true;
}
if($password == '') {
errormsg(2);
$error = true;
}
// If the user/pass fails, back to index.php
if($error) {
session_write_close();
header("location: index.php");
exit();
}
// Query the DB
$qry = "SELECT * FROM users WHERE username='$username' AND password='$cryptpass'";
$result = mysql_query($qry);
// Check whether the query was successful or not
if ($result){
if (mysql_num_rows($result) == 1){
// Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['FNAME_NAME'] = $member['fname'];
session_write_close();
header("location: home.php");
exit();
}else {
// Login failed
echo "Username or Password was incorrect.<br>";
echo $username;
echo "<br>";
echo $cryptpass;
exit();
}
}else {
die("Query failed");
}
?>
I appreciate any insight here! The prompt keeps coming up, but it won't bring me to home.php!
EDIT: With the outputted variables, the password shows that it changes every time I try to login, so it will not match what is in the database.
To insert my username/pass into the DB, what I had done was create a simple script:
<?php
include "config.php";
$username = "Devon";
$password = crypt('pass');
$fname = "Devon";
$lname = "L";
$email = "mine@gmail.com";
$query = "INSERT INTO users(`username`, `password`, `fname`, `lname`, `email`)
VALUES('$username', '$password', '$fname', '$lname', '$email')";
mysql_query($query);
?>
Re: Why isn't this login working?
Posted: Sun Feb 12, 2012 6:34 pm
by Eric!
I assume you've deleted code there to try to make it easier to read. I suggest you echo out your $PHP variables and $password to see what you're really searching for. You might also want to echo out mysql_error() as part of your debugging.
Re: Why isn't this login working?
Posted: Sun Feb 12, 2012 7:44 pm
by DevonL
No, that's the entire script; the connection to MySQL is made in the config file. I'll give echoing a try to see what the variables are outputting. Also, mysql_error() is included already, not returning anything.
This is a script that worked with an older version of PHP, but I have made some modifications to it now to make it more secure.
Re: Why isn't this login working?
Posted: Sun Feb 12, 2012 9:46 pm
by Celauran
You're not passing a salt to crypt(), so it's choosing a random one which will be different every time.
Re: Why isn't this login working?
Posted: Mon Feb 13, 2012 8:29 am
by Eric!
Also I don't even see where you define $PHP_AUTH_PW, $PHP_AUTH_USER or $password. If they are session data, you have to read them from the $_SESSION array.
DevonL wrote:...I have made some modifications to it now to make it more secure.
Definitely. Now no one can get in. Sorry, bad joke.
Re: Why isn't this login working?
Posted: Mon Feb 13, 2012 9:46 am
by DevonL
Eric! wrote:Also I don't even see where you define $PHP_AUTH_PW, $PHP_AUTH_USER or $password. If they are session data, you have to read them from the $_SESSION array.
DevonL wrote:...I have made some modifications to it now to make it more secure.
Definitely. Now no one can get in. Sorry, bad joke.
I ended up changing the entire script, basing it slightly off of a tutorial I had found, also making it a bit cleaner.
Heh, a bad joke .. but true.
The new script is edited into the original post above.
Re: Why isn't this login working?
Posted: Mon Feb 13, 2012 9:57 am
by Celauran
Looks like you're still not salting crypt() so you're going to run into the same problem.
Re: Why isn't this login working?
Posted: Tue Feb 14, 2012 12:20 pm
by Eric!
The call to crypt should look like crypt($password,$salt_value). Without a salt, the manual has this appropriate comment: "An optional salt string to base the hashing on. If not provided, the behaviour is defined by the algorithm implementation and can lead to unexpected results." I.e. random hash results will almost never be the same twice, so no one can log in. See Mordred's post on picking a good sized salt for your hash:
viewtopic.php?f=34&t=127891
And why are you doing a session_start() and then using $_POST data? Have you echoed back out those variables to make sure you're setting them properly?
Re: Why isn't this login working?
Posted: Tue Feb 14, 2012 11:08 pm
by DevonL
Yeah I echoed the variables and they are indeed returning properly. I read up more on the PHP manual in regard to crypt() and am reading Mordred's post now as well. I should be able to get it running, the last time I did this md5() was the chosen way to encrypt passwords!
I appreciate the help/link.
Re: Why isn't this login working?
Posted: Thu Feb 16, 2012 8:21 am
by Eric!
Since you're using $_POST, and if you are not using session variables, you don't need session_start().
Crypt() is the same as MD5, just with better algorithms and requires a salt to improve randomness. You could also salt MD5(), but not a lot of people did it.
Re: Why isn't this login working?
Posted: Thu Feb 16, 2012 8:33 am
by Celauran
If you're already reading up about crypt() and hashing algorithms, take five minutes and give this a read:
Use bcrypt().
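As an added illustration of the two points made in this thread (crypt() without a salt picks a fresh random salt on every call, and bcrypt is the right choice), here is example code that is not from any post above. It assumes PHP 5.3.7 or later (for the $2y$ bcrypt prefix) and the openssl extension for random bytes; the function names are my own.

```php
<?php
// Added example, not from the thread. Shows why the original script can never
// match a stored hash, and the recommended fix: a bcrypt hash whose own
// embedded salt is reused at login by passing the stored hash back to crypt().
// Assumes PHP >= 5.3.7 and ext/openssl; function names are hypothetical.

// Build a bcrypt salt: "$2y$" . 2-digit cost . "$" . 22 chars from [./A-Za-z0-9].
function make_bcrypt_salt($cost = 10) {
    $raw = openssl_random_pseudo_bytes(16);              // CSPRNG, not rand()
    $b64 = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $b64);
}

// Registration: store the whole crypt() output (prefix + cost + salt + hash),
// i.e. what goes into the `password` column instead of crypt('pass').
function hash_password($password) {
    return crypt($password, make_bcrypt_salt());
}

// Login: look the row up by username only, then verify. Feeding the stored
// hash in as the salt makes crypt() reuse the same salt, so equal passwords
// now give equal output. Compare in constant time where PHP offers it.
function verify_password($password, $stored_hash) {
    $computed = crypt($password, $stored_hash);
    if (function_exists('hash_equals')) {                // PHP >= 5.6
        return hash_equals($stored_hash, $computed);
    }
    return $computed === $stored_hash;
}

// The bug from the original post: each salt-less call chooses its own salt,
// so the value computed at login does not equal the value stored at signup.
$stored_broken = crypt('pass');
$attempt_broken = crypt('pass');
var_dump($stored_broken === $attempt_broken);

// The fix: hash once at registration, verify with the stored hash as salt.
$stored = hash_password('pass');
var_dump(verify_password('pass', $stored));
var_dump(verify_password('wrong', $stored));
```

On PHP 5.5 and later, password_hash() and password_verify() do the same salt generation and bcrypt hashing with fewer moving parts, and the SELECT should fetch the stored hash by username rather than interpolating the hash into the WHERE clause.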