help please!


duranike
Forum Newbie
Posts: 17
Joined: Tue Nov 04, 2003 8:40 pm

help please!

Post by duranike »

ok this is a customer login script where the user types in their name and password and then it directs them to a template page of their personal product. for some reason only the admin user (u:1/p:1) can log in and work but everyone else can't. the values in the mssql database do not seem to match and they're redirected to the login page. here is the script below. any help?



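<?php
include("inc/config.php");

// Connect to the server and select the database
$conn = mssql_connect($hostname, $user, $pass) or die('Error: MSSQL connection');
mssql_select_db($database, $conn) or die('Error: Database Selection');

// PASSWORD() is applied to the submitted password before the comparison
$query = "SELECT * FROM clients WHERE clientid = '$clientid' AND password = PASSWORD('$password')";
$result = mssql_query($query, $conn);

if ($result && mssql_num_rows($result) == 1)
{
    // Exactly one matching client: start the session and remember who it is
    session_start();

    session_register("client_id");
    session_register("client_name");

    list($clientid, $name) = mssql_fetch_row($result);
    $client_id = $clientid;
    $client_name = $name;

    mssql_free_result($result);
    mssql_close($conn);

    header("Location: hollywood.php");
    exit;
}
else
{
    // No match (or the query failed): send the user back to the login form
    if ($result) {
        mssql_free_result($result);
    }
    mssql_close($conn);

    header("Location: relogin.php");
    exit;
}
?>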
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Are the passwords in the database encrypted or just plain text?
duranike
Forum Newbie
Posts: 17
Joined: Tue Nov 04, 2003 8:40 pm

plain text

Post by duranike »

plain text
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

What's in config.php and what does the PASSWORD() function do?
duranike
Forum Newbie
Posts: 17
Joined: Tue Nov 04, 2003 8:40 pm

Post by duranike »

config php is simply the connection info for the sql database. password relates to the serial number that users type into a form.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Re: plain text

Post by volka »

duranike wrote: plain text
then why do you use mysql's password() function?
duranike
Forum Newbie
Posts: 17
Joined: Tue Nov 04, 2003 8:40 pm

password

Post by duranike »

to get the password from the user and compare to the password in the mssql database. right?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

but there's a conflict between "plain text" and "password"
the password() function is used to crypt/hash a password.

see also: http://www.mysql.com/search/index.php?q=password
duranike
Forum Newbie
Posts: 17
Joined: Tue Nov 04, 2003 8:40 pm

Post by duranike »

any luck guys?
duranike
Forum Newbie
Posts: 17
Joined: Tue Nov 04, 2003 8:40 pm

Post by duranike »

ok so what do we need to change to confirm a password with plain text
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

really depends on how the password actually is stored now.
plaintext or password()-hash?
try it without the password-function in your sql-statement...

p.s.: I doubt you read and understood the manual pages that quickly ;)
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

Just a bit down on this page, there is some info about password(); http://www.mysql.com/doc/en/Miscellaneo ... tions.html

So...
if ('Foo' == 'Foo') : True
if (password('Foo') == '7c786c222596437b') : True
if ('foo' == password($variable)) : <insert True or False here>, and take actions according to it...

Hope the message was sublime enough to be understandable... ;)

Edit: Gah @ volka, up early are we?
duranike
Forum Newbie
Posts: 17
Joined: Tue Nov 04, 2003 8:40 pm

Post by duranike »

well we have to check on that but if it is password()-hash then what are we doing wrong. if it's plain text then we should just take out the password function?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

feel free to try. Can't be worse than not working ;)
duranike
Forum Newbie
Posts: 17
Joined: Tue Nov 04, 2003 8:40 pm

Post by duranike »

we traced the problem to the login.php script. what's wrong with this. we are getting an error at 'You must fill in your username and serial'. could it possibly be a problem with the form or is it a problem with the script itself?


<?php
include("inc/config.php");

// $username and $serial are expected to be set from the submitted form
if (!$username || !$serial)
	{
		echo 'You must fill in your username and serial number.';
		exit;
	}
	else
	{
		$conn = mssql_connect($host, $dbusername, $dbpass) or die('Error: MSSQL connection');
		mssql_select_db($dbname) or die('Error: Database Selection');
		$query = "SELECT * FROM support_101 where alias = '$username' AND serial = '$serial' ";
		$result = mssql_query($query) or die('Error: Query');
		$num_rows = mssql_num_rows($result);
		if ($num_rows > 0)
		{
			// Match found: redirect to the product page and stop the script
			mssql_close($conn);
			header ('Location: http://www.go-l.com/support/products/hollywood.php');
			exit;
		}
		else
		{
			echo 'Your username and/or serial number do not match our records.<br />Please try again.';
			exit;
		}
	}
		// Never reached: every branch above exits
		$sql = "SELECT ALIAS FROM support_101 WHERE ALIAS='$ALIAS'";
		$sql_result = mssql_query($sql, $connection)
		or die ("Couldn't execute query.");
?>
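
A hardened form of the login check posted in this thread, as an added example that is not part of any post: it reads the form fields explicitly, binds the alias as a query parameter instead of interpolating it into the SQL string, and compares the serial against a stored hash in PHP rather than calling a SQL-side PASSWORD(). Assumptions: PDO stands in for the mssql_* functions (that extension was removed in PHP 7), an in-memory SQLite table stands in for support_101, and the function name check_login, the column serial_hash and the sample row are constructed for illustration.

```php
<?php
// Added example, not code from the thread. check_login(), serial_hash and
// the sample row are hypothetical; SQLite replaces the real MSSQL server.

function check_login(PDO $db, array $post): ?string
{
    // Read the form fields explicitly instead of relying on
    // register_globals to create $username / $serial.
    $username = trim((string)($post['username'] ?? ''));
    $serial   = (string)($post['serial'] ?? '');
    if ($username === '' || $serial === '') {
        return null;
    }

    // The placeholder keeps the alias out of the SQL text, so a quote
    // in the input is treated as data, not as syntax.
    $stmt = $db->prepare(
        'SELECT alias, serial_hash FROM support_101 WHERE alias = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash in PHP; no PASSWORD() in the query.
    if ($row === false || !password_verify($serial, $row['serial_hash'])) {
        return null;
    }
    return $row['alias'];
}

// Constructed sample data so the block runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE support_101 (alias TEXT PRIMARY KEY, serial_hash TEXT)');
$ins = $db->prepare('INSERT INTO support_101 VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('SN-0001', PASSWORD_DEFAULT)]);

// Matching serial, wrong serial, and an empty form submission.
var_dump(check_login($db, ['username' => "o'brien", 'serial' => 'SN-0001']));
var_dump(check_login($db, ['username' => "o'brien", 'serial' => 'wrong']));
var_dump(check_login($db, []));

// On a real page, after a successful check: session_start(),
// session_regenerate_id(true), store the alias in $_SESSION,
// send the Location header, then exit.
```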