help please!

Posted: Tue Nov 04, 2003 8:40 pm
by duranike
ok this is a customer login script where the user types in their name and password and then it directs them to a template page of their personal product. for some reason only the admin user (u:1/p:1) can log in and work but everyone else can't. the values in the mssql database don't seem to match and they're redirected to the login page. here is the script below. any help?



<?
include("inc/config.php");
$conn = mssql_connect($hostname, $user, $pass) or die('Error: MSSQL connection');
$query = "SELECT * FROM clients WHERE clientid = '$clientid' AND password = PASSWORD('$password')";
$result = mssql_query($database, $query, $connection);

if (num_rows($result) == 1)
{
session_start();

session_register("client_id");
session_register("client_name");

list($clientid, $name) = mssql_fetch_row($result);
$client_id = $clientid;
$client_name = $name;

header("Location: hollywood.php");
mssql_free_result ($result);

mssql_close($conn);
}
else

{
mssql_free_result ($result);
mssql_close($conn);

header("Location: relogin.php");
exit;
}
?>

Posted: Tue Nov 04, 2003 9:28 pm
by m3mn0n
Are the passwords in the database encrypted or just plain text?

plain text

Posted: Tue Nov 04, 2003 9:32 pm
by duranike
plain text

Posted: Tue Nov 04, 2003 9:38 pm
by m3mn0n
What's in config.php and what does the PASSWORD() function do?

Posted: Tue Nov 04, 2003 9:41 pm
by duranike
config.php is simply the connection info for the sql database. password relates to the serial number that users type into a form.

Re: plain text

Posted: Tue Nov 04, 2003 9:59 pm
by volka
duranike wrote: plain text
then why do you use mysql's password() function?

password

Posted: Tue Nov 04, 2003 10:03 pm
by duranike
to get the password from the user and compare to the password in the mssql database. right?

Posted: Tue Nov 04, 2003 10:09 pm
by volka
but there's a conflict between "plain text" and "password"
the password() function is used to crypt/hash a password.

see also: http://www.mysql.com/search/index.php?q=password

Posted: Tue Nov 04, 2003 10:09 pm
by duranike
any luck guys?

Posted: Tue Nov 04, 2003 10:10 pm
by duranike
ok so what do we need to change to confirm a password with plain text

Posted: Tue Nov 04, 2003 10:15 pm
by volka
really depends on how the password actually is stored now.
plaintext or password()-hash?
try it without the password-function in your sql-statement...

p.s.: I doubt you read and understood the manual pages that quickly ;)

Posted: Tue Nov 04, 2003 10:18 pm
by JAM
Just a bit down on this page, there is some info about password(); http://www.mysql.com/doc/en/Miscellaneo ... tions.html

So...
if ('Foo' == 'Foo') : True
if (password('Foo') == '7c786c222596437b') : True
if ('foo' == password($variable)) : <insert True or False here>, and take actions according to it...

Hope the message was sublime enough to be understandable... ;)

Edit: Gah @ volka, up early are we?

Posted: Tue Nov 04, 2003 10:20 pm
by duranike
well we have to check on that but if it is password()-hash then what are we doing wrong. if it's plain text then we should just take out the password function?

Posted: Tue Nov 04, 2003 10:43 pm
by volka
feel free to try. Can't be worse than not working ;)

Posted: Tue Nov 04, 2003 10:43 pm
by duranike
we traced the problem to the login.php script. what's wrong with this. we are getting an error at "You must fill in your username and serial". could it possibly be a problem with the form or is it a problem with the script itself?

<?
include("inc/config.php");

if (!$username || !$serial)
	{
		echo 'You must fill in your username and serial number.';
		exit;
	}
	else
	{
		$conn = mssql_connect($host, $dbusername, $dbpass) or die('Error: MSSQL connection');
		mssql_select_db($dbname) or die('Error: Database Selection');
		$query = "SELECT * FROM support_101 where alias = '$username' AND serial = '$serial' ";
		$result = mssql_query($query) or die('Error: Query');
		$num_rows = mssql_num_rows($result);
		if ($num_rows > 0)
		{
			mssql_close($conn);
			header ('Location: http://www.go-l.com/support/products/hollywood.php');
		}
		else
		{
			echo 'Your username and/or serial number do not match our records.<br />Please try again.';
			exit;
		}
	}
		$sql = "SELECT ALIAS FROM support_101 WHERE ALIAS='$ALIAS'";
		$sql_result = mssql_query($sql, $connection)
		or die ("Couldn't execute query.");
?>
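
An added example, not code from any poster in this thread: a login check where the stored value is a hash, the comparison in PHP uses the function that matches how it was stored, and the user's input is bound as a query parameter instead of being interpolated into the SQL string. Assumptions: an in-memory SQLite database stands in for the MSSQL server so the script runs offline, the `clients` table and its `clientid` and `password` columns follow the first script, and the `name` column, the sample rows and the `check_login()` helper are hypothetical.

```php
<?php
// Added example. SQLite in memory stands in for the MSSQL server so this
// runs offline; the table layout below is an assumption based on the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data. The "name" column is an assumption.
$pdo->exec('CREATE TABLE clients (clientid TEXT PRIMARY KEY, name TEXT, password TEXT)');
$insert = $pdo->prepare('INSERT INTO clients (clientid, name, password) VALUES (?, ?, ?)');
// What is stored is a salted hash, so the login check must verify against a hash.
$insert->execute(['1001', 'Sample Client', password_hash('sample-serial', PASSWORD_DEFAULT)]);

/**
 * Returns the client's row (without the hash) on success, or null when the
 * id is unknown or the password does not match.
 */
function check_login(PDO $pdo, string $clientid, string $password): ?array
{
    // The id is bound as a parameter; quotes in it are data, not SQL.
    $stmt = $pdo->prepare('SELECT clientid, name, password FROM clients WHERE clientid = ?');
    $stmt->execute([$clientid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Storage used password_hash(), so the comparison uses password_verify().
    // Mixing forms (hash on one side, plain text on the other) never matches.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // do not carry the hash into the session
    return $row;
}

var_dump(check_login($pdo, '1001', 'sample-serial') !== null); // correct password
var_dump(check_login($pdo, '1001', 'wrong-serial') !== null);  // wrong password
var_dump(check_login($pdo, "O'Brien", 'anything') !== null);   // id containing a quote
```

On success the caller would call `session_regenerate_id(true)`, store the returned row in `$_SESSION`, send the `Location` header and `exit`; on failure it would send the relogin redirect and `exit`.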