Page 1 of 1
validating encrypted passwords
Posted: Sat Feb 07, 2004 12:44 pm
by bluesman333
New to encryption. Well, new to most php, but expecially encryption.
Can't figure out why this doesn't work. The users password is stored in a mysql database (encrypted). When they login I want to compare that value to the value they entered.
Code: Select all
<?php
require_once("connection.php");
$username = $HTTP_POST_VARS[username];
$sql = mysql_query("SELECT * FROM users WHERE username = '$username'", $link);
$data = mysql_fetch_array($sql);
$encrypted_password = $data[password];
$password = crypt($HTTP_POST_VARS[password], $encrypted_password);
if ($password == $encrypted_password) {
print "login successful";
}else{
print "login failed";
}
?>
Posted: Sat Feb 07, 2004 12:48 pm
by DuFF
What does this output?
Code: Select all
<?php
require_once("connection.php");
$username = $_POST['username'];
$sql = mysql_query("SELECT * FROM users WHERE username = '$username'", $link);
$data = mysql_fetch_array($sql);
$encrypted_password = $data['password'];
$password = crypt($_POST['password'], $encrypted_password);
echo $encrypted_password . "<br />"; //output for debugging!
echo $password;
if ($password == $encrypted_password) {
print "login successful";
}else{
print "login failed";
}
?>
Notice I also changed $HTTP_POST_VARS (now deprecated) with $_POST and I also added quotes to it ( ['password'] ).
Posted: Sat Feb 07, 2004 1:00 pm
by bluesman333
$1$HtZTbH7v$GvfZhAAW
$1$HtZTbH7v$GvfZhAAWVQRczKSDRwTNz0login failed
Posted: Sat Feb 07, 2004 1:28 pm
by Illusionist
try changing
Code: Select all
$password = crypt($_POST['password'], $encrypted_password);
to
Code: Select all
$password = crypt($_POST['password']);
Posted: Sat Feb 07, 2004 1:37 pm
by tsg
Also would it be possible for have the password field in the database set to varachar and Length/Values to 20?
The password going in to the database may be getting cut off.
Tim
Posted: Sat Feb 07, 2004 2:01 pm
by bluesman333
that was it. the password field was only 20 char long.
thanks
Posted: Sat Feb 07, 2004 2:10 pm
by dodga
Why not let the database do the validation for you?
Code: Select all
<?php
$query = sprintf('SELECT * FROM users WHERE username = ''%s'' and password = ''%s''', $_POST['username'], crypt($_POST['password']));
$result = mysql_query($query, $link)
or die('DB-Error: '.mysql_error());
$num_rows = mysql_num_rows($result);
if ($num_rows == 0) { // No such username/password pair in DB
die('Username/Password mismatch!');
} else if ($num_rows > 1) { // More than 1 username/password matches - should not happen..
die('Database inconsistency!');
}
// Otherwise there is exactly 1 row matching the given username/password
$data = mysql_fetch_assoc($result);
echo 'Login successful';
print_r($data);
?>