
Login not working

Posted: Thu Nov 10, 2005 9:20 am
by katd
Hi

I hope someone can help as this has been bugging me for two days now. I have a problem with my passwords when logging in. When I register a new user it encrypts the password I've entered using PASSWORD (I've also tried md5). In my login code I encrypt the password the user enters using the same method but I get an error message saying
The username and password entered do not match those on file.
although it does. I've checked that it is definitely the password encryption that is causing the problem by taking the encryption out so that it is stored as plain text; by doing this the person can login but it obviously isn't very secure.

This is the code I have to register a new user:

Code:

<?php # Script 12.6 - register.php

// This is the registration page for the site.
//Require authentication.
require_once ('../../../authentication.php');

//Set the page title and include the HTML header.
$page_title = 'Register A User';
include_once ('../includes/admin_header.html');

// Include the configuration file for error management and such.
require_once ('../includes/config.inc');

// Set the page title

$page_title = 'Register';

if (isset($_POST['submit'])) { // Handle the form.

	require_once ('../../../mysql_connect.php'); // Connect to the database.


	// Check for a first name.
	if (eregi ("^[[:alpha:].' -]{2,15}$", stripslashes(trim($_POST['first_name'])))) {
		$fn = escape_data($_POST['first_name']);
	} else {
		$fn = FALSE;
		echo '<p><font color="red" size="+1">Please enter your first name!</font></p>';
	}

	// Check for a last name.
	if (eregi ("^[[:alpha:].' -]{2,30}$", stripslashes(trim($_POST['last_name'])))) {
		$ln = escape_data($_POST['last_name']);
	} else {
		$ln = FALSE;
		echo '<p><font color="red" size="+1">Please enter your last name!</font></p>';
	}

	// Check for an email address.
	if (eregi ("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", stripslashes(trim($_POST['email'])))) {
		$e = escape_data($_POST['email']);
	} else {
		$e = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid email address!</font></p>';
	}

	// Check for a username.
	if (eregi ("^[[:alnum:]_]{4,20}$", stripslashes(trim($_POST['username'])))) {
		$u = escape_data($_POST['username']);
	} else {
		$u = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid username!</font></p>';
	}

	//Check for a password and match against the confirmed password.
	if (eregi ("^[[:alnum:]]{4,20}$", stripslashes(trim($_POST['password1'])))) {
		if ($_POST['password1'] == $_POST['password2']) {
			$p = escape_data($_POST['password1']);
		} else {
			$p = FALSE;
			echo '<p><font color="red" size="+1">Your password did not match the confirmed password!</font></p>';
		}
	} else {
		$p = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid password!</font></p>';
	}


	if ($fn && $ln && $e && $u && $p) { // If everything's OK.

		//Make sure the username is available.
		$query = "SELECT user_id FROM users WHERE username='$u'";
		$result = @mysql_query ($query);

		if (mysql_num_rows($result) == 0) { // Available.
		
			//Add the user.
			$query = "INSERT INTO users (username, first_name, last_name, email, password) VALUES ('$u', '$fn', '$ln', '$e', PASSWORD('$p') )"; 
			$result = @mysql_query ($query); // Run the query.
			if ($result) { //If it ran OK.

			//Send an email, if desired.
			echo '<p><b>Thank you for registering!</b></p>';
include_once
('../includes/admin_footer.html'); //Use the HTML footer file.
			exit(); //Quit the script.

			} else { // If it did not run OK.
				// Send a message to the error log, if desired.
				echo '<p><font color="red" size="+1">You could not be registered due to a system error. We apologize for any inconvenience.</font></p>';
			}

		} else { // The username is not available.
			echo '<p><font color="red" size="+1">That username is already taken.</font></p>';
		}

			mysql_close(); // Close the database connection.

		} else { // If one of the data tests failed.
			echo '<p><font color="red" size="+1">Please try again.</font></p>';
		}

	} //End of the main Submit conditional.
?>

<h1>Register</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

<fieldset>

<p><b>First Name:</b> <input type="text" name="first_name" size="15" maxlength="15" value="<?php if (isset($_POST['first_name'])) echo $_POST['first_name']; ?>" /></p>

<p><b>Last Name:</b> <input type="text" name="last_name" size="30" maxlength="30" value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /></p>

<p><b>Email Address:</b> <input type="text" name="email" size="40" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /></p>

<p><b>User Name:</b> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <small>Use only letters, numbers, and the underscore. Must be between 4 and 20 characters long.</small></p>

<p><b>Password:</b> <input type="password" name="password1" size="20" maxlength="20" />
 <small>Use only letters and numbers. Must be between 4 and 20 characters long.</small></p>

<p><b>Confirm Password:</b> <input type="password" name="password2" size="20" maxlength="20" /></p>
</fieldset>

<div align="center"><input type="submit" name="submit" value="Register" /></div>

</form><!-- End of Form -->

<?php # Script Use the HTML footer file.
include_once ('../includes/admin_footer.html');
?>



And this is the code I have for the login page


Code:

<?php # Script 12.7 - login.php
// This is the login page for the site.
include ('includes/header.html');

// Include the configuration file for error management and such.
require_once ('includes/config.inc');

// Set the page title.
$page_title = 'Login';


if (isset($_POST['submit'])) { // Check if the form has been submitted.

	require_once ('../../mysql_connect.php');
	// Connect to the database.

	if (empty($_POST['username'])) { // Validate the username.
		$u = FALSE;
		echo '<p><font color="red" size="+1">You forgot to enter your username!</font></p>';
	} else {
		$u = escape_data($_POST['username']);
	}

	if (empty($_POST['password'])) { // Validate the password.
		$p = FALSE;
		echo '<p><font color="red" size="+1">You forgot to enter your password!</font></p>';
	} else {
		$p = escape_data($_POST['password']);
	}

	if ($u && $p) { // If everything's ok.

	// Query the database.
	$query = "SELECT user_id, first_name FROM users WHERE username='$u' AND password=PASSWORD('$p')";
	$result = @mysql_query ($query);
	$row = mysql_fetch_array ($result, MYSQL_NUM);

	if ($row) { // A match was made.
		
		// Start the session, register the values & redirect.
		$_SESSION['first_name'] = $row[1];
		$_SESSION['user_id'] = $row[0];

		ob_end_clean(); // Delete the buffer.

		header ("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/secret.php");
		exit();

		} else { // No match was made.
			echo '<p><font color="red" size="+1">The username and password entered do not match those on file.</font></p>';
		}

		mysql_close(); // Close the database connection.
	
	} else { //If everything wasn't ok.
		echo '<p><font color="red" size="+1">Please try again.</font></p>';
	}

} // End of SUBMIT conditional.
?>

<h1>Login</h1>
<p>Your browser must allow cookies in order to login.</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<fieldset>
<p><b>User Name:</b> <input type="text" name="username" size="10" maxlength="20" value="<?php if(isset($_POST['username'])) echo $_POST['username']; ?>" /></p>
<p><b>Password:</b> <input type="password" name="password" size="20" maxlength="20" /></p>
<div align="center"><input type="submit" name="submit" value="Login" /></div>
</fieldset>
</form><!-- End of Form -->

<?php // Include the HTML footer.
include ('includes/footer.html');
?>

I really need help sorting the encryption as it's for a website that involves sensitive information.

Thanks :(

Posted: Thu Nov 10, 2005 9:22 am
by Charles256
Any chance of changing those code tags to php tags?

sorry

Posted: Thu Nov 10, 2005 9:24 am
by katd

Code:

<?php # Script 12.7 - login.php
// This is the login page for the site.
include ('includes/header.html');

// Include the configuration file for error management and such.
require_once ('includes/config.inc');

// Set the page title.
$page_title = 'Login';


if (isset($_POST['submit'])) { // Check if the form has been submitted.

	require_once ('../../mysql_connect.php');
	// Connect to the database.

	if (empty($_POST['username'])) { // Validate the username.
		$u = FALSE;
		echo '<p><font color="red" size="+1">You forgot to enter your username!</font></p>';
	} else {
		$u = escape_data($_POST['username']);
	}

	if (empty($_POST['password'])) { // Validate the password.
		$p = FALSE;
		echo '<p><font color="red" size="+1">You forgot to enter your password!</font></p>';
	} else {
		$p = escape_data($_POST['password']);
	}

	if ($u && $p) { // If everything's ok.

	// Query the database.
	$query = "SELECT user_id, first_name FROM users WHERE username='$u' AND password=PASSWORD('$p')";
	$result = @mysql_query ($query);
	$row = mysql_fetch_array ($result, MYSQL_NUM);

	if ($row) { // A match was made.
		
		// Start the session, register the values & redirect.
		$_SESSION['first_name'] = $row[1];
		$_SESSION['user_id'] = $row[0];

		ob_end_clean(); // Delete the buffer.

		header ("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/secret.php");
		exit();

		} else { // No match was made.
			echo '<p><font color="red" size="+1">The username and password entered do not match those on file.</font></p>';
		}

		mysql_close(); // Close the database connection.
	
	} else { //If everything wasn't ok.
		echo '<p><font color="red" size="+1">Please try again.</font></p>';
	}

} // End of SUBMIT conditional.
?>

<h1>Login</h1>
<p>Your browser must allow cookies in order to login.</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<fieldset>
<p><b>User Name:</b> <input type="text" name="username" size="10" maxlength="20" value="<?php if(isset($_POST['username'])) echo $_POST['username']; ?>" /></p>
<p><b>Password:</b> <input type="password" name="password" size="20" maxlength="20" /></p>
<div align="center"><input type="submit" name="submit" value="Login" /></div>
</fieldset>
</form><!-- End of Form -->

<?php // Include the HTML footer.
include ('includes/footer.html');
?>

Code:

<?php # Script 12.6 - register.php

// This is the registration page for the site.
//Require authentication.
require_once ('../../../authentication.php');

//Set the page title and include the HTML header.
$page_title = 'Register A User';
include_once ('../includes/admin_header.html');

// Include the configuration file for error management and such.
require_once ('../includes/config.inc');

// Set the page title

$page_title = 'Register';

if (isset($_POST['submit'])) { // Handle the form.

	require_once ('../../../mysql_connect.php'); // Connect to the database.


	// Check for a first name.
	if (eregi ("^[[:alpha:].' -]{2,15}$", stripslashes(trim($_POST['first_name'])))) {
		$fn = escape_data($_POST['first_name']);
	} else {
		$fn = FALSE;
		echo '<p><font color="red" size="+1">Please enter your first name!</font></p>';
	}

	// Check for a last name.
	if (eregi ("^[[:alpha:].' -]{2,30}$", stripslashes(trim($_POST['last_name'])))) {
		$ln = escape_data($_POST['last_name']);
	} else {
		$ln = FALSE;
		echo '<p><font color="red" size="+1">Please enter your last name!</font></p>';
	}

	// Check for an email address.
	if (eregi ("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", stripslashes(trim($_POST['email'])))) {
		$e = escape_data($_POST['email']);
	} else {
		$e = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid email address!</font></p>';
	}

	// Check for a username.
	if (eregi ("^[[:alnum:]_]{4,20}$", stripslashes(trim($_POST['username'])))) {
		$u = escape_data($_POST['username']);
	} else {
		$u = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid username!</font></p>';
	}

	//Check for a password and match against the confirmed password.
	if (eregi ("^[[:alnum:]]{4,20}$", stripslashes(trim($_POST['password1'])))) {
		if ($_POST['password1'] == $_POST['password2']) {
			$p = escape_data($_POST['password1']);
		} else {
			$p = FALSE;
			echo '<p><font color="red" size="+1">Your password did not match the confirmed password!</font></p>';
		}
	} else {
		$p = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid password!</font></p>';
	}


	if ($fn && $ln && $e && $u && $p) { // If everything's OK.

		//Make sure the username is available.
		$query = "SELECT user_id FROM users WHERE username='$u'";
		$result = @mysql_query ($query);

		if (mysql_num_rows($result) == 0) { // Available.
		
			//Add the user.
			$query = "INSERT INTO users (username, first_name, last_name, email, password) VALUES ('$u', '$fn', '$ln', '$e', PASSWORD('$p') )"; 
			$result = @mysql_query ($query); // Run the query.
			if ($result) { //If it ran OK.

			//Send an email, if desired.
			echo '<p><b>Thank you for registering!</b></p>';
include_once
('../includes/admin_footer.html'); //Use the HTML footer file.
			exit(); //Quit the script.

			} else { // If it did not run OK.
				// Send a message to the error log, if desired.
				echo '<p><font color="red" size="+1">You could not be registered due to a system error. We apologize for any inconvenience.</font></p>';
			}

		} else { // The username is not available.
			echo '<p><font color="red" size="+1">That username is already taken.</font></p>';
		}

			mysql_close(); // Close the database connection.

		} else { // If one of the data tests failed.
			echo '<p><font color="red" size="+1">Please try again.</font></p>';
		}

	} //End of the main Submit conditional.
?>

<h1>Register</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

<fieldset>

<p><b>First Name:</b> <input type="text" name="first_name" size="15" maxlength="15" value="<?php if (isset($_POST['first_name'])) echo $_POST['first_name']; ?>" /></p>

<p><b>Last Name:</b> <input type="text" name="last_name" size="30" maxlength="30" value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /></p>

<p><b>Email Address:</b> <input type="text" name="email" size="40" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /></p>

<p><b>User Name:</b> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <small>Use only letters, numbers, and the underscore. Must be between 4 and 20 characters long.</small></p>

<p><b>Password:</b> <input type="password" name="password1" size="20" maxlength="20" />
 <small>Use only letters and numbers. Must be between 4 and 20 characters long.</small></p>

<p><b>Confirm Password:</b> <input type="password" name="password2" size="20" maxlength="20" /></p>
</fieldset>

<div align="center"><input type="submit" name="submit" value="Register" /></div>

</form><!-- End of Form -->

<?php # Script Use the HTML footer file.
include_once ('../includes/admin_footer.html');
?>
Any better?

Posted: Thu Nov 10, 2005 9:33 am
by Charles256
Generally what I do is after they enter in their password when registering and I've already checked to make sure PW1 = PW2 I then md5 encrypt the password, then upload the md5 encrypted into the database. And then when checking I first encrypt then check against the DB. Be aware with MD5 it is case sensitive. Chances are you're just not uploading the right PW... i.e.

$password= md5 encrypted password

select from blah where password='$password'

Posted: Thu Nov 10, 2005 9:40 am
by katd
Where would I put this in my code, would I just exchange where I have PASSWORD in capitals with md5 or is it a variable I have to declare at the beginning?

Thanks for your help

Posted: Thu Nov 10, 2005 9:44 am
by Charles256
Okay.. when registering.. after you check for the two passwords being equal go...

Code:

$password=md5($postedpassword);
then insert into the password field $password
then when logging in... after they post their password

Code:

$password=md5($postedpassword)
SELECT SOME CRAP FROM WHO CARES WHERE password='$password'
simple enough?:-D

Posted: Thu Nov 10, 2005 9:56 am
by katd
It still isn't working and everything is being entered correctly.

I've now got in my registration code:

Code:

<?php # Script 12.6 - register.php

// This is the registration page for the site.
//Require authentication.
require_once ('../../../authentication.php');

//Set the page title and include the HTML header.
$page_title = 'Register A User';
include_once ('../includes/admin_header.html');

// Include the configuration file for error management and such.
require_once ('../includes/config.inc');

// Set the page title

$page_title = 'Register';

if (isset($_POST['submit'])) { // Handle the form.

	require_once ('../../../mysql_connect.php'); // Connect to the database.


	// Check for a first name.
	if (eregi ("^[[:alpha:].' -]{2,15}$", stripslashes(trim($_POST['first_name'])))) {
		$fn = escape_data($_POST['first_name']);
	} else {
		$fn = FALSE;
		echo '<p><font color="red" size="+1">Please enter your first name!</font></p>';
	}

	// Check for a last name.
	if (eregi ("^[[:alpha:].' -]{2,30}$", stripslashes(trim($_POST['last_name'])))) {
		$ln = escape_data($_POST['last_name']);
	} else {
		$ln = FALSE;
		echo '<p><font color="red" size="+1">Please enter your last name!</font></p>';
	}

	// Check for an email address.
	if (eregi ("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", stripslashes(trim($_POST['email'])))) {
		$e = escape_data($_POST['email']);
	} else {
		$e = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid email address!</font></p>';
	}

	// Check for a username.
	if (eregi ("^[[:alnum:]_]{4,20}$", stripslashes(trim($_POST['username'])))) {
		$u = escape_data($_POST['username']);
	} else {
		$u = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid username!</font></p>';
	}

	//Check for a password and match against the confirmed password.
	if (eregi ("^[[:alnum:]]{4,20}$", stripslashes(trim($_POST['password1'])))) {
		if ($_POST['password1'] == $_POST['password2']) {
			$p = escape_data($_POST['password1']);
			$password = md5('$p');
		} else {
			$p = FALSE;
			echo '<p><font color="red" size="+1">Your password did not match the confirmed password!</font></p>';
		}
	} else {
		$p = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid password!</font></p>';
	}


	if ($fn && $ln && $e && $u && $p) { // If everything's OK.

		//Make sure the username is available.
		$query = "SELECT user_id FROM users WHERE username='$u'";
		$result = @mysql_query ($query);

		if (mysql_num_rows($result) == 0) { // Available.
					$password = md5('$p');
			//Add the user.
			$query = "INSERT INTO users (username, first_name, last_name, email, password) VALUES ('$u', '$fn', '$ln', '$e', '$password')"; 
			$result = @mysql_query ($query); // Run the query.
			if ($result) { //If it ran OK.

			//Send an email, if desired.
			echo '<p><b>Thank you for registering!</b></p>';
include_once
('../includes/admin_footer.html'); //Use the HTML footer file.
			exit(); //Quit the script.

			} else { // If it did not run OK.
				// Send a message to the error log, if desired.
				echo '<p><font color="red" size="+1">You could not be registered due to a system error. We apologize for any inconvenience.</font></p>';
			}

		} else { // The username is not available.
			echo '<p><font color="red" size="+1">That username is already taken.</font></p>';
		}

			mysql_close(); // Close the database connection.

		} else { // If one of the data tests failed.
			echo '<p><font color="red" size="+1">Please try again.</font></p>';
		}

	} //End of the main Submit conditional.
?>

<h1>Register</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

<fieldset>

<p><b>First Name:</b> <input type="text" name="first_name" size="15" maxlength="15" value="<?php if (isset($_POST['first_name'])) echo $_POST['first_name']; ?>" /></p>

<p><b>Last Name:</b> <input type="text" name="last_name" size="30" maxlength="30" value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /></p>

<p><b>Email Address:</b> <input type="text" name="email" size="40" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /></p>

<p><b>User Name:</b> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <small>Use only letters, numbers, and the underscore. Must be between 4 and 20 characters long.</small></p>

<p><b>Password:</b> <input type="password" name="password1" size="20" maxlength="20" />
 <small>Use only letters and numbers. Must be between 4 and 20 characters long.</small></p>

<p><b>Confirm Password:</b> <input type="password" name="password2" size="20" maxlength="20" /></p>
</fieldset>

<div align="center"><input type="submit" name="submit" value="Register" /></div>

</form><!-- End of Form -->

<?php # Script Use the HTML footer file.
include_once ('../includes/admin_footer.html');
?>
And in my login code

Code:

<?php # Script 12.7 - login.php
// This is the login page for the site.
include ('includes/header.html');

// Include the configuration file for error management and such.
require_once ('includes/config.inc');

// Set the page title.
$page_title = 'Login';


if (isset($_POST['submit'])) { // Check if the form has been submitted.

	require_once ('../../mysql_connect.php');
	// Connect to the database.

	if (empty($_POST['username'])) { // Validate the username.
		$u = FALSE;
		echo '<p><font color="red" size="+1">You forgot to enter your username!</font></p>';
	} else {
		$u = escape_data($_POST['username']);
	}

	if (empty($_POST['password'])) { // Validate the password.
		$p = FALSE;
		echo '<p><font color="red" size="+1">You forgot to enter your password!</font></p>';
	} else {
		$p = escape_data($_POST['password']);
		$password = md5('$p');
	}

	if ($u && $p) { // If everything's ok.

	// Query the database.

	$query = "SELECT user_id, first_name FROM users WHERE username='$u' AND password='$password'";
	$result = @mysql_query ($query);
	$row = mysql_fetch_array ($result, MYSQL_NUM);

	if ($row) { // A match was made.
		
		// Start the session, register the values & redirect.
		$_SESSION['first_name'] = $row[1];
		$_SESSION['user_id'] = $row[0];

		ob_end_clean(); // Delete the buffer.

		header ("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/secret.php");
		exit();

		} else { // No match was made.
			echo '<p><font color="red" size="+1">The username and password entered do not match those on file.</font></p>';
		}

		mysql_close(); // Close the database connection.
	
	} else { //If everything wasn't ok.
		echo '<p><font color="red" size="+1">Please try again.</font></p>';
	}

} // End of SUBMIT conditional.
?>

<h1>Login</h1>
<p>Your browser must allow cookies in order to login.</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<fieldset>
<p><b>User Name:</b> <input type="text" name="username" size="10" maxlength="20" value="<?php if(isset($_POST['username'])) echo $_POST['username']; ?>" /></p>
<p><b>Password:</b> <input type="password" name="password" size="20" maxlength="20" /></p>
<div align="center"><input type="submit" name="submit" value="Login" /></div>
</fieldset>
</form><!-- End of Form -->

<?php // Include the HTML footer.
include ('includes/footer.html');
?>
I'm not sure what I'm doing wrong

Sorry to keep asking

Posted: Thu Nov 10, 2005 10:00 am
by Maugrim_The_Reaper

Code:

$password=md5($postedpassword)
SELECT SOME CRAP FROM WHO CARES WHERE password='$postedpassword'
small correction. ;)

But that's pretty much it - I prefer to use md5() outside of any SQL. You could probably simply make sure to echo the hashed password at all steps to identify the point where it suddenly changes (causing a mismatch).

Just to note I would suggest sha1(), or even better sha256 (see snippets forum for feyd's implementation - it's not a native PHP function unfortunately). MD5 and SHA1 are both less secure than they were a few years ago - I hear there are even sets of MD5 collision tables on the internet...

Posted: Thu Nov 10, 2005 10:13 am
by RobertGonzalez
What version of MySQL are you using? Versions after 4.6 (I believe, might be a little earlier) use a different encryption algorithm for PASSWORD. This could possibly be causing your problems in your original code.

Also, in either case (whether you are using the DB PASSWORD function or the PHP MD5 hash function) echo out your two comparisons. Make sure that what the script is seeing is accurate. Don't look at the script value for one and the DB value for the other. If you are comparing $value 1 == $value 2, echo both $value 1 and $value 2 to verify that the two values are / are not equal.

Posted: Fri Nov 11, 2005 3:05 am
by katd
I just don't see where I'm going wrong. I'm using MySQL version 4.1.12-standard. This is the code that I've got now which still isn't working.

For the login page

Code:

<?php # Script 12.7 - login.php
// This is the login page for the site.
include ('includes/header.html');

// Include the configuration file for error management and such.
require_once ('includes/config.inc');

// Set the page title.
$page_title = 'Login';


if (isset($_POST['submit'])) { // Check if the form has been submitted.

	require_once ('../../mysql_connect.php');
	// Connect to the database.

	if (empty($_POST['username'])) { // Validate the username.
		$u = FALSE;
		echo '<p><font color="red" size="+1">You forgot to enter your username!</font></p>';
	} else {
		$u = escape_data($_POST['username']);
	}

	if (empty($_POST['password'])) { // Validate the password.
		$p = FALSE;
		echo '<p><font color="red" size="+1">You forgot to enter your password!</font></p>';
	} else {
		$p = escape_data($_POST['password']);
	}

	if ($u && $p) { // If everything's ok.

	// Query the database.

	$password = md5('password');
	$query = "SELECT user_id, first_name FROM users WHERE username='$u' AND password='$password'";
	$result = @mysql_query ($query);
	$row = mysql_fetch_array ($result, MYSQL_NUM);

	if ($row) { // A match was made.
		
		// Start the session, register the values & redirect.
		$_SESSION['first_name'] = $row[1];
		$_SESSION['user_id'] = $row[0];

		ob_end_clean(); // Delete the buffer.

		header ("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/secret.php");
		exit();

		} else { // No match was made.
			echo '<p><font color="red" size="+1">The username and password entered do not match those on file.</font></p>';
		}

		mysql_close(); // Close the database connection.
	
	} else { //If everything wasn't ok.
		echo '<p><font color="red" size="+1">Please try again.</font></p>';
	}

} // End of SUBMIT conditional.
?>

<h1>Login</h1>
<p>Your browser must allow cookies in order to login.</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<fieldset>
<p><b>User Name:</b> <input type="text" name="username" size="10" maxlength="20" value="<?php if(isset($_POST['username'])) echo $_POST['username']; ?>" /></p>
<p><b>Password:</b> <input type="password" name="password" size="20" maxlength="20" /></p>
<div align="center"><input type="submit" name="submit" value="Login" /></div>
</fieldset>
</form><!-- End of Form -->

<?php // Include the HTML footer.
include ('includes/footer.html');
?>
And for the registration page:

Code:

<?php # Script 12.6 - register.php

// This is the registration page for the site.
//Require authentication.
require_once ('../../../authentication.php');

//Set the page title and include the HTML header.
$page_title = 'Register A User';
include_once ('../includes/admin_header.html');

// Include the configuration file for error management and such.
require_once ('../includes/config.inc');

// Set the page title

$page_title = 'Register';

if (isset($_POST['submit'])) { // Handle the form.

	require_once ('../../../mysql_connect.php'); // Connect to the database.


	// Check for a first name.
	if (eregi ("^[[:alpha:].' -]{2,15}$", stripslashes(trim($_POST['first_name'])))) {
		$fn = escape_data($_POST['first_name']);
	} else {
		$fn = FALSE;
		echo '<p><font color="red" size="+1">Please enter your first name!</font></p>';
	}

	// Check for a last name.
	if (eregi ("^[[:alpha:].' -]{2,30}$", stripslashes(trim($_POST['last_name'])))) {
		$ln = escape_data($_POST['last_name']);
	} else {
		$ln = FALSE;
		echo '<p><font color="red" size="+1">Please enter your last name!</font></p>';
	}

	// Check for an email address.
	if (eregi ("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", stripslashes(trim($_POST['email'])))) {
		$e = escape_data($_POST['email']);
	} else {
		$e = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid email address!</font></p>';
	}

	// Check for a username.
	if (eregi ("^[[:alnum:]_]{4,20}$", stripslashes(trim($_POST['username'])))) {
		$u = escape_data($_POST['username']);
	} else {
		$u = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid username!</font></p>';
	}

	//Check for a password and match against the confirmed password.
	if (eregi ("^[[:alnum:]]{4,20}$", stripslashes(trim($_POST['password1'])))) {
		if ($_POST['password1'] == $_POST['password2']) {
			$p = escape_data($_POST['password1']);
		} else {
			$p = FALSE;
			echo '<p><font color="red" size="+1">Your password did not match the confirmed password!</font></p>';
		}
	} else {
		$p = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid password!</font></p>';
	}


	if ($fn && $ln && $e && $u && $p) { // If everything's OK.

		//Make sure the username is available.
		$query = "SELECT user_id FROM users WHERE username='$u'";
		$result = @mysql_query ($query);

		if (mysql_num_rows($result) == 0) { // Available.
			$password = md5('password1');
			//Add the user.
			$query = "INSERT INTO users (username, first_name, last_name, email, password) VALUES ('$u', '$fn', '$ln', '$e', '$password')"; 
			$result = @mysql_query ($query); // Run the query.
			if ($result) { //If it ran OK.

			//Send an email, if desired.
			echo '<p><b>Thank you for registering!</b></p>';
include_once
('../includes/admin_footer.html'); //Use the HTML footer file.
			exit(); //Quit the script.

			} else { // If it did not run OK.
				// Send a message to the error log, if desired.
				echo '<p><font color="red" size="+1">You could not be registered due to a system error. We apologize for any inconvenience.</font></p>';
			}

		} else { // The username is not available.
			echo '<p><font color="red" size="+1">That username is already taken.</font></p>';
		}

			mysql_close(); // Close the database connection.

		} else { // If one of the data tests failed.
			echo '<p><font color="red" size="+1">Please try again.</font></p>';
		}

	} //End of the main Submit conditional.
?>

<h1>Register</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

<fieldset>

<p><b>First Name:</b> <input type="text" name="first_name" size="15" maxlength="15" value="<?php if (isset($_POST['first_name'])) echo $_POST['first_name']; ?>" /></p>

<p><b>Last Name:</b> <input type="text" name="last_name" size="30" maxlength="30" value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /></p>

<p><b>Email Address:</b> <input type="text" name="email" size="40" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /></p>

<p><b>User Name:</b> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <small>Use only letters, numbers, and the underscore. Must be between 4 and 20 characters long.</small></p>

<p><b>Password:</b> <input type="password" name="password1" size="20" maxlength="20" />
 <small>Use only letters and numbers. Must be between 4 and 20 characters long.</small></p>

<p><b>Confirm Password:</b> <input type="password" name="password2" size="20" maxlength="20" /></p>
</fieldset>

<div align="center"><input type="submit" name="submit" value="Register" /></div>

</form><!-- End of Form -->

<?php # Script Use the HTML footer file.
include_once ('../includes/admin_footer.html');
?>
I just can't see where I'm going wrong now.

Thanks for all your help everyone :cry:

Posted: Fri Nov 11, 2005 9:04 am
by katd
It isn't in the code above but I have changed the $password=md5('$p') to $password=md5($p) and it still hasn't worked.

Please any suggestions would be gratefully received.

Posted: Fri Nov 11, 2005 9:12 am
by jayshields
I notice that you are copying the code from Larry Ullman's book, PHP & MySQL for The World Wide Web.

Check the official site http://www.dmcinsights.com/phpmysql/ to see if he made an error when writing the book, or use the forum over there, it's pretty good.

Anyway, I've got the book and definitely got all the scripts in it to work, so I'd recommend checking the site.

Posted: Fri Nov 11, 2005 9:59 am
by katd
Thank you for all your help.

I ended up staying with PASSWORD as my method of encryption but because I was using a later version I needed to change my password field to VARCHAR(45) because the PASSWORD() function in 4.1.0 actually outputs a 45 character string. 4.1.1 and on produce 41 character strings. In addition, in 4.1.0, "the PASSWORD() function is non-repeatable. That is, with a given argument X, successive calls to PASSWORD(X) generate different results."

I would like to eventually change to a different method of encryption which is safer, but I am happy for a while in the knowledge that my script now works, and as I worked on it for 2 days I am not changing it.

:D
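
The two mismatch causes this thread ran into, reproduced without a database as an added example (not code from any poster or from the book): `md5('$p')` hashes the literal text rather than the variable, and a hash stored in a column narrower than its output is cut short and never matches again. `store_in_column()`, `mysql41_password()`, `explain_mismatch()`, the sample password and the 16-character starting width are assumptions for illustration; `password_hash()` and `password_verify()` need PHP 5.5 or later.

```php
<?php
// Added example: reproduces the thread's two mismatch causes without a database.

// Hypothetical stand-in for a VARCHAR($width) column on a server that is not
// in strict SQL mode: values longer than the column are silently cut short.
function store_in_column($value, $width)
{
    return substr($value, 0, $width);
}

// What MySQL 4.1.1+ PASSWORD() computes: '*' followed by the upper-case hex
// of SHA1(SHA1(input)), 41 characters in total.
function mysql41_password($plain)
{
    return '*' . strtoupper(sha1(sha1($plain, true)));
}

// The check suggested in the thread: take both values exactly as the script
// compares them and report how they differ.
function explain_mismatch($stored, $computed)
{
    if ($stored === $computed) {
        return 'match';
    }
    if ($stored !== '' && strlen($stored) < strlen($computed)
        && strpos($computed, $stored) === 0) {
        return sprintf('truncated: column kept %d of %d characters',
                       strlen($stored), strlen($computed));
    }
    return 'different input or different algorithm';
}

$p = 'Secret123'; // constructed sample password

// 1. Quoting. Single quotes do not interpolate, so md5('$p') hashes the
//    literal characters "$p" no matter what the user typed.
echo "md5('\$p') vs md5(\$p): ",
     explain_mismatch(md5('$p'), md5($p)), "\n";

// 2. Column width. The 16-character width is an assumption (the length of
//    a pre-4.1 PASSWORD() hash); 45 is the width the thread settled on.
$computed = mysql41_password($p);
foreach (array(16, 45) as $width) {
    $stored = store_in_column($computed, $width);
    echo "PASSWORD() in VARCHAR($width): ",
         explain_mismatch($stored, $computed), "\n";
}

// 3. The safer replacement the thread asks about: a salted, slow hash that
//    is created and verified in PHP. It is longer still, so the same
//    truncation trap applies; VARCHAR(255) leaves room for future algorithms.
$modern = password_hash($p, PASSWORD_DEFAULT);
foreach (array(45, 255) as $width) {
    $stored = store_in_column($modern, $width);
    echo "password_hash() in VARCHAR($width): ",
         (password_verify($p, $stored) ? 'verifies' : 'fails'), "\n";
}
```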