Page 1 of 1

problem logging in when checking against md5 encrypted passw

Posted: Wed Dec 18, 2002 8:33 pm
by portaloo
this is starting to peev me off.

here is the script:

if(isset($username) | isset($password)) {
session_register("username");
session_register("password");


$database = "m2b";
$db_select = @mysql_select_db($database);

$sql = "SELECT * FROM users WHERE username = '$username'" or die("ERROR 1");

$fetch_em = mysql_query($sql) or die("ERROR 2");
$encryptedpassword = md5($password);
$dat = mysql_fetch_array($fetch_em);

$user = $dat["username"];
$numrows = mysql_num_rows($fetch_em);

if($numrows != "0" & $encryptedpassword == $dat["password"]) {
$valid_user = 1;
}
else {
$valid_user = 0;
}

whenever i try to log on it comes up with incorrect login. i am trying to get it to verify the password entered into a form against an md5 encrypted password in the database.

if i remove the md5 section and use the following it will work with non encrypted passwords.

if(isset($username) | isset($password)) {
session_register("username");
session_register("password");


$database = "m2b";
$db_select = @mysql_select_db($database);

$sql = "SELECT * FROM users WHERE username = '$username'" or die("ERROR 1");

$fetch_em = mysql_query($sql) or die("ERROR 2");
$dat = mysql_fetch_array($fetch_em);

$user = $dat["username"];
$numrows = mysql_num_rows($fetch_em);

if($numrows != "0" & $password == $dat["password"]) {
$valid_user = 1;
}
else {
$valid_user = 0;
}

how do i get this to work?

cheers

Posted: Thu Dec 19, 2002 12:11 am
by protokol
The first obvious things that I noticed are you invalid uses of & and |

You most definitely want to use && and ||, "AND" and "OR" respectively.

BAD:
if ($first == true | $second == false & $third == true) {}

CORRECT:
if ($first == true || $second == false && $third == true) {}

Notice that I used || and && instead of | and &

Hopefully this fixes your code big time.

Posted: Thu Dec 19, 2002 12:53 am
by nathus
the use of | and & should be ok. they're the short-circuting versions of || and &&.

using | if the first is true, it doesn't check the second, as it will have evaluated the if statement as true.

using & will stop evaluating when it finds a false, as then it wont need to continue.

as far as the problem with the encryption, not really sure on that.

Posted: Thu Dec 19, 2002 7:16 am
by portaloo
thanks for trying protokol,

but no joy. i know i could have used OR as well, but all i want to check is whether either had been passed to the page.
hell i could of used and as well to ensure that both username and password had been passed.

i just dont get why the password won't check against the database.

here's the entire code if it helps.

<?
$username = $_POST['username'];
$password = $_POST['password'];
if(!isset($username) && !isset($password)) {
?>
<form method="POST" action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>"><table><tr>
<td align=right><font color="black"><nobr>login&nbsp;user:</font>
</td>
<td><input type="text" name="username" style="font-family:verdana; font-size: 11px;" size="15" autocomplete="off" value="login">
</td>
<td><font color="black"><nobr>password:</font>
</td>
<td><input type="password" name="password" size="15" style="font-family:verdana; font-size: 11px;">
</td>
<td><input type="submit" value="go" color="black">
</td>
</tr></table></form>

<?

}

// If all is well so far.
if(isset($username) && isset($password)) {
session_register("username");
session_register("password");


$database = "m2b";
$db_select = @mysql_select_db($database);

$sql = "SELECT * FROM users WHERE username = '$username'" or die("ERROR 1");

$fetch_em = mysql_query($sql) or die("ERROR 2");
$encryptedpassword = md5($password);
$dat = mysql_fetch_array($fetch_em);

$user = $dat["username"];
$numrows = mysql_num_rows($fetch_em);

if($numrows != "0" && $encryptedpassword == $dat["password"]) {
$valid_user = 1;
}
else {
$valid_user = 0;
}

// If the username exists and pass is correct, don't pop up the login code again.
// If info can't be found or verified....

if (!($valid_user))
{
?>
<form method="POST" action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>"><table><tr>
<td align=right><font color="black"><nobr>incorrect login&nbsp;user:</font>
</td>
<td><input type="text" name="username" style="font-family:verdana; font-size: 11px;" size="15" autocomplete="off" value="login">
</td>
<td><font color="black"><nobr>password:</font>
</td>
<td><input type="password" name="password" size="15" style="font-family:verdana; font-size: 11px;">
</td>
<td><input type="submit" value="go">
</td>
</tr></table></form>
<?

}
if (($valid_user)){
?>
<table><tr>
<td><td width="1"><img src="images/spacer.gif" width="1" height="15"></td>
<td><font color="black">Welcome <?echo $dat["username"]?>&nbsp;&nbsp;&nbsp;</font><a href="logout.php"><font color="black">logout</font></a></td>
</tr></table>
<?
}}
?>

well here's hoping

Posted: Thu Dec 19, 2002 2:34 pm
by daven
I was having a similar problem. I got around it by placing the password check in the SQL statement.

$encryptedpassword=md5($password);
$sql = "SELECT * FROM users WHERE username = '$username' AND password='$encryptedpassword'" or die("ERROR 1");

$fetch_em = mysql_query($sql) or die("ERROR 2");
$numrows = mysql_num_rows($fetch_em);

if($numrows > 0) {
$valid_user = 1;
}
else {
$valid_user = 0;
}