Cannot verify password on login


khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Cannot verify password on login

Post by khushbush »

I am trying to verify a user's password when they log in, but I can't seem to get the user's password to match that of the password that they created upon registration (the one now stored in the database). I keep getting the error message that I want the form to show when the user enters an invalid password. Except, this time I'm entering the CORRECT password by checking the database and it still keeps telling me that I have entered an invalid password.

Here is the problematic piece of code:

Code:

 
   /**
    * confirmUserPass - Checks whether or not the given
    * username is in the database, if so it checks if the
    * given password is the same password in the database
    * for that user. If the user doesn't exist or if the
    * passwords don't match up, it returns an error code
    * (1 or 2). On success it returns 0.
    */
   function confirmUserPass($username, $password){
      /* Add slashes if necessary (for query) */
      if(!get_magic_quotes_gpc()) {
          $username = addslashes($_POST['username']);
          $password = addslashes($_POST['userPassword']);
      }
      /* Verify that user is in database */
        
      $q = "SELECT userPassword FROM user WHERE username = '$username'";
      $result = mysql_query($q, $this->connection);
      if(!$result || (mysql_num_rows($result) < 1)){
         return 1; //Indicates username failure
      }
 
      /* Retrieve userid from result, strip slashes */
      $dbarray = mysql_fetch_array($result);
      $dbarray['username'] = stripslashes($dbarray['username']);
 
 
 
      /* Retrieve password from result, strip slashes */
      $dbarray = mysql_fetch_array($result);
      $dbarray['userPassword'] = stripslashes($dbarray['userPassword']);
 
 
      /* Validate that password is correct */
      if($password == $dbarray['userPassword']){
         return 0; //Success! Username and password confirmed
      }
      else{
      if($password !== $dbarray['userPassword']){
         return 2; //Indicates password failure
      }
   }
   }
 
Am I missing anything here?

Thanks in advance. :)
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Cannot verify password on login

Post by pickle »

A few things:

- Don't use addslashes() to escape data for the database, use mysql_real_escape_string().
- The slashes added by PHP if magic_quotes_gpc is turned on might not always be the same as those added by mysql_real_escape_string(), so you should run your POST data through stripslashes() if magic_quotes_gpc is turned on, then run them through mysql_real_escape_string().
- Don't bother retrieving the password from the database - use it in your query. Build your query to return accounts identified not just by the username, but by the password as well. That will really simplify your function.
- Is your password hashed? If not, it really needs to be. Plaintext passwords are a bad idea.
- If a string is run through mysql_real_escape_string() before it's put in the database, it won't have those escaping slashes when you pull the data out of the database. You don't need to run the data you pull from the db through stripslashes().
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
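
Added example, not part of pickle's post or the original poster's code: the hashing and escaping points above, implemented with a PDO prepared statement and password_hash()/password_verify() in place of the thread's mysql_* calls, which were removed in PHP 7. The in-memory SQLite database and the sample account are constructed so the script runs stand-alone; the table and column names and the 0/1/2 return codes are taken from the thread.

```php
<?php
// Added example. Assumes PHP >= 5.5 with the pdo_sqlite extension.

/**
 * Returns 0 on success, 1 if the username is unknown, 2 on a wrong password
 * (the same codes as confirmUserPass() in the thread).
 */
function confirmUserPass(PDO $db, $username, $password)
{
    // Placeholder binding: the value never becomes part of the SQL text,
    // so no addslashes()/stripslashes()/escaping round trip is needed.
    $stmt = $db->prepare('SELECT userPassword FROM user WHERE username = :u');
    $stmt->execute(array(':u' => $username));

    // Fetch exactly once; fetch() returns false when no row is left.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 1;
    }

    // password_verify() re-derives the hash from the salt and cost stored
    // inside the hash string and compares the result in constant time.
    return password_verify($password, $row['userPassword']) ? 0 : 2;
}

// Constructed demo database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, userPassword TEXT NOT NULL)');

// Registration side: store only the hash, never the plaintext.
// The username contains a quote to show that binding handles it unchanged.
$insert = $db->prepare('INSERT INTO user (username, userPassword) VALUES (?, ?)');
$insert->execute(array("o'brien", password_hash('correct horse', PASSWORD_DEFAULT)));

var_dump(confirmUserPass($db, "o'brien", 'correct horse')); // matching password
var_dump(confirmUserPass($db, "o'brien", 'wrong guess'));   // wrong password
var_dump(confirmUserPass($db, 'nobody', 'correct horse'));  // unknown username
```

The separate 1 and 2 codes are kept only for comparison with the thread; show the user one generic failure message for both so the login form does not reveal which usernames exist.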
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Cannot verify password on login

Post by aceconcepts »

What I tend to do when comparing input and db values is to output the input value in the state that it would be compared to the db value to make sure there are no unwanted characters etc...

Also, I would use a new variable to store the username from the database:

Code:

 
//instead of:
$dbarray['username'] = stripslashes($dbarray['username']);
 
//i would use:
$dbUsername=stripslashes($dbarray['username']);
//just for clarity and to ensure minimal errors
 
I think your problem is simply a matter of ensuring the username state is "cleaned" (i.e. make sure no slashes etc. are left) before comparison.
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

Thanks for your replies, guys.

I tried to follow pickle's advice, and decided to change everything to mysql_real_escape_string() just to simplify things and to ensure all variables are being 'cleaned' in the same way. Also, I've already tried identifying a user's account by querying their username and password and that doesn't seem to work at all.

In response to aceconcepts, I used var_dump() on $_POST so that I could see if I was entering both username and password correctly without any extra characters or even just the wrong spelling...my input variables are fine.
I've also simplified the variables as you showed me.

Code as of now:

Code:

 
   function confirmUserPass($username, $password){
      /* Clean variables */
      
          $username = mysql_real_escape_string($_POST['username']);
          $password = mysql_real_escape_string($_POST['userPassword']);
      
      /* Verify that user is in database */
        
      $q = "SELECT userPassword FROM user WHERE username = '$username'";
      $result = mysql_query($q, $this->connection);
      if(!$result || (mysql_num_rows($result) < 1)){
         return 1; //Indicates username failure
      }
 
      /* Retrieve userid from result, strip slashes */
      $dbarray = mysql_fetch_array($result);
      $dbusername = mysql_real_escape_string($dbarray['username']);
 
      /* Retrieve password from result, strip slashes */
      $dbarray=mysql_fetch_array($result);
      $dbpassword=mysql_real_escape_string($dbarray['userPassword']);
      var_dump($_POST);
 
      /* Validate that password is correct */
      if($password == $dbpassword){
         return 0; //Success! Username and password confirmed
      }
      else{
      if($password !== $dbpassword){
         return 2; //Indicates password failure
      }
   }
   }
 
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Cannot verify password on login

Post by aceconcepts »

You don't need line 21 as you've already executed it on line 17.

Also, remove mysql_real_escape_string from lines 18 and 22.
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

Oops...my bad. :oops:

But it didn't work...I still can't login :(
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Cannot verify password on login

Post by aceconcepts »

Try querying for the username by literally specifying the username in the query.

Code:

 
       $q = "SELECT userPassword FROM user WHERE username = 'USERNAME'";
 
If it works like this then there is obviously something going wrong with the $username variable passed as the where clause

or

you are not handling the return value correctly

Let me know how it goes
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

Thanks for your help... :)

Erm...no, it doesn't work like that. I've tried echoing the original query and it shows that the username variable is the correct one. I even tried echoing the password that the query is retrieving and that works too...it retrieves the correct password. But unfortunately, it doesn't seem to be matching the typed password with the password in the database. :?
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Cannot verify password on login

Post by aceconcepts »

Don't clean the variables before using them in the query, just use them "raw".

It seems as though there are inconsistencies in the data variable and the db value.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Cannot verify password on login

Post by RobertGonzalez »

Don't just var_dump() the post array, var_dump() the data returned to see if you are getting back the result set data you are expecting.
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

Thanks for the replies, everybody!

Ok, so having taken your advice, my code is now as follows:

Code:

 
   function confirmUserPass($username, $password){
      /* Clean variables */
     
          $username = $_POST['username'];
          $password = $_POST['userPassword'];
     
      /* Verify that user is in database */
       
      $q = "SELECT userPassword FROM user WHERE username = '$username'";
      $result = mysql_query($q, $this->connection);
      if(!$result || (mysql_num_rows($result) < 1)){
         return 1; //Indicates username failure
      }
 
      /* Retrieve username and password from result, strip slashes */
      $dbarray = mysql_fetch_array($result);
      $dbusername = $dbarray['username'];
      $dbpassword = $dbarray['userPassword'];
      var_dump($dbusername);
      var_dump($dbpassword);
      var_dump($password);
      var_dump($username);
      var_dump($q);
 
      /* Validate that password is correct */
      if($password == $dbpassword){
         return 0; //Success! Username and password confirmed
      }
      else{
      if($password !== $dbpassword){
         return 2; //Indicates password failure
      }
   }
   }
 
As you can see, I have used var_dump() on all the variables and the query and received the following result:

NULL string(6) "dbpassword" string(6) "password" string(6) "username" string(55) "SELECT userPassword FROM user WHERE username = 'username'"
(I've changed my username and password). It appears that the variable $dbusername is being output as null...could that pose a problem? $dbpassword and $password are outputting exactly the same strings, so why aren't they matching?
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Cannot verify password on login

Post by aceconcepts »

Ok, let's start from the top.

Are the function parameters (username, password) actually being passed correctly to the function?

The majority of the time the error exists when something very simple has been overlooked - make sure you are passing valid variables to the function.
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

How can I check if these variables are being passed to the function?
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Cannot verify password on login

Post by aceconcepts »

Code:

 
function login($username, $password)
{
   $login=$username . " | " . $password;
 
   return $login;
}
 
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

It works...so it seems like the variables are being passed to the function. But I still can't seem to log in.