Cannot verify password on login

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

User avatar
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Cannot verify password on login

Post by aceconcepts »

Code: Select all

 
function login($username, $password)
{
$q = "SELECT * FROM user WHERE username = '$username'";
$result = mysql_query($q, $this->connection);
$row=mysql_fetch_array($result);
 
$login = $row['username'] . " | " . $row['userPassword'];
 
return $login; //echo this from where you call the function
}
 
User avatar
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

Ok, here is the result of that function:

user | password

(real username and password have been changed).

Something has come to my attention. It appears that the database is matching the passwords, but not logging me in. When I type in the correct password, the page just refreshes back to the usual login page. However, when I enter an incorrect password, the page shows me the 'Invalid password' error. I think there may now be a problem with my being logged in.
Should I start another thread seeing as the problem is now seemingly unrelated to the thread title or should I continue to try to fix it here with help from you guys?
User avatar
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Cannot verify password on login

Post by aceconcepts »

so "user" and "password" are the literal values in the database?
User avatar
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

Something has come to my attention. It appears that the database is matching the passwords, but not logging me in. When I type in the correct password, the page just refreshes back to the usual login page. However, when I enter an incorrect password, the page shows me the 'Invalid password' error. I think there may now be a problem with my being logged in.
Should I start another thread seeing as the problem is now seemingly unrelated to the thread title or should I continue to try to fix it here with help from you guys?
User avatar
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Cannot verify password on login

Post by aceconcepts »

So your query works and it's just going back to the login page?
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Cannot verify password on login

Post by RobertGonzalez »

Ok, you are doing way too much for this little action. If all you want is to see if data passed from the form results in a known user this will work:

Code: Select all

<?php
function checkUserLogin() {
  // To make sure it matches wrap the username is real escape like you do on inserts
  $user = mysql_real_escape_string($_POST['username']);
 
  // Now hash the password like you do on inserts
  $pass = md5($_POST['password']);
 
  // Now run the query
  $sql = "SELECT * FROM `userTable` WHERE `userName` = '$user' AND `userPass` = '$pass'";
  if (!$result = mysql_query($sql)) {
    return 0;
  }
 
  // Return the number of found rows. This can be evaluated in the calling code
  return mysql_num_rows($results);
}
?>
All this does is see if the user is in the table using the data they presented. This does not get user data or anything else.
User avatar
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

Thanks for your help so far, everyone...

ok...

aceconcepts - yes, my query works, it's just going back to the login page as opposed to logging in...

Everah - your code logged me in, but it keeps changing the password in the database to the one I type in...so if the password was originally 'apple' and I type 'orange' into the password field, 'orange' is also inserted into the password field of the database instead of giving me the invalid password error. So weird. :?
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Cannot verify password on login

Post by RobertGonzalez »

There has to be other code added to what I provided then because a Select query will not update anything.
User avatar
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

Yes, I just checked my code...and I had to remove an unnecessary function that I had included earlier that kept being called upon login and updating the password field. So now that problem is out of the way...and the password doesn't keep changing...another problem seems to have appeared. I'm able to login...however, the password I've entered to log into my account is different to the password stored in the database...so anyone could log into my account using any password they wanted.
User avatar
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: Cannot verify password on login

Post by aceconcepts »

You're using md5 encryption for your password variable used in the query.

Is your password in the database encrypted?

e.g. password variable = £$t3rtg%££%TY345g4%Gw45## (something encrypted like this)

your password in the database is probably not encrypted e.g. "orange" - so they won't match.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Cannot verify password on login

Post by RobertGonzalez »

<rant>MD5 is not encryption it is a one way hash</rant>

Passwords should always be masked in some way. Encryption or hashing works. Just be consistent.
User avatar
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

aceconcepts wrote:So your query works and it's just going back to the login page?
Forgot to answer your question. Yes, my query works, and it yes it keeps going back to the login page.
User avatar
khushbush
Forum Commoner
Posts: 99
Joined: Tue Mar 11, 2008 11:50 am

Re: Cannot verify password on login

Post by khushbush »

Everah wrote:<rant>MD5 is not encryption it is a one way hash</rant>

Passwords should always be masked in some way. Encryption or hashing works. Just be consistent.
Weeeeellll...just to put things in context...this is part of a university project, and not really part of an official website...so I'm not putting emphasis on MD5 hashing...although, I do emphasise the importance of MD5...many security failings are due to lack of MD5-ing passwords...digital authentication doesn't always work.

I must add...LOL at <rant> tags.
Post Reply