Page 1 of 2
Cannot verify password on login
Posted: Fri Apr 18, 2008 10:00 am
by khushbush
I am trying to verify a user's password when they log in, but I can't seem to get the user's password to match the password that they created upon registration (the one now stored in the database). I keep getting the error message that I want the form to show when the user enters an invalid password. Except, this time I'm entering the CORRECT password by checking the database and it still keeps telling me that I have entered an invalid password.
Here is the problematic piece of code:
Code:
    /**
     * confirmUserPass - Checks whether or not the given
     * username is in the database, if so it checks if the
     * given password is the same password in the database
     * for that user. If the user doesn't exist or if the
     * passwords don't match up, it returns an error code
     * (1 or 2). On success it returns 0.
     */
    function confirmUserPass($username, $password){
        /* Add slashes if necessary (for query) */
        if(!get_magic_quotes_gpc()) {
            $username = addslashes($_POST['username']);
            $password = addslashes($_POST['userPassword']);
        }
        /* Verify that user is in database */
        $q = "SELECT userPassword FROM user WHERE username = '$username'";
        $result = mysql_query($q, $this->connection);
        if(!$result || (mysql_num_rows($result) < 1)){
            return 1; //Indicates username failure
        }
        /* Retrieve userid from result, strip slashes */
        $dbarray = mysql_fetch_array($result);
        $dbarray['username'] = stripslashes($dbarray['username']);
        /* Retrieve password from result, strip slashes */
        $dbarray = mysql_fetch_array($result);
        $dbarray['userPassword'] = stripslashes($dbarray['userPassword']);
        /* Validate that password is correct */
        if($password == $dbarray['userPassword']){
            return 0; //Success! Username and password confirmed
        }
        else{
            if($password !== $dbarray['userPassword']){
                return 2; //Indicates password failure
            }
        }
    }
Am I missing anything here?
Thanks in advance.

Re: Cannot verify password on login
Posted: Fri Apr 18, 2008 10:26 am
by pickle
A few things:
- Don't use addslashes() to escape data for the database, use mysql_real_escape_string().
- The slashes added by PHP if magic_quotes_gpc is turned on might not always be the same as those added by mysql_real_escape_string(), so you should run your POST data through stripslashes() if magic_quotes_gpc is turned on, then run them through mysql_real_escape_string().
- Don't bother retrieving the password from the database - use it in your query. Build your query to return accounts identified not just by the username, but by the password as well. That will really simplify your function.
- Is your password hashed? If not, it really needs to be. Plaintext passwords are a bad idea.
- If a string is run through mysql_real_escape_string() before it's put in the database, it won't have those escaping slashes when you pull the data out of the database. You don't need to run the data you pull from the db through stripslashes().
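A worked version of the points in the post above (safe handling of input in the query, hashed passwords, no stripslashes() on data read back), added here as an example and not code from any poster in this thread. It assumes PHP 7+ with the pdo_sqlite extension and swaps the thread's mysql_* calls for PDO bound parameters and password_hash()/password_verify(); the table and column names and the 0/1/2 return codes come from the original function, and the sample account is constructed.

```php
<?php
// Added example. Table/column names and return codes follow the thread;
// PDO, the in-memory SQLite database and the sample account are assumptions.

function confirmUserPass(PDO $db, string $username, string $password): int
{
    // Bound parameter: the value never becomes part of the SQL text,
    // so no addslashes()/stripslashes() handling is needed.
    $stmt = $db->prepare('SELECT userPassword FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);

    // Fetch the single row exactly once; a second fetch on a one-row
    // result returns false, not the row again.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 1; // username failure
    }

    // The column holds a salted hash, so the comparison is done in PHP
    // with password_verify() rather than with == or in the WHERE clause.
    return password_verify($password, $row['userPassword']) ? 0 : 2;
}

// Constructed sample data: one account in a throwaway in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, userPassword TEXT NOT NULL)');

// Registration stores only the hash, never the plaintext.
$ins = $db->prepare('INSERT INTO user (username, userPassword) VALUES (:u, :p)');
$ins->execute([':u' => "o'brien", ':p' => password_hash('s3cret pass', PASSWORD_DEFAULT)]);

var_dump(confirmUserPass($db, "o'brien", 's3cret pass')); // correct password
var_dump(confirmUserPass($db, "o'brien", 'wrong'));       // wrong password
var_dump(confirmUserPass($db, 'nobody', 's3cret pass'));  // unknown user
```

The distinct codes 1 and 2 are useful for server-side logging, but the login form should show one generic failure message for both so it does not reveal which usernames exist.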
Re: Cannot verify password on login
Posted: Fri Apr 18, 2008 10:28 am
by aceconcepts
What I tend to do when comparing input and db values is to output the input value in the state that it would be compared to the db value to make sure there are no unwanted characters etc...
Also, I would use a new variable to store the username from the database:
Code:
    //instead of:
    $dbarray['username'] = stripslashes($dbarray['username']);
    //I would use:
    $dbUsername=stripslashes($dbarray['username']);
    //just for clarity and to ensure minimal errors
I think your problem is simply a matter of ensuring the username state is "cleaned" (i.e. make sure no slashes etc. are left) before comparison.
Re: Cannot verify password on login
Posted: Fri Apr 18, 2008 11:48 am
by khushbush
Thanks for your replies, guys.
I tried to follow pickle's advice, and decided to change everything to mysql_real_escape_string() just to simplify things and to ensure all variables are being 'cleaned' in the same way. Also, I've already tried identifying a user's account by querying their username and password and that doesn't seem to work at all.
In response to aceconcepts, I used var_dump() on $_POST so that I could see if I was entering both username and password correctly without any extra characters or even just the wrong spelling...my input variables are fine.
I've also simplified the variables as you showed me.
Code as of now:
Code:
    function confirmUserPass($username, $password){
        /* Clean variables */
        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string($_POST['userPassword']);
        /* Verify that user is in database */
        $q = "SELECT userPassword FROM user WHERE username = '$username'";
        $result = mysql_query($q, $this->connection);
        if(!$result || (mysql_num_rows($result) < 1)){
            return 1; //Indicates username failure
        }
        /* Retrieve userid from result, strip slashes */
        $dbarray = mysql_fetch_array($result);
        $dbusername = mysql_real_escape_string($dbarray['username']);
        /* Retrieve password from result, strip slashes */
        $dbarray=mysql_fetch_array($result);
        $dbpassword=mysql_real_escape_string($dbarray['userPassword']);
        var_dump($_POST);
        /* Validate that password is correct */
        if($password == $dbpassword){
            return 0; //Success! Username and password confirmed
        }
        else{
            if($password !== $dbpassword){
                return 2; //Indicates password failure
            }
        }
    }
Re: Cannot verify password on login
Posted: Fri Apr 18, 2008 2:14 pm
by aceconcepts
You don't need line 21 as you've already executed it on line 17.
Also, remove mysql_real_escape_string from lines 18 and 22.
Re: Cannot verify password on login
Posted: Fri Apr 18, 2008 4:33 pm
by khushbush
Oops...my bad.
But it didn't work...I still can't login

Re: Cannot verify password on login
Posted: Fri Apr 18, 2008 6:19 pm
by aceconcepts
Try querying for the username by literally specifying the username in the query.
Code:
    $q = "SELECT userPassword FROM user WHERE username = 'USERNAME'";
If it works like this then there is obviously something going wrong with the $username variable passed as the where clause, or you are not handling the return value correctly.
Let me know how it goes
Re: Cannot verify password on login
Posted: Fri Apr 18, 2008 6:30 pm
by khushbush
Thanks for your help...
Erm...no, it doesn't work like that. I've tried echoing the original query and it shows that the username variable is the correct one. I even tried echoing the password that the query is retrieving and that works too...it retrieves the correct password. But unfortunately, it doesn't seem to be matching the typed password with the password in the database.

Re: Cannot verify password on login
Posted: Fri Apr 18, 2008 6:48 pm
by aceconcepts
Don't clean the variables before using them in the query, just use them "raw".
It seems as though there are inconsistencies in the data variable and the db value.
Re: Cannot verify password on login
Posted: Fri Apr 18, 2008 6:57 pm
by RobertGonzalez
Don't just var_dump() the post array, var_dump() the data returned to see if you are getting back the result set data you are expecting.
Re: Cannot verify password on login
Posted: Sat Apr 19, 2008 6:43 am
by khushbush
Thanks for the replies, everybody!
Ok, so having taken your advice, my code is now as follows:
Code:
    function confirmUserPass($username, $password){
        /* Clean variables */
        $username = $_POST['username'];
        $password = $_POST['userPassword'];
        /* Verify that user is in database */
        $q = "SELECT userPassword FROM user WHERE username = '$username'";
        $result = mysql_query($q, $this->connection);
        if(!$result || (mysql_num_rows($result) < 1)){
            return 1; //Indicates username failure
        }
        /* Retrieve username and password from result, strip slashes */
        $dbarray = mysql_fetch_array($result);
        $dbusername = $dbarray['username'];
        $dbpassword = $dbarray['userPassword'];
        var_dump($dbusername);
        var_dump($dbpassword);
        var_dump($password);
        var_dump($username);
        var_dump($q);
        /* Validate that password is correct */
        if($password == $dbpassword){
            return 0; //Success! Username and password confirmed
        }
        else{
            if($password !== $dbpassword){
                return 2; //Indicates password failure
            }
        }
    }
As you can see, I have used var_dump() on all the variables and the query and received the following result:
NULL string(6) "dbpassword" string(6) "password" string(6) "username" string(55) "SELECT userPassword FROM user WHERE username = 'username'"
(I've changed my username and password). It appears that the variable $dbusername is being output as null...could that pose a problem? $dbpassword and $password are outputting exactly the same strings, so why aren't they matching?
Re: Cannot verify password on login
Posted: Sat Apr 19, 2008 6:51 am
by aceconcepts
Ok, let's start from the top.
Are the function parameters (username, password) actually being passed correctly to the function?
The majority of the time the error exists when something very simple has been overlooked - make sure you are passing valid variables to the function.
Re: Cannot verify password on login
Posted: Sat Apr 19, 2008 7:03 am
by khushbush
How can I check if these variables are being passed to the function?
Re: Cannot verify password on login
Posted: Sat Apr 19, 2008 7:20 am
by aceconcepts
Code:
    function login($username, $password)
    {
        $login=$username . " | " . $password;
        return $login;
    }
Re: Cannot verify password on login
Posted: Sat Apr 19, 2008 7:33 am
by khushbush
It works...so it seems like the variables are being passed to the function. But I still can't seem to log in.