Can't find the error in my code! :(

Leandro-AL
Forum Newbie
Posts: 23
Joined: Thu Sep 04, 2008 10:05 am
Location: Albania

Can't find the error in my code! :(

Post by Leandro-AL »

Hello. I have created a login system and there is a function by which a user types into a form his email and a new password is sent to them. I am testing it but the new password won't work! I keep getting the "user & pass don't match" message. I can't find out where I'm mistaken... Please help!

This is my registration validation & account creation code (only the part that interests us):


 
$clean['match'] = '/^[A-Za-z0-9~!@#$%^&*-_]{6,}$/';
if ((preg_match($clean['match'], $trimmed['password'])) && (preg_match($clean['match'], $trimmed['passconfirm']))){
  if ($trimmed['password'] == $trimmed['passconfirm']){
    $clean['salt'] = mysql_real_escape_string($trimmed['password']);
  }else{
    $clean['salt'] = '';
  }
}
$clean['match'] = '/^[A-Za-z]+(-|_)?[A-Za-z]+(-|_)?[A-Za-z]+[0-9]*$/';
if (preg_match($clean['match'], $trimmed['username'])){
  $clean['username'] = mysql_real_escape_string($trimmed['username']);
  $clean['user'] = mysql_real_escape_string(sha1(sha1($clean['username'] . $clean['salt'] . 'hhuFjn-3C4#$sdf!@#adS')));
  $clean['query'] = mysql_query("SELECT first_name from users WHERE username = '{$clean['user']}'");
  if (mysql_num_rows($clean['query']) == 1){
    $errors[] = 'That user name is not available.';
  }
}else{
  $errors[] = 'That is not a valid user name!';
}
$clean['match'] = '/^[A-Za-z]+(?:[0-9]*(?:-|_)?[A-Za-z0-9]*(?:-|_)?[A-Za-z0-9]*(?:-|_)?[A-Za-z0-9]*)@(?:[A-Za-z0-9]+)\.(?:[A-Za-z]{2,6})(\.)?(?(1)[A-Za-z]{2,6})$/';
if (preg_match($clean['match'], $trimmed['email'])){
  $clean['address'] = mysql_real_escape_string($trimmed['email']);
  $clean['email'] = mysql_real_escape_string(sha1(sha1($clean['address'] . 'ADuiku^%w2--dgh#%fg45')));
  $clean['query'] = mysql_query("SELECT first_name from users WHERE email = '{$clean['email']}'");
  if (mysql_num_rows($clean['query']) == 1){
    $errors[] = 'That email address is already being used.';
  }
}
$clean['match'] = '/^[A-Za-z0-9~!@#$%^&*-_]{6,}$/';
if ((preg_match($clean['match'], $trimmed['password'])) && (preg_match($clean['match'], $trimmed['passconfirm']))){
  if ($trimmed['password'] == $trimmed['passconfirm']){
    $clean['password'] = mysql_real_escape_string(sha1(sha1($clean['user'] . $clean['salt'] . 'fsdS4fjk#%^@!-sdf23F-F34')));
  }
}
if (empty($errors)){
  $clean['activation_string'] = mysql_real_escape_string(sha1(sha1($clean['user'] . $clean['email'] . 'as5435DHFGH%#$assd--sdfmmm')));
  mysql_query("INSERT INTO users (first_name, last_name, username, password, email, activation_key, user_level, registration_date, last_activity)
  VALUES ('{$clean['first']}', '{$clean['last']}', '{$clean['user']}', '{$clean['password']}', '{$clean['email']}', '{$clean['activation_string']}', '1', NOW(), NOW())");
}
 
This is from the login script:


 
$clean['match'] = '/^[A-Za-z0-9~!@#$%^&*-_]{6,}$/';
if (preg_match($clean['match'], $trimmed['password'])){
  $clean['salt'] = mysql_real_escape_string($trimmed['password']);
}else{
  $clean['salt'] = '';
}
$clean['match'] = '/^[A-Za-z]+(-|_)?[A-Za-z]+(-|_)?[A-Za-z]+[0-9]*$/';
if (preg_match($clean['match'], $trimmed['username'])){
  $clean['username'] = mysql_real_escape_string($trimmed['username']);
  $clean['user'] = mysql_real_escape_string(sha1(sha1($clean['username'] . $clean['salt'] . 'hhuFjn-3C4#$sdf!@#adS')));
}else{
  $errors[] = 'That is not a valid user name.';
}
$clean['match'] = '/^[A-Za-z0-9~!@#$%^&*-_]{6,}$/';
if (preg_match($clean['match'], $trimmed['password'])){
  $clean['password'] = mysql_real_escape_string(sha1(sha1($clean['user'] . $clean['salt'] . 'fsdS4fjk#%^@!-sdf23F-F34')));
}
if (empty($errors)){
  $clean['query1'] = mysql_query("SELECT first_name FROM users WHERE username = '{$clean['user']}' AND password = '{$clean['password']}'");
  if (mysql_num_rows($clean['query1']) == 1){
    $clean['query2'] = mysql_query("SELECT first_name, user_level FROM users WHERE username = '{$clean['user']}' AND password = '{$clean['password']}' AND activation_key IS NULL");
    if (mysql_num_rows($clean['query2']) == 1){
      //
      // stuff here
      //
    }
  }
}
 
And the password reset script:


 
$clean['match'] = '/^[A-Za-z]+(?:[0-9]*(?:-|_)?[A-Za-z0-9]*(?:-|_)?[A-Za-z0-9]*(?:-|_)?[A-Za-z0-9]*)@(?:[A-Za-z0-9]+)\.(?:[A-Za-z]{2,6})(\.)?(?(1)[A-Za-z]{2,6})$/';
if (preg_match($clean['match'], $trimmed['email'])){
  $clean['address'] = mysql_real_escape_string($trimmed['email']);
  $clean['email'] = mysql_real_escape_string(sha1(sha1($trimmed['email'] . 'ADuiku^%w2--dgh#%fg45')));
  $clean['query'] = mysql_query("SELECT first_name, username, password FROM users WHERE email = '{$clean['email']}'");
  if (mysql_num_rows($clean['query']) == 0){
    $errors[] = 'That email address was not found in our records.';
  }
}else{
  $errors[] = 'That is not a valid email address!';
}
if (empty($errors)){
  $clean['row'] = mysql_fetch_array($clean['query']);
  mysql_free_result($clean['query']);
  $clean['salt'] = mysql_real_escape_string(substr($clean['row']['password'], 10, 10));
  $clean['password'] = mysql_real_escape_string(sha1(sha1($clean['row']['username'] . $clean['salt'] . 'fsdS4fjk#%^@!-sdf23F-F34')));
  mysql_query("UPDATE users SET password = '{$clean['password']}' WHERE email = '{$clean['email']}' LIMIT 1");
}
 
I don't think the first script is really needed but just put it there in case someone wants to check it out. So basically the reset password script takes a piece of the old hash and uses it as the new password/salt. But it won't work! :(

Thanks in advance to anyone who bothered!

PS: I know double hashing sucks but that's not a priority right now.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Can't find the error in my code! :(

Post by josh »

http://www.ibm.com/developerworks/library/os-debug/
Because functional bugs in your application don't generate errors, knowledge on how to accurately place and use print or die statements to debug your PHP application can be a great asset in your arsenal of debugging strategies
Leandro-AL
Forum Newbie
Posts: 23
Joined: Thu Sep 04, 2008 10:05 am
Location: Albania

Re: Can't find the error in my code! :(

Post by Leandro-AL »

The code works; there is no error in it. The "error" is that the various values of $clean['password'] don't match and I can't seem to find out why.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Can't find the error in my code! :(

Post by josh »

Bugs aren't errors.
Leandro-AL
Forum Newbie
Posts: 23
Joined: Thu Sep 04, 2008 10:05 am
Location: Albania

Re: Can't find the error in my code! :(

Post by Leandro-AL »

Well, I found it. The way I had it was that the user hash had the password as salt. So when one changed their password the user hash changed with it. I removed the password salt from the user hash and it works fine.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Can't find the error in my code! :(

Post by josh »

Right... if you output values and they aren't what you expected, it gives you insight into where your logic was mistaken.
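
The mismatch found in this thread, reproduced with an in-memory row instead of MySQL, beside a layout where the lookup key depends only on the username. This is an added example, not the poster's code: the pepper strings, the `leandro`/`secret1` values and the function names are constructed, and the second half swaps the double SHA-1 for PHP's `password_hash()`/`password_verify()` and draws the reset password from `random_bytes()` (PHP 7 or later assumed).

```php
<?php
// Added example, not the poster's code. Peppers, names and passwords are constructed.
const USER_PEPPER = 'constructed-user-pepper';
const PASS_PEPPER = 'constructed-pass-pepper';

// Scheme from the thread: the stored username key includes the password.
function oldUserKey(string $user, string $pass): string {
    return sha1(sha1($user . $pass . USER_PEPPER));
}
function oldPassHash(string $userKey, string $pass): string {
    return sha1(sha1($userKey . $pass . PASS_PEPPER));
}
function oldLogin(array $row, string $user, string $pass): bool {
    $key = oldUserKey($user, $pass);            // recomputed from the typed password
    return hash_equals($row['username'], $key)
        && hash_equals($row['password'], oldPassHash($key, $pass));
}

// Changed scheme: the lookup key depends on the username only (the fix found
// in the thread); password_hash()/password_verify() replace the double SHA-1.
function newUserKey(string $user): string {
    return sha1($user . USER_PEPPER);
}
function newLogin(array $row, string $user, string $pass): bool {
    return hash_equals($row['username'], newUserKey($user))
        && password_verify($pass, $row['password']);
}

// Registration, then a reset, under the old scheme.
$row = ['username' => oldUserKey('leandro', 'secret1')];
$row['password'] = oldPassHash($row['username'], 'secret1');
$reset = substr($row['password'], 10, 10);      // new password taken from the old hash
$row['password'] = oldPassHash($row['username'], $reset);  // only this column is updated
// Login rebuilds the username key from $reset; the stored key was built from 'secret1'.
var_dump(oldLogin($row, 'leandro', $reset));

// Same steps under the changed scheme, with a random reset password.
$row = ['username' => newUserKey('leandro'),
        'password' => password_hash('secret1', PASSWORD_DEFAULT)];
$reset = bin2hex(random_bytes(8));
$row['password'] = password_hash($reset, PASSWORD_DEFAULT);
var_dump(newLogin($row, 'leandro', $reset));    // lookup key is unchanged by the reset
var_dump(newLogin($row, 'leandro', 'secret1')); // the pre-reset password is checked too
```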