PHP and MySQL password issue...

BuzzT
Forum Newbie
Posts: 6
Joined: Thu Jun 13, 2002 9:44 am

PHP and MySQL password issue...

Post by BuzzT »

I recently tried to use a script that I know works. I have used it before, but I cannot figure out the problem.

When I add passwords to a table for login information, I send them to MySQL through PHP as password('$password'). This encrypts them fine. I can see that when I check the database.

When I try to validate the password later during login using the same method, I can't seem to get in. The exact same script works for me on a friend's server. I have installed PHP4 and MySQL on a Win 2K server. Did I miss a setting or something? How come they can be sent, but not retrieved?

Also, I can't seem to find an mcrypt.dll that will work. It always locks up when PHP tries to access it. How come?
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

If you've got PHP 4.2 (or installed 4.1.x and used the php.ini-recommended), have you read this?

If the stuff from the above thread doesn't help maybe we could see some code to spot anything else that might be going wrong.

Mac
BuzzT
Forum Newbie
Posts: 6
Joined: Thu Jun 13, 2002 9:44 am

Post by BuzzT »

Here is part of the code. The first set is from the PHP to add members to the database and encrypt the password (this works fine). The second set is where I try to validate the user. This works only if I did not encrypt the password in the previous set and do not try to retrieve it with password(password). Keep in mind that this works perfectly on a friend's Apache server. Could there be a setting I missed when installing MySQL or PHP on my Win 2k Server box?

-----------start first set (add user)-----------------

$query = "insert into level1_members values ('NULL','".$username."', password('".$password."'),'".$date."','".$email."')";
$result = mysql_query($query);
$check_user = "select * from level1_members where username = '$username' or password = password('$password') ";

if ($result)
{
    echo "User <b>$username</b> with password <b>$password</b> has been inserted into our database on $date"."<br><br>";
    exit;
}
else if ($check_user)
{
    echo "That username and/or password is already in use.";
    exit;
}
else
{
    echo "Unable to insert member into database.";
}


----------start second set (check for user)-------------

// query the database to see if there is a record which matches

$query = "select count(*) from level1_members where
    username = '$username' and
    password = password('$password')";

$result = mysql_query( $query );
if(!$result)
{
    echo 'Cannot run query.';
    exit;
}

$count = mysql_result( $result, 0, 0 );

$success="schedule.php";
$failure="rejected.php";

if ( $count > 0 )
{
    // visitor's name and password combination are correct
    header("Location: $success");
}
else
{
    // visitor's name and password combination are not correct
    header("Location: $failure");
}
JadePhp
Forum Newbie
Posts: 5
Joined: Tue Sep 14, 2004 12:35 am
Location: Pakistan

I think...................

Post by JadePhp »

$check_user = "select * from level1_members where username = '$username' or password = password('$password') ";

'AND' should come instead of 'OR' in the query.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

http://dev.mysql.com/doc/mysql/en/Encry ... tions.html
Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application
JadePhp
Forum Newbie
Posts: 5
Joined: Tue Sep 14, 2004 12:35 am
Location: Pakistan

Well

Post by JadePhp »

timvw wrote:http://dev.mysql.com/doc/mysql/en/Encry ... tions.html
Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application

I tried using MD5 and SHA1, but it generates different output from the encrypted value stored in the database.


<?php

$password = md5('noor');
$check_user = "select * from info
    where password = password('$password') ";

//$check_user = "select * from info
//    where password = '$password' ";
echo($check_user);
$link = mysql_connect('localhost', 'root', 'triadpass');
mysql_select_db('testdb');
$result = mysql_query($check_user) or die(mysql_error());
while ($arrt = mysql_fetch_array($result, MYSQL_ASSOC)) {
    print_r($arrt);
    echo("asdasdas");
}
?>


Still it's not working.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

If you store PASSWORD($input) it is expected to be unequal to MD5($input).

It will only work if you INSERT values as MD5($input) instead of PASSWORD($input).

Thus if you have already a lot of accounts, you may not want to change this.
JadePhp
Forum Newbie
Posts: 5
Joined: Tue Sep 14, 2004 12:35 am
Location: Pakistan

Hmmmmmmmm

Post by JadePhp »

OK, then how can I decrypt it to show it to the user? In this case I have to remember it. And one more thing: then what's the use of the SQL function?
I already knew this way of MD5; I want to implement SQL PASSWORD('');
phpScott
DevNet Resident
Posts: 1206
Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.

you don't

Post by phpScott »

You don't decrypt it; you get the user (that you now want to beat on) to create a new password.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

Can you state the password field length and datatype?

For password encrypt I believe it has to be char(16) and for md5 it has to be char(32). If you got different values, that might be a problem of spaces added or the password string getting cut off.
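
Added example, not part of the original thread or any poster's code: the add-user and check-login steps from the first posts, with the hash computed in PHP by password_hash()/password_verify() (swapped in here for the PASSWORD(), MD5() and SHA1() SQL functions discussed above), so that insert and check always use the same function and the column holds the whole hash. The members table, its columns, the function names, the sample credentials and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example. Table, column and function names are hypothetical;
// an in-memory SQLite database stands in for the MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The hash column must hold the complete hash: a value cut short by a
// too-narrow column can never match again at login.
$db->exec('CREATE TABLE members (
    username VARCHAR(64)  PRIMARY KEY,
    pw_hash  VARCHAR(255) NOT NULL
)');

function add_member(PDO $db, string $username, string $password): bool
{
    // Hash in PHP, so the result does not depend on the database
    // server's version or settings.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO members (username, pw_hash) VALUES (?, ?)');
    try {
        return $stmt->execute([$username, $hash]);
    } catch (PDOException $e) {
        if ($e->getCode() == 23000) {
            return false; // integrity violation: username already in use
        }
        throw $e;
    }
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Select by username only; placeholders keep the input out of the SQL text.
    $stmt = $db->prepare('SELECT pw_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // The stored value is one-way: it is checked by hashing the attempt
    // again with the parameters embedded in the hash, never decrypted.
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample credentials.
var_dump(add_member($db, 'buzz', 'constructed-sample-pw'));  // first registration
var_dump(add_member($db, 'buzz', 'another-pw'));             // same username again
var_dump(check_login($db, 'buzz', 'constructed-sample-pw')); // matching password
var_dump(check_login($db, 'buzz', 'wrong-pw'));              // wrong password
var_dump(check_login($db, 'nobody', 'wrong-pw'));            // unknown user
```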