hashing problems [SOLVED, thanks]
Posted: Thu May 24, 2007 2:20 pm
by toby_c500
Hi,
I have added a hash to my user registration form. The script works fine and the password is hashed in my mysql db.
I am now testing the login page and trying to log in but seem to have problems. I have an HTML form below this PHP which is exited to if the user is not recognized (see below).
When I log in, with a user that has md5 hashing, it exits the script and just displays the HTML form. There are no errors and no other echoes. Just the HTML form.
Any ideas???
The script:
Code:
error_reporting(E_ALL);
ini_set('display_errors', true);
if ( isset($_POST['loginid'], $password)) {
    $link = dbconnect();
    mysql_select_db("jobs4alltrades", $link) or die(mysql_error());
    $pass = $_POST['password'];
    $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
    $password = mysql_real_escape_string(hash('md5', $pass,TRUE), $link) or die(mysql_error());
    $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";
    $result = mysql_query($query, $link) or die(mysql_error());
    if (mysql_num_rows($result) >0) {
        $_SESSION['loginid'] = $_POST['loginid'];
        echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
             '<br><a href="sessiontest.php">click here</a>';
        exit;
    }
    else{
        echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
    }
}
Thanks
Posted: Thu May 24, 2007 2:28 pm
by feyd
Is there a reason you're using binary hash results?
Posted: Thu May 24, 2007 2:33 pm
by toby_c500
Nope. To be honest I'm not even sure what that means. I'm still learning. I have searched around to find examples of hashing and used that.
Should I set it to FALSE on both login and register pages? What does it actually mean when you use binary?
Posted: Thu May 24, 2007 2:40 pm
by feyd
Hashing functions internally form a binary string of bits that compose the result. Often the result is then converted to a more manageable form such as a hexadecimal string. The database needs them to be encoded the same at any rate. Whether it's using md5() or hash() doesn't overly matter. The spot where you run into trouble is that hash() is a very new function to PHP, md5() is not.
Posted: Thu May 24, 2007 2:44 pm
by toby_c500
Brilliant, Thanks Feyd.
I will test with md5().
Thanks for the guidance.
Posted: Thu May 24, 2007 2:53 pm
by toby_c500
I have just tested the md5 (below) and had the same result.
Am I missing the point here? Is there a fault with my code? I don't understand why it just exits.
Code:
error_reporting(E_ALL);
ini_set('display_errors', true);
if ( isset($_POST['loginid'], $password)) {
    $link = dbconnect();
    mysql_select_db("jobs4alltrades", $link) or die(mysql_error());
    $pass = $_POST['password'];
    $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
    $password = mysql_real_escape_string(md5($pass), $link) or die(mysql_error());
    $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";
    $result = mysql_query($query, $link) or die(mysql_error());
    if (mysql_num_rows($result) >0) {
        $_SESSION['loginid'] = $_POST['loginid'];
        echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
             '<br><a href="sessiontest.php">click here</a>';
        exit;
    }
    else{
        echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
    }
}
Posted: Thu May 24, 2007 3:01 pm
by feyd
You have $pass and $password.. which one is the correct one?
Posted: Thu May 24, 2007 3:03 pm
by toby_c500
I've just noticed an error in my code. While I have been testing I changed a few things round with the isset at the top.
It now reads:
Code:
if ( isset($_POST['loginid'], $_POST['password'])) {
    $link = dbconnect();
    mysql_select_db("jobs4alltrades", $link) or die(mysql_error());
I log in and get the else statement at the bottom:
Code:
    else{
        echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
    }
Posted: Thu May 24, 2007 3:05 pm
by toby_c500
New code:
Code:
error_reporting(E_ALL);
ini_set('display_errors', true);
if ( isset($_POST['loginid'], $_POST['password'])) {
    $link = dbconnect();
    mysql_select_db("jobs4alltrades", $link) or die(mysql_error());
    $pass = $_POST['password'];
    $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
    $password = mysql_real_escape_string(md5($pass), $link) or die(mysql_error());
    $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";
    $result = mysql_query($query, $link) or die(mysql_error());
    if (mysql_num_rows($result) >0) {
        $_SESSION['loginid'] = $_POST['loginid'];
        echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
             '<br><a href="sessiontest.php">click here</a>';
        exit;
    }
    else{
        echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
    }
}
Posted: Thu May 24, 2007 3:41 pm
by feyd
Have you verified that the query generated by your logging in is correct?
Posted: Thu May 24, 2007 4:14 pm
by toby_c500
Everything was working fine before I put in the hash. I've just checked over it and don't see anything out of place.
New code:
Code:
error_reporting(E_ALL);
ini_set('display_errors', true);
if ( isset($_POST['loginid'], $_POST['password'])) {
    $link = dbconnect();
    mysql_select_db("jobs4alltrades", $link) or die(mysql_error());
    $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
    $password = mysql_real_escape_string(md5($_POST['password']), $link) or die(mysql_error());
    $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";
    $result = mysql_query($query, $link) or die(mysql_error());
    if (mysql_num_rows($result) >0) {
        $_SESSION['loginid'] = $_POST['loginid'];
        echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
             '<br><a href="sessiontest.php">click here</a>';
        exit;
    }
    else{
        echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
    }
}
Posted: Thu May 24, 2007 4:22 pm
by feyd
Can you post a "SHOW CREATE TABLE" result of the table you are interacting with?
Posted: Fri May 25, 2007 10:44 am
by toby_c500
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
Hi Feyd, Thanks again for sticking with me and giving me this help. I have been playing around with phpMyAdmin and got this. I hope it is what you need:
Code:
CREATE TABLE `members` (
  `loginid` varchar(20) collate latin1_bin NOT NULL,
  `password` varchar(20) collate latin1_bin NOT NULL,
  `firstname` varchar(50) collate latin1_bin NOT NULL,
  `surname` varchar(50) collate latin1_bin NOT NULL,
  `email` varchar(50) collate latin1_bin NOT NULL,
  `trade` varchar(50) collate latin1_bin NOT NULL,
  `address1` varchar(50) collate latin1_bin NOT NULL,
  `address2` varchar(50) collate latin1_bin NOT NULL,
  `address3` varchar(50) collate latin1_bin default 'no info supplied',
  `address4` varchar(50) collate latin1_bin default 'no info supplied',
  `postzip` varchar(50) collate latin1_bin default 'no info supplied',
  `country` varchar(50) collate latin1_bin NOT NULL,
  `yearsexp` varchar(50) collate latin1_bin default 'no info supplied',
  `about` varchar(255) collate latin1_bin NOT NULL,
  `other` varchar(255) collate latin1_bin default NULL,
  PRIMARY KEY (`loginid`),
  KEY `firstname` (`firstname`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_bin
I must admit, the limited time I have to learn web development has been mainly concentrated on PHP not MySQL.
Thanks again
Posted: Fri May 25, 2007 11:17 am
by RobertGonzalez
Have you viewed the MD5 hash of the string you are checking to make sure it is an exact match to that in the database?
Posted: Fri May 25, 2007 11:43 am
by toby_c500
Woo Hoo! That has sorted it. Thanks Everah. The varchar was set to 20 and the hash was too long to fit in so cut off short. The query couldn't match it.
That's great. Thank you guys.
BTW, when you hash something, is there a rule as to how long the hash will be in relation to the password? i.e. 1 letter in a string = 5 char in a hash.
Thanks again.
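
Added example, not part of the thread and not the poster's code: it reproduces the failure found above, where an MD5 hex digest stored in a `varchar(20)` column no longer matches at login, and shows that digest length is set by the algorithm and encoding rather than by the password length. The function names, the sample passwords and the `substr()` stand-in for MySQL's column truncation are assumptions made for the illustration; the closing lines go beyond the thread to PHP's `password_hash()`, which needs a wider column still.

```php
<?php
// Added example; every password below is a constructed sample value.

// Digest length is fixed by the algorithm and its encoding, not by the input.
function digest_lengths(string $input): array
{
    return [
        'md5_hex'    => strlen(md5($input)),            // hex string, md5() default
        'md5_raw'    => strlen(md5($input, true)),      // raw binary, as with hash('md5', $x, TRUE)
        'sha256_hex' => strlen(hash('sha256', $input)),
    ];
}

// Assumption: MySQL in non-strict mode, which cuts an over-long value down
// to the column width instead of rejecting the INSERT.
function store_in_varchar(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Same comparison the login query performs: stored value against md5(submitted).
function login_matches(string $stored, string $submitted): bool
{
    return hash_equals($stored, md5($submitted));
}

foreach (['a', 'a much longer constructed passphrase'] as $sample) {
    printf("%-38s %s\n", $sample, json_encode(digest_lengths($sample)));
}

$password = 'constructed-sample-password';
foreach ([20, 32] as $width) {
    $stored = store_in_varchar(md5($password), $width);
    printf("varchar(%d): stored %d chars, login %s\n", $width, strlen($stored),
        login_matches($stored, $password) ? 'matches' : 'fails');
}

// MD5 is too fast for password storage. password_hash() salts and stretches;
// its output is longer again, and the PHP manual suggests a 255-character
// column because the default algorithm can change between PHP versions.
$modern = password_hash($password, PASSWORD_DEFAULT);
printf("password_hash: %d chars, verify %s\n", strlen($modern),
    password_verify($password, $modern) ? 'ok' : 'failed');
```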