Authentication Problem

Radon3k

I created a very generic registration script (user name and password, password is md5 hashed). Now I'm trying to create the login script, however, no matter what user name and password you use, tells you invalid user name and/or password. Here's the code:

<html>
<title>WebCp Alpha 1</title>
<body>
<form method="post" action="<?PHP_SELF?>">
User Name: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" name="submit" value="Submit">

<?php

$db = mysql_connect("localhost", "USERNAME", "PASSWORD");
if (!$db) {
	echo("Could not establish a connection to the database server.");
	exit();
}

mysql_select_db("DBNAME");
if(! @mysql_select_db("DBPASSWORD")) {
	echo("Could not establish a connection to the database.");
	exit();
}

$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";

$result = mysql_query($sql);
$num = mysql_num_rows($result);

if($submit == "Submit") {
	if ($num != "0") {
		echo("Logged in!");
		exit();
	} else {
		echo("Invalid user name and/or password. Please try again.");
		exit();
	}
}
?>

The registration script I created works fine, I've tested it out (except logging in, which is what I'm trying to do here).

Any help is greatly appreciated. Thanks! 🙂

Nuno

Hi,

So in the DB the password is encripted right?
When you select it from the DB you are comparing the inserted password (not encripted) with the DB password (encripted)

Thats your problem.

Before the select try doing

$encripted_password=md5($password);
and in the select

... AND password='$encripted_password'

Hope that helps

Nuno

Radon3k

Nuno,

Thanks! That did the trick. I forgot that I had to cross check it against the md5'ed password. Thanks again! 🙂

Radon3k

hmm...Ok so I can't use the header() function, so how do I redirect the user if the user name and password are correct?

Thanks again! 🙂

Weedpacket

Here's a possibility:

Put the login processing script at the very top of the login page, instead of afterwards (which currently means that you sent the browser the login page before you even checked to see if they were already trying to log in). If their login succeeds, you can use header() to redirect them to wherever they're supposed to be redirected to. If it fails, then they'll just drop through to the login page again (you can set an error message on the way and display it on the page if it's appropriate).

Radon3k

Ahh very good idea, and indeed, it does work. Thanks very much! 🙂