[Resolved] md5 and login problem/register

Mark

My problem is, it seems to be encrypting the password when i register a name, and i dont remember putting md5 into the registration script. and its not letting me login, even when i use the encrypted password from the database, also, it seems to log me in no matter what password i enter

Heres my login script
login.php:

<?

setcookie("username", $username);
setcookie("passwd", $passwd);
$dbuser = '****';
$dbpass = '****';

//connect to the DB and select the database
$connection = mysql_connect('localhost', $dbuser, $dbpass) or die(mysql_error());
mysql_select_db('Hazardnet', $connection) or die(mysql_error());
//set up the query
$query = "SELECT * FROM HN_users
        WHERE username='$username' and passwd='$passwd'";

//run the query and get the number of affected rows
$result = mysql_query($query, $connection) or die('error making query');
$affected_rows = mysql_num_rows($result);

//if there's exactly one result, the user is validated. Otherwise, he's invalid
if($affected_rows == 1) {
print "Thank your for logging in, $username, Please continue into the <a href=\"members.php\">members area</a>";
}
else{
    print 'Sorry, you seem to have entered an incorrect Username/Password.';

}
?>

Heres my registration script
register.php:

<? 
$db = mysql_connect("localhost","****","****");
mysql_select_db ("Hazardnet"); 
if($username=="" || $passwd=="" || $email=="")
	{
     echo "Please fill out all fields.";
	}
else
{
     $check_query = "SELECT * from HN_users WHERE username = '$username'";
     $result = mysql_query($check_query);
     if(mysql_num_rows($result)!=0)
	 	{
         echo "$username is already taken, sorry, please try again.";
     	}
	 else
	 {
            $insert_query = "INSERT INTO HN_users (username, passwd, email)VALUES ('$username', '$passwd', '$email')";
            $result = mysql_query ($insert_query);
            if(mysql_error())
	 		{
                echo "there was a problem";
            }
			else
			{
            echo "Thank you for registering with HazardNet Computers! you may now login $username.";            

            }     

     }
}
mysql_close($db);
?>

and heres just my login table html
user_login.php:

<table align="center" cellspacing="0" cellpadding="0" border="0">
<tr>
	<td>
	<form action="login/login.php" method="post">
	<font size="-2">User:</font><br />
    <input size="20" type="text" name="username" class=login>
	</td>
</tr>
<tr>
	<td>
    <font size="-2">Password:</font><br />
    <input size="20" type="password" name="passwd" class=login>
	</td>
</tr>
<tr>
	<td align="right" valign="baseline">
	<font size="-1"><a href="?HNC=register">Register</a></font>
	<input type="submit" value="" style="border:0;width:60px;height:15;background-image:url('login\login.jpg')">
	</form>
	</td>
</tr>


</table>

darkshady

What column type is the column passwd

Mark

varchar

Mark

so anyone know whats wrong?

drag0n

wow thats weird, I think seriously think is because of the form field in the register section is set to password. and I tried your script with the form field set as regular and insert it it didnt encrpyt it, so I guess mysql has its own little functions 🙂

Mordecai

Does it work if you use TEXT rather than varchar?

Mark

Text works, but i do want it encrypted with md5, i was just confused because i hadnt added it... anyways, my problem now is when i try to login, it accepts any password you enter. it always says Thank you for logging in. it never denies.

stolzyboy

i have built a login script for a book for Wrox i was writing before they went bankrupt, if you want to check it out, email me at jcstolz@msn.com

laserlight

well, I'm not sure about the mysterious md5 hash.
Why dont you calculate the hash of a test password, register a test user with this test password, then compare the stored data?
There could well be some other reason for this strange behaviour.
I might suspect that somehow the $passwd variable is predefined in your server or something.

Storing the username and password as VARCHAR is fine, you shouldnt use TEXT.

Also, I would recommend that you use $_POST[] array to access the variables submitted by your form, and to ensure that quotes do not potentially allow SQL injection in your queries.

Mark

any thoughts on why it accepts any password i use to log in?

and i'm using varchar now for the passwd, and its not encrypting it. wierd...

laserlight

okay... that's good.

now start placing checks.

output the password (the one sent during login) at various points.
check the password of your current test account(s).

Mark

the login works perfectly. but how do i "kill" a cookie if the user logs in incorrectly, or just types in a wrong password?

and.. how would i go about making a "logout" function

laserlight

Read the PHP manual on the setcookie() function.

Actually, in your login script logic, you might want to change it such that cookies are set only on a successful login.

Mark

so something like....

if($affected_rows == 1)
{
    setcookie("username", $username);
    setcookie("passwd", $passwd);
}

😕

also, i have this login script in the middle of the page, and it gives me this header error, how can i fix it?

Warning: Cannot modify header information - headers already sent by (output started at C:\Documents and Settings\Administrator\Desktop\HazardNet\login\login.php:12) in C:\Documents and Settings\Administrator\Desktop\HazardNet\login\login.php on line 443

edit #3:

GREEEATT, i found another error. when i try to register a second name, it says the one i registered first is taken...

example:
1) i register the name Blade
2) login, works (to an extent)
3) i register the name Test
4) login, "Blade is taken, please try again"

laserlight

dont use $username straight away
use $POST['username'] or $username = $POST['username']

likewise access cookies using $_COOKIE['username']

abnfire

i don't know if anyone solve the current problem, but anyway i will help in also.

if you want to delete the cookie then set cookie to 0 value, which will make the cookie value to false.

dont use username straight away
use $POST['username'] or $username = $POST['username']

make sure your register_globals is off in your php.ini file.
you can also trun this off by using ini_alter() or ini_set() function.
ex:

// This is for security resons and can make your script more safers then it is.
ini_alter('register_globals', false);

jimson

first,
don't run this mysql_connect() when your script haven't decide whether to query or not.

second,
mysql_select_db('Hazardnet', $connection) or die(mysql_error());
you don't need explicitly insert the $connection once you have connected to database.
enough with mysql_select_db( 'Hazardnet' ); because mysql will open up the last link identifier. <= follow me unless you are using more than 1 database server.

third,
please trim the input when you want to use it as ID ... and check if they want to have ID like "jimson chang"... 😃

fourth,
consider to use md5 javascript which can enchance your login process at least the id and password not transmitted in a very raw method.

fifth,
the problem you can log on with any password because the cookie problem. Once you have log on, any other attempt to log on will result true. You didn't clear the cookie after successfull log on. So, when you try to register again using other name, the script read your current ID....

sixth,
check php.ini file and do the following...
register_globals = off

Mark

when i turn globals off, my other scripts are messed up, i dont want to redo them... :\

jimson

you like your old style soo much... then...
ok..
i can't do anything...
i want to help you...
but you see....
if you stick with globals = on, you won't grow...

stolzyboy

jimsom, give him a break, just because he was used to the old
register_globals, doesn't mean he won't grow, it just means that he may have more problems in the future, even if register_globals is on, you can still code as if it were off and still have the same effect as if it were off, so if he is doing new scripts, he will be fine