authentication not working

[deleted]

I'm not receiving any errors, but the below code is rejecting my username and password. I have the username and password that I'm using echoed when prompted to login the second time and the it is correct. I'm not sure why this is not working.

Any ideas?

<?php
session_start();


include("common.php");
include("sql_layer.php");
include("functions.php");
include("header.php");

if(!isset($_POST["email"])){
?>
<?php head(); ?>
	<form method="Post" action="<?=$_SERVER['PHP_SELF']?>?mod=<?php echo $_GET['mod'];?>">
		<span class="name_text">Login. <br/></span>
			e-mail: 
			<br/>
			<input class="login_field" type="text" name="email" />
			<br/>
			<br/>
			password: 
			<br/>				
			<input class="login_field" type="password" name="pwd" />
			<br/>
			<br/>
			<input class="login_button" type="submit" name="submitok" value="Sign in">
	</form>

<?php
exit;
}
$_SESSION["email"] = $_POST['email'];
$_SESSION["pwd"]= $_POST['pwd'];

//connect to database
dbConnect('crc');
$email = $_POST['email'];
$password = $_POST['pwd'];
$pass = md5('$password');
$sql = "SELECT * FROM tblusers WHERE emailaddress = '$email' AND password = '$pass'";
$result = mysql_query($sql) or die ("Error in query: $sql. " . mysql_error());

if (sql_num_rows($result) == 0) {

?>
<?php head(); ?>
	<body style="background-color: #CCCC99; text-align: center">
<?php echo $_POST['email'];?>
	<br/>
	<?php echo $passw=  $_POST['pwd']; ?>
	<br/>
	<form method="Post" action="<? $_SERVER['PHP_SELF']?>?mod=<?php echo $_GET['mod'];?>">
		<span class="name_text">Login.<br/></span>
			<div style="width: 200px; padding: 3px; border-style: solid; border-width:1px; border-color: #999999; background-color: #E9E9E9;color:#FF0000;">You have entered an incorrect username or password.Please try again. </div>
			<br/>
				e-mail: 
			<br/>
			<input class="login_field" type="text" name="email" />
			<br/>
			<br/>
				password: 
			<br/>
			<input class="login_field" type="password" name="pwd" />
			<br/>
			<br/>
			<input class="login_button" type="submit" name="submitok" value="Sign in">
	</form>							
</body>

<?php
exit;
}
$roleid = mysql_result($result,0,"role_id");
?>

matt_4013

Are you sure your MD5 hash is the same between the database and the page? Try echoing it just before you run the query, and compare the MD5 hash to the one in your database. It would probably be better to be using MySQL's MD5 encryption anyway (SELECT blah FROM table WHERE password=MD5('$password')). If you have any special characters in your usernames or passwords then make sure gpc_magic_quotes isn't escaping them, because that will change the md5 hash as well 🙂

[deleted]

I confirmed that md5 hash of the password being passed is the same as what is in the database.

matt_4013

If both the email address and the password are being passed to the database exactly the same as the recorded data, then there's absolutely no reason it shouldn't work. The only thing I can suggest is to change the sql_num_rows() (is that a function!?!) to mysql_num_rows() which is the correct one to be using in this situation.

[deleted]

I changed my sql query to include the md5 hash

$sql = "SELECT * FROM tblusers WHERE emailaddress = '$email' AND password = md5('$password')";

This worked, but I am now prompted to enter my e-mail address and password for each page. I think this is because I do not have a function to check to see if I'm logged in or not. I do believe that my sessions are being registered.

Thanks.