user login fails

stew

hey there guys the following code is part of a user login form to validate the member... however... it always fails at the if($do == $pass1) stage and the user fails to log in...

function authenticate() {
global $pass, $db_name, $_POST;
$login = $_POST["login1"];
$pass = $_POST["pass"];
$do = crypt($pass,$login);
    if(($login != null) && ($pass != null)) {
        $auth1 = mysql_query("SELECT member_pass FROM members WHERE member_login = '$login'");
        $auth2 = mysql_fetch_array($auth1);
        $pass1 = $auth2["member_pass"];
	if($do == $pass1) {

	$val = $login . '&&' . $pass;
            $epxr = time()+3600;
            $that = setcookie("biffy", $val, $expr, "/");
            if(!$that) {
		echo("something buggered up.... hold on a minute...!");
	} else {
		echo("you are logged in! <BR>$pass1<BR>$do");
	}


    } else {
            echo("Sorry the username and password didn't match, please try again<BR>$pass1<BR>$do");
            login_form();
    }
} else {
    echo("You MUST enter both user name and password!!<BR>");
    login_form();
}

}

does anyone have any ideas...?

Wynder

It looks like you're trying to compare an encrypted password against an unencrypted password?

Maybe have like:

$pass = crypt($_POST["pass"], $_POST["login"]) ; 
$do = crypt($pass,$login);

I'm assuming that password is coming in without being changed from it's plain text format.

stew

yeah...

when it fails it prints out $pass1 and $do on:

echo("Sorry the username and password didn't match, please try again<BR>$pass1<BR>$do"); 
                login_form();

and they are both the same...

thought i should add... $do is made in the same way that you suggested! and no the password is coming out of the database unchanged!

portaloo

When I first started encrypting the passwords and comparing them against what was held in the database I made an error so ovbious that it took me ages to actually see where I was going wrong.

Although I tend to use md5 rather than crypt I'd only made the password field varchar(20).
Well all the correct coding in the world would not make this work as md5 produces a 32 bit password. Comparing that against a field only 20 chars long was always doomed to failure.

Could this be your problem?

stew

hmmm thanks, but no thats not the problem...

when the login fails it prints out what is stored in the database (password) and what that is being compared to ie crypt($pass,$login) and they are both the same...

im still stuck!!!