PHP is lying

Reformed

I am having a problem with a comparison operator in an if statement. I get a value from a database, an md5 value and compare it to an md5'd input password. Pretty standard stuff. No matter what password I enter though, the if statement, with the comparison, always evaluates to true. Here's the code:

include('include/constants.php');
include('classes/services/QueryServices.php');

class LoginDBServices extends QueryServices
{
	/*
	* All queries for logins are handled here
	*/
	function authenticate($username, $password)
	{
		//user login query
		$query = "SELECT id, CONCAT(first_name, ' ',last_name), security_level, password
		FROM users
		WHERE email = '$username'";

	$this->_assocQuery($query);

	$inputPass = md5($password);
	$resultSetPass = $this->result[1]['password'];

	//check the password against the md5 hash
	if($resultSetPass === $inputPass)
	{
		return $this->result;
	}
	elseif($resultSetPass !== $inputPass)
	{
		$_SESSION['valError'] = 'Wrong username or password';
		header('location:'.LOGIN_FORM_VIEW);
	}
}
}

It always returns my result even though the two variables $resultSetPass and $inputPass are totally different. When I print them out, they are different. Anyone know what could be going on here? Something to do with the fact that its in a class?

laserlight

Print the values and check.

btw, shouldnt it be
$this->result[0]['password']
instead?

Reformed

I have printed out the values. If the password is entered correctly, i get two perfectly matched md5 hashes. If I enter the wrong password, I get two totally different hashes.

It's as if the if statement is totally failing. I can echo out the value of $this->result[1]['password'], so I know it's working. This is a mind boggling problem.

laserlight

You're saying that the values of $resultSetPass and $inputPass are different, but when compared using PHP, they are the same?

Incredible.

Stop, create a new script, and test:

<?php
$pass1 = md5("hello world");
$pass2 = md5("world hello");
if ($pass1 === $pass2) {
	echo 'something is wrong';
} else {
	echo 'all is ok, so far';
}
?>

Reformed

No, no. Sorry. I didn't make that very clear. I mean that if I submit the form that calls this class and and put an echo statement in front of each variable, I can see both values in my browser.

If I enter the correct password, both hashes match perfectly, but If I enter an incorrect password, the hashes don't match, which is what you would expect.

The crazy part is that the if statement that compares those two variables is either not being executed or is somehow ignoring the values of the variables regardless of whether they match or not. My if statement is returning both the error session and the $this->result;

It should only return the result if the passwords match.

laserlight

Just a guess:
Change the elseif to else.

Reformed

Yeah, tried that. Didn't change. It must have something to do with the location of the if statement in the class or something. Well, it's late. Tomorrow's another day. Thank you for your help.:bemused:

tuf-web_co_uk

in your code you have === (3 equal signs!!) isn't it meant to be 2?

same as with the elseif statement !==, isnt it meant to be !=

try it

<?
if($resultSetPass == $inputPass) 
        { 
            return $this->result; 
        } 
        elseif($resultSetPass != $inputPass) 
        { 
            $_SESSION['valError'] = 'Wrong username or password'; 
            header('location:'.LOGIN_FORM_VIEW); 
        } 
?>

if this is completely wrong, then i best go out and buy a php book!

laserlight

Read the PHP Manual, tuf-web.co.uk

http://www.php.net/manual/en/language.operators.comparison.php

Weedpacket

Just as a check: have you looked at the values of $inputPass and $resultSetPass?

  $inputPass = md5($password);
        $resultSetPass = $this->result[1]['password']; 
echo 'Form-supplied password:'.$inputPass.'<br>';
echo 'Db-supplied password:'.$resultSetPass.'<br>';

Napster

make sure the row in the database that holds this is the right length. Like varchar(255) and not varchar(20)