PASSWORD function problem

Nibinaear

This is a script to take a user's username and password, compare it with what is in the database, and then set a cookie with the user's username in place. I'm having a problem with the password function though. The username is compared with that in the database correctly, but when using the PASSWORD() function to encrypt the password data, it causes problems.

I have made sure that the password in the database is the same (pass) and that it is also encrypted the same so that the two can be compared.

I know that the PASSWORD function encrypts the data permenantly, so I assume that here the new data would be encrypted in the same way, then compared to make a match. Sadly, know matter what I do it doesn't work. I have tried comparing non-encrypted passwords and it sets the cookie okay so I have pinned down the problem to the password function.

Here is my script:

<?php # Script 7.16 - login.php

if (isset($_POST['submit']))
{
  $odbc = odbc_connect('ownpage', 'root', 'pass') or die( "Could Not Connect to ODBC Database!");

  /*function escape_data ($data)
  {
	global $odbc;
	if (ini_get('magic_quotes_gpc'))
    {
	  $data = stripslashes($data);
    }
	return odbc_real_escape_string($data, $odbc);
  }//end function*/

  $message = NULL;

  if (empty($_POST['username']))
  {
	$u = FALSE;
	$message = '<p>You forgot to enter your username!</p>';
  }
  else
  {
    //$u = escape_data($_POST['username']);
    $u = $_POST['username'];
  }

  if (empty($_POST['password']))
  {
	$p = FALSE;
	$message .= '<p>You forgot to enter your password!</p>';
  }
  else
  {
    //$p = escape1_data($_POST['password']);
    $p = $_POST['password'];
  }

[b]
  if($u && $p)
  { // If everything's OK.
    $input = "SELECT uname FROM ownpage.users where uname = '$u' and pass = PASSWORD('$p')";
    echo "<p/>Input: $input <p/>";
    $query = odbc_exec($odbc,$input);
    $record = odbc_fetch_array($query);

//echo "cookie set to".$record[0]."<p/>";

//if we have a matching username record, create the username cookie
if($record)//if we just pulled out a record, set the cookie to the user's username
{
  setcookie('uname',$record['uname']);
  exit();//exit the script
}[/b]
else
{
  $message = "Your username and/or password were incorrect.";
}
  }//end user and password having data

  //odbc_close();//close connection to db server.

}//end isset if
else
{
    $message = "<p>Please try again.<p/>";
}


$page_title = 'Login';

//include ('templates/header.inc');


if(isset($message))
{
	echo '<font color="red">', $message, '</font>';
}

?>

<form action="

<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<fieldset><legend>Enter your information in the form below:</legend>
<p><b>User Name:</b>

<input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username']))
echo $_POST['username'];

?>" /></p>
<p><b>Password:</b>

<input type="password" name="password" size="20" maxlength="20" /></p>
<div align="center"><input type="submit" name="submit" value="Login" /></div>
</form>
<!-- End of Form -->

<?php
//include ('templates/footer.inc');
?>

I hope that makes it clear what the problem is, any replies appreciated.

Daniel.

kburger

A couple of things: What database are you using? Have you tried debugging by spitting out what's in the 'pass' field and spitting out PASSWORD('$p') to see what they look like? I'm assuming they were correctly inserted as PASSWORD('$p').

Nibinaear

The database is just a mysql database.

Yes, the original data was entered with the password function and I simply have two sample users, both of which have 'pass' as their password. I've just reentered the passwords as PASSWORD('$p') though and their have been 2 updated rows and 2 warnings. What are the warnings? I don't know where the mysql logs files are kept so I can't check if there are errors.

Do you know how to spit out the results of the password function though? It's a mysql function, not a php one, so it always just prints out the PASSWORD('$p') bit as the query.

P.S. The problem I'm basically getting is that the password from the database doesn't match the one from the form, even though they are both set to "pass" encrypted.

Nibinaear

The database is just a mysql database.

Do you know how to spit out the results of the password function though? It's a mysql function, not a php one, so it always just prints out the PASSWORD('$p') bit as the query.

P.S. The problem I'm basically getting is that the password from the database doesn't match the one from the form, even though they are both set to "pass" encrypted.

kburger

Is there any reason you're using ODBC rather than the PHP MySQL functions?

Nibinaear wrote:
...and their have been 2 updated rows and 2 warnings. What are the warnings?

Use odbc_error(). Could it be that your field isn't large enough to accomodate the encrypted password?

Nibinaear wrote:
Do you know how to spit out the results of the password function though?

$input = "SELECT PASSWORD('$p1') FROM ownpage.users";
 $query = odbc_exec($odbc,$input);
 $record = odbc_fetch_array($query); // $record[0] will have what you're looking for

Nibinaear

That thing about the field length could explain the problem, my password field is only 16chars long and the encrypted password is exactly 16 chars long: *196BDEDE2AE4F84

I'm using ODBC so that I can run it on localhost, I'll have to change all the functions if I want to upload it.

P.S. I need to use the mysql_real_escape_string but there is no ODBC equivalent that I am aware of, do you know which function to use?

kburger

No, 16 characters is all you need for your 'pass' field.

I'm using ODBC so that I can run it on localhost

Why do you think you can't use the MySQL functions because you're running it on localhost?

Did you use odbc_error() to see the error messages?

Did you compare what's in the database to what PASSWORD('$p1') is?

I need to use the mysql_real_escape_string but there is no ODBC equivalent

At the very least you could use addslashes() if you're using ODBC, but again, I'd use the MySQL functions.

Nibinaear

I assumed that I couldn't use mysql functions due to it being on localhost. I've tried it before and I just kept getting mysql result resource errors. I know that odbc is for connecting mysql to programs (such as php), but you're saying that I don't need it? That I can just use mysql?

I can't use the odbc_error() function because I entered the passwords via mysqlcc, due to not having a register user script (i.e. I just made a couple of sample test users just to try logging in aggainst.) The warnings came from mysqlcc and that's why I was trying to find some error logs to find out what they meant. My biggest problem is knowing what to use the function on. I've tried it with the $record variable and query to no avail.

I ran this code (although I don't understand why you've used PASSWORD($p) as a column when it isn't. Would the query here end up as a "select *196BDEDE2AE4F84 from ownpage.users"?: That isn't a column either so god knows what it means.

In any case I know that the password doesn't match that in the database otherwise it would work. I know that the password is encrypted in the db as I ran an "update users set pass = PASSWORD('pass');" to make sure.

      $input = "SELECT PASSWORD('$p') FROM ownpage.users";
      $query = odbc_exec($odbc,$input);
      $record = odbc_fetch_array($query); // $record[0] will have what you're looking for
      echo "Password: ".$record[0];

The result of this is that no value is printed out.

Edited: If you want something done, do it yourself. I've just found the show warnings; command. It gave me a warning of:

1265: data truncated for column 'pass' at row 1. This means that the field is getting cut down when I add the data. Trouble is, it's supposed to provide a 16 byte entry for PASSWORD.

Nibinaear

Bloody hell!!! Excuse my french. I've just decided to change the length of the varchar character field from 16 chars long to 30. That didn't work either. I decided to check the length of the data entered and I was presented with 30 chars, the same warning, and the whole field was filled. I then changed it to 100 and guess what? I checked it again and it turns out that the PASSWORD function provides a 40character value!!!! Then why the heck does it say in the manual somewhere that it's 16 chars? And why in my php 4 book is the guy using a 16char field? It must have been recently changed for php5 or something. Anyway, I think I may have fixed the problem, a new one for computer forums.

kburger

Nibinaear wrote:
... but you're saying that I don't need it? That I can just use mysql?

Yes. The MySQL functions work fine on localhost.

Nibinaear wrote:
I ran this code (although I don't understand why you've used PASSWORD($p) as a column when it isn't. Would the query here end up as a "select *196BDEDE2AE4F84 from ownpage.users"?: That isn't a column either so god knows what it means.

The same way you can use something like 'SELECT NOW() FROM table'.

Nibinaear wrote:
I checked it again and it turns out that the PASSWORD function provides a 40character value!!!! Then why the heck does it say in the manual somewhere that it's 16 chars? And why in my php 4 book is the guy using a 16char field? It must have been recently changed for php5 or something.

PASSWORD() is a MySQL function that has nothing to do with PHP. (I'd actually suggest using either MD5() or SHA1(), by the way.) But from what I can see PASSWORD() should hash to a 16 character value, so I'm surprised to hear your response about it being 40 characters. But whatever -- I'm glad to hear you got it working.

Nibinaear

So what is the point in the odbc functions then? I'll have to change my scripts to that effect, but I'm glad to hear I can use mysql functions now though, it'll mean a lot less work when the time comes for uploading.

kburger wrote:
PASSWORD() is a MySQL function that has nothing to do with PHP. (I'd actually suggest using either MD5() or SHA1(), by the way.) But from what I can see PASSWORD() should hash to a 16 character value, so I'm surprised to hear your response about it being 40 characters.

And yes PASSWORD is definitely producing a 40char value, try it out if you want. Also, I've heard that you can use these other functions in place of PASSWORD(), why do people do this? Is it more secure? Is PASSWORD depreciated?

KBURGER wrote:
The same way you can use something like 'SELECT NOW() FROM table'.

So it's a built in mysql function and has nothing to do with the structure of my db.

laserlight

Is it more secure?

Generally, yes.

Is PASSWORD depreciated?

I dont think so, but then cryptographic hashes like SHA1 may prove more portable.

kburger

Nibinaear wrote:
So what is the point in the odbc functions then?

I almost never use them. But they could be used for accessing databases like PostgreSQL, mSQL, Microsoft Access (ugh, if you must), and lots of other databases. Because MySQL is commonly used in a LAMP enviroment, the creators of PHP built in lots of MySQL functions.

Nibinaear wrote:
So it's a built in mysql function and has nothing to do with the structure of my db.

Correct.

Weedpacket

kburger wrote:
...the creators of PHP built in lots of MySQL functions.

And nearly twice as many PostgreSQL functions 🙂
Really, though, the ODBC functions are there for those DBMSs for which PHP extensions aren't available (such as Access and FoxPro, if you can call them DBMS's); if you want to use a DBMS which does have a PHP-native API, you might as well either use it yourself or use a database abstraction class.

The principal reason why there are separate API's is because using an abstraction class forces you down to use only the lowest common denominator features of all of the DBMSs abstracted - if one DBMS doesn't support a feature, then the class has to either fake it for the others or not allow you to use it.

Nibinaear

Well thanks for all your help Kburger (and to those late comers also.)

Nibinaear