Authenticating with database (using sessions)

K0108788

Hi All,

I have created a user_login.php file to act as a login page for users accessing the application. However if I type a username and password into the login form, the script displays incorrect username/password. I have checked the database and when I register a user and then try and login with that user, the script doesn't recognise the user. I don't know whether it is down to the session expiring or the database isn't being accessed. Any help appreciated.

<?php
session_start();
include "conn.inc.php";

if (isset($_POST['submit']) && $_POST['submit'] == "Login") {
	$query =		"SELECT * FROM lecturer " .
						"WHERE username = ' " . $_POST['username'] . " ' " .
						"AND password = (PASSWORD(' " . $_POST['password'] . " '))";
	$result =	mysql_query($query)
		or die(mysql_error());

if (mysql_num_rows($result) == 1) {
	$_SESSION['user_logged'] = $_POST['username'];
	$_SESSION['user_password'] = $_POST['password'];
	header ("Refresh: 5; URL=" . $_POST['redirect'] . " ");
	echo 	"You are being redirected to your original page request!<br>";
	echo 	"(If your browser doesn't support this, " .
				"<a href=\" " . $_POST['redirect'] . "\">Click here</a>)";
} else {
?>
<html>
<head>
<title>Final Year Project Application - Login</title>
</head>
<body>
<p>
	<font color="#FF0000"><b> You have entered an incorrect username and/or password</b></font>
	<form action="user_login.php" method="post">
		<input type="hidden" name="redirect"
			value="<?php echo $_POST['redirect']; ?>">
		Username: <input type="text" name="username"><br>
		Password: <input type="password" name="password"><br><br>
		<input type="submit" name="submit" value="Login">
</form>
</p>
</body>
</html>
<?php
	}
} else {
	if(isset($_GET['redirect'])) {
		$redirect = $_GET['redirect'];
	} else {
		$redirect = "index.php";
	}
?>
<html>
<head>
<title>Final Year Project Application - Login</title>
</head>
<body>
<p>
	Please enter your username and password below:<br><br><br>
	<form action="user_login.php" method="post">
		<input type="hidden" name="redirect"
			value="<?php echo $redirect; ?>">
		Username: <input type="text" name="username"><br>
		Password: <input type="password" name="password"><br><br>
		<input type="submit" name="submit" value="Login">
	</form>
</p>
</body>
</html>
<?php
}
?>

Here is the lecturer table layout:

id int(5) auto_increment

username varchar(9)
first_name varchar(30)
last_name varchar(50)
password varchar(8)

email varchar(50)

Roger_Ramjet

You should not be using the password() hashing function for this, it has too many version problems. It is not intended for this purpose either - it is for the internal mysql user system. Just use sha1() or md5() hashing instead. Read the manual if you don't believe me password hashing

K0108788

Never used hashing on passwords before. Is this correct for using md5() on my code:

..."AND password = (md5(' " . $_POST['password'] . " '))"; ...

Roger_Ramjet

No, wrong syntax

$hash = md5($_POST['password']);
..."AND password = '" . $hash . "'"; ... 

// some people like to salt the password with another string to make cracking it even harder
$salt = 'B8&g!ajS^dui0';
$hash = md5($salt . $_POST['password']);

Remember, the output is a 32 chars long so just store it in a char field with a length of 32. Be aware that it is a hex number and can be cast to a numeric type by accident or design.