Code should work, but doesn't

PedroBusby

[FONT="Courier New"]<?php

$username = $POST['username'];
$password = $POST['password'];
$self = $SERVER['PHP_SELF'];
$referer = $SERVER['HTTP_REFERER'];

if either form field is empty return to the log-in page

if( ( !$username ) or ( !$password ) )
{ header( "Location:$referer" ); exit(); }

#connect to MySQL
$conn=@mysql_connect( "localhost", "root", "rootpassword" )
or die( "Could not connect" );

#select the specified database
$rs = @mysql_select_db( "user_test", $conn )
or die( "Could not select database" );

#create the query
$sql = "select * from users where user_name=\"$username\" and password=password( \"$password\" )";

#execute the query
$rs = mysql_query( $sql, $conn )
or die( "Could not execute query" );

#get number of rows that match username and password
$num = mysql_num_rows($rs)
or die( "number of rows query failed");

#if there is a match the log-in is authenticated
if( $num != 0 )
{
$msg = "<h3>Welcome $username - your log-in succeeded!</h3>";
}
else
{
$msg = "no match found";
}
?>

<html>

<head>
<title>Log-In Authenticated</title>
</head>

</html>[/FONT]

This code dies at the "$num = mysql_num_rows($rs)" row even though my hostname is correct, my mysql-username is correct and my mysql-password is correct and all the variables and text boxes on the previous page are all correctly named

interestingly enoughin this line:

"[FONT="Courier New"]$sql = "select * from users where user_name=\"$username\" and password=password( \"$password\" )";[/FONT]"

if i remove the password cirteria so it's only looking for username, it all works.

I'm incredibly confused because this is an example from a book "PHP5 in easy steps" by Mike McGrath and I've named my database and copied the code exactly (but fixing his typo that sed "[FONT="Courier New"]mysql_numrows[/FONT]" instead of "[FONT="Courier New"]mysql_num_rows[/FONT]") and it simply refuses to work

rsmith

Try this:

$sql = "select * from users where user_name='".$username."' and password='".$password."'";

I would hope you are using some sort of encryption, either md5 or aes with a salt to store the pw's in the db. If that's the case you have to make sure that when you get the password that you set $password = md5($_POST['password']) or whichever method you used to encrypt to compare the password pulled from the db with the one submitted.

PedroBusby

i arn't sure mate, all i know is that when i created the table, and named the field "password" it automatically encrypted it (I'm using the latest version of Apache2Triad, so I presume the ecryption'll be wotever is default, any ideas?)

igorlopez

Seeing this is your first post I will recommend you to put the 'php' tags around your code.
It makes it easier to view.

To your problem,
In your query you are comparing field password with the output of the function
password($password) and you are saying that when removing this check you will not get an empty result.
If you before performing the query just would echo out the result from the password function and compare with what actually is in the db.

echo password($password);

it can help you on your way to figuring out the problem.

PedroBusby

just tried that, I get a blank screen, isnt this part an SQL function rather than a PHP function neway?

 password($password)

PedroBusby

i tried just getting it to print $password and it comes up correct, i think its the password() function that just isnt working

rsmith

I personally would set the password field in your table as a varchar that way you can determine what encryption to use. Here's a sample of a script I wrote to check login. Maybe you can adapt it to fit your needs and as some insight on login systems. Keep in mind that the password stored is already hashed with md5 so I compare that hash to the hash of the submitted pw. If they match, I set session information (omitted).

<?
	$username = trim($_POST['username']);
	$password = md5(trim($_POST['password']));
	$referer = $_POST['referer'];

$login_query = "SELECT username, password FROM users WHERE LOWER(username)='".strtolower($username)."'";
$login_query_result = mysql_query($login_query);

$info = mysql_fetch_array($login_query_result, MYSQL_ASSOC);

if(strtolower($username) === strtolower($info['username']) && $password === $info['password']){
		//ommitted
else{
	header("Location: /login-error.php?error=bad_user_or_password");
}

?>

Hope this helps in some way!

PedroBusby

cheers man, could you maybe explain a couple of things for me tho please (if u dont mind):

wot is the strtolower command?

what are the triple equals for? (===)

wot does "trim" do when dementioning the password variable at the beginning

and what does "hash" mean?

Alsom the password field is set to "Varchar" but I don't know how to check which encryption is used

igorlopez

You are right, password is a mySQL function.
Googling around pointed me into this site:
http://www.weberdev.com/get_example-3503.html
But since you copied the code from a book the table should be OK.
You could of course move out the hashing to the outside and add some salt as well before entering the password without the mySQL password function

PedroBusby

sorry but i dont understand what "hash" and "adding some salt" mean? I'm very new to web-database stuff, and the example from the book I'm using is, well, shit.

PedroBusby

RSMITH, i adapted your code, and it still won't work, im beginning to think it mgiht be a problem with my installation of PHP/MySQL/Apache

<?php


$username = trim($_POST['username']); 
$password = md5(trim($_POST['password'])); 
$referer = $_POST['referer']; 

# if either form field is empty return to the log-in page
if( ( !$username ) or ( !$password ) )
{ header( "Location:/authenticate.html" ); exit(); }

#connect to MySQL
$conn=@mysql_connect( "localhost", "root", "rootpassword" )
		 or die( "Could not connect" );

#select the specified database
$rs = @mysql_select_db( "user_test", $conn ) 
		or die( "Could not select database" );

$login_query = "SELECT username, password FROM users WHERE LOWER(username)='".strtolower($username)."'"; 
$login_query_result = mysql_query($login_query)
		or die ("Query Failed"); 

$info = mysql_fetch_array($login_query_result, MYSQL_ASSOC)
		or die ("fetch array failed"); 

if(strtolower($username) === strtolower($info['username']) && $password === $info['password']){ 
        $msg = "congrats"
else{ 
    $msg = "failure"; 
} 

?>

<html>

 <head>
  <title>Log-In Authenticated</title>
  </head>

  <body>
   <?php echo( $msg ); ?>
  </body>

</html>

This is my new code (adapted from urs) and here is what gets returned to the browser when i send a correct username/password:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1"></HEAD>
<BODY></BODY></HTML>

rsmith

PedroBusby wrote:
cheers man, could you maybe explain a couple of things for me tho please (if u dont mind):

wot is the strtolower command?

what are the triple equals for? (===)

wot does "trim" do when dementioning the password variable at the beginning

and what does "hash" mean?

Alsom the password field is set to "Varchar" but I don't know how to check which encryption is used

strtolower() converts a string to entire lowercase

=== means "is exactly"

trim() trims whitespace.

hash is a number generated by applying a mathematical formula to a document or sequence of text. (encryptions)

As for the encryption you use, that's up to you. Look up md5() and crypt() for more information.

PedroBusby

cheers man but look ^ even you're code (adapted to my username/database-name/variable-names) won't work, do u think it might be a problem with my PHP/MySQL/Apache installation? I'm not using the standard package, I'm using the apache2triad server bundle

rsmith

I'm not sure. I don't use apache2triad. I use xampp. PHP, MySQL, Apache bundle similar to the product you're using I'm sure. What's the full table structure in your db?

PedroBusby

database: user_test
1 table: users

first_name varchar(50) latin1_swedish_ci Null=Yes Default=NULL

last_name varchar(50) latin1_swedish_ci Null=Yes Default=NULL

user_name varchar(25) latin1_swedish_ci Null=Yes Default=NULL Unique

password varchar(16) latin1_swedish_ci Null=Yes Default=NULL

ps, i know in the code example iv put up i wrote "username" instead of "user_name" in the database query, iv fixed that and still nothing gets returned

rsmith

well you need to increase the size of your password varchar. and md5 hash is at least 32 characters.

PedroBusby

hmm, im slightly confused, an article the other guy recomended (and the book) says 16, and how do i know that it's being encrypted in md5?

here is a row in the table (the one iv bin using to test it)

from this is there ne way u cud figure out what encryption is currently in use (the real password is "rootpass")

PedroBusby

also, i tried changing it to 32 then readding the user info, sure enough it comes up with a new 32 digit hex number... but ur logon script still wont run (put it back to 16 now, so password is back to the hash listed above)

MOD EDIT: E-mail address removed to fight spambots; contact information can be placed in profile (HINT: there's a little blue guy under posters' names if they add an MSN address).

rsmith

Hmm weird, my md5's are always 32 digits so I just assumed. It should work, I'm not sure why you're having so much trouble. Do you have a script that adds the user? If so can you post the form and the php script that processes it just so we can all see the whole process from start to finish.

bradgrafelman

If you'll read the PHP manual for [man]md5/man you'll see this:

Return Values

Returns the hash as a 32-character hexadecimal number.
The problem with MySQL's PASSWORD() function is this (taken from the MySQL manual here):

Prior to MySQL 4.1, password hashes computed by the PASSWORD() function are 16 bytes long.
...
As of MySQL 4.1, the PASSWORD() function has been modified to produce a longer 41-byte hash value
I would recommend you use a specific hashing algorithm such as [man]SHA1/man (since MD5 isn't as strong these days as it once was). It's probably more secure to use PHP's SHA1() function on the POST'ed password and pass that hash along to SQL, ex.:
```
$password = sha1($_POST['password']);
$query = 'SELECT col1, col2 FROM users WHERE pass = \'' . $password . '\' LIMIT 1';
```