[RESOLVED] Login form no longer working.

DaPrince

I've been using this code for a login-form, but its no longer working on a new web-host. The new host runs with Register_globals OFF and a newer version of PHP and Mysql that the old one.

Can some one please help to locate whats wrong.

<?php
// we must never forget to start the session
session_start();
$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
include'./config/config.php'; 
include'./config/opendb.php'; 

$userId   = $_POST['txtUserId'];
$password = $_POST['txtPassword'];

// check if the user id and password combination exist in database
$sql = "SELECT user_id 
        FROM hs_auth_user
		WHERE user_id = '$_POST[txtUserId]' AND user_password = PASSWORD('$_POST[txtPassword]')";
$result = mysql_query($sql) or die('Query failed. ' . mysql_error()); 

if (mysql_num_rows($result) == 1) {
	// the user id and password match, 
	// set the session
	$_SESSION['db_is_logged_in'] = true;
	// after login we move to the main page
	header('Location: admin_page.php');
	exit;
} else {
	$errorMessage = Sorry wrong user or password';
}

include './config/closedb.php';
}
?>
<html>
<head>
<title>login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<LINK href="./style/StyleOne.css" rel="stylesheet" type="text/css">
<script type="text/javascript">
if (top == self) {location.replace('index.php');}
</script>
</head>

<body>
<?php
if ($errorMessage != '') {
?>
<p align="center"><h1><center><strong><font color="#990000"><?php echo $errorMessage; ?></font></strong></center></h1></p>
<?php
}
?>
<form action=""  method="post" name="frmLogin" id="frmLogin">
 <table width="400" border="0" align="center" cellpadding="" cellspacing="0">
  <tr>
   <td width="150">UserName</td>
   <td><input name="txtUserId" type="text" id="txtUserId"></td>
  </tr>
  <tr>
   <td width="150">Password</td>
   <td><input name="txtPassword" type="password" id="txtPassword"></td>
  </tr>
  <tr>
   <td width="150">&nbsp;</td>
   <td><input name="btnLogin" type="submit" id="btnLogin" value="Login"></td>
  </tr>
 </table>
</form>
</body>
</html>

Clarkey_Boy

Try setting $sql to the following:

$sql = "SELECT user_id FROM hs_auth_user WHERE user_id = '".$POST["txtUserId"]."' AND user_password = '".$POST["txtPassword"]."')";

(Copy and paste it - there are "triple" quotes in some places where you have to use a single quote to make sure that an entire variable is used - otherwise it only uses up to the first space (ie the first word)). Reply about whether it works or not.

Also try putting error reporting on - use error_reporting(E_ALL); at the beginning of the document. This will tell you any errors which occur when try to load the page.

Clarkey

DaPrince

Sorry, but that was not it, with the new SQL-statement I just get redirected to the Wrong password section.

I have an idea, that its this part that doesn't resolve correct.

if (mysql_num_rows($result) == 1) {
		// the user id and password match, 
		// set the session
		$_SESSION['db_is_logged_in'] = true;
		// after login we move to the main page
		header('Location: admin_page.php');
		exit;
	} else {
		$errorMessage = 'Sorry wrong username or password';
	}

The exact same code is working fine one the old site, just tried your suggestion.

Clarkey_Boy

In which case its either the "exit;" (ive never used exit before, so do not know what it does) or its all fine. Its probably something else.

Clarkey

sagee

i can see any reason for the problem,
but here are some suggestions to maybe help you find the problem.

if you use a different sql like :

SELECT user_id
FROM hs_auth_user
WHERE user_id = 4 AND user_password = PASSWORD('44fsdsd)

does it work?

the exit command should be any problem to use.

DaPrince

Okay, I'm getting confused now.

if I do this:

SELECT user_id 
FROM hs_auth_user
WHERE user_id = 4 AND user_password = '44fsdsd'

I can login.

If I do like this:

SELECT user_id 
FROM hs_auth_user
WHERE user_id = '$userid' AND user_password = '$password'

I can login.

But only if the password is not 'encrypted' in the database, it is in clear text.

Now if I use:

SELECT user_id 
FROM hs_auth_user
WHERE user_id = '$userid' AND user_password = PASSWORD('$password')

and the password has been encrypted with the PASSWORD function i phpMyadmin, it is not working anymore.

sagee

so, you are one step closer for solution.
the problem is somewhere in the PASSWORD function.

can you give me on this function, i am not familiar with it.

DaPrince

Sorry cannot do that, it is a function from MySQL, that can be used in a SQL-statement.

In phpMyadmin (database interface) you can choose from different functions (MD5, PASSWORD, OLD_PASSWORD, etc.) on a field. E.g. I can convert/ encrypt your name sagee to *B790A6A42B46BDF6339D9B45A9C2D88

sagee

check your new host if the MYSQL version supports this function

DaPrince

The host supports it, it is a part of MySQL (also ver. 5.x.x) :-), if it wasn't supported it wouldn't be available in the myphpadmin, at least thats what I guess.

I think its a problem with the variables that cannot be compared somehow. I've read that some have a similar problem with MD5.

sagee

i would think it is something with the Apostrophes

try something like

"SELECT user_id
FROM hs_auth_user
WHERE user_id = ".$POST['txtUserId']." AND user_password = 'PASSWORD(\' ".$POST['txtPassword']." \')";

Clarkey_Boy

Or try something like...

"SELECT user_id
FROM hs_auth_user
WHERE user_id = ".$POST['txtUserId']." AND user_password = PASSWORD('".$POST["txtPassword"]."')";

Notice the single quote followed by double quote at the beginning of $_POST["txtPassword"], followed by a double quote and single quote.

Clarkey

DaPrince

I am SO SORRY.

I just found the bug. It just came to me, when I compared the two encrypted passwords (the old server and the new server). The length on the old password were less than 32 chars. But with the new server the password require a lot more, so I changed the record type from varchar(32) to varchar(255) on the table and VOILA - everything is just fine.

Sorry for wasting your time on the PHP-part, when the problem was on the MySQL database.