Weird MySQL Encryption

javawizkid

Hi,
I'm having a problem with my PHP/MySQL encryption in a log in form.

  $sql = "insert into users (first_name,last_name,user_name,password)
  values (\"$firstname\",\"$lastname\",\"$username\",password(\"$password\") )";

That code creates the users account in the database, the password is encrypted. However when I run the login code:

$sql = "select * from users where user_name=\"$username\" and password = password( \"$password\" )";

The log in result says incorrect password. What is going on? It's the same encryption being sent then decoded. Help would be appreciated.
Thanks.

NogDog

Are you sure it's an issue with the query, or could it be something else in the code (logic error, mistyped variable name, etc.) that is causing the problem? Maybe try echoing out $sql after you create it and then copy-and-paste it into a MySQL command prompt or phpMyAdmin SQL window and see what errors -- if any -- you get.

Pikachu2000

javawizkid;10889571 wrote:
Hi,
I'm having a problem with my PHP/MySQL encryption in a log in form.
  $sql = "insert into users (first_name,last_name,user_name,password)
  values (\"$firstname\",\"$lastname\",\"$username\",password(\"$password\") )";
That code creates the users account in the database, the password is encrypted. However when I run the login code:
$sql = "select * from users where user_name=\"$username\" and password = password( \"$password\" )";
The log in result says incorrect password. What is going on? It's the same encryption being sent then decoded. Help would be appreciated.
Thanks.

Try stripping the whitespace out of the password( \"password\" ) in the SELECT statement, so it matches the INSERT statement. I'm not certain that's the problem, but it's worth trying.

javawizkid

The removing of the spaces didn't work. I think ill just start again from scratch, I'm getting really annoyed with errors. I get this error when I sign in:

Warning: Cannot modify header information - headers already sent by (output started at C:\xampp\htdocs\authenticate.php:3) in C:\xampp\htdocs\authenticate.php on line 39

Here is all of the code:

<?php

$username = $_POST['username'];
$password = $_POST['password'];
$self =     $_SERVER['PHP_SELF'];
$referer =  $_SERVER['HTTP_REFERER'];

# if either form field is empty return to the log-in page
if( ( !$username ) or ( !$password ) )
{ header( "Location:$referer" ); exit(); }

#connect to MySQL
$conn=@mysql_connect( "localhost", "username", "password" )
		 or die( "Could not connect" );

#select the specified database
$rs = @mysql_select_db( "my_database", $conn ) 
		or die( "Could not select database" );

#create the query 
$sql = "select * from users where user_name=\"$username\" and password = password(\"$password\")";

#execute the query
$rs = mysql_query( $sql, $conn ) 
		or die( "Could not execute query" );

#get number of rows that match username and password
$num = mysql_numrows( $rs );

#if there is a match the log-in is authenticated
if( $num != 0 )
{ 
  $msg = "<h3>Welcome $username - your log-in succeeded!</h3>";
}
else
{
  header( "Location:$referer" ); exit(); 
}
?>

<html>

 <head>
  <title>Log-In Authenticated</title>
  </head>

  <body>
   <?php echo( $msg ); ?>
  </body>

</html>

and the create user code is:

<html><head><title>Adding a User</title></head>
<body>
<?php

$self = $_SERVER['PHP_SELF'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$password = $_POST['password'];

if( (!$firstname) or (!$lastname) or (!$username) or (!$password) )
{
  $form ="Please enter all new user details...";
  $form.="<form action=\"$self\"";
  $form.=" method=\"post\">First Name: ";
  $form.="<input type=\"text\" name=\"firstname\"";
  $form.=" value=\"$firstname\"><br>Last Name: ";
  $form.="<input type=\"text\" name=\"lastname\"";
  $form.=" value=\"$lastname\"><br>User Name: ";
  $form.="<input type=\"text\" name=\"username\"";
  $form.=" value=\"$username\"><br>Password: &nbsp; ";
  $form.="<input type=\"text\" name=\"password\"";
  $form.=" value=\"$password\"><br>";
  $form.="<input type=\"submit\" value=\"Submit\">";
  $form.="</form>";
  echo($form);
}
else
{
  #connect to MySQL
  $conn = @mysql_connect("localhost","username","password")
		        or die("Could not connect to MySQL");
  #select a database
  $db = @mysql_select_db("my_database",$conn)
		        or die("Could not select database");
  #create the SQL query
  $sql = "insert into users (first_name,last_name,user_name,password)
  values (\"$firstname\",\"$lastname\",\"$username\",password(\"$password\"))";
  #execute the query
  $result = @mysql_query($sql,$conn)
		        or die("Could not execute query");
  if($result)
  { echo("New user $username added"); }
}
?>
</body></html>

Pikachu2000

javawizkid;10889625 wrote:

The removing of the spaces didn't work. I think ill just start again from scratch, I'm getting really annoyed with errors. I get this error when I sign in:

Warning: Cannot modify header information - headers already sent by (output started at C:\xampp\htdocs\authenticate.php:3) in C:\xampp\htdocs\authenticate.php on line 39

Here is all of the code:

<?php

$username = $_POST['username'];
$password = $_POST['password'];
$self =     $_SERVER['PHP_SELF'];
$referer =  $_SERVER['HTTP_REFERER'];

# if either form field is empty return to the log-in page
if( ( !$username ) or ( !$password ) )
{ header( "Location:$referer" ); exit(); }

#connect to MySQL
$conn=@mysql_connect( "localhost", "username", "password" )
		 or die( "Could not connect" );

#select the specified database
$rs = @mysql_select_db( "my_database", $conn ) 
		or die( "Could not select database" );

#create the query 
$sql = "select * from users where user_name=\"$username\" and password = password(\"$password\")";

#execute the query
$rs = mysql_query( $sql, $conn ) 
		or die( "Could not execute query" );

#get number of rows that match username and password
$num = mysql_numrows( $rs );

#if there is a match the log-in is authenticated
if( $num != 0 )
{ 
  $msg = "<h3>Welcome $username - your log-in succeeded!</h3>";
}
else
{
  header( "Location:$referer" ); exit(); 
}
?>

<html>

 <head>
  <title>Log-In Authenticated</title>
  </head>

  <body>
   <?php echo( $msg ); ?>
  </body>

</html>

and the create user code is:

<html><head><title>Adding a User</title></head>
<body>
<?php

$self = $_SERVER['PHP_SELF'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$password = $_POST['password'];

if( (!$firstname) or (!$lastname) or (!$username) or (!$password) )
{
  $form ="Please enter all new user details...";
  $form.="<form action=\"$self\"";
  $form.=" method=\"post\">First Name: ";
  $form.="<input type=\"text\" name=\"firstname\"";
  $form.=" value=\"$firstname\"><br>Last Name: ";
  $form.="<input type=\"text\" name=\"lastname\"";
  $form.=" value=\"$lastname\"><br>User Name: ";
  $form.="<input type=\"text\" name=\"username\"";
  $form.=" value=\"$username\"><br>Password: &nbsp; ";
  $form.="<input type=\"text\" name=\"password\"";
  $form.=" value=\"$password\"><br>";
  $form.="<input type=\"submit\" value=\"Submit\">";
  $form.="</form>";
  echo($form);
}
else
{
  #connect to MySQL
  $conn = @mysql_connect("localhost","username","password")
		        or die("Could not connect to MySQL");
  #select a database
  $db = @mysql_select_db("my_database",$conn)
		        or die("Could not select database");
  #create the SQL query
  $sql = "insert into users (first_name,last_name,user_name,password)
  values (\"$firstname\",\"$lastname\",\"$username\",password(\"$password\"))";
  #execute the query
  $result = @mysql_query($sql,$conn)
		        or die("Could not execute query");
  if($result)
  { echo("New user $username added"); }
}
?>
</body></html>

As far as the header error, nothing can be output to the browser before header info is sent. Are either of the above files used as an included file in another file?

javawizkid

They are separate files from each other and the html files.

Weedpacket

The error message would have been generated by line 37 (or maybe line 10); not line 39. Are you sure that's the whole code and there isn't, for example, another couple of lines at the top?

That notwithstanding, the only way line 3 could cause output to be sent is if your error reporting is cranked up so high that it would issue notices if you try and use a non-existent variable (such as a username form field when no form had been submitted). But then you'd see the notice.

javawizkid

I downloaded my book example code and it produces the same error? Is it something to do with the version of MySQL and PHP I'm using. I'm using the latest version of XAMPP by Apache Friends.

javawizkid

I have changed the code so the login matches, but I still cannot login. What is wrong!?!

<?php

$username = $_POST['username'];
$password = $_POST['password'];
$self =     $_SERVER['PHP_SELF'];
$referer =  $_SERVER['HTTP_REFERER'];

# if either form field is empty return to the log-in page
if( ( !$username ) or ( !$password ) )
{ header( "Location:$referer" ); exit(); }

#connect to MySQL
$conn=@mysql_connect( "localhost", "username", "password" )
		 or die( "Could not connect" );

#select the specified database
$rs = @mysql_select_db( "my_database", $conn ) 
		or die( "Could not select database" );

#create the query 
$sql = "select * from users where user_name='$username' and password = password('$password')";

#execute the query
$rs = mysql_query( $sql, $conn ) 
		or die( "Could not execute query" );

#get number of rows that match username and password
$num = mysql_numrows( $rs );

#if there is a match the log-in is authenticated
if( $num != 0 )
{ 
  $msg = "<h3>Welcome $username - your log-in succeeded!</h3>";
}
else
{
  $msg = "<h3>Could not log in. Make sure the username and password are correct.</h3>";
}
?>

<html>

 <head>
  <title>Log-In Authenticated</title>
  </head>

  <body>
   <?php echo( $msg ); ?>
  </body>

</html>

<html><head><title>Adding a User</title></head>
<body>
<?php

$self = $_SERVER['PHP_SELF'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$password = $_POST['password'];

if( (!$firstname) or (!$lastname) or (!$username) or (!$password) )
{
  $form ="Please enter all new user details...";
  $form.="<form action='$self'";
  $form.=" method='post'>First Name: ";
  $form.="<input type='text' name='firstname'";
  $form.=" value='$firstname'><br>Last Name: ";
  $form.="<input type='text' name='lastname'";
  $form.=" value='$lastname'><br>User Name: ";
  $form.="<input type='text' name='username'";
  $form.=" value='$username'><br>Password: ";
  $form.="<input type='text' name='password'";
  $form.=" value='$password'><br>";
  $form.="<input type='submit' value='Submit'>";
  $form.="</form>";
  echo($form);
}
else
{
  #connect to MySQL
  $conn = @mysql_connect("localhost","username","password")
		        or die("Could not connect to MySQL");
  #select a database
  $db = @mysql_select_db("my_database",$conn)
		        or die("Could not select database");
  #create the SQL query
  $sql = "insert into users (first_name,last_name,user_name,password)
  values ('$firstname','$lastname','$username',password('$password'))";
  #execute the query
  $result = @mysql_query($sql,$conn)
		        or die("Could not execute query");
  if($result)
  { echo("New user $username added"); }
}
?>
</body></html>

Weedpacket

The second script is for adding a new user; there is nothing there that has anything to do with logging in. The first script is for logging in, but you have no login form.

javawizkid

I have got the login form. I just didn't post it. Here:

 <head>
  <title>Log-In Page</title>
 </head>

 <body>
 Please enter your user details to log-in here...

 <form action = "authenticate.php" method = "post">
 Username:<br>
 <input type = "text" name = "username">
 <br><br>
 Password:<br>
 <input type = "text" name = "password">
 <br><br>
 <input type = "submit" value = "Log In">
 </form>

 </body>

</html>

javawizkid

So what's wrong?

javawizkid

Anyone?

Pikachu2000

Did you make sure your field in the database is of sufficient length to hold the result of running the password through the password() function? If it's too short, it will be truncated and won't match when it's queried.

javawizkid

I uninstalled everything and reinstalled a fresh copy of Xampp, and copied exactly what my book said, still got the error logging in and the header thing is still wrong. I installed an older version of Xampp and the login worked like a charm. I have no idea why it doesn't work on a newer version. The header error still exists if I enter a wrong password. I'm sure I can make a work around. But why doesn't the login work with a newer version of MySQL and PHP?

javawizkid

I logged into my MySQL account and previewed the table or users, I noticed something. On the newer version of MySQL, the password encryption had a * in front of the encrypted password. On the older version of MySQL it didn't. Does that have anything to do with the login sequence not working? Is the PHP version incompatible with that version of MySQL for the encryption not to work?

javawizkid

What's wrong?