[RESOLVED] Password problems please help

andysag

Hi I am new to php and am trying to make a login page which I have used before and it worked last time. I am having trouble getting it to recognise the password. I know the password is correct as I have double, double, double checked in my sql tables. I suspect it may have something to do with the md5 password thingy but not sure. Any help would be much appreciated and I can finally get some sleep!
here is the code

<?php
/* 
 * Desc:    Login program for the Admin section login
 *          using an existing LOGIN NAME and PASSWORD
 */

  include("cnxion.inc");                                 

  switch (@$_GET['do'])                                  

  {
    case "login":                                        

      $connection = mysql_connect($host, $user, $password)
               or die ("Couldn't connect to server.");
      $db = mysql_select_db($database, $connection)
               or die ("Couldn't select database.");     

  $sql = "SELECT username FROM admin 
          WHERE username='$_POST[fusername]'";       
  $result = mysql_query($sql)
              or die("Couldn't execute query.");      
  $num = mysql_num_rows($result);                     
  if ($num == 1)  
// login name was found             

      {
         $sql = "SELECT username FROM admin 
                 WHERE username='$_POST[fusername]'
                 AND password=md5('$_POST[fpassword]')";
         $result2 = mysql_query($sql)
                   or die("Couldn't execute query 2.");   

         $num2 = mysql_num_rows($result2);
         if ($num2 > 0)  

// password is correct           

         {
           $_SESSION['auth']="yes";                       

           $logname=$_POST['fusername']; 
           $_SESSION['logname'] = $logname;               

           $today = date("Y-m-d h:i:s");                  

           $sql = "INSERT INTO login (loginName,loginTime)
                   VALUES ('$logname','$today')";
           mysql_query($sql) or die("Can't execute query.");
           header("Location: tyre_admin_page.php");           

         }
         else    

// password is not correct               

         {
           unset($_GET['do']);                            

           $message="Your User Name 
                     exists, but you have not entered the 
                     correct password! Please try again.<br>";
           include("adminlogin.inc");                     

         } 
      }                                                   

      elseif ($num == 0) 
// login name not found         

      {   

         unset($_GET['do']);                              

         $message = "The User Name you entered does not 
                     exist! Please try again.<br>";
         include("adminlogin.inc");
      }
	break;
	}

  ?>

<?php
	include_once("adminlogin.inc");
?>

Also here is the code for adminlogin.inc

<!-- INCLUDE form to login to the admin section -->
<form action= "admin_login.php?do=login" method="post">
  <div align="center">
  <?php
		if (isset($message))
			echo "<tr><td colspan='2'><b>$message</b>
						</td></tr>";
?>
    <label>Username:</label>
    <input type="text" name="fusername"
size="20"  maxsize="20" />
    <br />
    <br />
    <label>Password:</label>
    <input name="fpassword" type="password" id="fpassword" size="20" maxlength="20" />
    <br />
    <br />
    <input name="log" type="submit" id="log" value="Login" />
  </div>
</form>
<p>&nbsp;</p>

Thank You

dalecosp

If you are sure of the database's content for the password field, then, for debugging, print the string you are checking and do a "visual diff" 😃 to see if they match:

echo md5('$_POST[fpassword]');

If they don't match, I'd suggest looking at whether or not PHP is cleaning GPC vars automatically and messing things up ... you might need to do a stripslashes() or somesuch....

sandthipe

this is just a quick thought. you said you've "double checked" your password against the DB, but your password is hashed in the DB. did you hash your password (using a php script) and then compare the 2 strings? sorry if you've already done that.

also, what kind of error are you receiving? is it a PHP or MySQL error or is the script simply not accepting your password?

andysag

The error message I am getting is from the php code

       $message="Your User Name
                 exists, but you have not entered the
                 correct password! Please try again.<br>";

when I "select * from admin" in sql query sender I can see the usernames and passwords, but the passwords are not 'hashed'.
I inserted the username and password into the database using sql query sender, is this the wrong way to do it?
Sorry if I'm being a bit dumb. I'm thinking that maybe I should have made a form for putting the username and password into the database.

dalecosp

So, the problem is:

Your database contains a non-hashed password.
Your PHP script is hashing the password with md5.
Comparing a md5 hash of the password with the actual unhashed password fails.

Or am I misunderstanding something still?

andysag

Yes that about right

dalecosp

Well then, you have two choices.

Don't hash the password in your PHP script (don't call [man]md5/man or similar on it).

OR:

Use a different tool to convert the password stored in the database to the hash that will be given to it by PHP.

I guess there's a third:

Give up and retire somplace with warm mountain to sit on and contemplate the meaning of life, etc.

Of course, that last isn't too practical 😃

andysag

I think I sorted it. I created a form for entering a new username and password into the database, this encrypts the password and now the login page works.
probably basic stuff but now i know. thanks for trying to help

dalecosp

Well, not sure that we only "tried", I think we did help. Of course, that is why we come here 🙂

And, thanks for marking it resolved. And, feel free to come back with more questions as needed. 😃