Here's the meat and potatoes of this issue. I have a login page, and when I use the query looking only for a username, EVERYTHING works appropriately. As soon as I add the "AND password='$password'" part to the query...it doesn't work at all (in fact comes up with match not found)...I've put in checks to see where it hiccups, but either I've been staring too long at the screen, or I'm "special" in the ways of mysql...or both. Here is the code from the login.php
CODE
<?php
$page_title = "Login.php";
$secured_page = FALSE;
$message=array();
$error=array();
$login = "
<form action='login.php' method='post'>
<div id='text'>
Login <input type='text' name='username' size='15' maxlength='20'/>
Password <input type='password' name='password' size='15' maxlength='20'/>
<input type='submit' name='submit' value='Login'/>
<input type='hidden' name='submitted' value='TRUE'/>
</div>
</form>
";
include('../od_mysql_connect.php');
if(!isset($_COOKIE['username']))
{
if($secured_page)//REQUIRES AUTHENTICATION
{
$message[]="Secured Page";
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
if((substr($url, -1) == '/') OR (substr($url, -1) == '\\'))
{
$url = substr($url, 0,-1);
}
$url .= '/login.php';
header("Location: $url");
exit();
}
elseif(!$secured_page)//GUEST LEVEL
{
$message[]="You are currently not logged in!";
}
}
else
{
$login = "Welcome " . $_COOKIE['username'];
$message[] = "You are currently logged in!";
}
if(isset($_POST['submitted']))
{
if(empty($_POST['username']))
{
$error[]="Username not given! Please try again.";
}
else
{
$username=escape_data($_POST['username']);
}
if(empty($_POST['password']))
{
$error[]="Password not given! Please try again.";
}
else
{
$password=escape_data($_POST['password']);
}
if(empty($error))
{
$message[]="Attempting to connect to database and verify credentials.";
$query = "SELECT username, user_id FROM users WHERE username='$username' AND password=SHA('$password')";
$result = @mysql_query($query);
$row=mysql_fetch_array($result, MYSQL_ASSOC);
if($row)
{
$message[]="Match Found";
setcookie('username', $row['username']);
setcookie('user_id', $row['user_id']);
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
if((substr($url, -1) == '/') OR (substr($url, -1) == '\\'))
{
$url = substr($url, 0,-1);
}
$url .= '/login.php';
header("Location: $url");
exit();
}
else
{
$error[]="No match found!";
}
}
}
include('./includes/header.html');
foreach($_COOKIE as $msg)
{
echo " - $msg";
}
if(!empty($message))
{
echo "<h2>Messages</h2>";
foreach($message as $msg)
{
echo " - $msg<br/>";
}
}
if(!empty($error))
{
echo "<h2>Errors</h2>";
foreach($error as $msg)
{
echo " - $msg<br/>";
}
}
?>
<?php
include('./includes/footer.html');
?>
here is how I setup the database
CODE
CREATE TABLE users
(
user_id MEDIUMINT(8) UNSIGNED NOT NULL AUTO_INCREMENT,
username VARCHAR(20) NOT NULL,
email VARCHAR(40) NOT NULL,
password CHAR(20) NOT NULL,
user_status_id SMALLINT(2) NOT NULL,
user_level_id SMALLINT(2) NOT NULL,
user_rank_id SMALLINT(2) NOT NULL,
registration_date DATETIME NOT NULL,
PRIMARY KEY (user_id)
);
INSERT INTO users (username, email, password, user_status_id, user_level_id, user_rank_id, registration_date)
VALUES
('testname','test@test.net',SHA('testpassword'),'2','3','5',NOW()),
Any help would be much appreciated.
. Is SHA() and SHA1() the same thing? and are they always a 40 character string length regardless of the length of the password before it's hashed?
| 