Username/Passcode query issues

 

Akelo
post 2 Jul, 2008 - 11:13 AM
Post #1


Here's the meat and potatoes of this issue. I have a login page, and when I use the query looking only for a username, EVERYTHING works appropriately. As soon as I add the "AND password='$password'" part to the query...it doesn't work at all (in fact comes up with match not found)...I've put in checks to see where it hiccups, but either I've been staring too long at the screen, or I'm "special" in the ways of mysql...or both. Here is the code from the login.php
CODE

<?php
    $page_title = "Login.php";
    $secured_page = FALSE;
    $message=array();
    $error=array();
    $login = "
            <form action='login.php' method='post'>
                <div id='text'>
                Login <input type='text' name='username' size='15' maxlength='20'/>
                Password <input type='password' name='password' size='15' maxlength='20'/>
                <input type='submit' name='submit' value='Login'/>
                <input type='hidden' name='submitted' value='TRUE'/>
                </div>
                
            </form>
            ";
    include('../od_mysql_connect.php');
    if(!isset($_COOKIE['username']))
    {
        if($secured_page)//REQUIRES AUTHENTICATION
        {
            $message[]="Secured Page";
            $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
                
            if((substr($url, -1) == '/') OR (substr($url, -1) == '\\'))
            {
                $url = substr($url, 0,-1);
            }
            $url .= '/login.php';
            header("Location: $url");
            exit();
        }
        elseif(!$secured_page)//GUEST LEVEL
        {
            $message[]="You are currently not logged in!";
        }
    }
    else
    {
        $login = "Welcome " . $_COOKIE['username'];
        $message[] = "You are currently logged in!";
    }
    if(isset($_POST['submitted']))
    {
        if(empty($_POST['username']))
        {
            $error[]="Username not given! Please try again.";
        }
        else
        {
            $username=escape_data($_POST['username']);
        }
        if(empty($_POST['password']))
        {
            $error[]="Password not given! Please try again.";
        }
        else
        {
            $password=escape_data($_POST['password']);
        }
        if(empty($error))
        {
            $message[]="Attempting to connect to database and verify credentials.";
            $query = "SELECT username, user_id FROM users WHERE username='$username' AND password=SHA('$password')";
            $result = @mysql_query($query);
            $row=mysql_fetch_array($result, MYSQL_ASSOC);
            if($row)
            {
                $message[]="Match Found";
                setcookie('username', $row['username']);
                setcookie('user_id', $row['user_id']);
                
                $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
                
                if((substr($url, -1) == '/') OR (substr($url, -1) == '\\'))
                {
                    $url = substr($url, 0,-1);
                }
                $url .= '/login.php';
                header("Location: $url");
                exit();
            }
            else
            {
                $error[]="No match found!";
            }
        }
    }
    include('./includes/header.html');
    foreach($_COOKIE as $msg)
    {
        echo " - $msg";
    }
    if(!empty($message))
    {
        echo "<h2>Messages</h2>";
        foreach($message as $msg)
        {
            echo " - $msg<br/>";
        }
    }
    if(!empty($error))
    {
        echo "<h2>Errors</h2>";
        foreach($error as $msg)
        {
            echo " - $msg<br/>";
        }
    }
?>

<?php
    include('./includes/footer.html');
?>



Here is how I set up the database:
CODE

CREATE TABLE users
(
    user_id MEDIUMINT(8) UNSIGNED NOT NULL AUTO_INCREMENT,
    username VARCHAR(20) NOT NULL,
    email VARCHAR(40) NOT NULL,
    password CHAR(20) NOT NULL,
    user_status_id SMALLINT(2) NOT NULL,
    user_level_id SMALLINT(2) NOT NULL,
    user_rank_id SMALLINT(2) NOT NULL,
    registration_date DATETIME NOT NULL,
    PRIMARY KEY (user_id)
);
INSERT INTO users (username, email, password, user_status_id, user_level_id, user_rank_id, registration_date)
    VALUES
    ('testname','test@test.net',SHA('testpassword'),'2','3','5',NOW());


Any help would be much appreciated.

akozlik
post 2 Jul, 2008 - 12:21 PM
Post #2


Have you checked the SHA'ed password against the one in the database to make sure they're the same? Echo out your $password and compare it.

AdaHacker
post 2 Jul, 2008 - 12:22 PM
Post #3


Might want to check your database schema there. You have password specified as a VARCHAR(20), but you're inserting the results of an SHA() call into it. SHA1 hashes are 40 characters long.

Unfortunately, MySQL doesn't warn you when you insert too much data into a character field - it just silently truncates the data. So your query is actually comparing the first 20 characters of the user's password hash to the full password hash, which obviously doesn't match. So just set your password field to the right size, recalculate your hashes, and you should be good.

akozlik
post 2 Jul, 2008 - 12:23 PM
Post #4


QUOTE(AdaHacker @ 2 Jul, 2008 - 04:22 PM) *

Might want to check your database schema there. You have password specified as a VARCHAR(20), but you're inserting the results of an SHA() call into it. SHA1 hashes are 40 characters long.

Unfortunately, MySQL doesn't warn you when you insert too much data into a character field - it just silently truncates the data. So your query is actually comparing the first 20 characters of the user's password hash to the full password hash, which obviously doesn't match. So just set your password field to the right size, recalculate your hashes, and you should be good.


Damn I didn't even see that. I bet you anything that's the problem. Though we might've come to that conclusion after 20 posts about the comparison thing. Ha ha.

This post has been edited by akozlik: 2 Jul, 2008 - 12:24 PM

joeyadms
post 2 Jul, 2008 - 01:17 PM
Post #5


Stop the presses!!!! jk

But you really should consider not using cookies for validation.

A user could simply modify his cookies, and set one for username, and would render your check useless.

Use sessions for things like that, keep control in your court.
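An added example (not part of any post in this thread) of the session-based check suggested in post #5: the identity lives in `$_SESSION` on the server, so a visitor who edits a `username` cookie gains nothing. The function names are hypothetical, and the array form of `session_set_cookie_params()` assumes PHP 7.3 or later.

```php
<?php
// Added example: keep login state server-side in $_SESSION instead of
// trusting $_COOKIE['username'], which the browser can set to any value.

// Call once at the top of every page, before any output is sent.
function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,                      // session id hidden from JavaScript
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']), // HTTPS-only when served over HTTPS
    ]);
    session_start();
}

// Call after the username/password query has returned a row.
function log_in(array $row): void
{
    session_regenerate_id(true);   // new id at login, old session file deleted
    $_SESSION['user_id']  = (int) $row['user_id'];
    $_SESSION['username'] = $row['username'];
}

// Replacement for the isset($_COOKIE['username']) test in login.php.
function current_user(): ?array
{
    if (!isset($_SESSION['user_id'], $_SESSION['username'])) {
        return null;
    }
    return ['user_id' => $_SESSION['user_id'], 'username' => $_SESSION['username']];
}

function log_out(): void
{
    $_SESSION = [];
    session_destroy();
}

// --- demonstration with constructed values ---
start_secure_session();
$_COOKIE['username'] = 'admin';   // constructed: a cookie forged in the browser
$with_forged_cookie = current_user();                 // the cookie is never consulted
log_in(['user_id' => 1, 'username' => 'testname']);  // constructed database row
$after_login = current_user();
log_out();
var_dump($with_forged_cookie, $after_login);
```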

akozlik
post 2 Jul, 2008 - 01:33 PM
Post #6


Read this for the difference: http://www.dreamincode.net/forums/showtopic52887.htm

Akelo
post 2 Jul, 2008 - 01:41 PM
Post #7


Thanks AdaHacker, that did the trick. Are SHA() and SHA1() the same thing? And are they always a 40-character string regardless of the length of the password before it's hashed?

AdaHacker
post 2 Jul, 2008 - 02:09 PM
Post #8


QUOTE(Akelo @ 2 Jul, 2008 - 04:41 PM) *

Are SHA() and SHA1() the same thing? And are they always a 40-character string regardless of the length of the password before it's hashed?

Yes on both counts. According to the MySQL manual, SHA() is simply an alias for SHA1(). And as for length, yes, it's fixed. SHA-1 produces 160-bit message digests, which, at 4 bits per character, encodes to a 40-character hexadecimal string.
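An added example (not code from any poster) that reproduces the truncation diagnosed in post #3 and the fixed 40-character digest length confirmed in post #8. It also includes a check for stored values that were cut short and need recalculating. The column truncation is simulated with `substr()`, the function names are hypothetical, and the comparison is done in PHP rather than in the SQL `WHERE` clause.

```php
<?php
// Added example: the CHAR(20) truncation from this thread, simulated in PHP.

// Stand-in for a CHAR($width) column that silently cuts over-long values.
function store_in_char_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Equivalent of "WHERE password = SHA('$password')" from login.php.
function login_matches(string $stored, string $password): bool
{
    return hash_equals($stored, sha1($password));
}

// A stored SHA-1 value is intact only if it is exactly 40 hex characters.
function is_full_sha1_hex(string $stored): bool
{
    return (bool) preg_match('/\A[0-9a-f]{40}\z/i', $stored);
}

// The digest length does not depend on the length of the input.
foreach (['a', 'testpassword', str_repeat('x', 500)] as $pw) {
    printf("%3d-char input -> %d-char digest\n", strlen($pw), strlen(sha1($pw)));
}

// Same password, stored in the original column width and in the corrected one.
$full = sha1('testpassword');
foreach ([20, 40] as $width) {
    $stored = store_in_char_column($full, $width);
    printf(
        "CHAR(%d): stored=%s intact=%s login=%s\n",
        $width,
        $stored,
        var_export(is_full_sha1_hex($stored), true),
        var_export(login_matches($stored, 'testpassword'), true)
    );
}
```

With MySQL's strict SQL mode enabled, the over-long INSERT is rejected with an error instead of being truncated, which surfaces this kind of schema mistake at insert time.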
