RE: Encrypted Password NOT recognized by database during registered member login

[mrjap1]

Hello Everyone,

 

I recent made a simple membership website. Every page I created works exactly how I envisioned it...

All members data from my registration form goes into my database along with their md5 Encrypted passwords with a time-stamp.

Subsequent pages have a start_session included.

 

I am very please with it except ONE THING. Logging in is now a problem... username is recognized but NOT the password.

 

Now the strange thing is that when I go into the database and copy the encrypted password and paste

it into the password field in my login page, I miraculously get into my website with NO problem.

 

" How do I get the registered members Encrypted Passwords to be recognized by the database when

the  registered members decide to logging in with the password that they create? "

 

Is there a easy fix for this?

 

I appreciate ALL your help... 8) 8)

 

 

Thx

mrjap1

[batwimp]

It sounds like your password input isn't being hashed with MD5 before it checks against the database. Could you please post the relevant code, and put it inside code tags?

[kicken]

Whatever means of hashing the password you use when you register them and save the password to the database has to be repeated when they login.  Then you compare the two hash values together to see if they match.

 

So say on registration you save to your database the sha1 value of the password, eg: sha1($_POST['password']); giving you a value like 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 in your database.

 

When the user tries to login, you'd do something like:

$hash = sha1($_POST['password']);
$user = $_POST['username'];


$sql = 'SELECT * FROM users WHERE username=\''.mysql_real_escape_string($user).'\' AND password=\''.$hash.'\'';

 

 

[mrjap1]

Hello batwimp,

 

Thanks again for responding. I have placed all my code from my "workingitoutproperly.php" page so that you can get a feel for what I've accomplished and perhaps you can tell me what i did incorrectly... how to fix it and then I can adjust the code going forward.

 

Thank you Again for your time.

 

<?php
error_reporting(0);
if($_POST['submit'])
{ //Begining of full IF Statment
$name = $_POST['name'];
$email = $_POST['email'];
$username = $_POST['username'];
$password = $_POST['password'];
$confirm_password = $_POST['confirm_password'];
$registration_date = $_POST['registration_date'];
// $date = date ("l, F jS, Y");
//$time = date ("h:i A");
// Encrypt Pasword
$posAt = strpos($email, "@");
$posDot = strrpos($email, ".");
$enc_password = md5($password);
$enc_password2 = md5($confirm_password);


// Confirm All feild were filled out when submit button was pressed
if($name && $email && $username && $password && $confirm_password) 
{
// Confirm that the NAME that you used is NOT greater than 30 characters	 
	 if(strlen($name)>24)
	 {
	 echo "<h2><center>YOUR NAME IS TOO LONG!!!!</center></h2><br>";
	 }
// Confirm that the EMAIL that you used is NOT greater than 30 characters	 
	 if(strlen($email)>25)
	 {
	 echo "<h2><center>YOUR EMAIL IS TOO LONG!!!!</center></h2><br>";
	 }
	if ( ($posAt === false) or ($posDot === false) or ($posDot < $posAt) ) 
	{
	   echo "<h2><center>BAD EMAIL ADDRESS!!!!</center></h2><br>";
	}	 

// Confirm that the USERNAME that you used is NOT greater than 10 characters	 	
	if(strlen($username)>10)
	 {
	 echo "<h2><center>YOUR USERNAME IS TOO LONG!!!!</center></h2><br>";
	 }
	 else {

// Confirm that the PASSWORD that you used MATCH & Between 6 and 15 characters	 
		if(strlen($password)>10 || strlen($password)<6)
		 {
		 echo "<h2><center>YOUR PASSWORD MUST BE BETWEEN 6 and 15 CHARACTERS!!!!</center></h2><br>";
		 }
		if($password == $confirm_password)
		{
		// Database Connection required
		require "db_conncect.php";
		// We Now connect to the Dabase and insert the Form input details
		//------- ### ENTERING ALL INFORMATION INTO THE DATABASE BELOW ### --------// 


// 1. Create a database connection
$con = mysql_connect("localhost","root",""); // <-- THIS IS WHERE YOU " CAN CHANGE " THE USERNAME IS "root", PASSWORD IS "" ONLY.

if (!$con) {
  die('Database connection failed could not connect: ' . mysql_error());
  }
  
// 2. Select a database to use
$db_select = mysql_select_db("registernow_2012",$con); // <-- THE "registernow_2012" IS THE NAME OF THE DATABASE.
if (!$db_select) {
  die('Database selection failed could not connect: ' . mysql_error());
}

mysql_select_db("registernow_2012", $con); // <-- THE "registernow_2012" IS THE NAME OF THE DATABASE TO BE CONNECTED.

// <-- THE `registernow_2012` IS THE NAME OF THE DATABASE TO BE CONNECTED.... `visitors` IS THE TABLE WITH ALL THE FIELDS WITHI IN THE DATABASE.


$sql="INSERT INTO `registernow_2012`.`users` (
`id` ,
`name` ,
`email`,
`username`,
`password`,
`confirm_password`,
`registration_date`
)
VALUES (
NULL , '$_POST[name]', '$_POST[email]', '$_POST[username]', '{$enc_password}','{$enc_password2}', NOW( ))";


if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
}

// 3. Close Connection
mysql_close($con);

header("Location: index.php");  // <-- THIS IS WHERE YOU CAN CHANGE THE "Location: TDIThankYouPageAfrica.htm" of the THANK YOU PAGE.		

		}
	else 
	{
	echo "<h2><center>PASSWORDS MUST MATCH!!!!!</center></h2><br>";
	}	

	 }

	//echo "<h2><center>WORKING!!!!</center></h2>";
}	
else echo "<h2><center>ALL FEILDS MUST BE COMPLETED</center></h2>";

} //Ending of full IF Statment
?>

<!DOCTYPE html>
<html lang='en'>
<head>
<title>THE FORM MY WAY NOW</title>
</head>
<div id='centerstage'>
<form name="myform" action="workingitoutproperly.php" method="POST">
<p>
<label>Name</label><br>
<input type='text' name='name' value=''><br>
<label>Email</label><br>
<input type='text' name='email' value=''><br>
<label>UserName</label><br>
<input type='text' name='username' value=''><br>
<label>Password</label><br>
<input type='password' name='password' value=''><br>
<label>Re-Enter Password</label><br>
<input type='password' name='confirm_password' value=''><br>
<br>
<input type='submit' name='submit' value='REGISTER NOW!!'>
</p>
</form>
</div>
</html>

17836_.php

[batwimp]

Ok. So where is your login script? The one that has the database query that would be something like:

 

SELECT id FROM register_2012 where username = $username and password = $enc_password

 

We need to see all that code as well.

 

BTW, you don't need to store both the password and the confirmed password in the database. Just one will do.

[mrjap1]

Hello batwimp,

 

Thanks again for your help. My apologies, here is all my php scripts attached in a zip file called " mrjap1-phpscripts.zip ".

 

Perhaps once you see the big picture you'll get to see the direction I am going.

Then may be after seeing my scripts you could show me the exact & proper coding to achieve my goal.

 

I appreciate your guidance. :D :D

 

thx

mrjap1

17837_.zip

[scootstah]

In short, your original problem is that you are not hashing the password when you compare it in login.php.

 

When you register, you do

$enc_password = md5($password);

 

When you login, you do

$password = $_POST['password'];

 

Since you inserted a hash, when you return the row from the database (in login.php) that password will be hashed. As it is now, you are comparing a plaintext password to a hashed password.

 

I see several things wrong with your code. There's some very bad practices going on there. I'm feeling a little bored tonight so I decided to whip up a quick and dirty login script for you. There is a login, logout, register, and membersonly pages.

 

Some of the improvements are:

- using the MySQLi extension instead of the MySQL extension. The MySQL extension is very, very old. There is literally no reason to be using it anymore. In my scripts I have used the Object-Oriented style but all of the same functions exist in procedural if you're more comfortable with that (although I'd recommend just using the OOP version).

 

- Escaping data to prevent SQL injection. I am using the MySQLi extension (as I stated above) which supports prepared statements, but I figured that might be a little over the top for you at this point. I do however recommend you look into it, because prepared statements help to secure your queries from attackers.

 

- Minimally separating presentation from business logic. It's very hard to read and maintain code when you have HTML mixed in everywhere. Not to mention the fact that you are outputting HTML before your session_start calls, which throws a warning.

 

Note that to keep things simple, I only used the sha1 function to hash the password. This function (along with md5) is not made for password hashing and as such is very bad at doing so.

 

Anyway, I've attached the files to this post. Hope this helps.

17838_.zip

[mrjap1]

Hello scootstah,

 

Thank you so much for your help!! I really appreciate it. Thank you especially for showing me how to escape the values to avoid SQL injection  plus introducing me to "mysqli ".

 

I used the nice clean php code samples that you kindly provided me. I immediately put them to the test,

to see that if a user types in their chosen unique username & password they proceed into the website.

 

In viewing the database, the password most definitely gets encrypted with the sha1 encrption.

 

Unfortunately, on the login.php page, I get " ERROR: Invalid username/password combination! " subsequent to me manually typing in both my localhost url then entering my username & password.

 

So here is what I need to accomplish... the registered user upon completing the form should be redirected to the login page. The user now enters in their unique registered user name &  password (even thou the password is encrypted in the database) and be redirected to the members page subsequently.

 

I am stuck at this point... is there a way to make this happen?

Would you kindly modify the nice sample that you perviously sent me on how to accomplish this?

 

I do very much appreciate your direction and input.

 

Thx

mrjap1

[scootstah]

In my example, the condition for that error message is that the number of rows returned is not equal to 1. Do you by chance have the same username/password combination in the database more than once?