Jump to content

password help

Blauv

By Blauv
in PHP Coding Help

 Share

Recommended Posts

Blauv Newbie

Blauv

Posted
Posted

I am having some trouble getting this to pull the password correctly from the database.

I believe the problem is from the password being in md5 format.

I am not sure how to fix the issue.

 

Much thanks

 

<?php
//signin.php
include 'connect.php';
include 'header.php';

echo '<h3>Sign in</h3><br />';

//first, check if the user is already signed in. If that is the case, there is no need to display this page
if(isset($_SESSION['signed_in']) && $_SESSION['signed_in'] == true)
{
   echo 'You are already signed in, you can <a href="signout.php">sign out</a> if you want.';
}
else
{
   if($_SERVER['REQUEST_METHOD'] != 'POST')
   {
      /*the form hasn't been posted yet, display it
        note that the action="" will cause the form to post to the same page it is on */
      echo '<form method="post" action="">
         Username: <input type="text" name="username" /><br />
         Password: <input type="password" name="password"><br />
         <input type="submit" value="Sign in" />
       </form>';
   }
   else
   {
      /* so, the form has been posted, we'll process the data in three steps:
         1.   Check the data
         2.   Let the user refill the wrong fields (if necessary)
         3.   Varify if the data is correct and return the correct response
      */
      $errors = array(); /* declare the array for later use */
      
      if(!isset($_POST['username']))
      {
         $errors[] = 'The username field must not be empty.';
      }
      
      if(!isset($_POST['password']))
      {
         $errors[] = 'The password field must not be empty.';
      }
      
      if(!empty($errors)) /*check for an empty array, if there are errors, they're in this array (note the ! operator)*/
      {
         echo 'Uh-oh.. a couple of fields are not filled in correctly..<br /><br />';
         echo '<ul>';
         foreach($errors as $key => $value) /* walk through the array so all the errors get displayed */
         {
            echo '<li>' . $value . '</li>'; /* this generates a nice error list */
         }
         echo '</ul>';
      }
      else
      {
         //the form has been posted without errors, so save it
         //notice the use of mysql_real_escape_string, keep everything safe!
         //also notice the sha1 function which hashes the password
         $sql = "SELECT 
                  userid,
                  username,
                  userlevel
               FROM
                  users
               WHERE
                  username = '" . mysql_real_escape_string($_POST['username']) . "'
               AND
                  password = '" . sha1($_POST['password']) . "'";
                  
         $result = mysql_query($sql);
         if(!$result)
         {
            //something went wrong, display the error
            echo 'Something went wrong while signing in. Please try again later.';
            //echo mysql_error(); //debugging purposes, uncomment when needed
         }
         else
         {
            //the query was successfully executed, there are 2 possibilities
            //1. the query returned data, the user can be signed in
            //2. the query returned an empty result set, the credentials were wrong
            if(mysql_num_rows($result) == 0)
            {
               echo 'You have supplied a wrong user/password combination. Please try again.';
            }
            else
            {
               //set the $_SESSION['signed_in'] variable to TRUE
               $_SESSION['signed_in'] = true;
               
               //we also put the user_id and user_name values in the $_SESSION, so we can use it at various pages
               while($row = mysql_fetch_assoc($result))
               {
                  $_SESSION['userid']    = $row['userid'];
                  $_SESSION['username']    = $row['username'];
                  $_SESSION['userlevel'] = $row['userlevel'];
               }
               
               echo 'Welcome, ' . $_SESSION['username'] . '. <br /><a href="index.php">Proceed to the forum overview</a>.';
            }
         }
      }
   }
}

include 'footer.php';
?>

Link to comment
Share on other sites
chriscloyd Advanced Member

chriscloyd

Posted
Posted

just an attempt

<?php
//start out with your session
session_start();
//config file
include 'connect.php';
//header file 
include 'header.php';
//set two arrays one for info and one for errors
$info = array(
"username" => $_POST['username'],
"password" => $_POST['password']
);
$errors = array();
foreach ($info as $key => $val) {
if ($key == 'password') {
	$val = md5($val);
}
$val = mysql_real_escape_string($val);
if ($val == '') {
	$errors[] = "The {$key} field must not be empty";
}
}
//now check if the errors is empty
if(empty($errors)) {
$sql = "SELECT `userid`,`username`,`userlevel` FROM `users` WHERE `username` = '{$info['username']}' AND `password` = {$info['password']}'";
    $result = mysql_query($sql);
if(!$result) {
	//something went wrong, display the error
	echo 'Something went wrong while signing in. Please try again later.';
	//echo mysql_error(); //debugging purposes, uncomment when needed
} else {
	//the query was successfully executed, there are 2 possibilities
	//1. the query returned data, the user can be signed in
	//2. the query returned an empty result set, the credentials were wrong
	if(mysql_num_rows($result) == 0) {
		echo 'You have supplied a wrong user/password combination. Please try again.';
	} else {
		//set the $_SESSION['signed_in'] variable to TRUE
		$_SESSION['signed_in'] = true;
               
		//we also put the user_id and user_name values in the $_SESSION, so we can use it at various pages
		while($row = mysql_fetch_assoc($result)) {
			$_SESSION['userid']    = $row['userid'];
			$_SESSION['username']    = $row['username'];
			$_SESSION['userlevel'] = $row['userlevel'];
		}
               
		echo 'Welcome, ' . $_SESSION['username'] . '. <br /><a href="index.php">Proceed to the forum overview</a>.';
	}
}
} else {
echo 'Uh-oh.. a couple of fields are not filled in correctly..<br /><br />';
    echo '<ul>';
foreach($errors as $value) { /* walk through the array so all the errors get displayed */
	echo "<li>{$value}</li>"; /* this generates a nice error list */
}
echo '</ul>';
}


include 'footer.php';
?>

Link to comment
Share on other sites
Blauv Newbie

Blauv

Posted
  • Author
Posted

i tried to switch it to md5 no joy :(

 

the user table was created for another script and I am trying to convert this to use the existing user table.

 

The user table places the password into the DB as an md5  this script call it from the db as sha1. two seperate scripts.

Link to comment
Share on other sites
Muddy_Funster Regular Member

Muddy_Funster

Posted
Posted

ok, give this a shot:

<?php
//signin.php
include 'connect.php';
include 'header.php';

echo '<h3>Sign in</h3><br />';

//first, check if the user is already signed in. If that is the case, there is no need to display this page
if(isset($_SESSION['signed_in']) && $_SESSION['signed_in'] == true)
{
   echo 'You are already signed in, you can <a href="signout.php">sign out</a> if you want.';
}
else
{
   if($_SERVER['REQUEST_METHOD'] != 'POST')
   {
      /*the form hasn't been posted yet, display it
        note that the action="" will cause the form to post to the same page it is on */
      echo '<form method="post" action="">
         Username: <input type="text" name="username" /><br />
         Password: <input type="password" name="password"><br />
         <input type="submit" value="Sign in" />
       </form>';
   }
   else
   {
      /* so, the form has been posted, we'll process the data in three steps:
         1.   Check the data
         2.   Let the user refill the wrong fields (if necessary)
         3.   Varify if the data is correct and return the correct response
      */
      $errors = array(); /* declare the array for later use */
      
      if(!isset($_POST['username']))
      {
         $errors[] = 'The username field must not be empty.';
      }
      
      if(!isset($_POST['password']))
      {
         $errors[] = 'The password field must not be empty.';
      }
      
      if(!empty($errors)) /*check for an empty array, if there are errors, they're in this array (note the ! operator)*/
      {
         echo 'Uh-oh.. a couple of fields are not filled in correctly..<br /><br />';
         echo '<ul>';
         foreach($errors as $key => $value) /* walk through the array so all the errors get displayed */
         {
            echo '<li>' . $value . '</li>'; /* this generates a nice error list */
         }
         echo '</ul>';
      }
      else
      {
         //the form has been posted without errors, so save it
         //notice the use of mysql_real_escape_string, keep everything safe!
         //also notice the md5 function which hashes the password
$uname = mysql_real_escape_string(trim($_POST['username']));
$upass = mysql_real_escape_string(trim($_POST['password']));
$encPass = md5($upass);
         $sql = "SELECT 
                  userid,
                  username,
                  userlevel
               FROM
                  users
               WHERE
                  username = '$uname'
               AND
                  password = '$encPass'";
                  
         $result = mysql_query($sql);
         if(!$result)
         {
            //something went wrong, display the error
            echo 'Something went wrong while signing in. Please try again later.';
            //echo mysql_error(); //debugging purposes, uncomment when needed
         }
         else
         {
            //the query was successfully executed, there are 2 possibilities
            //1. the query returned data, the user can be signed in
            //2. the query returned an empty result set, the credentials were wrong
            if(mysql_num_rows($result) == 0)
            {
               echo 'You have supplied a wrong user/password combination. Please try again.';
            }
            else
            {
               //set the $_SESSION['signed_in'] variable to TRUE
               $_SESSION['signed_in'] = true;
               
               //we also put the user_id and user_name values in the $_SESSION, so we can use it at various pages
               while($row = mysql_fetch_assoc($result))
               {
                  $_SESSION['userid']    = $row['userid'];
                  $_SESSION['username']    = $row['username'];
                  $_SESSION['userlevel'] = $row['userlevel'];
               }
               
               echo 'Welcome, ' . $_SESSION['username'] . '. <br /><a href="index.php">Proceed to the forum overview</a>.';
            }
         }
      }
   }
}

include 'footer.php';
?>

Link to comment
Share on other sites
Blauv Newbie

Blauv

Posted
  • Author
Posted

This was posted by the creator of the login script

 

I would say there is no need to reinvent the wheel so to speak when all the functions you need are already in the code. So for example, the confirmUserpass function in database.php already does this starting line 75. But ultimately I would say it is because you are not using the salt which is added to the password. The salt is saved in the database for each username.

 

What it does is the query gets the password then takes that password and sha1's it with the salt also from the database then matches that with the form submitted password (which must also be salted). A bit complicated I know.

 

function confirmUserPass($username, $password){
      /* Add slashes if necessary (for query) */
      if(!get_magic_quotes_gpc()) {
         $username = addslashes($username);
      }

      /* Verify that user is in database */
      $sql = $this->connection->query("SELECT password, userlevel, usersalt FROM ".TBL_USERS." WHERE username = '$username'");
      $count = $sql->rowCount();
    
     if(!$sql || $count < 1){
        return 1; //Indicates username failure
      }

      /* Retrieve password and userlevel from result, strip slashes */
    $dbarray = $sql->fetch();
      
     // $dbarray['password'] = stripslashes($dbarray['password']);
     $dbarray['userlevel'] = stripslashes($dbarray['userlevel']);
     $dbarray['usersalt'] = stripslashes($dbarray['usersalt']);
     $password = stripslashes($password);
     
     $sqlpass = sha1($dbarray['usersalt'].$password);

     /* Validate that password matches and check if userlevel is equal to 1 */
     if(($dbarray['password'] == $sqlpass)&&($dbarray['userlevel'] == 1)){
       return 3; //Indicates account has not been activated
     }
     
     /* Validate that password matches and check if userlevel is equal to 2 */
      if(($dbarray['password'] == $sqlpass)&&($dbarray['userlevel'] == 2)){
       return 4; //Indicates admin has not activated account
     }

      /* Validate that password is correct */
     if($dbarray['password'] == $sqlpass){
      return 0; //Success! Username and password confirmed
      }
      else{
         return 2; //Indicates password failure
      }
   }

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.