
[SOLVED] having trouble querying sha1 passwords from database in where clause


cluce

Recommended Posts

I am having trouble matching the username and password that are in the database.

 

On my first page I am using this query to login:

 

// trims and strips tags and escapes the submitted fields
$checkuser = mysqli_real_escape_string($mysqli, trim(strip_tags($_POST['username'])));
$_SESSION['password'] = $checkpassword = mysqli_real_escape_string($mysqli, trim(strip_tags($_POST['password'])));

// create and issue the query
// note: inside this double-quoted string only $checkpassword is interpolated;
// ".STR_PWSALT" is passed to MySQL as literal text, not as the PHP constant
$sql = "SELECT username, f_name, l_name, password FROM employees WHERE username = '$checkuser' AND password = sha1('$checkpassword.STR_PWSALT') LIMIT 1";
$result = @mysqli_query($mysqli, $sql) or die(header("Location: error.html"));

 

and on every other page I am including an authentication page with the following:

 


// authenticate employee
// here the "." is real PHP concatenation, so the constant's value is appended before hashing
$val = "SELECT username, password FROM employees WHERE username = '" . $_SESSION['validate'] . "' AND password = '" . sha1($_SESSION['password'] . STR_PWSALT) . "'";
$auth = mysqli_query($mysqli, $val) or die(header("Location: error.html"));
if (mysqli_num_rows($auth) != 1) {
    $_SESSION['authenticate'] = "<font color='red'>You must be logged in</font>";
    mysqli_close($mysqli);
    header("Location: employee_resource.php5");
    exit();
}
echo($val); // debug output: prints the query, including the computed hash

 

 

The problem I am having is that this "AND password = '".sha1($_SESSION['password'].STR_PWSALT)."'"; is not matching the password that's in the database. I would think it would be the same as the query used on my first page to login, but it's not, because it redirects me to the login every time. Also, when I echo($val) the query, the hashed password is different from what I see in the database. Can someone tell me why it's not matching up with my first query's password?

 

I am able to log in without the authentication page. I am just using it for added security.
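The mismatch described above, reproduced as an added example that is not part of the original post: the salt value and sample password are constructed, and findEmployee() is a hypothetical helper showing one corrected lookup with a prepared statement.

```php
<?php
// Added example, not code from the thread. It reproduces why the login page's
// hash and the auth include's hash differ, then shows one corrected lookup.
// Assumptions: STR_PWSALT is the site's salt constant; all values are constructed.
define('STR_PWSALT', 'example-salt');      // constructed stand-in for the real salt
$checkpassword = 'secret123';              // constructed sample password

// Login page: inside a double-quoted PHP string "$checkpassword" is interpolated,
// but ".STR_PWSALT" is plain text, not a concatenation with the constant.
$loginSql = "SELECT username FROM employees WHERE password = sha1('$checkpassword.STR_PWSALT')";
echo $loginSql, "\n";
// -> ... password = sha1('secret123.STR_PWSALT')
// MySQL therefore hashes the literal string "secret123.STR_PWSALT".
$loginHash = sha1($checkpassword . '.STR_PWSALT');

// Auth include: here the "." is real PHP concatenation, so the constant's value is used.
$authHash = sha1($checkpassword . STR_PWSALT);     // sha1("secret123example-salt")

var_dump($loginHash === $authHash);                // bool(false): the two pages never agree

// Corrected lookup: hash once in PHP and bind both values with a prepared
// statement, so quoting, escaping and interpolation no longer matter.
// (get_result() needs the mysqlnd driver.)
function findEmployee(mysqli $db, string $username, string $password): ?array
{
    $hash = sha1($password . STR_PWSALT);
    $stmt = $db->prepare(
        'SELECT username, f_name, l_name FROM employees WHERE username = ? AND password = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}
```

Whichever of the two forms the stored hashes were produced with, every page must use the same one; rows stored via the literal form would have to be regenerated before the corrected lookup matches them. PHP's password_hash()/password_verify() is the modern replacement for salted SHA-1, but that is a separate change.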


Not a very good idea to hold passwords in the session. Why not, after the person is authenticated, just set a value

 

$_SESSION['auth'] = 1;

 

Now just check to see if the value is set and has a value of 1

if(isset($_SESSION['auth']) && $_SESSION['auth'] == 1){
// run code

} else {
// redirect to login page
header('Location:login.php');
}

 

Ray


Your . may not be getting evaluated.  Try this and see if it works.

<?php
// assumes $mysqli, $checkuser and the STR_PWSALT constant are already defined
$p = mysqli_real_escape_string($mysqli, trim(strip_tags($_POST['password'])));
$p = $p . STR_PWSALT; // concatenate the salt in PHP, not inside the SQL string

$sql = "SELECT username, f_name, l_name, password FROM employees WHERE username = '$checkuser' AND password = sha1('$p') LIMIT 1";
$result = @mysqli_query($mysqli, $sql) or die(header("Location: error.html"));

?>



Thanks. I will do this.



 

I am able to log in. It's the authentication code that checks for a validly logged-in user on all my other pages that wasn't working.



 

I ran into another problem. The username and password together are the primary key because the username alone can have duplicates. So this will not work. I have to set 2 sessions to use across my web application to identify and authenticate a user. I might be able to use another field besides the password to set as a session to match up in the where clause wherever needed.

 

 



 

 

Well, that's a stupid idea. Use the ID of the user too if you really need to have duplicated usernames.
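Ray's session-flag approach combined with the user ID from the reply above, as an added example that is not code from the thread: it assumes the employees table has an id column (not shown in the thread's schema), that $mysqli is an open connection, and that the login page already fetched the matching row; startAuthenticatedSession(), requireLogin() and loadProfile() are hypothetical helper names.

```php
<?php
// Added example, not code from the thread: keep an auth flag plus the row id in
// the session so no page ever needs the password again.
// Assumptions: `id` column exists; $mysqli is an open mysqli connection.

// login.php, after the credentials query returned exactly one row ($row):
function startAuthenticatedSession(array $row): void
{
    session_regenerate_id(true);               // fresh session id on privilege change
    $_SESSION['auth']     = 1;
    $_SESSION['user_id']  = (int) $row['id'];  // identifies the row even if usernames repeat
    $_SESSION['username'] = $row['username'];
    // The password is deliberately never stored in the session.
}

// auth include, required at the top of every protected page:
function requireLogin(string $loginPage = 'employee_resource.php5'): int
{
    if (empty($_SESSION['auth']) || (int) $_SESSION['auth'] !== 1 || empty($_SESSION['user_id'])) {
        $_SESSION['authenticate'] = 'You must be logged in';
        header('Location: ' . $loginPage);
        exit();
    }
    return (int) $_SESSION['user_id'];
}

// Any later query that needs "this user" uses the id, not username + password
// (get_result() needs the mysqlnd driver):
function loadProfile(mysqli $db, int $userId): ?array
{
    $stmt = $db->prepare('SELECT id, username, f_name, l_name FROM employees WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Usage on a protected page:
session_start();
$userId  = requireLogin();
$profile = loadProfile($mysqli, $userId);
```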