cluce
Posted June 13, 2008

I am having trouble matching username and password that is in database. On my first page I am using this query to login:

    //trims and strips tags and escapes fields
    $checkuser = mysqli_real_escape_string($mysqli,trim(strip_tags($_POST['username'])));
    $_SESSION['password'] = $checkpassword = mysqli_real_escape_string($mysqli,trim(strip_tags($_POST['password'])));

    //create and issue the query
    $sql = "SELECT username, f_name, l_name, password FROM employees WHERE username = '$checkuser' AND password = sha1('$checkpassword.STR_PWSALT') LIMIT 1";
    $result = @mysqli_query($mysqli, $sql) or die(header("Location: error.html"));

and on every other page I am including an authentication page with the following:

    //authenticate employee
    $val = "SELECT username, password FROM employees WHERE username = '" . $_SESSION['validate']."' AND password = '".sha1($_SESSION['password'].STR_PWSALT)."'";
    $auth = mysqli_query($mysqli,$val) or die(header("Location: error.html"));

    if (mysqli_num_rows($auth) != 1) {
        $_SESSION['authenticate'] = "<font color='red'>You must be logged in</font>";
        mysqli_close($mysqli);
        header ("Location: employee_resource.php5");
        exit();
    }
    echo($val);

The problem I am having is this

    "AND password = '".sha1($_SESSION['password'].STR_PWSALT)."'";

is not matching the password that's in the database. I would think it would be the same as the query used on my first page to login but it's not because it redirects me to the login every time. Also, when I echo($val) the query, the hash password is different from what I see in the database.

Can someone tell me why it's not matching up with my first query's password? I am able to login without the authentication page. I am just using it for added security.

craygo
Posted June 13, 2008

Not a very good idea to hold passwords in the session. Why not after the person is authenticated, you just set a value

    $_SESSION['auth'] = 1;

Now just check to see if the value is set and a value of 1

    if(isset($_SESSION['auth']) && $_SESSION['auth'] == 1){
        // run code
    } else {
        // redirect to login page
        header('Location:login.php');
    }

Ray

Rayhan Muktader
Posted June 13, 2008

Your . may not be getting evaluated. Try this and see if it works.

    <?php
    $p = mysqli_real_escape_string($mysqli,trim(strip_tags($_POST['password'])));
    $p = $p . STR_PWSALT;
    $sql = "SELECT username, f_name, l_name, password FROM employees WHERE username = '$checkuser' AND password = sha1('$checkpassword.STR_PWSALT') LIMIT 1";
    $result = @mysqli_query($mysqli, $sql) or die(header("Location: error.html"));
    ?>

cluce (Author)
Posted June 13, 2008

> Not a very good idea to hold passwords in the session. Why not after the person is authenticated, you just set a value
>
>     $_SESSION['auth'] = 1;
>
> Now just check to see if the value is set and a value of 1
>
>     if(isset($_SESSION['auth']) && $_SESSION['auth'] == 1){
>         // run code
>     } else {
>         // redirect to login page
>         header('Location:login.php');
>     }
>
> Ray

Thanks. I will do this.

cluce (Author)
Posted June 13, 2008

> Your . may not be getting evaluated. Try this and see if it works.
>
>     <?php
>     $p = mysqli_real_escape_string($mysqli,trim(strip_tags($_POST['password'])));
>     $p = $p . STR_PWSALT;
>     $sql = "SELECT username, f_name, l_name, password FROM employees WHERE username = '$checkuser' AND password = sha1('$checkpassword.STR_PWSALT') LIMIT 1";
>     $result = @mysqli_query($mysqli, $sql) or die(header("Location: error.html"));
>     ?>

I am able to login. It's the authentication code to check for a valid login user on all my other pages that wasn't working.
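
Why the two pages compare different hashes, as an added example that is not part of any post in the thread: it rebuilds the hash input each page produces. The salt value and password below are constructed; the thread shows neither.

```php
<?php
// Constructed sample values; the real STR_PWSALT and password are not on the page.
define('STR_PWSALT', 'example-salt-value');
$checkpassword = 'hunter2';

// Login page: the expression sits inside a double-quoted PHP string, so only
// $checkpassword is interpolated. ".STR_PWSALT" reaches MySQL as literal text,
// because PHP never expands constants inside strings.
function login_page_hash_input(string $checkpassword): string
{
    $sql = "password = sha1('$checkpassword.STR_PWSALT')";
    // Extract what MySQL's sha1() is actually handed.
    preg_match("/sha1\\('(.*)'\\)/", $sql, $m);
    return $m[1];
}

// Authentication include: the concatenation runs in PHP, outside the string,
// so the constant's value is appended before hashing.
function auth_page_hash_input(string $sessionPassword): string
{
    return $sessionPassword . STR_PWSALT;
}

$loginInput = login_page_hash_input($checkpassword);
$authInput  = auth_page_hash_input($checkpassword);

printf("login page hashes:   %s -> %s\n", $loginInput, sha1($loginInput));
printf("auth include hashes: %s -> %s\n", $authInput, sha1($authInput));
printf("hashes match: %s\n", hash_equals(sha1($loginInput), sha1($authInput)) ? 'yes' : 'no');
```

Any row whose hash was written with the same in-SQL expression is salted only with the literal text `.STR_PWSALT`, not with the configured secret, so the stored hashes need regenerating once the expression is corrected.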

cluce (Author)
Posted June 13, 2008

> Not a very good idea to hold passwords in the session. Why not after the person is authenticated, you just set a value
>
>     $_SESSION['auth'] = 1;
>
> Now just check to see if the value is set and a value of 1
>
>     if(isset($_SESSION['auth']) && $_SESSION['auth'] == 1){
>         // run code
>     } else {
>         // redirect to login page
>         header('Location:login.php');
>     }
>
> Ray

I ran into another problem. The username and password is both the primary key because the username alone can be duplicates. So this will not work. I have to set 2 sessions to use across my web application to identify and authenticate a user. I might be able to use another field besides the password to set as a session to match up in where clause wherever needed.

conker87
Posted June 13, 2008

> > Not a very good idea to hold passwords in the session. Why not after the person is authenticated, you just set a value
> >
> >     $_SESSION['auth'] = 1;
> >
> > Now just check to see if the value is set and a value of 1
> >
> >     if(isset($_SESSION['auth']) && $_SESSION['auth'] == 1){
> >         // run code
> >     } else {
> >         // redirect to login page
> >         header('Location:login.php');
> >     }
> >
> > Ray
>
> I ran into another problem. The username and password is both the primary key because the username alone can be duplicates. So this will not work. I have to set 2 sessions to use across my web application to identify and authenticate a user. I might be able to use another field besides the password to set as a session to match up in where clause wherever needed.

Well that's a stupid idea. Use the ID of the user too if you really need to have duplicated usernames.
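
The session flag and the user ID suggested above, combined in one login flow, as an added example that is not part of the thread. Assumptions: an in-memory SQLite table through PDO stands in for the MySQL `employees` table, the `id` and `password_hash` columns and all function names are hypothetical, and PHP's `password_hash()`/`password_verify()` are swapped in for the thread's salted `sha1()` comparison.

```php
<?php
// Added example. Constructed data: an in-memory SQLite table stands in for the
// thread's MySQL `employees` table; `id` and `password_hash` are assumed columns.
session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$add = $db->prepare('INSERT INTO employees (username, password_hash) VALUES (?, ?)');
// Two constructed accounts sharing one username, the case raised in the thread.
$add->execute(['jsmith', password_hash('first-pass', PASSWORD_DEFAULT)]);
$add->execute(['jsmith', password_hash('second-pass', PASSWORD_DEFAULT)]);

// Returns the matching employee id, or null. Bound parameters replace the
// escape-and-interpolate pattern; the password never leaves this function.
function login(PDO $db, string $username, string $password): ?int
{
    $q = $db->prepare('SELECT id, password_hash FROM employees WHERE username = ?');
    $q->execute([$username]);
    foreach ($q->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (password_verify($password, $row['password_hash'])) {
            return (int) $row['id'];
        }
    }
    return null;
}

// Called once after a successful login: fresh session id, then flag plus id only.
function mark_logged_in(int $employeeId): void
{
    session_regenerate_id(true);
    $_SESSION['auth'] = 1;
    $_SESSION['employee_id'] = $employeeId;
}

// The check for every protected page: no query and no password, only the session.
function current_employee_id(): ?int
{
    if (isset($_SESSION['auth'], $_SESSION['employee_id']) && $_SESSION['auth'] === 1) {
        return $_SESSION['employee_id'];
    }
    return null; // caller sends header('Location: login.php') and exits
}

$id = login($db, 'jsmith', 'second-pass');
if ($id !== null) {
    mark_logged_in($id);
}
var_dump(current_employee_id(), login($db, 'jsmith', 'wrong-pass'));
```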