denoteone Posted January 21, 2009

My _POST password is not matching the password in the DB? Here is my code, anybody see any glaring issues?

```php
if (isset($_POST['submit'])) { // if form has been submitted

    // makes sure they filled it in
    if(!$_POST['username'] | !$_POST['pass']) {
        die('You did not fill in a required field.');
    }

    // checks it against the database
    if (!get_magic_quotes_gpc()) {
        $_POST['email'] = addslashes($_POST['email']);
    }

    $check = mysql_query("SELECT * FROM users WHERE email = '".$_POST['username']."'")or die(mysql_error());

    //Gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('That is not a vaild username.');
    }

    while($info = mysql_fetch_array( $check ))
    {
        $_POST['pass'] = stripslashes($_POST['pass']);
        $info['password'] = stripslashes($info['password']);
        $_POST['pass'] = md5($_POST['pass']);

        //gives error if the password is wrong
        if ($_POST['pass'] != $info['password']) {
            die('Incorrect password, please try again.');
        }else
```

Philip Posted January 21, 2009

A few things I notice:

```php
<?php
if(!$_POST['username'] | !$_POST['pass']) {
// should be:
if(!$_POST['username'] || !$_POST['pass']) {
?>
```

and:

```php
<?php
// you don't need this, since md5 returns alphanumeric only
$_POST['pass'] = stripslashes($_POST['pass']);
// you don't need the next line
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);
?>
```

denoteone Posted January 21, 2009

I am using stripslashes on the password entered on the login page, so don't I need to keep this?

```php
$_POST['pass'] = stripslashes($_POST['pass']);
```

I understand I don't need to do that for the password being checked from the DB that has already been when entered in the DB.

Still getting an "Incorrect password, please try again." error.

cytech Posted January 21, 2009

This is probably a silly question, but the password in the DB is md5, right?

```php
$_POST['email'] = addslashes($_POST['email']);
// use mysql_real_escape_string instead of addslashes, it's much better.
$_POST['email'] = mysql_real_escape_string($_POST['email']);
```

denoteone Posted January 21, 2009

Yes it is. I do that on my registration page.

cytech Posted January 21, 2009

```php
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);
```

After this portion echo out both $_POST['pass'] and $info['password'] to see if they are blank or have values.

Also keep in mind if your column name is "password" MySQL has a habit of turning that into PASSWORD (all caps) since PASSWORD is a function used by the system.

Philip Posted January 21, 2009

Well, I'm not sure how you did it when they registered. However, it is not necessary to stripslashes on something that will be encrypted. Give this a shot, I simplified it a bit:

```php
<?php
if (isset($_POST['submit'])) { // if form has been submitted

    // makes sure they filled it in
    if(!$_POST['username'] | !$_POST['pass'])
        die('You did not fill in a required field.');

    // checks it against the database
    if (!get_magic_quotes_gpc())
        $_POST['email'] = addslashes($_POST['email']);

    // Are you sure you meant to do 'username', or was it supposed to be 'email'
    $check = mysql_query("SELECT * FROM users WHERE email = '".$_POST['username']."'")or die(mysql_error());

    //Gives error if user doesn't exist
    if(mysql_num_rows($check)==0)
        die('That is not a vaild username.');

    // otherwise, get info
    $info = mysql_fetch_assoc($check);

    // this isn't needed, unless you did this when they signed up.
    // remember, to NOT change $_POST values.
    // so we'll setup a new variable, named password
    $password = stripslashes($_POST['pass']);
    $password = md5($password);

    //gives error if the password is wrong
    if ($password != $info['password']) {
        $test = 'In the DB: '.$info['password'].'<br />';
        $test.= 'MD5\'d: '.md5($_POST['pass']).'<br />';
        $test.= 'MD5\'d + stripslashes: '.$password.'<br />';
        $test.= 'Do any of these match?';
        echo $test;
        die("Invalid password");
    }
}
?>
```

denoteone Posted January 21, 2009

This is what I got:

```
In the DB: 0e9c339f8f5a4c1613eb
MD5'd: 0e9c339f8f5a4c1613ebd4c6284f5658
MD5'd + stripslashes: 0e9c339f8f5a4c1613ebd4c6284f5658
Do any of these match?
```

(This is just a test account, so the info above cannot be used for anything potentially harmful.)

denoteone Posted January 21, 2009

Thanks KingPhilip for your help. I am going to use your code style for this project and in the future. Looks like my varchar length was not long enough. Again, thank you for your help.
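
A present-day version of the login check discussed in this thread, as an added example that is not any poster's code: bound parameters in place of `addslashes`, `password_hash`/`password_verify` in place of `md5`, and a read-back at registration that catches the truncated-hash problem found above. The table and column names, the sample account, the helper function names and the in-memory SQLite database (standing in for MySQL, needs `pdo_sqlite`) are assumptions.

```php
<?php
// Added example, not code from the thread. Table and column names and the
// sample account are constructed; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output can grow with newer algorithms; the PHP manual
// suggests a 255-character column. SQLite does not enforce the length.
$pdo->exec('CREATE TABLE users (email VARCHAR(255) PRIMARY KEY, password VARCHAR(255) NOT NULL)');

function fetchHash(PDO $pdo, string $email): ?string
{
    // Bound parameter: the value sent to the query is the value that is handled
    // safely, unlike escaping $_POST['email'] and querying with $_POST['username'].
    $stmt = $pdo->prepare('SELECT password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

function register(PDO $pdo, string $email, string $pass): void
{
    $hash = password_hash($pass, PASSWORD_DEFAULT); // salted, slow hash instead of md5()
    $pdo->prepare('INSERT INTO users (email, password) VALUES (?, ?)')->execute([$email, $hash]);
    // Read back what was stored: a column that is too short shows up here,
    // at registration, rather than as a failed login later.
    if (fetchHash($pdo, $email) !== $hash) {
        throw new RuntimeException('Stored hash was altered; check the column length.');
    }
}

function login(PDO $pdo, string $email, string $pass): bool
{
    $stored = fetchHash($pdo, $email);
    return $stored !== null && password_verify($pass, $stored);
}

// The thread's symptom: the stored value is a shorter prefix of the computed hash.
function looksTruncated(string $stored, string $computed): bool
{
    return strlen($stored) < strlen($computed)
        && strncmp($stored, $computed, strlen($stored)) === 0;
}

register($pdo, 'test@example.com', 'constructed-password');
var_dump(login($pdo, 'test@example.com', 'constructed-password'));
var_dump(login($pdo, 'test@example.com', 'wrong-password'));
var_dump(looksTruncated('0e9c339f8f5a4c1613eb', '0e9c339f8f5a4c1613ebd4c6284f5658'));
```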