Lodius2000 Posted January 31, 2009 Share Posted January 31, 2009 This always redirects to changepw.php <?php $username = trim($_POST['username']); $password = trim($_POST['password']); $hash = hash("sha512",$password.$salt); $q = mysql_query("SELECT `password` FROM `users` WHERE `username` = $username"); if ( $a[0] == $hash ){ $_SESSION['username'] = $username; print "you have successfully logged-in "; print '<a href="changepw.php">Change Password</a>'; } else { mysql_query("UPDATE `users` SET `temp_usage` = '1' WHERE `username` = $username and `temp_password` = $hash"); $_SESSION['username'] = $username; header('Location: changepw.php'); } ?> and the query that updates temp_usage, does not set it to 1 whats wrong Quote Link to comment Share on other sites More sharing options...
.josh Posted January 31, 2009 Share Posted January 31, 2009 I don't see where you are assigning anything to $a[0] Quote Link to comment Share on other sites More sharing options...
Lodius2000 Posted January 31, 2009 Author Share Posted January 31, 2009 sorry cv supposed to be $q[0].... for some stupid reason I changed the variable for this forum, they do match up in my script though //repost of the code <?php $username = trim($_POST['username']); $password = trim($_POST['password']); $hash = hash("sha512",$password.$salt); $q = mysql_query("SELECT `password` FROM `users` WHERE `username` = $username"); if ( $q[0] == $hash ){ $_SESSION['username'] = $username; print "you have successfully logged-in "; print '<a href="changepw.php">Change Password</a>'; } else { mysql_query("UPDATE `users` SET `temp_usage` = '1' WHERE `username` = $username and `temp_password` = $hash"); $_SESSION['username'] = $username; header('Location: changepw.php'); } ?> Quote Link to comment Share on other sites More sharing options...
.josh Posted January 31, 2009 Share Posted January 31, 2009 okay well doing a mysql_query returns a result source. You actually have to pull the info out of the result source with mysql_result or mysql_fetch_assoc or mysql_fetch_row Quote Link to comment Share on other sites More sharing options...
uniflare Posted January 31, 2009 Share Posted January 31, 2009 Try using a mysql function to extract that specific row from the result resource returned by mysql_query; <?php $q = mysql_query("SELECT `password` FROM `users` WHERE `username` = $username"); $result = mysql_result($q,0,'password'); if ( $result == $hash ){ ?> Quote Link to comment Share on other sites More sharing options...
Lodius2000 Posted January 31, 2009 Author Share Posted January 31, 2009 this is the bane of using a database extraction... everytime i have a sql question on these forums, if I mention i use peardb i get no responses, because my sql looks weird. if I dont mention it and I try to make it look like i use the php mysql functions i invariably screw up and people correct my function usage. I know how to use my dba, I dont know how to use php's mysql functions but i try to fudge it. I think there is a problem with how my query result is interacting with my if() statement (possibly a sql problem all together so in my real script $q is fetched into an associative array, so the code looks as such if ($q['password'] == $hash) now to me that says, 'if the password entered in the form matches the password in the database, display a successful login', now to the else clause 'else the password entered in the form does not match the database then do the second query and redirect to the password changing script' right, or am i screwed up somewhere EDIT: CV it seems like you have changed your sig like 9 times tonight, all of them worthy of being up there for a quite a while, i was still laughing at the last one, now you have the stick pron joke Quote Link to comment Share on other sites More sharing options...
.josh Posted January 31, 2009 Share Posted January 31, 2009 I understand you wanting to shy away with showing your real code because you use pear. You may receive little or no response from posting your real code, but you will certainly receive nothing helpful by not posting it. Quote Link to comment Share on other sites More sharing options...
Lodius2000 Posted January 31, 2009 Author Share Posted January 31, 2009 alright then that sounded like a passive request so here it is down and dirty <?php function process_form(){ global $db; $username = trim($_POST['username']); $password = trim($_POST['password']); $hash = hash("sha512",$password.$salt); $a = $db->getOne("SELECT password FROM users WHERE username = ?", array($username)); if ($a['password'] == $hash ){ $_SESSION['username'] = $username; print "you have successfully logged-in "; print '<a href="changepw.php">Change Password</a>'; } else { $db->query("UPDATE users SET temp_usage = 1 WHERE username = ? and temp_password = ?", array($username, $hash)); $_SESSION['username'] = $username; header('Location: changepw.php'); } } ?> Quote Link to comment Share on other sites More sharing options...
uniflare Posted January 31, 2009 Share Posted January 31, 2009 use var_dump on both variables your checking, see if they are exactly the same. enclose them in quoptes if you can make sure there is no whitespace or new lines etc. Quote Link to comment Share on other sites More sharing options...
Lodius2000 Posted January 31, 2009 Author Share Posted January 31, 2009 well thats just interesting vardump hash prints out the correct hash $a['password'] on the other hand prints out '6', which is the first character of the hash, but not the first character of id, the only numeric field in the table that doesnt contain 0 or 1 Quote Link to comment Share on other sites More sharing options...
uniflare Posted January 31, 2009 Share Posted January 31, 2009 try a var_dump($a) Quote Link to comment Share on other sites More sharing options...
Lodius2000 Posted January 31, 2009 Author Share Posted January 31, 2009 hash and $a are not the same, though they should be, I made a new account and tried this whole thing again still different if register.php hashes the pw before putting it in the db like this: (direct copy paste) $password = $_POST['password']; $hash = hash("sha512",$password.$salt); and $hash is created in the login script like this: (direct copy paste) $password = $_POST['password']; $hash = hash("sha512",$password.$salt); how am i getting different hash values Quote Link to comment Share on other sites More sharing options...
Lodius2000 Posted January 31, 2009 Author Share Posted January 31, 2009 just made this, $hash and $hash2 are the same <?php require ('settings.php');//define $salt $password = 'blah'; $hash = hash("sha512",$password.$salt); print $hash."\n"; $hash2 = hash("sha512",$password.$salt); print $hash2."\n"; ?> Quote Link to comment Share on other sites More sharing options...
uniflare Posted January 31, 2009 Share Posted January 31, 2009 Make sure your not hashing them twice, that the are the same case, length and use some sort of PearAdmin interface to make sure the hash stored in the db is the same, also make sure the db field isn't set to 'password' or anything, it could hash your hash - if u know what i mean. try echoing the insert query from registration. then echo the results from a select query etc, generally debug this situation and post your findings . Quote Link to comment Share on other sites More sharing options...
Lodius2000 Posted January 31, 2009 Author Share Posted January 31, 2009 omg i hate myself i hate myself more for wasting all of your time. at the top of the codeblock function process_form(){ global $db; should be function process_form(){ global $db, $salt; variable scope can just bite me tonight Quote Link to comment Share on other sites More sharing options...
.josh Posted January 31, 2009 Share Posted January 31, 2009 what is the column type you are using to store the password has in? Quote Link to comment Share on other sites More sharing options...
uniflare Posted January 31, 2009 Share Posted January 31, 2009 lol i'm glad you sorted it. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.