[SOLVED] base64_decode help


pcw

Hi, I am writing a registration and login script. The script successfully encodes the password and writes the result to the MySQL database.

When it comes to the logging-in part, I am using base64_decode to check that the password matches what is listed in the database, but it just states that the login was not successful. It worked fine until I changed the string to use base64_decode.

Any help is much appreciated.

function login_chk() {
  if (isset($_POST['submit'])) {
    $db = "moveitho_sitebuilder";

    mysql_connect('localhost', 'moveitho_paul', 'test') or die(mysql_error());
    mysql_select_db($db) or die(mysql_error());

    $username = mysql_real_escape_string($_POST['username']);
    $password_decoded = mysql_real_escape_string(base64_decode($_POST['password']));

    if ($result = mysql_query("SELECT username, password, verified FROM users WHERE username='$username' AND password='$password_decoded' AND verified='yes'")) {
      if (mysql_num_rows($result) > 0) {
        echo "Login successful";
      } else {
        echo "Login not successful.";
      }
    } else {
      echo "SQL Error: " . mysql_error();
    }
  }
}


Ok, here is the code that writes the data to the database. However, I think I know what I am doing wrong. I should be comparing the password upon login to what has been decoded from the password table in the database.

It works if:

Password on registration - Password encoded - Writes encoded password to db

Password on login - Password encoded - Reads encoded password from db and gets a match.

However, the way I have it at the moment:

Password on registration - Password encoded - Writes encoded password to db

Password on login - Password decoded - Reads encoded password from db and does not match, as the password in the database is still encoded.

Here is the code for writing to the db:

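function db_add_user() {
  $db = "moveitho_sitebuilder";
  $link = mysql_pconnect("localhost", "moveitho_paul", "test");
  if (!$link) {
    $dberror = mysql_error();
    return false;
  }
  if (!mysql_select_db($db, $link)) {
    $dberror = mysql_error();
    return false;
  }
  // Escape every request value before it is placed in the SQL string.
  $gen_id     = mysql_real_escape_string($_POST['gen_id'], $link);
  $username   = mysql_real_escape_string($_POST['username'], $link);
  $first_name = mysql_real_escape_string($_POST['first_name'], $link);
  $last_name  = mysql_real_escape_string($_POST['last_name'], $link);
  $email      = mysql_real_escape_string($_POST['email'], $link);
  // The password is base64-encoded before storage (the behaviour discussed in this thread).
  $password = base64_encode($_POST['password']);
  $query = "INSERT INTO users ( gen_id, username, password, first_name, last_name, email )
    values('$gen_id', '$username', '$password', '$first_name', '$last_name', '$email')";
  if (!mysql_query($query, $link)) {
    $dberror = mysql_error();
    return false;
  }
  return true;
}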

If you encoded it when you originally stored it, you cannot match a decoded password against an encoded password.

$password_decoded = mysql_real_escape_string(base64_decode($_POST['password']));

Change this to base64_encode and see if it works.

First of all, when it comes to encoding passwords, the term base64 shouldn't be in the picture. You should be using a one-way encryption like md5, sha1, etc.

So, in your registration code, use crypt() instead. This will use the best encryption method your version of PHP supports.

Then, change your login code to:

<?php
function login_chk() {
  if (isset($_POST['submit'])) {
    $db = "moveitho_sitebuilder";
    mysql_connect('localhost', 'moveitho_paul', 'test') or die(mysql_error());
    mysql_select_db( $db) or die(mysql_error());

    $username = mysql_real_escape_string($_POST['username']);
    if ($result = mysql_query("SELECT username, password, verified FROM users WHERE username='$username' AND verified='yes'")) {
      if (mysql_num_rows($result) === 1) {
        $info = mysql_fetch_array($result);
        if(!strcmp($info['password'],crypt($_POST['password'],$info['password']))){
          echo "Login successful";
        }else {
          echo "Login not successful.";
        }
      }else{
        echo "User not found";
      }
    }else{
      echo "SQL Error: " . mysql_error();
    }
  }
}
?>
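
The store-a-one-way-hash approach from the last reply, as an added example that is not part of the original thread. It swaps in password_hash()/password_verify() and PDO prepared statements for the thread's crypt() and mysql_* calls (the mysql_* functions were removed in PHP 7), and assumes PHP 7+ with pdo_sqlite; the in-memory table, usernames and passwords are constructed.

```php
<?php
// Added example, not code from the thread. Table layout and sample values are constructed.
$pdo = new PDO('sqlite::memory:');   // assumption: pdo_sqlite stands in for the MySQL users table
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL, verified TEXT NOT NULL)');

function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates a salt and hashes in one step; the result cannot be decoded.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password, verified) VALUES (?, ?, ?)');
    $stmt->execute([$username, $hash, 'yes']);
}

function login_chk(PDO $pdo, string $username, string $password): bool
{
    // Look the row up by username only; the submitted password never enters the SQL.
    $stmt = $pdo->prepare("SELECT password FROM users WHERE username = ? AND verified = 'yes'");
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no verified user matches
    // password_verify() re-hashes the submitted password with the salt embedded
    // in the stored hash and compares the two in constant time.
    return $hash !== false && password_verify($password, $hash);
}

// base64 is an encoding: anyone who can read the column recovers the password.
$stored = base64_encode('s3cret-example');
var_dump(base64_decode($stored) === 's3cret-example');

register_user($pdo, 'alice', 's3cret-example');
var_dump(login_chk($pdo, 'alice', 's3cret-example'));   // correct password
var_dump(login_chk($pdo, 'alice', 'wrong-guess'));      // wrong password
var_dump(login_chk($pdo, 'nobody', 's3cret-example'));  // unknown user
```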
