Cetanu (Author), posted July 1, 2009

So I've tested the code, and it will not work. The problem lies in here:

```php
<?php
$password = $_POST['password'];
$username = $_POST['username'];
function hashPW($password, $username) {
    return sha1($password.$username);
}
?>
```

This is the login script, which I'm trying to fix.

```php
<?php
include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include "function.php";

$match = "select id from $table where username = '".$_POST['username']."' and password = '".hashPW($_POST['password'],$_POST['username'])."';";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
    echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
    echo "<a href=log.php>Try again</a>";
    exit;
} else {
    setcookie("loggedin", "TRUE", time()+(3600 * 24));
    setcookie("mysite_username", "{$_POST['username']}");
    header('Location:http://mythscape.freezoka.com/');
    die();
}
?>
```

It gives me my error message about not having username and password specified exist.... I tried it with {} and without them in the function script.

GOOD NEWS: The existing passwords were hashed and the registration script works. Just the login script is broken.

Psycho, posted July 1, 2009

You need to be more specific. What is the EXACT error message and what line is it giving the error on?

In the first block of code above, why are you defining $password & $username?

I did a test and it outputs exactly what I would expect

```php
$_POST['username'] = 'mjdamato';
$_POST['password'] = 'notmyrealpassword';
$table = 'tableName';

function hashPW($password, $username) {
    return sha1($password.$username);
}

$match = "select id from $table where username = '".$_POST['username']."' and password = '".hashPW($_POST['password'],$_POST['username'])."';";

echo $match;

// Output:
// select id
// from tableName
// where username = 'mjdamato'
// and password = '032aefab39a2f2ee2b90891d62fd19edcd220802';
```

Cetanu (Author), posted July 1, 2009

There is no error, the page just goes to login.php and is completely blank. The error I was talking about was from the login.php code:

```php
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=log.php>Try again</a>";
```

I cannot define $_POST['username'] or password as "mjdamato" or "notmyrealpassword" because I want that to be gotten from my MySQL server.

I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes?

I tried a lot just to get this to grab the hashed password from the server and compare it with the typed password, but it was to no avail.

Psycho, posted July 1, 2009

> I cannot define $_POST['username'] or password as "mjdamato" or "notmyrealpassword" because I want that to be gotten from my MySQL server. I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes? I tried a lot just to get this to grab the hashed password from the server and compare it with the typed password, but it was to no avail.

I'm not suggesting you define the POST values, that was only a test. And, post values do not come from the database, they come from a form post. Are you even sure of what your code does?

> I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes?

No. You pass the values to the function and they are defined within the function.

Echo the value of $match to the page to see if the query is being generated as you expect.

Cetanu (Author), posted July 1, 2009

Well I sort of have an idea what the code's doing, but this is really a learn-as-you-go experience for me. That's what PHP has been so far, and I think I've learned a fair bit.

I'll see what happens when I echo $match. Thanks.

EDIT: It does echo what I want it to! With this:

```php
<?php
include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include ("function.php");

$match = "select id from $table where username = '".$_POST['username']."' and password = '".hashPW($_POST['password'],$_POST['username'])."';";

echo $match;
?>
```

So it would have to be something in here:

```php
...
$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
    echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
    echo "<a href=user_login.php>Try again</a>";
    exit;
} else {
    setcookie("loggedin", "TRUE", time()+(3600 * 24));
    setcookie("mysite_username", "{$_POST['username']}");
    header('Location:http://mythscape.freezoka.com/');
    die();
}
?>
```

Right?

Psycho, posted July 1, 2009

Use this code and run a test. Then post the text displayed

```php
<?php
include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include ("function.php");

//$match = "select id from $table where username = '".$_POST['username']."'
//and password = '".hashPW($_POST['password'],$_POST['username'])."';";

//Test Query
$match = "select password from $table where username = '".$_POST['username']."'";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());

//----BEGIN TEST CODE
$result = mysql_fetch_assoc($qry);
echo "QUERY: {$match}<br />
POSTED VALUES:<br />
- Username: {$_POST['username']}<br />
- Password: {$_POST['password']}<br />
- Hashed Password: " . hashPW($_POST['password'], $_POST['username']) . "<br />";
echo "Database Password: {$_result['password']}";
exit();
//-----END TEST CODE

$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
    echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
    echo "<a href=user_login.php>Try again</a>";
    exit;
} else {
    setcookie("loggedin", "TRUE", time()+(3600 * 24));
    setcookie("mysite_username", "{$_POST['username']}");
    header('Location:http://mythscape.freezoka.com/');
    die();
}
?>
```

Cetanu (Author), posted July 2, 2009

Okay:

```
QUERY: select password from users where username = 'Admin'
POSTED VALUES:
- Username: Admin
- Password: ------
- Hashed Password: 89cda54482caa109b5544b204b0ad06a7d57df4e
Database Password:
```

Cetanu (Author), posted July 2, 2009

Okay, I found that a variable was improperly defined and then retried it so this is the final after my change:

```
QUERY: select password from users where username = 'Admin'
POSTED VALUES:
- Username: Admin
- Password: ------ [<< I changed it to that, it showed my password]
- Hashed Password: 89cda54482caa1e9b5544b204b0ad06a7d57df4e
Database Password: 89cda54482caa1e9b5544b204b0ad06a
```

Psycho, posted July 2, 2009

Check the definition for the password field in the database. I'm guessing you set the length of that field to 32 characters - so the value is getting truncated (i.e. the last 8 characters are getting cut off)!

You will need to:

1. Restore your backed up database
2. Increase the length of the field in the database to at least 40 characters
3. Rerun the script to hash the current passwords

It "should" all work then. Now aren't you glad you made a backup of the database?!
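
Added example (not part of the thread and not code from either poster): a stand-alone PHP sketch of the failure diagnosed above, reusing the thread's `hashPW()`. The helper names `digestHexLength`, `storeInColumn` and `diagnose`, the sample password and the column widths are assumptions made for illustration.

```php
<?php
// Added example; sample values are constructed, not taken from the thread's database.

// Hex digest length of an algorithm, measured from the hash itself (sha1 -> 40, md5 -> 32).
function digestHexLength(string $algo): int
{
    return strlen(hash($algo, ''));
}

// The thread's hashPW(): SHA-1 over the password followed by the username.
function hashPW(string $password, string $username): string
{
    return sha1($password . $username);
}

// Models what MySQL does to an over-long string in non-strict SQL mode:
// the value is cut to the column width and only a warning is raised.
function storeInColumn(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Tell a truncated stored hash apart from a genuinely wrong one.
function diagnose(string $stored, string $computed): string
{
    if (hash_equals($computed, $stored)) {
        return 'match';
    }
    $len = strlen($stored);
    if ($len > 0 && $len < strlen($computed) && strncmp($computed, $stored, $len) === 0) {
        return "truncated: column holds $len of " . strlen($computed) . ' characters';
    }
    return 'mismatch';
}

$needed   = digestHexLength('sha1');
$computed = hashPW('constructed-password', 'Admin');

foreach ([32, 40] as $width) {
    $stored = storeInColumn($computed, $width);
    printf("column width %d (digest needs %d): %s\n", $width, $needed, diagnose($stored, $computed));
}
```

With the column at 32 the stored value is a strict prefix of the computed hash, so the `where ... and password = '...'` comparison in the login query can never succeed; at 40 the two are equal.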

Cetanu (Author), posted July 2, 2009

Wait, the database field is set to be too short to be hashed? Okay, I can change it. YES I am happy that I backed it up.

I'll go do that, thanks. I'll pro'ly have one or two more questions.

Cetanu (Author), posted July 2, 2009

Okay. Thanks a lot to everyone who helped me accomplish this. It's fixed.