plaincart - admin login not working - urgent help!!!!

[dragon42tt]

[color=black]
Hi everybody,

I successfully inserted "plaincart" into my website (i'm new) and everything seems to be working well until i try to login as admin, i get the following message;

"Wrong username or password"  ???

i am definetly using the correct username and password.

I followed a tutorial:
http://www.phpwebcommerce.com/

I found solution which worked for some people, this was;
  :-\
-------------------------------------------------------------
The problem seems to be with one line in this SQL query:

$sql = "SELECT user_id
FROM tbl_user
WHERE user_name = '$userName' AND
user_password = PASSWORD('$password')";

The login process works fine if you change the last line to just:

user_password = '$password'";
-----------------------------------------------------------------------

but the above amendment did not work for me, i also tried uploading the files using binary, still no luck.  :-\


If someone can help, it would be greatly appreciated.  ;)

The source code can be downloaded from:
http://www.phpwebcommerce.com/download/plaincart.zip

Thanks a lot.


[/color]

[tritrek]

I would need that help as well! A superb shop but worth nothing when you can't log in!  :'(

[quasiman]

[quote]user_password = '$password'";[/quote]

You're saying here that there is no encryption in the password. 

[quote]user_password = PASSWORD('$password')";[/quote]
This method tries to match your password with the encrypted version in the database.  PASSWORD is not a very good encryption method though, so I would change it and all instances to md5.

admin/library/functions.php (line 39-43):
[code=php:0]
// check the database and see if the username and password combo do match
$sql = "SELECT user_id
        FROM tbl_user
WHERE user_name = '$userName' AND user_password = md5('$password')";
$result = dbQuery($sql);
[/code]

admin/user/changePass.php (line 14-31):
[code=php:0]
if (isset($_POST['btnModify'])) {
$userId      = $_SESSION['userId'];
$oldPassword = $_POST['txtOldPassword'];
$newPassword = $_POST['txtNewPassword1'];

$sql = "SELECT userId FROM tbl_user WHERE userId = $userId AND password = md5('$oldPassword')";
$result = mysql_query($sql) or die(mysql_error());
if (mysql_num_rows($result) != 1) {
$errorMessage = 'Old password is incorrect';
} else {
$sql = "UPDATE tbl_user
SET password = md5('$newPassword')
WHERE userId = $userId";
mysql_query($sql) or die('Modify failed. ' . mysql_error());
header('Location: index.php');
exit;
}
}
[/code]

admin/user/processUser.php (line 50-58):

[code=php:0]
if (dbNumRows($result) == 1) {
header('Location: index.php?view=add&error=' . urlencode('Username already taken. Choose another one'));
} else {
$sql   = "INSERT INTO tbl_user (user_name, user_password, user_regdate)
          VALUES ('$userName', md5('$password'), NOW())";

dbQuery($sql);
header('Location: index.php');
}
[/code]

admin/user/processUser.php (line 64-76):
[code=php:0]
function modifyUser()
{
$userId   = (int)$_POST['hidUserId'];
$password = $_POST['txtPassword'];

$sql   = "UPDATE tbl_user
          SET user_password = md5('$password')
  WHERE user_id = $userId";

dbQuery($sql);
header('Location: index.php');

}
[/code]

After you've changed each of these, re-encrypt the password with md5 in your database (phpMyAdmin would be easiest), then try to login.

Hope that helps

[imjustakid]

Hi! quasiman. Sorry, how to encrypt a password with md5 in phpmyadmin?

[gazever]

create your password, encrypt it here [url=http://www.spywire.net/password-encryption.php]http://www.spywire.net/password-encryption.php[/url] then enter the md5 exncrytion value into your sql database using phpmyadmin.

[quasiman]

Why would you encrypt it there, when phpMyAdmin does md5 encryption on it's own?

[list]
[*]Login to phpMyAdmin
[*]Select the database you're using for plaincart
[*]Select the users table
[*]Click the Insert tab
[*]Type your password into the Value section for the password column
[*]Under the Function dropdown, select MD5
[*]Whatever else you need to do (add/change/remove information)
[*]Press the Go button
[*]All done
[/list]

[imjustakid]

quasiman still have a problem when i encrypt the password using your steps, here's is what i got

SQL query: Edit

INSERT INTO `tbl_user` ( `user_id` , `user_name` , `user_password` , `user_regdate` , `user_last_login` )
VALUES (
NULL , '', MD5( 'please' ) , '0000-00-00 00:00:00', '0000-00-00 00:00:00'
), (
NULL , '', '', '0000-00-00 00:00:00', '0000-00-00 00:00:00'
)

MySQL said: Documentation
#1062 - Duplicate entry '' for key 2

[imjustakid]

i used gazever encryption, thanks man! :).. also thanks to quasiman (hands down) you both a great help to me, thanks.

[quasiman]

#1062 - Duplicate entry '' for key 2

That's saying there's a problem with your primary key field - "user_id".  It should be an auto_increment field, is it?