[SOLVED] password () function trouble

[zoran]

I am using password () function in an out of mysql database, but I get a message that there is no match in the login.php for that user name and password combination, even though I know there should be. What is wrong here?

 

In my register.php I have:

$result = mysql_query ("INSERT INTO users (name, password, email, showemail)

 

VALUES ('".$user."',PASSWORD('".$pass."'), '".$email."', '".$showemail."')");

 

in my login.php I have:

 

dbConnect();

 

 

$result = mysql_query("SELECT * FROM users WHERE name = '".$user."'

AND password = PASSWORD('".$pass."')");

 

 

[mikesta707]

try putting single quotes around the values

[zoran]

Done that but no avail

login.php

dbConnect();

 

 

$result = mysql_query("SELECT * FROM users WHERE name = '$user'

AND password = PASSWORD('$pass')");

 

register.php

$result = mysql_query ("INSERT INTO users (name, password, email, showemail)

 

VALUES ('$user',PASSWORD('$pass'), '$email', '$showemail')");

[PFMaBiSmAd]

The mysql PASSWORD() function is not intended to be used by your application code. The hash length that it uses has been changed at least once, breaking any application that was using it.

 

You would need to do a test by SELECT'ing both the value from the password column and what PASSWORD('".$pass."') returnes and see if they are the same.

 

If you have just written this application and don't yet have any real passwords stored, switch to the MD5() or SHA1() functions instead.

[zoran]

Still no luck with MD5 ()

login.php

dbConnect();

 

 

$result = mysql_query("SELECT * FROM users WHERE name = '$user'

AND password = MD5('$pass')") or error_reporting(e_ALL);

 

register.php

$result = mysql_query ("INSERT INTO users (name, password, email, showemail)

 

VALUES ('$user',MD5('$pass'), '$email', '$showemail')");

 

[PFMaBiSmAd]

Do some troubleshooting, you were already told how -

You would need to do a test by SELECT'ing both the value from the password column and what PASSWORD('".$pass."') returns and see if they are the same.

[zoran]

I've aready done that, I just  forgot to mention.

 

select * from users where password = MD5('dido')

 

I have registered a password dido with MD5() function into database, and when I look in phpMyAdmin it is there, but the response I get is:

MySQL returned an empty result set (i.e. zero rows).

[PFMaBiSmAd]

when I look in phpMyAdmin it is there

In programming, it is not enough just to look and see that something is present, you must check that it is correct.

 

How about doing this part -

see if they are the same.

 

Until you find out why the two values are not matching on your server with your database, you will never solve this.

[zoran]

How to check if those to values are the same, my friend?

Can you give me a piece of code, because I dont know how to check it.

All I got so far is the error message from the server.

[herghost]

Try something like this:

 

register

$query = 'INSERT INTO users 
                (user_id, username, password)
           VALUES 
               (NULL, "' . mysql_real_escape_string($username, $conn) . '", ' . 
                'PASSWORD("' . mysql_real_escape_string($password, $conn) . '"))';
        $result = mysql_query($query, $conn) or die(mysql_error());

 

login

if (isset($_POST['submit'])) {
    $query = 'SELECT admin_level FROM users WHERE ' .
         'username = "' . mysql_real_escape_string($username, $conn) . '" AND ' .
         'password = PASSWORD("' . mysql_real_escape_string($password, $conn) . '")';
    $result = mysql_query($query, $conn) or die(mysql_error($conn));

[PFMaBiSmAd]

You would need to do a test by SELECT'ing both the value from the password column and what PASSWORD('".$pass."') MD5('dido') returns and see if they are the same.

[zoran]

I could select the value from the password column by typing this:

dbConnect();

 

$sql=mysql_query("select password from users where userID='11' ");

$result = mysql_fetch_assoc($sql);

echo $result['password'];

 

But I do not understand how to use a return to see what MD5('dido') puts into the database,

so I can check it if they are the same.

[DavidAM]

You could add it to the select:

$sql=mysql_query("select password, md5('dido') AS testpwd from users where userID='11' ");
$result = mysql_fetch_assoc($sql);
echo $result['password'] . '=?=' . $result['testpwd'];

If they don't matchup, you may want to check the datatype/length of the column in the table; did you use CHAR or VARCHAR?

[zoran]

I got this:

6b9cfb08bdab57dea1af68c60ed19c=?=6b9cfb08bdab57dea1af68c60ed19c61

 

so there is a match, but I can not login.

I used Varchar in the password column.

[Alex]

I got this:

6b9cfb08bdab57dea1af68c60ed19c=?=6b9cfb08bdab57dea1af68c60ed19c61

 

so there is a match, but I can not login.

I used Varchar in the password column.

That's not a match.

[zoran]

sorry , there is not a match. I'll have another look at the Varchar length.

[zoran]

sorry, I'll have another look at the Varchar lenght

[zoran]

sorry, I'll have another look at the Varchar lenght

[zoran]

I have changed Varchar length in my password column from varchar(30) to varchar(90), and when I did the test again , got the same diference in values:

 

6b9cfb08bdab57dea1af68c60ed19c=?=6b9cfb08bdab57dea1af68c60ed19c61

[DavidAM]

You will have to re-INSERT the row into the database.  The value as truncated when you originally created it.

[zoran]

No, it is working now varchar(90) solved it. Thanks all