MD5 Encryption not working on login page

[jwhillster]

I have inhereted a little problem, and can't seem to find an easy answer anywhere. The registration page from the site in question employs MD5 on the password without a hitch, but the login page does not want to work?

 

Neither the original password or the encrypted version will result in successful login (i tried the encrypted version to see if maybe encryption was not happening to the login password). Anyway, hopefully someone can see what the problem is, or I'm going to have to bite the bullet and recode it. Thanks in advance!!!

 

<?php require_once('Connections/vprRegistration.php'); ?>
<?php 
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['txtUsername'])) {
  $loginUsername=$_POST['txtUsername'];
  $password=strip_tags(substr($_POST['txtPassword'],0,32));
  $cleanpw = crypt(md5($pw));
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "account_manage.php";
  $MM_redirectLoginFailed = "login.php?failed=true";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_vprRegistration, $vprRegistration);
  
  $LoginRS__query=sprintf("SELECT RegUsername, RegPassword FROM registration WHERE RegUsername=%s AND RegPassword='". mysql_real_escape_string($cleanpw)."'",
    GetSQLValueString($_POST['txtUsername'], "text"),
GetSQLValueString($_POST['txtPassword'], "text"));
   
  $LoginRS = mysql_query($LoginRS__query, $vprRegistration) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

 

 

[jwhillster]

line 42 should be:

 

$cleanpw = crypt(md5($password));

 

not:

 

$cleanpw = crypt(md5($pw));

 

still not working though.

[shino]

Have you tried md5 without the crypt?

An easy way would be to pick a password say: test, do md5('test'); then compare that result with the one from your code in your login sequence and see if it's identical, that way you can spot your problem.

[jwhillster]

Brilliant! Works fine with 'crypt' removed from both the registration page and this login page. Not 100% sure why right now, but I'm sure I'll figure it out.