mysql_query failing

[ntroycondo]

My query keeps failing with echo "<b>username and password did not match</b>";.

I know I am using good login info.

And i added echo "$name $pass <p>"; into code so i know it is passing variables fine.

 

<?php

# removed the user_pass

if(isset($_POST['Submit'])){

//Define post fields into simple variables

$name = $_POST['user_name'];

$pass = $_POST['password_1'];

$pass = md5($pass);

$query = "SELECT * FROM userauth WHERE user_name = '$name' AND password_1 = '$pass'";

echo "$name $pass <p>"; #to test that data is being passed

$result = mysql_query($query); // Run the query.

if ($result) { // If it ran OK, display the records.

// Fetch and print all the records.

$row = mysql_fetch_array($result,MYSQL_NUM);

if($row){ // SUCCESSFUL MATCH OF USER NAME

header("Location: http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])."/"."secure.php");

mysql_free_result ($result); // Free up the resources.

exit();

}else{

echo "<b>username and password did not match</b>";

unset($_POST['Submit']);

include('form.php');

}

} else { // If it did not run OK.

echo '<p>The login result could not be displayed due to a system error. We apologize for any inconvenience.</p><p>' . mysql_error() . '</p>';

}

mysql_close(); // Close the database connection.

}else{  // THE BIG IF ELSE STATEMENT FOR THE FORM

include('form.php');

}

?>

[PFMaBiSmAd]

So, your query is failing to match any row in your database table. Have you checked directly in your table to see if there is a row that has the user_name and password_1 values you are entering?

 

Any chance your password_1 values are MD5() hashes of the actual passwords?

[ntroycondo]

Yeah, I think it has to be failing somewhere in $row = mysql_fetch_array... or maybe with md5?

Yes, passwords are hash values. In my code I can change the variables to password_2 (which aren't hashes) and it still fails even though I can echo them out to verify what they are passing what matches the table rows in phpmyadmin.

[sspoke]

$query = "SELECT * FROM userauth WHERE user_name = '$name' AND password_1 = '$pass'";

 

is that a horrible SQL structure or that the problem

[PFMaBiSmAd]

Check the length of your password_1 field in your table. It is probably not long enough to hold an md5() value.

 

It also sounds like you might have stored the raw password in your database as well. For a real application, you would not want to do that since it gives anyone who gets access to or dumps your database table (through sql injection for example) direct access to the raw passwords.

[ntroycondo]

You're correct, the password_2 is raw password, this isn't a production application. I did make the field larger for password_1, but since my query is failing with use of password_2, too small a field can't be the issue. It must not be matching up the correct rows with use of $row = mysql_fetch_array($result,MYSQL_NUM);????

[sspoke]

your problem is one of those very simple php errors most people can solve in a split second if you actually took your time to make your post include as much information as possible.

 

Most importantly a row from userauth so we can see how it looks and maybe structure.. or just a myphpadmin dump to make it easier for you and everyone else.

[siva.katir]

If your passwords are raw have you gone into phpmyadmin, or something else, and made sure what's in the db is actually what you're passing in via the form? Or have the results print_r out and see what's actually being returned, if anything.

[ntroycondo]

Re: sspoke, good point. thanks:

 

Here's my 'testing' user row in the table.

 

(`ID`, `first_name`, `last_name`, `user_name`, `password_1`, `password_2`, `pass_hint`, `email_address`

(5, 'test', 'test', 'test', '098f6bcd4621d373cade4e832627b4', 'test', 'test', 'test@test.test', '2010-05-31 09:49:29'),

[sspoke]

well that narrows it down to just one line

 

if($row){ // SUCCESSFUL MATCH OF USER NAME

 

assuming $row is a array of data..

 

so I guess it should be true right?? but you can always do

 

if(isset($row)) {

 

to be sure i dont know.. your problem isn't as simple as it looks.

 

maybe variable $row is reserved for something else? dunno doubt it but whatever i give up

 

I'm stumped! haha 

[ntroycondo]

Switching to if(isset($row)) {

has opposite affect. using any known bad or good username/password is true and logs in.

 

[sspoke]

do

 

print_r($row);

 

above if($row)

whats in it?

 

it's obviously not empty

 

what does print_r($row) look for both valid and invalid logins whats the difference? then you can find a good conditional statement to check for login/fail

 

 

But your login code is so simple why make it so complicated just use

$num_rows = mysql_num_rows($result);

 

if 0 rows returned then obviously bad login otherwise good login.. don't need to use fetch_array

[siva.katir]

Switching to if(isset($row)) {

has opposite affect. using any known bad or good username/password is true and logs in.

 

You should use a more thorough check then either isset or if. If you can check the value returned as the username against the input AND check to make sure the input isn't blank, such as:

 

if($row['user_name'] == $_POST['username'] AND $row['user_name'] != ""){

 

this stops the false positive of logging in with no name.

[sspoke]

Switching to if(isset($row)) {

has opposite affect. using any known bad or good username/password is true and logs in.

 

You should use a more thorough check then either isset or if. If you can check the value returned as the username against the input AND check to make sure the input isn't blank, such as:

 

if($row['user_name'] == $_POST['username'] AND $row['user_name'] != ""){

 

this stops the false positive of logging in with no name.

 

yes or just use

 

$num_rows = mysql_num_rows($result);

 

 

LOL

[ntroycondo]

print_r($row); doesn't print anything.

 

so obviously something wrong with $row = mysql_fetch_array($result,MYSQL_NUM);

 

switched with $num_rows = mysql_num_rows($result); but no difference, i'm cleary not reading the php correctly.

 

appreciate the comments and thoughts.

 

code is now:

 

$result = mysql_query($query); // Run the query.

if ($result){ // If it ran OK, display the records.

  echo "<p>You got a result</p>";

// Fetch and print all the records.

#$row = mysql_fetch_array($result,MYSQL_NUM);

# print_r($row);

$num_rows = mysql_num_rows($result);

 

if($num_row){ // tried with  $row too          SUCCESSFUL MATCH OF USER NAME

header("Location: http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])."/"."secure.php");

mysql_free_result ($result); // Free up the resources.

exit();

}else{

echo "<b>username and password did not match</b>";

[sspoke]

$num_rows returns a number though, then again true = 1 right? so stumpted again 

 

Then again you have it as $num_row  not $num_rows

 

 

so successful login would be

if($num_rows == 1) {

 

but to be safe in case 2 users with same username and password matches up (could happen) who knows? haha try

 

if($num_rows > 0) {

 

[PFMaBiSmAd]

As already stated, one of the most likely causes is that your field is not long enough to hold an md5 value -

 

098f6bcd4621d373cade4e832627b4

 

That's only 30 characters. MD5() values are 32 characters.

 

You must not have looked at the value you were putting into the query and the actual value in your table to see if they were they matched.

 

If you increased the length of your field, did you re-populate the value(s) with the full and correct md5() value(s)?

[ntroycondo]

RE:sspoke

Yes, i omitted the s in num_rows...

fixed and edited to if($num_rows == 1)  but no difference.

 

RE:PFMaBiSmAd

I changed value to 40. Registered a new user and tested username and password but still fails.

[sspoke]

lol dang that was overlooked seemed like 32 characters if you eyeball it

 

well try changing it to just 32 characters maybe it adds some invisible padding (just guessing).

 

What he ment is..

in your sql table

 

098f6bcd4621d373cade4e832627b4

 

for user test its missing 2 numbers you must of typed it into SQL wrong.

 

 

Hows your registering code work?

[PFMaBiSmAd]

Have you echo'ed $query to see exactly what is in it?

 

Your original code looks correct, but is not matching the data in your table.

[ntroycondo]

I did change the structure in phpmyadmin to var=40 from 30.

Registered new user, confirm in phpmyadmin that there are 2 additional characters but that login still fails.

[ntroycondo]

added echo "$query"; and get expected results:

SELECT * FROM userauth WHERE user_name = 'blue' AND password_2 = 'd41d8cd98f00b204e9800998ecf8427e'

 

 

[sspoke]

yah seems like we are out of ideas then.. why u change it back to 30? keep it at 32

 

other then that yeah then that did you try

 

  $pass = $_POST['password_1'];

echo "PASSWORD BEFORE MD5 = ".$pass;

  $pass = md5($pass);

echo "MD5 PASSWORD = ".$pass;

 

now check MD5 Password letter by letter in myphpadmin see if it all there.

 

maybe the $_POST['password_1'] is wrong before it gets encoded with MD5? that could be the only last thing wrong with it.

 

Also try running that echo'd query in myphpadmin see if it finds anything.

 

Actually maybe you forgot mysql_select_db and it's looking in the wrong database?

[PFMaBiSmAd]

According to the information you posted in Reply #8, password_1 is the md5() value, not password_2. Why do your have password_2 in the query you just posted.

[ntroycondo]

Good catch. Password_2 was from earlier testing. Switched variable and query both back to password_1. No difference.

 

The hash in phpmyadmin is:

48d6215903dff56238e52e8891380c8f

 

The hashed echo in browser is same:

48d6215903dff56238e52e8891380c8f