Jump to content

Recommended Posts

How do you know it isn't working? Echo the two values to the page and I bet they are not the same.

 

I have echoed out the variable, and it doesn't MD5. It basically just keeps the password the same as it was from $_POST['password'] - All passwords in the database are MD5'ed - So thats why I'm trying to MD5 password, then check if they  are equal.

 

@thorpe,

 

My post basically states why wont $password change to MD5.

Link to comment
https://forums.phpfreaks.com/topic/209727-wont-md5/#findComment-1094837
Share on other sites

Justin L H, no one here is standing right beside you. When you don't post what you see (including showing any debugging output, such as echoing the values on both sides of a comparison that does not seem to be working) when you execute your code on your server, no one can help you.

Link to comment
https://forums.phpfreaks.com/topic/209727-wont-md5/#findComment-1094848
Share on other sites

What else would it mean?

 

Code to login:

<?php

include("includes/mysql.php");
include("includes/config.php");

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<link href="style.css" rel="stylesheet" type="text/css" />
<title><?php echo $title; ?></title>
</head>

<body>
<div id="container">
<div id="content">
	<div id="left">
		<div class="menu">
			<div class="menuheader"><h3>Menu</h3></div>
			<?php include("includes/navigation.php"); ?>
			<div class="menufooter"></div>
		</div>
		<?php include("includes/menu.php"); ?>
	</div>

	<?php

	$username = $_POST['username'];
	$password = $_POST['password'];

	$username = mysql_real_escape_string($username);
	$password = mysql_real_escape_string($password);

	if(!$password || !$username)
	{

		echo
		'
		<div id="middle">
			<div class="post">
				<div class="postheader"><h1>Login</h1></div>
				<div class="postcontent">
					<center><p><form action="login.php" method="POST">
					<table border="0">
					<tr><th>Username:</th> <td><input type="text" name="username"><br/></td></tr>
					<tr><th>Password:</th> <td><input type="password" name="password"></td></tr>
					<br/><input type="submit" value="Login">
					</table></form></p></center>
				</div>
				<div class="postfooter"></div>
			</div>
			</div>
		';

	}
	else
	{
	 $query = mysql_query("SELECT COUNT(username),password FROM users WHERE username='$username'");
	 $check = mysql_fetch_assoc($query);

	 $db_password = $check['password'];

	 if(strlen($username) > 20)
	 {

		echo
		'
		<div id="middle">
			<div class="post">
				<div class="postheader"><h1>Error</h1></div>
				<div class="postcontent">
					<p>Sorry, the username can NOT be greater than 20 characters long. Please go back by pressing the back button on your browser.</p>
				</div>
				<div class="postfooter"></div>
			</div>
			</div>
		';
	 }
	 elseif(strlen($password) > 20)
	 {
		echo
		'
		<div id="middle">
			<div class="post">
				<div class="postheader"><h1>Error</h1></div>
				<div class="postcontent">
				 <p>Sorry, the password can NOT be greater than 20 characters long. Please go back by pressing the back button on your browser.</p>
				</div>
				<div class="postfooter"></div>
			</div>
			</div>
		';
	 }
	 elseif($check['COUNT(username)'] < 1)
	 {
		echo
		'
		<div id="middle">
			<div class="post">
				<div class="postheader"><h1>Error</h1></div>
				<div class="postcontent">
				 <p>No account exists with this username. Please go back.</p>
				</div>
				<div class="postfooter"></div>
			</div>
			</div>
		';
	 }
	 elseif($db_password==md5($password))
	 {
		echo
		'
		<div id="middle">
			<div class="post">
				<div class="postheader"><h1>Login Successful</h1></div>
				<div class="postcontent">
				 <p>You have successfully logged in! Return home.</p>
				</div>
				<div class="postfooter"></div>
			</div>
			</div>
		';
		$_SESSION['user']=$username;
	 }
	 else
	 {
			echo
			'
			<div id="middle">
				<div class="post">
					<div class="postheader"><h1>Error</h1></div>
					<div class="postcontent">
					 <p>The password you have enetered in is incorrect. Please go back. '. $db_password .' '. $password .'</p>
					</div>
					<div class="postfooter"></div>
				</div>
				</div>
			';
	 }
	}
	?>

	</div>
</div>
</body>
</html>

 

Where to test: http://coolscripts.webatu.com/login.php

 

Account details

 

Username: Justin

Password: doesn't matter

Link to comment
https://forums.phpfreaks.com/topic/209727-wont-md5/#findComment-1094850
Share on other sites

Justin L H, no one here is standing right beside you. When you don't post what you see (including showing any debugging output, such as echoing the values on both sides of a comparison that does not seem to be working) when you execute your code on your server, no one can help you.

 

If you all just ASK, I'd be happy to post my code. At first I thought it was just a probably with my if statement, so I didn't bother posting any other part of the code.

Link to comment
https://forums.phpfreaks.com/topic/209727-wont-md5/#findComment-1094851
Share on other sites

If you all just ASK, I'd be happy to post my code. At first I thought it was just a probably with my if statement, so I didn't bother posting any other part of the code.

 

Your the one meant to be describing your problems. Post too many stupid threads and people will simply ignore them after a while.

Link to comment
https://forums.phpfreaks.com/topic/209727-wont-md5/#findComment-1094853
Share on other sites

Well, I just state that there is a lot of unnecessary validation logic in that code. Since you are trying to validate against a record that supposedly exists in the database, there is no reason to check if the username and/or password are greater than a specific length. You only need to check if there is a match in the database.

 

Plus, your query is getting the record where the username matches and THEN seeing if the password matches the record that is retrieved. A more efficient method is to simply do a query for a record where the username AND the password match. Giving different errors based upon whether the username doesn't match or if the password doesn't match. Doing so gives a malicious user information needed to crack into your system

Link to comment
https://forums.phpfreaks.com/topic/209727-wont-md5/#findComment-1094854
Share on other sites

If you all just ASK, I'd be happy to post my code. At first I thought it was just a probably with my if statement, so I didn't bother posting any other part of the code.

 

Your the one meant to be describing your problems. Post too many stupid threads and people will simply ignore them after a while.

 

Thank you mjdamato, I'll try that out.

 

Edit: Still didn't fix the MD5 problem. ;) - Is it the incorrect way to MD5 with my first post? And why is it wrong to check the lengths of their input?

Link to comment
https://forums.phpfreaks.com/topic/209727-wont-md5/#findComment-1094855
Share on other sites

And why is it wrong to check the lengths of their input?

As thorpe stated, you would do that at registration. The whole point of having authentication is to prevent unauthorized access. That implies that there would be users that want to access the data who should not. So, you should not give them any information that would help infiltrate the system.

 

With the previous logic I could find out: 1) valid length of a username, 2) valid length of a password. Plus, I could find a valid username through trial and error. By just telling the user that you were unable to authenticate their credentials you give them no information about what may have been incorrect.

Link to comment
https://forums.phpfreaks.com/topic/209727-wont-md5/#findComment-1094864
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.