Wont MD5?

[3raser]

Why isn't this working?

 

elseif($db_password==md5($password))

[trq]

Define "isn't working", were not mind readers.

[Psycho]

How do you know it isn't working? Echo the two values to the page and I bet they are not the same.

[3raser]

How do you know it isn't working? Echo the two values to the page and I bet they are not the same.

 

I have echoed out the variable, and it doesn't MD5. It basically just keeps the password the same as it was from $_POST['password'] - All passwords in the database are MD5'ed - So thats why I'm trying to MD5 password, then check if they  are equal.

 

@thorpe,

 

My post basically states why wont $password change to MD5.

[trq]

My post basically states why wont $password change to MD5.

 

No it doesn't. Read it, we are NOT mind readers.

 

I have echoed out the variable, and it doesn't MD5.

 

Show us the code where you have tested this.

[Pikachu2000]

Post the code you used to echo everything.

[awjudd]

== is NOT an assignment.  Therefore if you are trying to assign the value you are going about it the wrong way ... especially since it is in an if statement ...

 

~juddster

[PFMaBiSmAd]

Justin L H, no one here is standing right beside you. When you don't post what you see (including showing any debugging output, such as echoing the values on both sides of a comparison that does not seem to be working) when you execute your code on your server, no one can help you.

[3raser]

What else would it mean?

 

Code to login:

<?php

include("includes/mysql.php");
include("includes/config.php");

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<link href="style.css" rel="stylesheet" type="text/css" />
<title><?php echo $title; ?></title>
</head>

<body>
<div id="container">
<div id="content">
	<div id="left">
		<div class="menu">
			<div class="menuheader"><h3>Menu</h3></div>
			<?php include("includes/navigation.php"); ?>
			<div class="menufooter"></div>
		</div>
		<?php include("includes/menu.php"); ?>
	</div>

	<?php

	$username = $_POST['username'];
	$password = $_POST['password'];

	$username = mysql_real_escape_string($username);
	$password = mysql_real_escape_string($password);

	if(!$password || !$username)
	{

		echo
		'
		<div id="middle">
			<div class="post">
				<div class="postheader"><h1>Login</h1></div>
				<div class="postcontent">
					<center><p><form action="login.php" method="POST">
					<table border="0">
					<tr><th>Username:</th> <td><input type="text" name="username"><br/></td></tr>
					<tr><th>Password:</th> <td><input type="password" name="password"></td></tr>
					<br/><input type="submit" value="Login">
					</table></form></p></center>
				</div>
				<div class="postfooter"></div>
			</div>
			</div>
		';

	}
	else
	{
	 $query = mysql_query("SELECT COUNT(username),password FROM users WHERE username='$username'");
	 $check = mysql_fetch_assoc($query);

	 $db_password = $check['password'];

	 if(strlen($username) > 20)
	 {

		echo
		'
		<div id="middle">
			<div class="post">
				<div class="postheader"><h1>Error</h1></div>
				<div class="postcontent">
					<p>Sorry, the username can NOT be greater than 20 characters long. Please go back by pressing the back button on your browser.</p>
				</div>
				<div class="postfooter"></div>
			</div>
			</div>
		';
	 }
	 elseif(strlen($password) > 20)
	 {
		echo
		'
		<div id="middle">
			<div class="post">
				<div class="postheader"><h1>Error</h1></div>
				<div class="postcontent">
				 <p>Sorry, the password can NOT be greater than 20 characters long. Please go back by pressing the back button on your browser.</p>
				</div>
				<div class="postfooter"></div>
			</div>
			</div>
		';
	 }
	 elseif($check['COUNT(username)'] < 1)
	 {
		echo
		'
		<div id="middle">
			<div class="post">
				<div class="postheader"><h1>Error</h1></div>
				<div class="postcontent">
				 <p>No account exists with this username. Please go back.</p>
				</div>
				<div class="postfooter"></div>
			</div>
			</div>
		';
	 }
	 elseif($db_password==md5($password))
	 {
		echo
		'
		<div id="middle">
			<div class="post">
				<div class="postheader"><h1>Login Successful</h1></div>
				<div class="postcontent">
				 <p>You have successfully logged in! Return home.</p>
				</div>
				<div class="postfooter"></div>
			</div>
			</div>
		';
		$_SESSION['user']=$username;
	 }
	 else
	 {
			echo
			'
			<div id="middle">
				<div class="post">
					<div class="postheader"><h1>Error</h1></div>
					<div class="postcontent">
					 <p>The password you have enetered in is incorrect. Please go back. '. $db_password .' '. $password .'</p>
					</div>
					<div class="postfooter"></div>
				</div>
				</div>
			';
	 }
	}
	?>

	</div>
</div>
</body>
</html>

 

Where to test: http://coolscripts.webatu.com/login.php

 

Account details

 

Username: Justin

Password: doesn't matter

[3raser]

Justin L H, no one here is standing right beside you. When you don't post what you see (including showing any debugging output, such as echoing the values on both sides of a comparison that does not seem to be working) when you execute your code on your server, no one can help you.

 

If you all just ASK, I'd be happy to post my code. At first I thought it was just a probably with my if statement, so I didn't bother posting any other part of the code.

[trq]

If you all just ASK, I'd be happy to post my code. At first I thought it was just a probably with my if statement, so I didn't bother posting any other part of the code.

 

Your the one meant to be describing your problems. Post too many stupid threads and people will simply ignore them after a while.

[Psycho]

Well, I just state that there is a lot of unnecessary validation logic in that code. Since you are trying to validate against a record that supposedly exists in the database, there is no reason to check if the username and/or password are greater than a specific length. You only need to check if there is a match in the database.

 

Plus, your query is getting the record where the username matches and THEN seeing if the password matches the record that is retrieved. A more efficient method is to simply do a query for a record where the username AND the password match. Giving different errors based upon whether the username doesn't match or if the password doesn't match. Doing so gives a malicious user information needed to crack into your system

[3raser]

If you all just ASK, I'd be happy to post my code. At first I thought it was just a probably with my if statement, so I didn't bother posting any other part of the code.

 

Your the one meant to be describing your problems. Post too many stupid threads and people will simply ignore them after a while.

 

Thank you mjdamato, I'll try that out.

 

Edit: Still didn't fix the MD5 problem. - Is it the incorrect way to MD5 with my first post? And why is it wrong to check the lengths of their input?

[trq]

why is it wrong to check the lengths of their input?

 

Why do you need to ? That should have been checked at registration. All you need do now is validate and login the user.

[Psycho]

And why is it wrong to check the lengths of their input?

As thorpe stated, you would do that at registration. The whole point of having authentication is to prevent unauthorized access. That implies that there would be users that want to access the data who should not. So, you should not give them any information that would help infiltrate the system.

 

With the previous logic I could find out: 1) valid length of a username, 2) valid length of a password. Plus, I could find a valid username through trial and error. By just telling the user that you were unable to authenticate their credentials you give them no information about what may have been incorrect.