smileyrva Posted September 3, 2010

It's been quite a while since I've done anything PHP related, but I decided to help a buddy with a website so he can sell his clothing company products online. I found a simple, pre-made shopping cart script that seems to run fine. EXCEPT... the admin login. For some reason I keep getting returned to the same page, with the same error (pass and user didn't match). I know for sure that they do, therefore I am absolutely stumped. I have compared this code with books I have and can't seem to fix it. Can anyone help??

```php
function doLogin()
{
    // if we found an error save the error message in this variable
    $errorMessage = '';

    $userName = $_POST['txtUserName'];
    $password = $_POST['txtPassword'];

    // first, make sure the username & password are not empty
    if ($userName == '') {
        $errorMessage = 'You must enter your username';
    } else if ($password == '') {
        $errorMessage = 'You must enter the password';
    } else {
        // check the database and see if the username and
        // password combo do match
        $sql = "SELECT user_id
                FROM tbl_user
                WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";
        $result = dbQuery($sql);

        if (dbNumRows($result) == 1) {
            $row = dbFetchAssoc($result);
            $_SESSION['plaincart_user_id'] = $row['user_id'];

            // log the time when the user last login
            $sql = "UPDATE tbl_user
                    SET user_last_login = NOW()
                    WHERE user_id = '{$row['user_id']}'";
            dbQuery($sql);

            // now that the user is verified we move on to the next page
            // if the user had been in the admin pages before we move to
            // the last page visited
            if (isset($_SESSION['login_return_url'])) {
                header('Location: ' . $_SESSION['login_return_url']);
                exit;
            } else {
                header('Location: index.php');
                exit;
            }
        } else {
            $errorMessage = 'Wrong username or password';
        }
    }

    return $errorMessage;
}
```
petroz Posted September 3, 2010

Try running your query through some kind of MySQL interface to make sure you're actually getting one user...

```php
$sql = "SELECT user_id FROM tbl_user WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";
```
smileyrva Posted September 3, 2010 (Author)

At the moment, there is only 1 user in the DB.
smileyrva Posted September 3, 2010 (Author)

I actually think what is happening is it's not setting a session variable. It checks for a session ID but for some reason it's not being set... Here is my checkUser function.

```php
function checkUser()
{
    if (!isset($_SESSION['plaincart_user_id'])) {
        header('Location: ' . WEB_ROOT . 'admin/login.php');
        // stop here so the rest of the admin page is not executed
        // for a visitor who is not logged in
        exit;
    }

    if (isset($_GET['logout'])) {
        doLogout();
    }
}
```
PradeepKr Posted September 3, 2010

You should note that the password is decided by the MySQL function PASSWORD() in your SQL. So, try checking the real password in your table "user" for the password you are entering.

```sql
SELECT PASSWORD('mypass');
```

Note: if you are entering the password as 'mypass' it would be converted to a long string and stored in the table.
smileyrva Posted September 3, 2010 (Author)

The password does get stored as a bunch of numbers. Does this mean that's my new password? I've tried using that string of numbers to log in and that doesn't work either. Is there a possible way around it without using the PASSWORD() query?
PradeepKr Posted September 3, 2010

1. Go to phpMyAdmin or the MySQL command line.
2. Run this:

```sql
UPDATE tbl_user SET user_password = PASSWORD('test') WHERE user_name = 'your_user_name';
```

3. If the query is successful, try running your PHP from the browser with the password "test".
smileyrva Posted September 3, 2010 (Author)

Just gave it a shot. The MySQL query worked, but the password was just generated into another group of random numbers. I tried running the script with password "test." That also didn't work.
wildteen88 Posted September 3, 2010

> Just gave it a shot. The MySQL query worked, but the password was just generated into another group of random numbers.

That's because PASSWORD() encrypts the password you give it. As you are encrypting your passwords when you insert them into your database, you will need to compare the user's password in its encrypted form.
smileyrva Posted September 3, 2010 (Author)

So if I were to just take out the PASSWORD() tags and change the settings in my DB it should work? I'm going to give it a shot with

```php
$sql = "SELECT user_id FROM tbl_user WHERE user_name = '$userName' AND user_password = '$password'";
```
wildteen88 Posted September 3, 2010

How are you storing the passwords within your table? Are they in plain text (e.g. the password is 'test') or are they encrypted (e.g. *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29 - the result of 'test' being passed to PASSWORD())?

If they are encrypted then you need to compare the entered password in its encrypted form. You cannot compare a plain text password with an encrypted password.
petroz Posted September 3, 2010

Like we have all already asked... please run your query in MySQL / phpMyAdmin... or however you choose to run the query... We need to see if the result is returning any rows or not. Post your results... please

```php
$sql = "SELECT user_id FROM tbl_user WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";
```
smileyrva Posted September 3, 2010 (Author)

It's working now. I didn't need to encrypt the password in the first place so I got rid of that. I was not familiar with the PASSWORD() function and got confused with it. Thanks for your help.
wildteen88 Posted September 3, 2010

If you are dealing with passwords you should be encrypting them. You should either use MD5() or SHA1().
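
Added example, not part of the thread: the lookup from the first post done with a bound parameter and PHP's password_hash()/password_verify(), so the password is neither stored in plain text nor run through MySQL's PASSWORD() (removed in MySQL 8.0) or a bare unsalted MD5()/SHA1(). Table and column names follow the thread; the in-memory SQLite database, the function names createDemoDb() and verifyLogin(), and the sample account are constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Table/column names follow the thread;
// the SQLite in-memory database and the sample account are constructed.

function createDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE tbl_user (
        user_id         INTEGER PRIMARY KEY,
        user_name       TEXT UNIQUE NOT NULL,
        user_password   TEXT NOT NULL,
        user_last_login TEXT
    )');
    // Store a salted, deliberately slow hash computed in PHP.
    $stmt = $pdo->prepare('INSERT INTO tbl_user (user_name, user_password) VALUES (?, ?)');
    $stmt->execute(['admin', password_hash('test', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the matching user_id, or null when the login fails for any reason.
function verifyLogin(PDO $pdo, string $userName, string $password): ?int
{
    // Look the row up by name only; user input is bound, never
    // concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT user_id, user_password FROM tbl_user WHERE user_name = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() re-hashes the input with the salt embedded in the
    // stored value and compares the result in constant time.
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return null;
    }

    $upd = $pdo->prepare("UPDATE tbl_user SET user_last_login = datetime('now') WHERE user_id = ?");
    $upd->execute([$row['user_id']]);
    return (int) $row['user_id'];
}

$pdo = createDemoDb();
var_dump(verifyLogin($pdo, 'admin', 'test'));         // correct password
var_dump(verifyLogin($pdo, 'admin', 'wrong'));        // wrong password
var_dump(verifyLogin($pdo, "admin' --", 'anything')); // quote is bound as data, not SQL
```

In the real login handler, call session_regenerate_id(true) before setting $_SESSION['plaincart_user_id'] on a successful login.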