bugzy Posted April 4, 2012 Share Posted April 4, 2012 I have this code on my registration form for password $password = $arVals['password']; $arVals['password'] = "'".md5($arVals['password'])."'"; $query = "INSERT INTO tbl_user (fname, lname, email, phone, city, status, province, password) " ."VALUES (".$arVals['fname'].", ".$arVals['lname'].", ".$arVals['email'].", ".$arVals['phone'].", ".$arVals['city'] .", ".$arVals['status'].", ".$arVals['province'].", ".$arVals['password'].")"; and a validation on the login process page using strcmp $user_id = $_POST['user_id']; $password = $_POST['password']; if ($row = mysql_fetch_assoc($result)) { // echo $row['sPassword'] . "<br>" . md5($passwd); if (strcmp($row['password'], md5($password)) != 0) { header("Location: ./login_page.php?flg=red&user_id=".$user_id); exit; } seemed like it's not working as it keeps redirecting me always and telling me that the password didn't match? I wonder what the problem is.... Quote Link to comment Share on other sites More sharing options...
trq Posted April 4, 2012 Share Posted April 4, 2012 You should do your comparisons in your query, not in PHP. Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 4, 2012 Author Share Posted April 4, 2012 You should do your comparisons in your query, not in PHP. Oh ok..so it will not work using that code? not really good in sql and just starting php.. can you give me a little sample on how to do it? Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 4, 2012 Author Share Posted April 4, 2012 Ok guys I tried to echo both row['password'] from the database and my variable $password I got these two ['password'] = ea21fadd7366b3f94242 $password = 5380a7ced0e3f1a2b36b600b3a7f4e09 I'm not sure about how md5 works but is it supposed to be the same? anyone? Quote Link to comment Share on other sites More sharing options...
kicken Posted April 4, 2012 Share Posted April 4, 2012 So long as your using the same input then yes you will get the same hash as a return. If you have different hash values then you have different inputs and you need to debug why that is. var_dump() the values just before your md5 call in both places to ensure they are the same. Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 4, 2012 Author Share Posted April 4, 2012 So long as your using the same input then yes you will get the same hash as a return. If you have different hash values then you have different inputs and you need to debug why that is. var_dump() the values just before your md5 call in both places to ensure they are the same. kicken, the "['password'] = ea21fadd7366b3f94242" is coming from the database which is already md5 is there any other way I could see if both value are the same? I'm still having problem on this. I tried echoing out all the columns and it's correct, seemed like there's a problem on md5 Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted April 4, 2012 Share Posted April 4, 2012 You have at least two problems - 1) Your database column is not large enough to hold a md5 value. Its 32 characters. 2) The password value in the php code isn't what you expect (it's likely empty), because the same portion of the two md5 values that are present would be the same. Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 4, 2012 Author Share Posted April 4, 2012 You have at least two problems - 1) Your database column is not large enough to hold a md5 value. Its 32 characters. 2) The password value in the php code isn't what you expect (it's likely empty), because the same portion of the two md5 values that are present would be the same. Hello! Thanks for your response 1. I have already change it to 33 chars in the database column password, registered a new user and try logging in but it's still the same but now when I'm echoing it out it has the same no. of chars already ['password'] = ea21fadd7366b3f94242f462f86459d9 $password = 5380a7ced0e3f1a2b36b600b3a7f4e09 but still different? 2. I have tried to echo the password value in php using var_dump and it has a correct value. what do you think? Quote Link to comment Share on other sites More sharing options...
batwimp Posted April 4, 2012 Share Posted April 4, 2012 Is your code short enough that you could post the entire thing here? Or at least all of the relevant code, including your SELECTs and everything associated with the login process. Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 4, 2012 Author Share Posted April 4, 2012 Is your code short enough that you could post the entire thing here? Or at least all of the relevant code, including your SELECTs and everything associated with the login process. Login Page Code <?php header("Expires: Thu, 17 May 2001 10:17:17 GMT"); // Date in the past header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified header ("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 header ("Pragma: no-cache"); // HTTP/1.0 session_start(); //Below means if session database server crdentials is not set, require to use/set that connection then if (!isset($_SESSION['SESSION'])) require ( "../db_connection.php"); if($_SESSION['LOGGEDIN'] == TRUE) { header("Location: account.php"); exit; } $_SESSION['FORM_SUBMITTED'] = ""; $CRLF = chr(13).chr(10); $user_id = ""; if (isset($HTTP_GET_VARS["user_id"])) $user_id = $HTTP_GET_VARS["user_id"]; if ($user_id == '') { if (isset($_SESSION['user_id'])) $user_id = $_SESSION['user_id']; } //Validations $flg = ""; $error = ""; if (isset($HTTP_GET_VARS["flg"])) $flg = $HTTP_GET_VARS["flg"]; switch ($flg) { case "yellow": $error = "<font class=\"txt_main_str12_mar\"><BR>Your Account Has Not Been Verified.<BR>Check your email for Activation Instructions.<br>Click <a href=\"/courses/forgot_login.php\">here</a> to have the activation email resent.</font>"; break; case "red": $error = "<font class=\"txt_main_str12_mar\"><BR>That userid/password combination is not in our database.<br>Please Try Again.</font>"; break; case "blue": $error = "<font class=\"txt_main_str12_mar\"><BR>Your Session has Expired.<br>Please Login Again.</font>"; break; default: $error = " <br>"; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Login Page</title> <script language="JavaScript"> <!-- function loadedPage() { } function submitForm() { if (isEmpty(document.forms[0].user_id.value)) { alert("Please enter your UserID."); bSubmit = false; return false; } if (isEmpty(document.forms[0].password.value)) { alert("Please enter your Password."); bSubmit = false; return false; } document.forms[0].submit(); } //--> </script> </head> <body><center><br /><br /> <form name="form1" method="post" id="form1" action="/php/sessions/login/login_processing.php"> <table> <tr> <td></td> <td><?php print $error ?></td> </tr> <tr> <td>User ID</td> <td><input type="text" name="user_id" id="user_id" value="<?php echo $user_id ?>" size="24" maxlength="30" /></td> </tr> <tr> <td>Password</td> <td><input type="password" name="password" id="password" size="24" maxlength="30" /></td> </tr> <tr> <td> </td> <td><input type="submit" name="Submit" value="Submit" onclick="submitForm();" /></td> </tr> </table> </form> </center> </body> </html> Login Processing Page Code <?php header("Expires: Thu, 17 May 2001 10:17:17 GMT"); // Date in the past header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified header ("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 header ("Pragma: no-cache"); // HTTP/1.0 session_start(); if (!isset($_SESSION['SESSION'])) require ( "../db_connection.php"); $_SESSION['user_id'] = $user_id; $_SESSION['password'] = $password; // form variables must have something in them... if ($user_id == "" || $password == "") { header("Location: ./login_page.php?flg=green&user_id=".$user_id); exit; } // check in database... $query = "SELECT * FROM tbl_user WHERE user_id = ".$user_id; //echo $query; mysql_pconnect($_SESSION['MYSQL_SERVER1'],$_SESSION['MYSQL_LOGIN1'],$_SESSION['MYSQL_PASS1']) or die("Unable to connect to SQL server"); mysql_select_db($_SESSION['MYSQL_DB1']) or die("Unable to select database"); $result = mysql_query($query) or die("Invalid query: " . mysql_error()); // if userid is not present in DB go back to login page... if (mysql_affected_rows() != 1) { header("Location: ./login_page.php?flg=blue&user_id=".$user_id);; exit; } // check for password, active state, user type, and then send to appropriate section... if ($row = mysql_fetch_assoc($result)) { if (strcmp($row['password'], md5($password)) != 0) { header("Location: ./login_page.php?flg=white&user_id=".$user_id); exit; } // set standard session variables... $_SESSION['user_id'] = $user_id; $_SESSION['LOGGEDIN'] = true; $_SESSION['FNAME'] = $row['fname']; $_SESSION['LNAME'] = $row['lname']; header("Location: ./account.php"); exit; } else { header("Location: ../login_page.php?flg=red&user_id=".$user_id); exit; } ?> Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted April 4, 2012 Share Posted April 4, 2012 SELECT queries don't set mysql_affected_rows (in most versions of php.) You need to use mysql_num_rows to determine if a SELECT query matched any rows. Your registration logic is likely doing something, such as using a 'salt' string before performing an md5 hash. Have you checked what the md5() value of your password should be so that you know which one of those values is correct? What does the following show - echo md5('your_actual_password_here'); Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 4, 2012 Author Share Posted April 4, 2012 SELECT queries don't set mysql_affected_rows (in most versions of php.) You need to use mysql_num_rows to determine if a SELECT query matched any rows. Your registration logic is likely doing something, such as using a 'salt' string before performing an md5 hash. Have you checked what the md5() value of your password should be so that you know which one of those values is correct? What does the following show - echo md5('your_actual_password_here'); Hello! I have no problem with mysql_affected_rows as it passes and validates if a user id is present on the database or not. My main problem is comparing the password from the database(md5) and the variable password that the use input on the login page. as for irregularities before it md5 on the password variable in the login page, like what I said, I have used var_dump in the login processing page and it correctly echoes out the password that I input in the login page.. what do you think is still the problem here? Quote Link to comment Share on other sites More sharing options...
batwimp Posted April 4, 2012 Share Posted April 4, 2012 On your login processing page: $_SESSION['user_id'] = $user_id; $_SESSION['password'] = $password; Where is it getting $user_id and $password from so they can be put into the session variables? Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 4, 2012 Author Share Posted April 4, 2012 On your login processing page: $_SESSION['user_id'] = $user_id; $_SESSION['password'] = $password; Where is it getting $user_id and $password from so they can be put into the session variables? Hello! It's from login page I started a session then it both came from a form <input type="text" name="user_id" id="user_id" value="<?php echo $user_id ?>" size="24" maxlength="30" /> <input type="password" name="password" id="password" size="24" maxlength="30" /> I have tried to echo it on login processing page and it both correctly displayed Quote Link to comment Share on other sites More sharing options...
batwimp Posted April 4, 2012 Share Posted April 4, 2012 Quick aside: Create a new php page and just put: <?php phpinfo(); ?> Run it. You should get a large table with lots of information. At the very top is the PHP version number. what is it? Also, down the page a bit, do a search for the term "register_globals" and tell us whether it is on or off. Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 4, 2012 Author Share Posted April 4, 2012 Quick aside: Create a new php page and just put: <?php phpinfo(); ?> Run it. You should get a large table with lots of information. At the very top is the PHP version number. what is it? Also, down the page a bit, do a search for the term "register_globals" and tell us whether it is on or off. PHP Version 5.3.0 register_globals On Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted April 5, 2012 Share Posted April 5, 2012 You need to turn register_globals OFF, ASAP. They were turned off by default in php4.2 in April of the year 2002 (10 years ago this month) because they let hackers set your session variables and a lot of web sites have been taken over. They have also been completely removed as of php5.4, so your current code that relies on them won't work at all under php5.4. You still have not determined which of the two md5 values (database table or login) is correct, which would pin down if your registration script that puts the value into the table is the problem or something in your login script - Your registration logic is likely doing something, such as using a 'salt' string before performing an md5 hash. Have you checked what the md5() value of your password should be so that you know which one of those values is correct? What does the following show - echo md5('your_actual_password_here'); And you do need to use the proper mysql_num_rows function in your script so that your script will work as intended under all versions of php. There were a few versions of php where someone, without any documentation, made mysql_affected_rows work the same as mysql_num_rows. AFAIK this has been undone and back to what the documentation states for those functions. Quote Link to comment Share on other sites More sharing options...
DavidAM Posted April 5, 2012 Share Posted April 5, 2012 You need to turn register_globals OFF, ASAP. They were turned off by default in php4.2 in April of the year 2002 (10 years ago this month) because they let hackers set your session variables and a lot of web sites have been taken over. They have also been completely removed as of php5.4, so your current code that relies on them won't work at all under php5.4. And they let you inadvertently set variables to something you don't want them set to. $_SESSION['user_id'] = $user_id; $_SESSION['password'] = $password; With register_globals ON, the first time you executed this statement, the password from the POST data was placed in the session. Every time after that, register_globals put the SESSION password value into $password (overwriting the POST value). So, regardless of what you type in the form, you are testing the same password value over and over (from the SESSION data). 1) Clear out your session -- delete the cookie and if you have access, delete the server file 2) Do NOT store the user's password in the session. Session files, especially on shared hosts, are typically stored in /tmp which is world readable. Note: You may have had the same problem on the page that registered the user. So, the value that was hashed and stored as the user's password may not have been what you think you set. Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 5, 2012 Author Share Posted April 5, 2012 You need to turn register_globals OFF, ASAP. They were turned off by default in php4.2 in April of the year 2002 (10 years ago this month) because they let hackers set your session variables and a lot of web sites have been taken over. They have also been completely removed as of php5.4, so your current code that relies on them won't work at all under php5.4. You still have not determined which of the two md5 values (database table or login) is correct, which would pin down if your registration script that puts the value into the table is the problem or something in your login script - Your registration logic is likely doing something, such as using a 'salt' string before performing an md5 hash. Have you checked what the md5() value of your password should be so that you know which one of those values is correct? What does the following show - echo md5('your_actual_password_here'); And you do need to use the proper mysql_num_rows function in your script so that your script will work as intended under all versions of php. There were a few versions of php where someone, without any documentation, made mysql_affected_rows work the same as mysql_num_rows. AFAIK this has been undone and back to what the documentation states for those functions. Hello thanks again. About register_globals and mysql_affected_rows, noted! but since I'm only practicing here in my computer using wamp server, that's not really a concern and I don't have any plans in the future to alter any of the php.ini code when I'm starting to code on the actual server. As for echoing out the password on the login processing page, as I have mentioned, it echoes out correctly the password that I have entered. I have just tried now echoing out the password on the registration form like what you told me and also it echoes out the correct value that I have entered. Any other suggestions? Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 5, 2012 Author Share Posted April 5, 2012 You need to turn register_globals OFF, ASAP. They were turned off by default in php4.2 in April of the year 2002 (10 years ago this month) because they let hackers set your session variables and a lot of web sites have been taken over. They have also been completely removed as of php5.4, so your current code that relies on them won't work at all under php5.4. And they let you inadvertently set variables to something you don't want them set to. $_SESSION['user_id'] = $user_id; $_SESSION['password'] = $password; With register_globals ON, the first time you executed this statement, the password from the POST data was placed in the session. Every time after that, register_globals put the SESSION password value into $password (overwriting the POST value). So, regardless of what you type in the form, you are testing the same password value over and over (from the SESSION data). 1) Clear out your session -- delete the cookie and if you have access, delete the server file 2) Do NOT store the user's password in the session. Session files, especially on shared hosts, are typically stored in /tmp which is world readable. Note: You may have had the same problem on the page that registered the user. So, the value that was hashed and stored as the user's password may not have been what you think you set. even it echoes out the correct password that I have inputted? what do you think? I'm also using the same exact password sample on every registration sample that I have made. I tried also to destroy the session using session_destroy(); and I also deleted the cookie. registered a new user, login, and there's still the problem. as for #2 that is noted. Thanks! Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 5, 2012 Author Share Posted April 5, 2012 I forgot to mention on my last post above that I have use different password that time, tried echoing it out also and I got it also correctly.. Quote Link to comment Share on other sites More sharing options...
DavidAM Posted April 5, 2012 Share Posted April 5, 2012 Looking at that code, I have no idea where $user_id and $password are coming from. So it is difficult to determine what it should be doing. However, let's take this approach: In your login processing page, add these lines just before testing the password if ($row = mysql_fetch_assoc($result)) { // LET'S SEE WHAT WE HAVE printf("dbHash: %s<BR>\n", $row['password']); printf("enrtyHash: %s<BR>\n", md5($password)); printf("should be: %s<BR>\n", md5('HARD CODE THE PASSWORD YOU ARE TESTING WITH HERE')); if (strcmp($row['password'], md5($password)) != 0) { That should give you three hashes. The last two should be exactly the same if $password is coming from the form. If they are and the database one is different, then we need to see the code that puts the entry in the database. I notice in your first post, you were inserting from $arVals[] but there is no indication of how the values got into that array and what might have been done to the password before it was hashed. Typically, a salt is used when hashing, and if one is used before the INSERT, we have to use the same salt in the login page. By the way, turning off register_globals is not just for security. Your development platform should match your intended production platform as closely as possible. Especially in this respect. If you develop with register_globals ON you could end up writing code that "works perfectly" on your development platform, but fails miserably on your production platform. -- Search this forum for "works perfectly" and you will find many, many posts that have that problem. Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 5, 2012 Author Share Posted April 5, 2012 Looking at that code, I have no idea where $user_id and $password are coming from. So it is difficult to determine what it should be doing. However, let's take this approach: In your login processing page, add these lines just before testing the password if ($row = mysql_fetch_assoc($result)) { // LET'S SEE WHAT WE HAVE printf("dbHash: %s<BR>\n", $row['password']); printf("enrtyHash: %s<BR>\n", md5($password)); printf("should be: %s<BR>\n", md5('HARD CODE THE PASSWORD YOU ARE TESTING WITH HERE')); if (strcmp($row['password'], md5($password)) != 0) { That should give you three hashes. The last two should be exactly the same if $password is coming from the form. If they are and the database one is different, then we need to see the code that puts the entry in the database. I notice in your first post, you were inserting from $arVals[] but there is no indication of how the values got into that array and what might have been done to the password before it was hashed. Typically, a salt is used when hashing, and if one is used before the INSERT, we have to use the same salt in the login page. By the way, turning off register_globals is not just for security. Your development platform should match your intended production platform as closely as possible. Especially in this respect. If you develop with register_globals ON you could end up writing code that "works perfectly" on your development platform, but fails miserably on your production platform. -- Search this forum for "works perfectly" and you will find many, many posts that have that problem. DavidAM thanks! I got this dbHash: ea21fadd7366b3f94242 enrtyHash: 5380a7ced0e3f1a2b36b600b3a7f4e09 should be: 5380a7ced0e3f1a2b36b600b3a7f4e09 What seems to be wrong there? Quote Link to comment Share on other sites More sharing options...
bugzy Posted April 5, 2012 Author Share Posted April 5, 2012 Here's the code that I put my password in the database Register Form <?php header("Expires: Thu, 17 May 2001 10:17:17 GMT"); // Date in the past header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified header ("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 header ("Pragma: no-cache"); // HTTP/1.0 session_start(); //Below means if session database server crdentials is not set, require to use/set that connection then if (!isset($_SESSION['SESSION'])) require ( "./db_connection.php"); $arVals = array(); require_once("./session_func.php"); // make sure the seesion vars are initialized... reset ($arVals); while (list ($key, $val) = each ($arVals)) { if (!isset($_SESSION[$key])) $_SESSION[$key] = ""; if ($_SESSION[$key] == "NULL") $_SESSION[$key] = ""; }$arVals = array(); require_once("./session_func.php"); // make sure the seesion vars are initialized... reset ($arVals); while (list ($key, $val) = each ($arVals)) { if (!isset($_SESSION[$key])) $_SESSION[$key] = ""; if ($_SESSION[$key] == "NULL") $_SESSION[$key] = ""; } if ($_SESSION["status"] == "") $_SESSION["status"] = 0; $flg = ""; $error = ""; if (isset($HTTP_GET_VARS["flg"])) $flg = $HTTP_GET_VARS["flg"]; switch ($flg) { case "yellow": $error = "<br><font class=\"txt12_red\">That Email Address already exists in our Database.<br>Please Select Another.<BR></font>"; break; case "red": $error = "<br><font class=\"txt12_red\">Please fill out all the required fields.<br>Please Try Again.<BR></font>"; break; case "blue": $error = "<br><font class=\"txt12_red\">Your Session has Expired.<br>Please Login Again.</font><BR>"; break; case "pink": $error = "<br><font class=\"txt12_red\"><BR>The Special Code you entered is not valid.<br>Please Try Again or Leave that field blank. </font><BR>"; break; case "white": $error = "<br><font class=\"txt12_red\"><BR>The fields are too long for our Database.<br>Please correct your data via this form.</font> <BR>"; break; default: $error = ""; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>User Registration Form</title> <script language="javascript"> function validateForm() { var form = document.forms[0]; if (!form.fname.value.length || !form.lname.value.length || !form.email.value.length || !form.phone.value.length || !form.city.value.length || !form.status.selectedIndex || !form.province.value.length || !form.password.value.length || !form.password2.value.length ) { //Validation failed alert("Please fill out all the required fields."); return false; } //Validation passed return true; } </script> </head> <body><center><br /><br /> <?php echo $error; ?><br /><br /> <form name="registration" method="post" action="./registered.php" onsubmit="return validateForm();""> <table> <tr> <td>First Name:</td> <td><input type="text" name="fname" value="<?php $_SESSION['fname'] ?>" size="30" maxlength="50" /></td> <td>*</td> </tr> <tr> <td>Last Name:</td> <td><input type="text" name="lname" value="<?php $_SESSION['lname'] ?>" size="30" maxlength="50" /></td> <td>*</td> </tr> <tr> <td>E-Mail Address:</td> <td><input type="text" name="email" value="<?php $_SESSION['email'] ?>" size="30" maxlength="50" /></td> <td>*</td> </tr> <tr> <td>Phone:</td> <td><input type="text" name="phone" value="<?php $_SESSION['phone'] ?>" size="30" maxlength="50" /></td> <td>*</td> </tr> <tr> <td>City:</td> <td><input type="text" name="city" value="<?php $_SESSION['city'] ?>" size="30" maxlength="50" /></td> <td>*</td> </tr> <tr> <td>Status:</td> <td> <select name="status" id="status"> <option>Pls. Select One <option value="single">Single <option value="relationship">In a Relationship <option value="complicated">It's Complicated </select> </td> <td>*</td> </tr> <tr> <td>Province:</td> <td><input type="text" name="province" value="<?php echo $_SESSION['province'] ?>" size="30" maxlength="50" /></td> <td>*</td> </tr> <tr> <td>Password:</td> <td><input type="password" name="password" size="30" maxlength="50" /></td> <td>*</td> </tr> <tr> <td>Confirm Password:</td> <td><input type="password" name="password2" size="30" maxlength="50" /></td> <td>*</td> </tr> <tr> <td> <input type="reset" name="Reset" value="Reset"></td> <td> <input type="submit" name="Submit" value="Submit" ></td> </tr> </table> </form> </center> <script language="javascript"> // set the selection box values... form.status.selectedIndex = parseInt("<?php echo $_SESSION['status'] ?>"); </script> </body> </html> Register Processing <?php //This is to make sure that everything is fresh and when a user visit again the website it is not the cached that he's seeing header("Expires: Thu, 17 May 2001 10:17:17 GMT"); // Always use date in the past header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified header ("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 header ("Pragma: no-cache"); // HTTP/1.0 session_start(); if (!isset($_SESSION['SESSION'])) require ( "./db_connection.php"); $arVals = array(); require_once('./session_func.php'); reset($_POST); while (list ($key, $val) = each ($_POST)) { if ($val == "") $val = "NULL"; $arVals[$key] = (get_magic_quotes_gpc()) ? $val : addslashes($val); if($val == "NULL") $_SESSION[$key] = NULL; else $_SESSION[$key] = $val; if ($key != "access_period" && $key != "passwd") $arVals[$key] = "'".$arVals[$key]."'"; } // check to see if these variables have been set... if ((!isset($_SESSION["fname"])) || (!isset($_SESSION["lname"])) || (!isset($_SESSION["email"])) || (!isset($_SESSION["phone"])) || (!isset($_SESSION["city"])) || (!isset($_SESSION["status"])) || (!isset($_SESSION["province"]))) { resendToForm("?flg=red"); } // form variables must have something in them... if ($_SESSION['fname'] == "" || $_SESSION['lname'] == "" || $_SESSION['email'] == "" || $_SESSION['phone'] == "" || $_SESSION['city'] == "" || $_SESSION['status'] == "" || $_SESSION['province'] == "") { resendToForm("?flg=red"); } // make sure fields are within the proper range... if (strlen($_SESSION['fname']) > 35 || strlen($_SESSION['lname']) > 35 || strlen($_SESSION['email']) > 35 || strlen($_SESSION['phone']) > 35 || strlen($_SESSION['city']) > 35 || strlen($_SESSION['status']) > 35 || strlen($_SESSION['province']) > 35 || strlen($_SESSION['password']) > 30) { resendToForm("?flg=white"); } $query = "SELECT COUNT(email) FROM tbl_user where email = '".$_SESSION['email']."'"; mysql_connect($_SESSION['MYSQL_SERVER1'],$_SESSION['MYSQL_LOGIN1'],$_SESSION['MYSQL_PASS1']) or die("Unable to connect to SQL server"); mysql_select_db($_SESSION['MYSQL_DB1']) or die("Unable to select database"); $result = mysql_query($query) or die("Invalid query (login): " . mysql_error()); $row = mysql_fetch_row($result); if ($row[0] > 0) { // an email aleady exists in the database, because the row count > 0... resendToForm("?flg=yellow"); } /* WHEN YOU INSERT USE MD5 for Passwords!!!! */ $password = $arVals['password']; $arVals['password'] = "'".md5($arVals['password'])."'"; /********************************************************************************************** Insert into the database... **********************************************************************************************/ $query = "INSERT INTO tbl_user (fname, lname, email, phone, city, status, province, password) " ."VALUES (".$arVals['fname'].", ".$arVals['lname'].", ".$arVals['email'].", ".$arVals['phone'].", ".$arVals['city'] .", ".$arVals['status'].", ".$arVals['province'].", ".$arVals['password'].")"; $result = mysql_query($query) or die("Invalid query: " . mysql_error() . "<br><br>". $query); $insertid = mysql_insert_id(); function resendToForm($flags) { reset ($_POST); // store variables in session... while (list ($key, $val) = each ($_POST)) { $_SESSION[$key] = $val; } // go back to the form... //echo $flags; header("Location: ./registration_form.php".$flags); exit; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Registration Data Processing</title> </head> <body> </body> </html> I have tried to echo the password in register processing and like the login page and login processing I got also the correct value for the password that I have inputted.. Quote Link to comment Share on other sites More sharing options...
DavidAM Posted April 5, 2012 Share Posted April 5, 2012 I got this dbHash: ea21fadd7366b3f94242 enrtyHash: 5380a7ced0e3f1a2b36b600b3a7f4e09 should be: 5380a7ced0e3f1a2b36b600b3a7f4e09 What seems to be wrong there? As PFMaBiSmAd said in Reply #6, that hash from the database is TOO short. An MD5 hash is 32 characters and that DB hash is only 20. So you are never going to match it. Second, there is a lot of stuff going on in that Registration Processing script that is screwing with the password. 1) Around line 27: $arVals[$key] = (get_magic_quotes_gpc()) ? $val : addslashes($val); This could modify the Password value. Since it will add slashes to "escape" certain characters. If you insist on keeping this code here, you need to use the exact same code in your login so that the password is modified in the same way. 2) Around line 35: if ($key != "access_period" && $key != "passwd") $arVals[$key] = "'".$arVals[$key]."'"; Since the password key is spelled incorrectly in the IF statement, this line is definitely changing the password value entered by the user before you run md5 on it (around line 100). As a side note, not directly related to this problem. The manner in which you are using get_magic_quotes and addslashes "hinky" to me. Since you are using mysql, you should really be using mysql_real_escape_string instead of addslashes, anyway. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.