
[SOLVED] Having trouble with challenge key auth system


aosmith


This one has got me stumped... I'm still quasi-new to PHP and MySQL and I just can't figure out why I cannot get my keys (aka "replies") to match. Here's my code:

index.php (just the part that really matters):

<?php
//start a session
session_start();
//store ip addr and test connection to mysql server
$_SESSION['ip']=$_SERVER['REMOTE_ADDR'];
$conn=mysql_connect('localhost', '####', '####') or die($_SESSION['error']='could not connect to database--ln6-index.php <br />'.mysql_error());
mysql_select_db('notepanda', $conn) or die($_SESSION['error']='could not select notepanda--ln7-index.php <br />'.mysql_error());
//generate challenge
$chal=md5(uniqid(mt_rand(), true)) or die($_SESSION['error']='could not generate chal');
//set the challenge
$_SESSION['chal']=$chal;
?>

 

I'm using Paj's JavaScript for the client-side hashing (it can be found here: http://pajhome.org.uk/crypt/md5/md5src.html)

 

the form containing login information looks like this:

<!--encrypt password-->
<script src="js/md5.js" type="text/javascript"></script>
<!--encrypt password using script and set password and challenge to null-->
<form method="POST" action="login.php" name="login_form" id="login_form" onsubmit="javascript: login();">
<tr>
<td>
<img src="img/user.gif">
</td>
<td>
<!--username and cookie reading script-->
<input type="text" name="username" size="20" id="username">
</td>
</tr>
<tr>
<td>
<img src="img/pass.gif">
</td>
<td>
<input type="password" name="password" size="20" id="password">
<!--start hidden fields-->
<input type="hidden" name="chal" id="chal" size="40">
<input type="hidden" name="key" id="key" size="40">
</td>
</tr>
<tr>
<td>
</td>
<td>
<input type="submit" value="Submit" onclick="Javascript: login();">
<input type="reset">	
</div>
</td>
</tr>
</form>
</table>
</div>

 

and the code for login():

 

<script type="text/javascript">
function login()
	{
	var login_form = document.getElementById("login_form");
	if (login_form.username.value == "")
		{
		alert("Please enter your user name");
		return false;
		}
	if (login_form.password.value == "")
		{
		alert("Please enter your password");
		return false;
		}
	if (login_form.password.value != null && login_form.username.value != null)
		{
		/*hash the password and the key*/
		login_form.password.value = hex_md5 (login_form.password.value);
		login_form.key.value = hex_md5(login_form.chal.value + login_form.password.value);
		/*clear the form of everything except user and key*/
		/*using a single _ for password and challenge to avoid triggering the empty password catch*/
		/*and a little joke for all the packet sniffers out there*/
		//login_form.password.value = "packet sniffing isn't nice";
		//login_form.chal.value = " ";
		/*last but not least submit the form*/
		login_form.submit();

		}
	}
</script>

 

and last but not least login.php looks like this:

 

<?php
//////////////////////////////////
//PHP Login Mechanism		//
//By: Alex Smith		//
//////////////////////////////////
session_start();

//read in post variables from index.php
if (isset($_POST))
{
//read in password and username from post
$user=$_POST['username'];
$key=$_POST['key'];
//values should be null
$pass=$_POST['password']; 
//read in challenge from session
$chal=$_SESSION['chal'];

//add expire
$_SESSION['expire']=time()+4800;
$_SESSION['key']=$key;

//connect to mysql db or kick out an error code
$connect=mysql_connect('localhost', '####', '####') or die($_SESSION['error']=mysql_error()." ERROR: Could not connect to MySQL Server--gate:1-inc.php");
//connect to notpanda database or error code
mysql_select_db('notepanda') or die($_SESSION['error']=mysql_error()." ERROR: Could not select db--gates:2-inc.php");
//query to select password
$sql = 'SELECT `password` FROM `login_users` WHERE `username`="'.$user.'"';
//query to select admin status
$sql2 = 'SELECT `admin` FROM `login_users` WHERE `username`="'.$user.'"';
//record the query to a session var for debugging
$_SESSION['sql']=$sql;
$_SESSION['sql2']=$sql2;
//query database and 4th error gate
$dbpass=mysql_query($sql) or die($_SESSION['error']=mysql_error()." ERROR:query error1--gate:4.0-login.php");
$admin=mysql_query($sql2) or die($_SESSION['error']=mysql_error()." ERROR:query error2--gate:4.1-login.php");
//compose key from database challenge
        //note: stored passwords have already been hashed using md5
$str=$chal.$dbpass;
//finish composing	
$dbkey=md5($str);
$_SESSION['dbpass']=$dbpass;

$_SESSION['pkey']=$pkey;
$_SESSION['dbkey']=$dbkey;
//make sure this table is only viewable to super users
if ($dbkey==$key)
	{
	//compare with ==; a single = assigns and is always true
	if ($admin=="1")
		{
		$_SESSION['valid']="user";
		}
	if ($admin=="2")
		{
		$_SESSION['valid']="admin";
		}
	if ($admin=="3")
		{
		$_SESSION['valid']="super";
		}
	}
if ($dbkey!=$key)
	{
	echo "ERROR: Authentication--gate:5-login.php <br />";
	echo $key."<br />".$dbkey;
	}
}
?>

 

I've been staring at this for almost an hour and I just can't figure out why it isn't working, except for a problem with Paj's script. TIA guys and gals.

-Alex

 

And as a PS note, I know that this is about 2 steps past spaghetti code, but I'm new to this ;)

 

And here's what login.php kicks out (from the nice little debug table I built):

 

ERROR: Authentication--gate:5-login.php

14135****

8f477****

Session Vars

user:

pass:

chal:####

key:14135f***

valid:

expire:1195179791

ip:127.0.0.1

error:

admin:

sql:SELECT `password` FROM `login_users` WHERE `username`="admin"

sql2:SELECT `admin` FROM `login_users` WHERE `username`="admin"

dbkey:8f477***

pkey:

dbpass:Resource id #3

key:1413*****

user:admin

pass:775****

add5*

add5*

8f47*

0c0ff*


I'm about to mark this one solved, but I figured I would post the solution for anyone else having trouble:

$result=mysql_query($sql) or die($_SESSION['error']=mysql_error()." ERROR:query error1--gate:4.0-login.php");
if (!$result)
	{
	die ("Couldn't fetch any results");
	}

$array = mysql_fetch_assoc($result);
$dbpass=$array['password'];	
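
The exchange from this thread, modelled end to end in Node.js as an added example (not code from the original posts): the client key, the mismatch caused by hashing the result handle instead of the fetched column, and a server check that reads the row first. The `loginUsers` map, the function names and the sample password are constructed; the single-use challenge and constant-time compare are additions beyond the posted fix.

```javascript
// Added example: all names and sample data below are constructed for illustration.
const nodeCrypto = require('node:crypto');

const md5 = (s) => nodeCrypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed stand-in for login_users: the stored value is md5(password).
const loginUsers = new Map([['admin', { password: md5('s3cret-example'), admin: '3' }]]);

// index.php step: issue a random challenge and remember it in the session.
function issueChallenge(session) {
  session.chal = nodeCrypto.randomBytes(16).toString('hex');
  return session.chal;
}

// login() step in the browser: key = md5(chal + md5(password)).
function clientKey(chal, password) {
  return md5(chal + md5(password));
}

// The bug from the thread: the query handle, not the fetched column, is hashed.
// PHP casts a mysql_query() result to a string such as "Resource id #3".
function buggyServerKey(chal) {
  const dbpass = 'Resource id #3';
  return md5(chal + dbpass);
}

// login.php step after the fix: fetch the row first, then build and compare the key.
function verifyLogin(session, username, key) {
  const chal = session.chal;
  delete session.chal;                    // a challenge is good for one attempt only
  const row = loginUsers.get(username);   // keyed lookup, no string-built query
  if (!chal || !row || typeof key !== 'string') return null;
  const expected = Buffer.from(md5(chal + row.password), 'hex');
  const supplied = Buffer.from(key, 'hex');
  if (supplied.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(supplied, expected)) return null;
  const roles = { '1': 'user', '2': 'admin', '3': 'super' };
  return roles[row.admin] ?? null;        // role comes from the fetched value
}
```

In this scheme the stored `md5(password)` is all that is needed to compute a valid key, so the `login_users` table has to be protected as if it held plaintext passwords.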
