login script problem

[atticus]

Hi all...

 

I am having a problem with a login function.  I cannot find any errors and I am receiving no errors from mysql or php.  It just simply says "wrong username and password".  I have double and triple checked my database and created multiple users (using the password field for password of course) and I still can't find the problem.  Here is the function:

 

function doLogin()
{
// if we found an error save the error message in this variable
$errorMessage = '';

$userName = $_POST['txtUserName'];
$password = $_POST['txtPassword'];

// first, make sure the username & password are not empty
if ($userName == '') {
	$errorMessage = 'You must enter your username';
} else if ($password == '') {
	$errorMessage = 'You must enter the password';
} else {
	// check the database and see if the username and password combo do match
	$sql = "SELECT user_id
	        FROM tbl_user 
			WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";
	$result = dbQuery($sql) or die (mysql_error());

	if (dbNumRows($result) == 1) {
		$row = dbFetchAssoc($result);
		$_SESSION['plaincart_user_id'] = $row['user_id'];

		// log the time when the user last login
		$sql = "UPDATE tbl_user 
		        SET user_last_login = NOW() 
				WHERE user_id = '{$row['user_id']}'";
		dbQuery($sql) or die (mysql_error());

		// now that the user is verified we move on to the next page
            // if the user had been in the admin pages before we move to
		// the last page visited
		if (isset($_SESSION['login_return_url'])) {
			header('Location: ' . $_SESSION['login_return_url']);
			exit;
		} else {
			header('Location: index.php');
			exit;
		}
	} else {
		$errorMessage = 'Wrong username or password';
	}		

}

return $errorMessage;
}

/*
Logout a user
*/
function doLogout()
{
if (isset($_SESSION['plaincart_user_id'])) {
	unset($_SESSION['plaincart_user_id']);
	session_unregister('plaincart_user_id');
}

header('Location: login.php');
exit;
}

 

a portion of the form:

 

<form method="post" name="frmLogin" id="frmLogin">
       <p> </p>
       <table width="350" border="0" align="center" cellpadding="5" cellspacing="1" bgcolor="#336699" class="entryTable">
        <tr id="entryTableHeader"> 
         <td>:: Admin Login ::</td>
        </tr>
        <tr> 
         <td class="contentArea"> 
	 <div class="errorMessage" align="center"><?php echo $errorMessage; ?></div>
	  <table width="100%" border="0" cellpadding="2" cellspacing="1" class="text">
           <tr align="center"> 
            <td colspan="3"> </td>
           </tr>
           <tr class="text"> 
            <td width="100" align="right">User Name</td>
            <td width="10" align="center">:</td>
            <td><input name="txtUserName" type="text" class="box" id="txtUserName" value="admin" size="10" maxlength="20"></td>
           </tr>
           <tr> 
            <td width="100" align="right">Password</td>
            <td width="10" align="center">:</td>
            <td><input name="txtPassword" type="password" class="box" id="txtPassword" value="admin" size="10"></td>
           </tr>
           <tr> 
            <td colspan="2"> </td>
            <td><input name="btnLogin" type="submit" class="box" id="btnLogin" value="Login"></td>

 

Again...I am not getting any errors such as unknown columns or unknown tables...any suggesstions?

[trq]

Do not use mysql's PASSWORD function. It is an internal function and is not intended to be used by client code and may (will) break in future updates to mysql.

 

Given that, are you sure your passwords are stored using PASSWORD and not md5? Maybe that is your issue.

[atticus]

what is md5...I am using the mysql PASSWORD when I put the info into the database

[trq]

As I just said, mysql's PASSWORD function is not intended for use. its all covered in the manual. MD% creates a hash of the string passed to it.