...
PDA

Login Error

VickP07
11-08-2011, 02:49 AM
Okay guys so im trying to make a simple php login page that requires a user to enter in his/her username and password.

The password in my users table has a datatype of BLOB and when the user adds users into the DB i am doing a AES_ENCRYPT to save the password in the DB but encrypted.

Right now i am having trouble and can't figure out what i am missing or doing wrong? I have already tried to DEBUG and echo out my sql statement but i still can't figure out what the problem is and why the login form wont work when the user enters in the right username and password!

config.php:

<?
$conn = mysql_connect( "localhost", "root", "temp1234" );
$conn or die( "Error connecting: " . mysql_error() );

$db_name = "DoctorsOfficeDB";
mysql_select_db( $db_name )
or die( "Bad db name: $db_name" );
?>


Login.php:

<?php
include("config.php");

//start session
session_start();

if( $_POST )
{


// username and password sent from Form
$myusername = $_POST['username'];
$mypassword = $_POST['password'];

$sql="SELECT user_id FROM users WHERE username='$myusername' and aes_decrypt(pword='$mypassword');";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
$active=$row['active'];
$count=mysql_num_rows($result);


// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1)
{
session_register("myusername");
$_SESSION['login_user']=$myusername;

header("Location: welcome.php");
exit();
}
else
{
$error="Your Login Name or Password is invalid";
}
}
?>
<html>
<body>

<form action="Login.php" method="post">
<fieldset>
<legend>Login Information:</legend>
UserName: <input type="text" size="20" name="username" /><br />
Password: <input type="password" size="20" name="password" /><br />
</fieldset>
<input type="submit" value="Submit">
</form>


</body>
</html>



lock.php

<?php
include("config.php");

session_start();
$user_check=$_SESSION['login_user'];

$ses_sql=mysql_query("select username from users where username='$user_check' ");

$row=mysql_fetch_array($ses_sql);

$login_session=$row['username'];

if(!isset($login_session))
{
header("Location: Login.php");
}
?>


logout.php :

<?php
session_start();
if(session_destroy())
{
header("Location: Login.php");
}
?>


welcome.php:

<?php

include('lock.php');

?>

<html>
<head>
<title>Welcome</title>
</head>

<body>
<h1>Welcome <?php echo $login_session; ?></h1>

<h2><a href="logout.php">Sign Out</a></h2>
</body>
</html>
VickP07
11-08-2011, 02:51 AM
I forgot to mention that right now when i try to use a correct username and password and hit submit on the login page i keep getting these errors:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/3342/paguilary/test2/Login.php on line 17

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/3342/paguilary/test2/Login.php on line 19
Old Pedant
11-08-2011, 06:57 AM
Ready to kick yourself?


and aes_decrypt(pword='$mypassword');

What do you think that is doing?

It is *NOT* decrypting the pword field.

Instead, it is *FIRST* comparing the pword field *AS IS* to the $mypassword value.

*THEN* it is decrypting the value true or false which is the result of the comparison!!! (Well, it will surely be false, of course.)

Now try this:

and aes_decrypt(pword)='$mypassword';

*NOW* you are decrypting the pword field *BEFORE* comparing to $mypassword.

Except this *STILL* won't work. That's because the aes_decrypt( ) function, just like the aes_encrypt function, requires *TWO* arguments. The thing to be decrypted *AND* the encryption key that was used to encrypt it.

So you need to actually use
and aes_decrypt(pword,'WHATEVER THE KEY IS')='$mypassword';


********************

Incidentally, this is not really the best way to encrypt passwords.

You really should use a one-way encryption algorithm, so that even you are not able to decrypt them. That way, if somebody ever did manage to break into your site, they wouldn't be able to runs aes_decrypt on the db and decrypt them. And if they broke into your system they would just look in the PHP code to find the place where you did aes_decrypt and run around decrypting all the passwords.

With a one-way encryption, you then always do this:
and pword=SOME_ONE_WAY_ENCRYPTION('$mypassword');
Old Pedant
11-08-2011, 07:02 AM
The real root of your problem is a lack of error handling.

At a bare bones minimum, you should be doing something like
$result=mysql_query($sql) or die(mysql_error());

Personally, I'd rather see you do something like this:

$result=mysql_query($sql);
if ( ! $result ) {
echo "<hr/>Error during query: $sql<br/>Error message: " . mysql_error() . "<hr/>";
exit();
}

(I don't use PHP, but I'd do the equivalent of that in other languages.
VickP07
11-08-2011, 09:43 AM
okay thank you for the comments i changed the sql statement and it seems to be working i did a echo on it to debug and see if it is getting the data from the text fields and finding the right user from the table...........but after i hit submit it still never does anything, even when i dont enter a password it should display an error msg it doesn't do anything?!?! it seems like it never enters the if($count statement)

i am confused as to what this line of code means(does exactly)
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1)

<?php
include("config.php");

//start session
session_start();

if($_POST)
{
// username and password sent from Form
$myusername = $_POST['username'];
$mypassword = $_POST['password'];

$sql="SELECT user_id FROM users WHERE username='$myusername' and aes_decrypt(pword,'The Secret Phrase')='$mypassword';";

echo "<hr>DEBUG SQL: " . $sql . "<hr/>\n";

$result = mysql_query($sql);

if ( ! $result )
{
echo "<hr/>Error during query: $sql<br/>Error message: " . mysql_error() . "<hr/>";
exit();
}

$row = mysql_fetch_array($result);
$active = $row['active'];
$count = mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1)
{
session_register("myusername");
$_SESSION['login_user']=$myusername;

header("Location: welcome.php");
exit();
}
else
{
$error="Your Login Name or Password is invalid";
}
}
?>
<html>

<head>

<title>DoctorsOfficeDB</title>

</head>
<body>

<table width="1358" border="0">
<tr>
<td colspan="2" style="background-color:#FFA500;">

<hr /><h2>Doctor's Office DB</h2><hr /></td></tr> </table>

<form action="Login.php" method="post">
<fieldset style="width:500px">
<legend>Login Information:</legend>
UserName: <input type="text" size="20" name="username" /><br />
Password: <input type="password" size="20" name="password" /><br />
</fieldset>
<input type="submit" value="Submit">
</form>


</body>
</html>
VickP07
11-08-2011, 04:34 PM
okay i got it to at least display the error message now if the user provided the wrong password or username.

But i am still having troublegetting it to actually run if the user provided the right password and username.

The if ($count == 1) will never run because $count is always 0. I tried doing before the if statement
$count = $count + 1

but this will always allow a user to gain access even if he/she put in a wrong password
Old Pedant
11-08-2011, 07:28 PM
This seems strange:

$row = mysql_fetch_array($result);
$active = $row['active'];
$count = mysql_num_rows($result)


How can you get a field named active when your SQL query did

SELECT user_id FROM users ...

With that SELECT, the *ONLY* value you will be able to read from the $result will be user_id. You can't get fields you don't SELECT.

EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum