11-08-2011, 02:49 AM | #1
VickP07
Login Error

Okay guys, so I'm trying to make a simple PHP login page that requires a user to enter in his/her username and password.

The password in my users table has a datatype of BLOB, and when the user adds users into the DB I am doing an AES_ENCRYPT to save the password in the DB but encrypted.

Right now I am having trouble and can't figure out what I am missing or doing wrong. I have already tried to DEBUG and echo out my SQL statement, but I still can't figure out what the problem is and why the login form won't work when the user enters the right username and password!

config.php:
Code:
<?
$conn = mysql_connect( "localhost", "root", "temp1234" );
$conn or die( "Error connecting: " . mysql_error() );

$db_name = "DoctorsOfficeDB";
mysql_select_db( $db_name )
 or die( "Bad db name: $db_name" );
?>
Login.php:
Code:
<?php
include("config.php");

	//start session
	session_start();
	
if( $_POST )
{


	// username and password sent from Form 
	$myusername = $_POST['username']; 
	$mypassword = $_POST['password']; 

$sql="SELECT user_id FROM users WHERE username='$myusername' and aes_decrypt(pword='$mypassword');";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
$active=$row['active'];
$count=mysql_num_rows($result);


// If result matched $myusername and $mypassword, table row must be 1 row

	if($count==1)
	{
		session_register("myusername");
		$_SESSION['login_user']=$myusername;

		header("Location: welcome.php");
		exit();
	}
	else 
	{
		$error="Your Login Name or Password is invalid";
	}
}
?>
<html>
<body>

<form action="Login.php" method="post">
<fieldset>
<legend>Login Information:</legend>
UserName: <input type="text" size="20" name="username" /><br />
Password: <input type="password" size="20" name="password" /><br />
</fieldset>
<input type="submit" value="Submit">
</form>


</body>
</html>
lock.php
Code:
<?php
include("config.php");

session_start();
$user_check=$_SESSION['login_user'];

$ses_sql=mysql_query("select username from users where username='$user_check' ");

$row=mysql_fetch_array($ses_sql);

$login_session=$row['username'];

if(!isset($login_session))
{
header("Location: Login.php");
}
?>
logout.php :
Code:
<?php
session_start();
if(session_destroy())
{
header("Location: Login.php");
}
?>
welcome.php:
Code:
<?php

include('lock.php');

?>

<html>
<head>
<title>Welcome</title>
</head>

<body>
<h1>Welcome <?php echo $login_session; ?></h1> 

<h2><a href="logout.php">Sign Out</a></h2>
</body>
</html>
11-08-2011, 02:51 AM | #2
VickP07
I forgot to mention that right now, when I try to use a correct username and password and hit submit on the login page, I keep getting these errors:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/3342/paguilary/test2/Login.php on line 17

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/3342/paguilary/test2/Login.php on line 19
11-08-2011, 06:57 AM | #3
Old Pedant
Ready to kick yourself?

Code:
and aes_decrypt(pword='$mypassword');
What do you think that is doing?

It is *NOT* decrypting the pword field.

Instead, it is *FIRST* comparing the pword field *AS IS* to the $mypassword value.

*THEN* it is decrypting the value true or false which is the result of the comparison!!! (Well, it will surely be false, of course.)

Now try this:
Code:
and aes_decrypt(pword)='$mypassword';
*NOW* you are decrypting the pword field *BEFORE* comparing to $mypassword.

Except this *STILL* won't work. That's because the aes_decrypt( ) function, just like the aes_encrypt function, requires *TWO* arguments. The thing to be decrypted *AND* the encryption key that was used to encrypt it.

So you need to actually use
Code:
and aes_decrypt(pword,'WHATEVER THE KEY IS')='$mypassword';
********************

Incidentally, this is not really the best way to encrypt passwords.

You really should use a one-way encryption algorithm, so that even you are not able to decrypt them. That way, if somebody ever did manage to break into your site, they wouldn't be able to run aes_decrypt on the db and decrypt them. And if they broke into your system they would just look in the PHP code to find the place where you did aes_decrypt and run around decrypting all the passwords.

With a one-way encryption, you then always do this:
Code:
and pword=SOME_ONE_WAY_ENCRYPTION('$mypassword');
__________________
An optimist sees the glass as half full.
A pessimist sees the glass as half empty.
A realist drinks it no matter how much there is.
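
The one-way approach described in the post above, as an added example that is not code from the thread: it uses PHP's built-in password_hash() and password_verify() with PDO bound parameters in place of the mysql_* calls. Because password_hash() salts every hash, the stored value is fetched by username and compared in PHP rather than inside the WHERE clause; the in-memory SQLite database (PHP 7.1 or later with pdo_sqlite), the table layout and the sample user are assumptions made so it runs on its own.

```php
<?php
// Added example: one-way password storage with bound parameters.
// Assumptions: in-memory SQLite via PDO stands in for the thread's MySQL
// database; table layout, user name and passwords are constructed samples.

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        user_id  INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        pword    TEXT NOT NULL)');
    return $pdo;
}

function add_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates a random salt and embeds it in the result,
    // so there is no key anywhere in the code that could reverse it.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, pword) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Returns the user_id on success, or null for an unknown user or wrong password.
function check_login(PDO $pdo, string $username, string $password): ?int
{
    // The username is bound as a parameter, never spliced into the SQL text,
    // so a quote character in the input cannot change the query.
    $stmt = $pdo->prepare('SELECT user_id, pword FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return password_verify($password, $row['pword']) ? (int) $row['user_id'] : null;
}

$pdo = open_demo_db();
add_user($pdo, 'drsmith', 'sample-passphrase-1');

var_dump(check_login($pdo, 'drsmith', 'sample-passphrase-1')); // correct password
var_dump(check_login($pdo, 'drsmith', 'wrong-password'));      // wrong password
var_dump(check_login($pdo, "o'brien", 'anything'));            // unknown user, quote in name
```
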
11-08-2011, 07:02 AM | #4
Old Pedant
The real root of your problem is a lack of error handling.

At a bare bones minimum, you should be doing something like
$result=mysql_query($sql) or die(mysql_error());

Personally, I'd rather see you do something like this:
Code:
$result=mysql_query($sql);
if ( ! $result ) {
    echo "<hr/>Error during query: $sql<br/>Error message: " . mysql_error() . "<hr/>";
    exit();
}
(I don't use PHP, but I'd do the equivalent of that in other languages.)
11-08-2011, 09:43 AM | #5
VickP07
Okay, thank you for the comments. I changed the SQL statement and it seems to be working; I did an echo on it to debug and see if it is getting the data from the text fields and finding the right user from the table... but after I hit submit it still never does anything. Even when I don't enter a password, when it should display an error msg, it doesn't do anything?! It seems like it never enters the if($count) statement.

I am confused as to what this line of code means (does exactly):
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1)
Code:
<?php
include("config.php");

	//start session
	session_start();
	
if($_POST)
{
	// username and password sent from Form 
	$myusername = $_POST['username']; 
	$mypassword = $_POST['password']; 

$sql="SELECT user_id FROM users WHERE username='$myusername' and aes_decrypt(pword,'The Secret Phrase')='$mypassword';";

echo "<hr>DEBUG SQL: " . $sql . "<hr/>\n";

$result = mysql_query($sql);

if ( ! $result ) 
{
    echo "<hr/>Error during query: $sql<br/>Error message: " . mysql_error() . "<hr/>";
    exit();
}

$row = mysql_fetch_array($result);
$active = $row['active'];
$count = mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

	if($count==1)
	{
		session_register("myusername");
		$_SESSION['login_user']=$myusername;

		header("Location: welcome.php");
		exit();
	}
	else 
	{
		$error="Your Login Name or Password is invalid";
	}
}
?>
<html>

<head>

<title>DoctorsOfficeDB</title>

</head>
<body>

<table width="1358" border="0">
<tr>
<td colspan="2" style="background-color:#FFA500;">

<hr /><h2>Doctor's Office DB</h2><hr /></td></tr> </table>

<form action="Login.php" method="post">
<fieldset style="width:500px">
<legend>Login Information:</legend>
UserName: <input type="text" size="20" name="username" /><br />
Password: <input type="password" size="20" name="password" /><br />
</fieldset>
<input type="submit" value="Submit">
</form>


</body>
</html>
11-08-2011, 04:34 PM | #6
VickP07
Okay, I got it to at least display the error message now if the user provided the wrong password or username.

But I am still having trouble getting it to actually run if the user provided the right password and username.

The if ($count == 1) will never run because $count is always 0. I tried doing before the if statement
$count = $count + 1

but this will always allow a user to gain access even if he/she put in a wrong password
11-08-2011, 07:28 PM | #7
Old Pedant
This seems strange:
Code:
$row = mysql_fetch_array($result);
$active = $row['active'];
$count = mysql_num_rows($result);
How can you get a field named active when your SQL query did
Code:
SELECT user_id FROM users ...
With that SELECT, the *ONLY* value you will be able to read from the $result will be user_id. You can't get fields you don't SELECT.