[SOLVED] Log In Script Encryption?

#1 Jan 5th, 2008, 23:32, Jack Franklin (Moderator)

Hi Guys,

I followed a tutorial here:
http://www.phpeasystep.com/workshopview.php?id=6
but it didn't include Encryption. I then looked at another tutorial:
http://www.phpeasystep.com/workshopview.php?id=26

I'm attempting to make a simple CMS for just my site, and so far I have been working on a local server, and so far so good.

I attempted to add encryption to the CMS usernames, login, etc. First is the script where the user adds an admin account to their site:
Code:
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1">
<tr>
<td bordercolor="#000000" bgcolor="#FFFFFF"><form action="pg_insert_admin.php" method="post" name="form1" class="style1">
<table width="100%" border="0" cellspacing="1" cellpadding="3">
<tr>
<td colspan="3"><strong>Add the Administrator Account</strong></td>
</tr>
<tr>
<td width="71">Username</td>
<td width="6">:</td>
<td width="301"><input name="name" type="text" id="name"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="lastname" type="password" id="lastname"></td>
</tr>
<tr>
<td>Please Retype Password</td>
<td>:</td>
<td><input name="lastname_c" type="password" id="lastname_c"></td>
</tr>
<tr>
<td colspan="3" align="center"><input type="submit" name="Submit" value="Submit"></td>
</tr>
</table>
</form></td>
</tr>
</table>
And this is the file it links to:
PHP:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<?php
include('pg_config.php');
$tbl_name="members"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");
// Get values from form
$name=$_POST['name'];
$lastname=$_POST['lastname'];
$lastname_c=$_POST['lastname_c'];
$encrypt_password=md5($password);
if ($lastname==$lastname_c) {
    // Insert data into mysql
    $sql="INSERT INTO $tbl_name(username, password)VALUES('$name', '$encrypt_password')";
    $result=mysql_query($sql);
}
// if successfully insert data into database, displays message "Successful".
if ($result) {
    echo "Successful";
    echo "<BR>";
    echo "<a href='pg_install.php'>Back to main page</a>";
}
else {
    echo "ERROR";
}
// close connection
mysql_close();
?>
</body>
</html>
------------------------

When I added a user it all went fine. I did a username of 'admin', and password of 'test'.

Then, I tried to log in. Log In page:
Code:
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="pg_check_login.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="password" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
And the php:
PHP:

<?php
ob_start();
include('../pg_config.php');
$tbl_name="members";
// Connect to server and select database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// encrypt password
$encrypted_mypassword=md5($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if ($count==1) {
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:pg_login_success.php");
}
else {
    echo "Wrong Username or Password";
}
ob_end_flush();
?>
All SEEMS ok, no errors. But I just get the message 'Wrong Username or Password'. Can anyone see where I am going wrong?

Thanks!

jack

#2 Jan 6th, 2008, 09:13, Marc (Staff Manager)

No. For when a user is logging in, you must select the username with the password e.g.
Quote:
SELECT username FROM $tbl_name WHERE password='$encrypted_mypassword'
then you should check the username (selected from the DB a moment ago) against the password given.. do you get me??

#3 Jan 6th, 2008, 09:26, Rakuli (SuperMember)

I would disagree with Marc on his point. There is no need to bring the password into PHP at all...

If you have stored the password in its encrypted form in the MySQL database it is simply a matter of comparing the user name and password at the same time.

In your database, do you actually have the password encrypted? If you do, have you made sure that the column is "var_char(32)"..

MD5 returns a 32 character string so if the database doesn't have enough space it will truncate it and the passwords won't match.

#4 Jan 6th, 2008, 10:53, Jack Franklin (Moderator)

The password field is varchar(65). Is that ok?

So, is my code fine? I'm going to try again just to make sure I did enter a password of test!

No luck, just says wrong username or password.

I then tried entering the 32-character encrypted password in the login page, but still no luck.

#5 Jan 6th, 2008, 11:06, Rakuli (SuperMember)

Can you show me how you're entering the details into the database, do you have a script that does this?

#6 Jan 6th, 2008, 11:09, Jack Franklin (Moderator)

The user enters the details in this lovely form:
Code:
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1">
<tr>
<td bordercolor="#000000" bgcolor="#FFFFFF"><form action="pg_insert_admin.php" method="post" name="form1" class="style1">
<table width="100%" border="0" cellspacing="1" cellpadding="3">
<tr>
<td colspan="3"><strong>Add the Administrator Account</strong></td>
</tr>
<tr>
<td width="71">Username</td>
<td width="6">:</td>
<td width="301"><input name="name" type="text" id="name"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="lastname" type="password" id="lastname"></td>
</tr>
<tr>
<td>Please Retype Password</td>
<td>:</td>
<td><input name="lastname_c" type="password" id="lastname_c"></td>
</tr>
<tr>
<td colspan="3" align="center"><input type="submit" name="Submit" value="Submit"></td>
</tr>
</table>
</form></td>
</tr>
</table>
and then it is processed using this PHP:
PHP:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<?php
include('pg_config.php');
$tbl_name="members"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");
// Get values from form
$name=$_POST['name'];
$lastname=$_POST['lastname'];
$lastname_c=$_POST['lastname_c'];
$encrypt_password=md5($password);
if ($lastname==$lastname_c) {
    // Insert data into mysql
    $sql="INSERT INTO $tbl_name(username, password)VALUES('$name', '$encrypt_password')";
    $result=mysql_query($sql);
}
// if successfully insert data into database, displays message "Successful".
if ($result) {
    echo "Successful";
    echo "<BR>";
    echo "<a href='pg_install.php'>Back to main page</a>";
}
else {
    echo '<h3>Error. It is more than likely that you didn\'t enter your password correctly both times. Go back and try again!</h3>';
}
// close connection
mysql_close();
?>
</body>
</html>

#7 Jan 6th, 2008, 11:30, Rakuli (SuperMember)

Okay, I don't see any glaring errors in either code snippet.

In your login script try changing the encryption line to:

PHP:

$encrypted_mypassword=mysql_real_escape_string(md5($mypassword));

Change the query line to:

PHP:

$result=mysql_query($sql) or die(mysql_error());

to see if there is anything wrong with the query itself.

#8 Jan 6th, 2008, 11:50, Jack Franklin (Moderator)

Rakuli, Thanks for your help so far

I changed it, so the code is now like this:
PHP:

<?php
include('../pg_config.php');
$tbl_name="members";
// Connect to server and select database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");
// username and password sent from signup form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// encrypt password
$encrypted_password=mysql_real_escape_string(md5($mypassword));

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_password'";
$result=mysql_query($sql) or die(mysql_error());

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if ($count==1) {
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("$myusername");
    session_register("$mypassword");
    header("location:pg_login_success.php");
}
else {
    echo "Wrong Username or Password";
}
?>
But I received an error:
Parse error: syntax error, unexpected T_STRING in C:\xampp\htdocs\Dolphin CMS\pg_administration\pg_check_login.php on line 19

I cannot quite see where I am going wrong.

#9 Jan 6th, 2008, 12:02, Rakuli (SuperMember)

Which is line 19? This is a syntax error -- usually means that there is a missing semicolon or quotes not closed. I can't seem to see it though.

#10 Jan 6th, 2008, 12:05, Jack Franklin (Moderator)

Line 19:
PHP:

$result=mysql_query($sql) or die(mysql_error()); 

I am fairly new to this, but I cannot see anything wrong with it!

#11 Jan 6th, 2008, 12:12, Rakuli (SuperMember)

Try replacing it with

PHP:

if (!$result=mysql_query($sql))
   die (mysql_error());
Seems odd, I have used that type of code many many times... seems to be treating the "or" as a misplaced string...

#12 Jan 6th, 2008, 12:31, Jack Franklin (Moderator)

Ok no error now. It just says 'Wrong Username or Password'.
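
A hardened version of the registration and login checks discussed in this thread, as an added example that is not code from any poster: it swaps unsalted md5() for PHP's password_hash()/password_verify() and the interpolated SQL for PDO prepared statements. The in-memory SQLite database, the function names add_member and check_login, and the sample credentials are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.5 with the
// pdo_sqlite extension; the in-memory database stands in for the MySQL
// "members" table, and all sample values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output is longer than MD5's 32 hex characters (60 for
// bcrypt today), so the column is sized generously to avoid truncation.
$db->exec('CREATE TABLE members (username VARCHAR(64) PRIMARY KEY, password VARCHAR(255) NOT NULL)');

function add_member(PDO $db, $username, $formPassword, $formPasswordConfirm)
{
    if ($formPassword === '' || $formPassword !== $formPasswordConfirm) {
        return false;
    }
    // Hash the value submitted in the form. The thread's insert script
    // reads the form field into $lastname but hashes $password, the
    // variable it also passes to mysql_connect().
    $hash = password_hash($formPassword, PASSWORD_DEFAULT);
    // Placeholders keep form input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
    return $stmt->execute(array($username, $hash));
}

function check_login(PDO $db, $username, $formPassword)
{
    // Look the row up by username only; the salted hash cannot be matched
    // in a WHERE clause, so the comparison happens in PHP.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute(array($username));
    $stored = $stmt->fetchColumn();
    return $stored !== false && password_verify($formPassword, $stored);
}

add_member($db, 'admin', 'test', 'test');
var_dump(check_login($db, 'admin', 'test'));          // correct password
var_dump(check_login($db, 'admin', 'wrong'));         // wrong password
var_dump(check_login($db, "admin' -- ", 'anything')); // quote is plain data
var_dump(check_login($db, 'nobody', 'test'));         // unknown user
```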