[SOLVED] Log In Script Encryption?

[Jack Franklin]

Hi Guys,

I followed a tutorial here:
http://www.phpeasystep.com/workshopview.php?id=6
but it didn't include Encryption. I then looked at another tutorial:
http://www.phpeasystep.com/workshopview.php?id=26

I'm attempting to make a simple CMS for just my site, and so far I have been working on a local server, and so far so good.

I attempted to add encyption to the CMS usernames, login, etc. First is the script were the user adds an admin account to their site:

Code: Select all

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1">
<tr>
<td bordercolor="#000000" bgcolor="#FFFFFF"><form action="pg_insert_admin.php" method="post" name="form1" class="style1">
<table width="100%" border="0" cellspacing="1" cellpadding="3">
<tr>
<td colspan="3"><strong>Add the Administrator Account</strong></td>
</tr>
<tr>
<td width="71">Username</td>
<td width="6">:</td>
<td width="301"><input name="name" type="text" id="name"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="lastname" type="password" id="lastname"></td>
</tr>
<tr>
<td>Please Retype Password</td>
<td>:</td>
<td><input name="lastname_c" type="password" id="lastname_c"></td>
</tr>
<tr>
<td colspan="3" align="center"><input type="submit" name="Submit" value="Submit"></td>
</tr>
</table>
</form></td>
</tr>
</table>

And this is the file it links to:

PHP: Select all

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<?php
include('pg_config.php');
$tbl_name="members"; // Table name 
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
// Get values from form 
$name=$_POST['name'];
$lastname=$_POST['lastname'];
$lastname_c=$_POST['lastname_c'];
$encrypt_password=md5($password);
if ($lastname==$lastname_c) {
// Insert data into mysql 
$sql="INSERT INTO $tbl_name(username, password)VALUES('$name', '$encrypt_password')";
$result=mysql_query($sql);
}
// if successfully insert data into database, displays message "Successful". 
if($result){
echo "Successful";
echo "<BR>";
echo "<a href='pg_install.php'>Back to main page</a>";
}
else {
echo "ERROR";
}
// close connection 
mysql_close();
?>
</body>
</html>

------------------------

When I added a user it all went fine. I did a username of 'admin', and password of 'test'.

Then, I tried to log in. Log In page:

Code: Select all

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="pg_check_login.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="password" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

And the php:

PHP: Select all

<?php
ob_start();
include('../pg_config.php');
$tbl_name="members";
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
// encrypt password 
$encrypted_mypassword=md5($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("location:pg_login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>

All SEEMS ok, no errors. But I just get the message 'Wrong Username or Password'. Can anyone see where I am going wrong?

Thanks!

jack

[Marc]

No. For when a user is logging in, you must select the username with the password e.g.

Quote:

SELECT username FROM $tbl_name WHERE password='$encrypted_mypassword'

then you should check the username (selected from the DB a moment ago) against the password given.. do you get me??

[Rakuli]

I would disagree with Mark on his point.. There is no need to bring the password into PHP at all...

If you have stored the password in its encrypted form in the MySQL database it is simple a matter of comparing the user name and password at the same time.

In your database, do you actually have the password encrypted? If you do, have you made sure that the column is "var_char(32)"..

MD5 returns a 32 character string so if the database doesn't have enough space it will truncate it and the passwords won't match.

[Jack Franklin]

The password field is varchar(65). Is that ok?

So, is my code fine? I'm going to try again just to make sure I did enter a password of test!

No luck, just says wrong username or password.

I then tryed entering the 32character encrypted password in the login page, but still no luck.

[Rakuli]

Can you show me how you're entering the details into the database, do you have a script that does this?

[Jack Franklin]

The user enters the details in this lovely form:

Code: Select all

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1">
<tr>
<td bordercolor="#000000" bgcolor="#FFFFFF"><form action="pg_insert_admin.php" method="post" name="form1" class="style1">
<table width="100%" border="0" cellspacing="1" cellpadding="3">
<tr>
<td colspan="3"><strong>Add the Administrator Account</strong></td>
</tr>
<tr>
<td width="71">Username</td>
<td width="6">:</td>
<td width="301"><input name="name" type="text" id="name"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="lastname" type="password" id="lastname"></td>
</tr>
<tr>
<td>Please Retype Password</td>
<td>:</td>
<td><input name="lastname_c" type="password" id="lastname_c"></td>
</tr>
<tr>
<td colspan="3" align="center"><input type="submit" name="Submit" value="Submit"></td>
</tr>
</table>
</form></td>
</tr>
</table>

and then it is processed using this PHP:

PHP: Select all

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<?php
include('pg_config.php');
$tbl_name="members"; // Table name 
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
// Get values from form 
$name=$_POST['name'];
$lastname=$_POST['lastname'];
$lastname_c=$_POST['lastname_c'];
$encrypt_password=md5($password);
if ($lastname==$lastname_c) {
// Insert data into mysql 
$sql="INSERT INTO $tbl_name(username, password)VALUES('$name', '$encrypt_password')";
$result=mysql_query($sql);
}
// if successfully insert data into database, displays message "Successful". 
if($result){
echo "Successful";
echo "<BR>";
echo "<a href='pg_install.php'>Back to main page</a>";
}
else {
echo '<h3>Error. It is more than likely that you didn\'t enter your password correctly both times. Go back and try again!</h3>';
}
// close connection 
mysql_close();
?>
</body>
</html>

[Rakuli]

Okay, I don't see any glaring errors in either code snippets..

In your login script try changing the encryption line to:

PHP: Select all

$encrypted_mypassword= mysql_real_escape_string(md5($mypassword)); 

change the query line

PHP: Select all

$result=mysql_query($sql) or die(mysql_error()); 

to see if there is anything wrong with the query itself.

[Jack Franklin]

Rakuli, Thanks for your help so far

I changed it, so the code is now like this:

PHP: Select all

<?php
include('../pg_config.php');
$tbl_name="members";
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from signup form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
// encrypt password 
$encrypted_password=mysql_real_escape_string(md5($mypassword)); 

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_password'";
$result=mysql_query($sql) or die(mysql_error()); 
 

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("$myusername");
session_register("$mypassword"); 
header("location:pg_login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

But I recieved an error:
Parse error: syntax error, unexpected T_STRING in C:\xampp\htdocs\Dolphin CMS\pg_administration\pg_check_login.php on line 19

I cannot quite see where I am going wrong.

[Rakuli]

Which is line 19? This is a sytax error -- usually means that there is a missing semi colon or quotes not closed.. I can't seem to see it though.

[Jack Franklin]

Line 19:

PHP: Select all

$result=mysql_query($sql) or die(mysql_error()); 

I am fairly new to this, but I cannot see anything wrong with it!

[Rakuli]

Try replacing it with

PHP: Select all

if (!$result=mysql_query($sql))

   die (mysql_error()); 

Seems odd, I have used that type of code many many times... seems to be treating the "or" as a misplaced string...

[Jack Franklin]

Ok no error now. It just saids 'Wrong Username or Password'.

[Rakuli]

Hmmm.. interesting..

Have you tried removing the encryption from this file and just checking password against password?

Copy the password from mysql and paste it into the text box, then remove the MD5 from the login file and see if you get a match that way

[alexgeek]

Maybe it's the data that's already in there.
If you have PHPmyadmin add a new user with this info:
username: user
password: 5f4dcc3b5aa765d61d8327deb882cf99 (it's just "password" md5()'d).

And try logging in with user/password.

[Jack Franklin]

Thanks guys, no luck! I found a new tutorial, however, and followed it, and this one is working. So it will remain a mystery!

Thanks for the help though