Jump to content
xisto Community
Sign in to follow this  
HmmZ

Need Help...again............ Authentication -_-

Recommended Posts

Ok, vizskywalker was finally able to solve the problem with my registration, but when I tried to login with my testaccount, it just continuously give me the "wrong username/password" error, i registered a new account and tried again, but still fails...

 

here's the authentication page...:

<?php $user = $_POST['username'];$pass = $_POST['password'];$user=strip_tags($user);$pass=strip_tags($pass);$user=str_replace(" ","",$user);$pass=str_replace(" ","",$pass);$user=str_replace("%20","",$user);$pass=str_replace("%20","",$pass);$user=addslashes($user);$pass=addslashes($pass);$conn = mysql_connect("localhost","***","***");mysql_select_db("***");$pass=md5($pass);$request = "SELECT * FROM go_logintable WHERE password='$pass' AND username='$user'";$results = mysql_query("$request",$conn);if(mysql_num_rows($results)==0){	echo "Username/Password Incorrect";	$_SESSION['auth'] = false;}else{	echo "Succesfully logged in";	$_SESSION['user'] = $user;	$_SESSION['auth'] = true;}?>
I don't know if it matters, but the registration also uses $password=md5($password), so the password is already encoded, like i said, i dont know if that matters.

 

also, since the error i get is displayed with

if(mysql_num_rows($results)==0)
maybe the problem is there..

 

 

[And again...sorry im bugging you guys..again :)]

Share this post


Link to post
Share on other sites

It does matter. Unless you can hash strings in MD5 in your head, I'm assuming you are entering your password in plain-text - so basically, the plain-text password is going to be compared to the hashed password, meaning they won't match.

Try using:

$pass = md5($pass);
(assuming you haven't used a custom salt) after '$pass=addslashes($pass);'.

Also, just a tip - where possible, use a single quote instead of a double quote, as it is quicker and less memory intensive. Strings within double quotes are checked for variables, escape characters, special formatting etc, so it takes longer to process. You could also use urldecode() instead of checking for '%20'.

For example:
$user = urldecode($user);$pass = urldecode($pass);$user=str_replace(' ','',$user);$pass=str_replace(' ','',$pass);

Oh, and you want to be careful when passing user-entered values directly to a MySQL query. It can create all sorts of problems of the security kind.

Share this post


Link to post
Share on other sites

That it is to say, it's better to use single quotes if you can. There are obviously many situations in which the alternative is required.

 

(We need an edit button.)

Share this post


Link to post
Share on other sites

I ám using that code ($pass=md($pass):) look again :)

What I meant, was that with the registration, the password will come hashed into the table, and I thought with the login it would then require to insert the hashed password (a whole different password then the user wanted..), so basically, im using the md5 in the registration ánd with the login, and theres where my question earlier comes in, does thát matter?

and could you tell me what a custom salt is?
I've heard about it before, but i don't know what people mean by that ;)

and thanks for the tip on single quotes and the urldecode()

Oh, and you want to be careful when passing user-entered values directly to a MySQL query. It can create all sorts of problems of the security kind.

??Their values go through some stripping first don't they? Once stripped and secured from sql injection, then the values are send through a query, so why wouldn't this be secure? B)

Share this post


Link to post
Share on other sites

Heh, I didn't notice the MD5 hashing. My apologies.

 

It goes through some stripping, but certainly not enough to be considered secure.

 

A 'salt' is bascially just a random generation used in conjunction with the cipher key, essentially causing the end result to be harder to break. If you are using the md5() function alone, then you shouldn't need to worry about it.

 

I not 100% sure what you're asking in regard to comparing hashed values. If you encrypt the password entered in registration and then store that encrypted value in the database, then yes, you need to encrypt it again when entered during login for comparison. The password entered by the user will obviously not be in an encrypted form, so you can't compare a raw value against an encrypted value and come out positive. I think that's what you're asking about.

 

Because there are no visible errors in the script shown here, I am going to assume that the problem lies either in the registration script, or your database structure. Try looking into both of these.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.