HmmZ
Mar 29 2005, 10:00 PM
Ok, vizskywalker was finally able to solve the problem with my registration, but when I tried to login with my test account, it just continuously gives me the "wrong username/password" error. I registered a new account and tried again, but it still fails... here's the authentication page:

CODE
<?php
$user = $_POST['username']; $pass = $_POST['password'];
$user=strip_tags($user); $pass=strip_tags($pass);
$user=str_replace(" ","",$user); $pass=str_replace(" ","",$pass);
$user=str_replace("%20","",$user); $pass=str_replace("%20","",$pass);
$user=addslashes($user); $pass=addslashes($pass);
$conn = mysql_connect("localhost","***","***");
mysql_select_db("***");
$pass=md5($pass);
$request = "SELECT * FROM go_logintable WHERE password='$pass' AND username='$user'";
$results = mysql_query("$request",$conn);
if(mysql_num_rows($results)==0) {
    echo "Username/Password Incorrect";
    $_SESSION['auth'] = false;
} else {
    echo "Succesfully logged in";
    $_SESSION['user'] = $user;
    $_SESSION['auth'] = true;
}
?>

I don't know if it matters, but the registration also uses $password=md5($password), so the password is already encoded. Like I said, I don't know if that matters. Also, since the error I get is displayed with

CODE
if(mysql_num_rows($results)==0)

maybe the problem is there.. [And again...sorry I'm bugging you guys..again ]
Reply
Spectre
Mar 30 2005, 11:33 AM
It does matter. Unless you can hash strings in MD5 in your head, I'm assuming you are entering your password in plain-text - so basically, the plain-text password is going to be compared to the hashed password, meaning they won't match. Try using:

CODE
$pass = md5($pass);

(assuming you haven't used a custom salt) after '$pass=addslashes($pass);'.

Also, just a tip - where possible, use a single quote instead of a double quote, as it is quicker and less memory intensive. Strings within double quotes are checked for variables, escape characters, special formatting etc, so it takes longer to process. You could also use urldecode() instead of checking for '%20'. For example:

CODE
$user = urldecode($user);
$pass = urldecode($pass);
$user=str_replace(' ','',$user);
$pass=str_replace(' ','',$pass);

Oh, and you want to be careful when passing user-entered values directly to a MySQL query. It can create all sorts of problems of the security kind.
Reply
Spectre
Mar 30 2005, 11:36 AM
That is to say, it's better to use single quotes if you can. There are obviously many situations in which the alternative is required. (We need an edit button.)
Reply
HmmZ
Mar 30 2005, 11:52 AM
I am using that code ($pass=md5($pass)), look again. What I meant was that with the registration, the password will come hashed into the table, and I thought with the login it would then require to insert the hashed password (a whole different password than the user wanted..), so basically, I'm using the md5 in the registration and with the login, and there's where my question earlier comes in, does that matter?

And could you tell me what a custom salt is? I've heard about it before, but I don't know what people mean by that. And thanks for the tip on single quotes and the urldecode().

QUOTE
Oh, and you want to be careful when passing user-entered values directly to a MySQL query. It can create all sorts of problems of the security kind.

?? Their values go through some stripping first, don't they? Once stripped and secured from SQL injection, then the values are sent through a query, so why wouldn't this be secure?
Reply
Spectre
Mar 30 2005, 12:30 PM
Heh, I didn't notice the MD5 hashing. My apologies.

It goes through some stripping, but certainly not enough to be considered secure.

A 'salt' is basically just a random generation used in conjunction with the cipher key, essentially causing the end result to be harder to break. If you are using the md5() function alone, then you shouldn't need to worry about it.

I'm not 100% sure what you're asking in regard to comparing hashed values. If you encrypt the password entered in registration and then store that encrypted value in the database, then yes, you need to encrypt it again when entered during login for comparison. The password entered by the user will obviously not be in an encrypted form, so you can't compare a raw value against an encrypted value and come out positive. I think that's what you're asking about.

Because there are no visible errors in the script shown here, I am going to assume that the problem lies either in the registration script, or your database structure. Try looking into both of these.
Reply
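The login check discussed in this thread, rewritten with bound parameters and per-password salted hashing, as an added example that is not code from any poster. It assumes PHP 5.5+ with the pdo_sqlite extension; the in-memory SQLite table, the function names register_user() and check_login(), and the sample accounts are constructed stand-ins for the MySQL go_logintable.

```php
<?php
// Added example, not the poster's code. Assumes PHP 5.5+ with pdo_sqlite;
// an in-memory SQLite table stands in for the MySQL go_logintable.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE go_logintable (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration: password_hash() generates a random salt for every password and
// stores it inside the returned string, so the column must be wide enough to
// hold the whole value (VARCHAR(255) is the usual choice in MySQL).
function register_user(PDO $db, $user, $pass)
{
    $stmt = $db->prepare('INSERT INTO go_logintable (username, password) VALUES (?, ?)');
    $stmt->execute(array($user, password_hash($pass, PASSWORD_DEFAULT)));
}

// Login: the username is sent as a bound parameter, never pasted into the SQL
// text, so no addslashes() is needed. The password is not stripped or rewritten,
// so what gets verified is exactly what was typed at registration.
function check_login(PDO $db, $user, $pass)
{
    $stmt = $db->prepare('SELECT password FROM go_logintable WHERE username = ?');
    $stmt->execute(array($user));
    $stored = $stmt->fetchColumn();   // false when no row matched
    return $stored !== false && password_verify($pass, $stored);
}

// Constructed sample accounts and inputs.
register_user($db, 'testaccount', 'correct horse');
register_user($db, "o'brien", 'correct horse');

// Same password twice, yet the stored values differ because the salts differ.
$hashes = $db->query('SELECT password FROM go_logintable')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);

var_dump(check_login($db, 'testaccount', 'correct horse')); // exact password
var_dump(check_login($db, 'testaccount', 'correcthorse'));  // the space is part of the password
var_dump(check_login($db, "o'brien", 'correct horse'));     // a quote in the input stays data
var_dump(check_login($db, 'nobody', 'correct horse'));      // unknown user, no row
```

In a real login page a successful check_login() would be followed by session_start() and the $_SESSION assignments from the original script.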
HmmZ
Mar 30 2005, 02:55 PM
I've sent you a PM, read and think about it please
Reply