authentication problem 1

[hex6007]

Hi,

i have this problem with my login authentication. it cannot match the password from the database table field password to the input password in the login form.

I used the md5 encryption.Please help me solve this...


The Index page:

<?php
session_start();
$page = 'index';

include_once('inc/inc.header.php');

$m = $_GET['module'];

include_once('inc/inc.menu.php');

echo '<div>';

switch($m){
case "login":
include_once('mod/authenticate.php');
break;
case "logout":
include_once('lib/logoff.php');
break;
default:
echo 'Log in first...';
}

echo '</div>';

include_once('inc/inc.footer.php');
?>


The Authenticate page:

<?php
session_start();
$page='authenticate';

include_once('inc/inc.config.db.auth.php');
include_once('lib/functions.php');

$error = 0;

echo 'User Authentication';

if (isset($_POST['submit'])){

$usernm = $_POST['username'];
$passwd = $_POST['password'];

// not full proof but an extra layer of protection from external posting
if ((left($_SERVER['HTTP_REFERER'],7,5)) == (left('

http://'.$_SERVER

['HTTP_HOST'],7,5))) {

// step 1: check if user exists
$User = CheckUser($usernm, $passwd);
}
else {
// redirect
$error = 1;
session_destroy();
}

}
?>

<form name="frmLogin" method="post" action="<? $PHP_SELF; ?>">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="passwd"></td>
</tr>
<tr>
<td colspan="2">
<input type="submit" name="submit" value="Login">
</td>
</tr>
</table>
</form>

*** the function CheckUser i used
function CheckUser($usernm, $passwd){

/* Verify if user exist in the database */
$query1 = "Select username,password from users where username = '$usernm'" ;
$query = mssql_query($query1);

/* Retrieve password */
$fetch = mssql_fetch_array($query);

/* Validate if password is correct*/
$passen = md5($pass);
if ($fetch['password']==$passen){
echo "password match";
}
/*else{
echo '<br><strong>'."Invalid Username and Password".'</strong>';
} */

}

 

[jpadie]

Your variables are muddled in the final function. You pass in a variable called $passwd and then refer to it as $pass in the md5 line

 

[hex6007]

Thanks. I tried changing it but still doesnt work. but if i dont integrate in the index page it works.

 

[ingresman]

to cut a long story short....
Put some echo's in your code to show:
1. The user name an password passed in
2. the md5 from that password
3. the md5 from the record in the database representing the user.
4. The user name from the database (so we can see if you actualy retreved the correct user from the database.

 

[southbeach]

I'll be curious to know if the data in the DB is in the same case type as the input data. I do not know if this matters when using MD5 encryption (I have never used it and nothing about it ...).



--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.

 

[ingresman]

southbeach.
MD5 is just a hash of the input parameter. It always generates 32 byte string as it's output. It's usual to add a secret salt to the input parameter to stop people generatign the hash value e.g rather than md5($password) use md5($password . "my secret and unguessable phrase");

It's a valid point about case so we await the details I asked for. JPaddie pointed out flaws in the code and looking at it it has an else clause commeted out so it might just be some oddness in the way the code is structured.

 

[southbeach]

ingresman,

Thanks for the explanation about md5(), as I send this message, I am heading to php.net to learn more. It sure looks like something one should employ when validating user credentials.

I specially like the idea of appending your own "secret salt".

Thanks!


--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.