mysql/php login page

[dagoat10]

I am wondering if i can create a login in page using php to log in to a mysql database. Because if the user name is in the user table in the mysql database then i just need to be able to match the password which is encrypted, but i can decrypt the password. I have used a number of ways to decrypt it but no success. I have php 4.1.2, so that limits what i can try. Any ideas?

 

[jpadie]

sure. don't see why not. it doesn't seem very efficient though.

 

[dagoat10]

well only thing that seems to work for my version is base64_encode and base64_decode.

 

[jpadie]

I'm lost. what has base64_encode/decode got to do with logging in to a php site or to a mysql database?

perhaps it might be better for you to take two steps back and explain the problem you are trying to overcome and why you are having troubles.

 

[dagoat10]

ok, i am trying to login to a mysql database using input from a php form, but when i try it says access denied.

in other words the user name and password i send to the mysql database is from the form input.

i pull the user name and password from the post variables and then send them through a query like this:

$sql="SELECT * FROM user WHERE User='$myusername' and Password='$mypassword'";

my main problem is that when it compares the password variable with the one from user input, it fails due to the password it is checking is encrypted and i can't use decode(), or encode() because the php version is 4.1.2 the only functions that it allows me to use are crypt() and md5(). I just need to know how to compare the encrypted password with the user input because i can't decrypt the password.

 

[jpadie]

again, this does not seem like a good idea. perhaps phpmyadmin might be a better tool.

but anyway I assume you are querying the user table having connected to the database server with root privileges. in which case use the following query

<?php
$sql = "select count(*) as `count` from user where `User`='%s' and `Password`=password('%s')";
$sql = vsprintf(  	$sql, 
					array(  
							mysql_real_estate_string($myusername), 
							mysql_real_estate($mypassword)
						)
				);
$result = mysql_query($sql);
$row = mysql_fetch_assoc($result);
if ($row['count'] == 1) {
	//ok
}
?>

 

[frumpus]

If I'm understanding what you want to do correctly, you don't need to decrypt anything. I have a table with user logins with a CHAR(100) password field.

When I am setting a password, I encrypt it with SHA1 like this:

UPDATE USER_LOGIN SET PASSWORD = SHA1('$password') WHERE USERNAME = '$username'

When a user is logging in, you can just encrypt the password they type, and compare the encrypted strings. Like this:

SELECT * FROM USER_LOGIN WHERE USERNAME = '$username' AND PASSWORD = SHA1('$password')

This way there is no need to decrypt the password.

 

[jpadie]

@frumpus

the OP is trying to use the built in mysql user table to authenticate users.

you are correct that a separate user table within a database (rather than at the system level) is a more usual solution.

 

[frumpus]

In that case i would think you just pass the password in the mysql_connect function instead of trying to do it manually.

$con = mysql_connect($dbHostname,$dbUsername,$password)

right?

 

[jpadie]

that would tell you whether the person has the right to access a particular database. not whether the person's user name and password were stored at the system level.

that might be enough. we don't know.

 

[dagoat10]

ok thanks