password problems 2

PaulFynch

IS-IT--Management
May 23, 2002
105
CA
hello all.....
having problems with an encrypted password, i know it is something simple and stupid, but i just can't see it

here is the code that is giving me trouble.....


switch (@$do)
{
case "login":
$connection = mysql_connect($host, $user,$password)
or die ("Couldn't connect to server.");
$db = mysql_select_db($database, $connection)
or die ("Couldn't select database.");

$sql = "SELECT memberid FROM Member
WHERE memberid='$fusername'";
$result = mysql_query($sql)
or die("Login name not found");
$num = mysql_num_rows($result);
if ($num == 1)
{
$sql = "SELECT memberid FROM Member WHERE memberid='$fusername'
AND password=password('$fpassword')";
$result2 = mysql_query($sql)
or die("Incorrect Password");
$num2 = mysql_num_rows($result2);
if ($num2 > 0)
{
$auth="yes";
$logname=$fusername;
$today = date("Y-m-d H:i:s"); // "i" is minutes; "m" would insert the month again
$sql = "INSERT INTO Login (memberid,loginTime)
VALUES ('$logname','$today')";
mysql_query($sql) or die("Can't execute query.");
header("Location: Member_page.php");
}
else // password is not correct
{
unset($do);
$message="The Login Name, '$fusername' exists,
but you have not entered the correct
password! Please try again.<br>";
include("login_form.inc");
}
} // 50
elseif ($num == 0).......



it is returning the last message "the loginname, 'soandso' exists, but you have not entered the correct password......"

now i have the correct password in the database, and the password entered into the database was encrypted, but i still get that error. a little help would be awesome
thanks so much
paul
 
i am using the mysql password() function to enter the password into the database. i assumed that if i used the same function to pull it out, the encryption would be the same....
regards
paul
 
If you used MySQL's password() function to enter the password, then using MySQL's password() function will match the value.

Just to ask the dumb question, have you examined the string in $sql and verified it is what you expect it to be?
______________________________________________________________________
TANSTAAFL!
 
i returned $sql to the page and got

SELECT memberid FROM Member WHERE memberid='jo' AND password=password('jo')


jo and jo are the user and pass i entered into the db using my registration form ...

INSERT INTO Member (memberid,createDate,password,......
VALUES('$newname','$today',password('$newpass'),......


i have returned the value of '$num2' and it is always '0'. so i changed the code to say if ($num2 = 0) instead of if ($num2 > 0) and the code still doesn't work.....
it returns the same error
i am stumped
 
If you hand that query string to whatever MySQL admin tool you're using, does it return any rows?
______________________________________________________________________
TANSTAAFL!
 
i am using mysql monitor at the command prompt
at the prompt i enter
mysql> SELECT memberid FROM member WHERE memberid='jo' AND password=password('jo');
Empty Set (0.00sec)


hope that's what you meant. although, that query should have worked.....that's why i am scratching my head....is there a setting for the encryption in mysql.ini or something?
paul
 
In your mysql monitor program, issue the queries:

select password('jo');

And

select password from members where memberid = 'jo';


Do the two values look the same?
______________________________________________________________________
TANSTAAFL!
 
here are the results.....*interesting*

select password('jo'); = '077C2b6f492637cd

And

select password from members where memberid = 'jo'; = '077C2b6f'


hmmmmm....
what do i do from here/what happened?
thanks
paul
 
The width of column password isn't wide enough, and MySQL is truncating.

Alter your table to widen out that column to at least 16 characters, then reinsert the password.
______________________________________________________________________
TANSTAAFL!
 
dude!!! i would give you 2 stars if i could
You flippin rock! i have been smakin my head all bloody day
thankx so much!
(a very happy)paul
 
I'm getting the same error as well. I ran the same queries as above and get the following output. My varchar length is set for 255. With the first query, I'm returned the password unencrypted, with the second it's returned encrypted...I've tried entering the password both plain text and encrypted in my form and still no joy. Any suggestions? Thanks from the obvious newbie!



SELECT password FROM login
where loginName = 'tfreeman' =password bux


SELECT password( 'tfreeman' ) =password('tfreeman')
0efd8d9c2edcd25c

--------------------------------------------------


<?php
/* Program: Login.php
Desc: Login program to provide access to the TT app. for existing users.
*/
session_start();
session_register('auth');
session_register('logname');
include("connect.inc");
switch (@$do)
{
case "login":
$connection = mysql_connect($host, $user,$password)
or die ("Couldn't connect to server.");
$db = mysql_select_db($database, $connection)
or die ("Couldn't select database.");
$sql = "SELECT loginName FROM login
WHERE loginName = '$fusername'";
$result = mysql_query($sql) or die ("Couldn't execute query.");
$num = mysql_num_rows($result);
if ($num == 1) // login name was found
{
$sql = "SELECT loginName FROM login
WHERE loginName = '$fusername'
AND password=password('$fpassword')";
$result2 = mysql_query($sql)
or die("Couldn't execute query.");
$num2 = mysql_num_rows($result2);
if ($num2 > 0) // password is correct
{
$auth="yes";
$logname=$fusername;
$today = date("y-m-d H:i:s"); // "i" is minutes; "m" would insert the month again
$sql = "INSERT INTO user_logins (loginName,loginTime)
VALUES ('$logname','$today')";
mysql_query($sql) or die ("Can't execute query.");
header("Location: tt.php");
}
else // password is not correct
{
unset($do);
$message="Please try password again.<br>";
include("login_form.inc");
}
}
elseif ($num == 0) // login name not found
{
unset ($do);
$message = "The Login Name, '$fusername' exists, Please try password again<br>";
include ("login_form.inc");
}
break;

default;
include ("login_form.inc");
}
?>

 
Hi

I have been placing passwords into mysql database encrypted but I am having trouble retrieving it back as plain text.

I used password() to place the information into the database.

I understand that I can match the information but I would like to be able to send the information direct to a user in the event that they lose it. So they can enter their email account for example and submit this with an automated response sent to their email as per the database.

Your assistance is appreciated
 
Telfie,

MySQL's password() function does not encrypt passwords -- it hashes them. There is no way to transform the data stored in the database to plaintext. This is a feature, not a bug.

I can think of two ways to be able to send the password to a user:
  • store the password as plaintext
  • use PHP's mcrypt functions to encrypt the data using a reversible encryption system


benzito,

Typically, what you want to do is hash the data as you place it into the database, then test the data to validate user-presented credentials.

Assume that the user authentication table is called "users", with the column "username" containing user names, and the column "userpassword" containing user passwords. If your code is presented with the username of "foo" and a password of "bar", a classic query is:

SELECT count(username) FROM users WHERE username = 'foo' and userpassword = password('bar')

All you are doing is trying to see whether a set of user credentials matching the one you were presented exists.
______________________________________________________________________
TANSTAAFL!
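
A present-day form of the credential check described above, as an added example that is not part of the original posts: MySQL 8.0 removed PASSWORD() and PHP 7 removed the mysql_* functions, so this example hashes in PHP with password_hash(), binds parameters instead of interpolating them, and flags a stored hash that has been cut short, the failure diagnosed earlier in the thread. It assumes PDO with an in-memory SQLite database standing in for MySQL; the table layout follows the "users" example, and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for MySQL (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The PHP manual recommends a 255-character column so that no hash is ever cut short.
$pdo->exec('CREATE TABLE users (username VARCHAR(64) PRIMARY KEY, userpassword VARCHAR(255) NOT NULL)');

function add_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, userpassword) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns 'ok', 'bad-credentials', or 'corrupt-hash' (the stored value is not a complete hash).
function check_login(PDO $pdo, string $username, string $password): string
{
    // Bound parameters keep user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT userpassword FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return 'bad-credentials'; // same answer for unknown user and wrong password
    }
    // A truncated hash no longer parses as any algorithm PHP knows.
    if (empty(password_get_info($stored)['algo'])) {
        return 'corrupt-hash';
    }
    return password_verify($password, $stored) ? 'ok' : 'bad-credentials';
}

add_user($pdo, 'foo', 'bar');
echo check_login($pdo, 'foo', 'bar'), "\n";   // correct password
echo check_login($pdo, 'foo', 'wrong'), "\n"; // wrong password

// Constructed failure: imitate a column that is too narrow by cutting the stored hash to 16 characters.
$pdo->exec("UPDATE users SET userpassword = substr(userpassword, 1, 16) WHERE username = 'foo'");
echo check_login($pdo, 'foo', 'bar'), "\n";   // correct password against the truncated hash
```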
 
Thanks Sleipnir214

Thanks for your response. I guess I will just have to do as you suggest with mcrypt. Better check it is turned on the server.

Or find some other way to determine the right user and send them an email with a new password that they can change.

Thanks
Andrew Telford
 
Telfie,

One way is to store passwords as plaintext. I don't know whether this is possible with the security constraints of your application.

There are other routes to allowing your users to change their passwords without knowing the originals.

Your site can set the user's password to a known value and email that new password to the user. The email also contains a link to a page which allows the user to change his password. If you set up your site right, you can set the status of the user's record to force the user to perform this change before he can access anything else in your site. You don't have to decrypt passwords.

Another variation is to have a table which records user requests to blindly change passwords. Your site creates a complex string, something like a UUID, and enters that UUID and username into that table. The site then emails the link to the change page: complicated string> . When your user hits the page, it uses the string to see which user's record needs changing. A script records the change to the user record, then removes the string entry from the change request table. It would also be best if you had some mechanism which removed entries from the change request table after the entries have been there an arbitrary time.
______________________________________________________________________
TANSTAAFL!
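
The change-request table described above, as an added example that is not part of the original post: a random token goes out in the emailed link, only its hash is stored, and a request is removed on use or after it expires. It assumes PDO with an in-memory SQLite database standing in for MySQL; the table, column and function names, the one-hour lifetime and the link URL are hypothetical.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for MySQL;
// table, column and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, userpassword TEXT NOT NULL)');
$pdo->exec('CREATE TABLE password_change_requests
            (token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, expires_at INTEGER NOT NULL)');

const RESET_TTL_SECONDS = 3600; // assumed lifetime of a change request

// Records a change request and returns the token to place in the emailed link.
function create_change_request(PDO $pdo, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32)); // unguessable, from the system CSPRNG
    // Only a hash of the token is stored, so a leaked table cannot be replayed as links.
    $stmt = $pdo->prepare('INSERT INTO password_change_requests VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $username, $now + RESET_TTL_SECONDS]);
    return $token;
}

// Changes the password if the token is known and unexpired, then removes the request.
function redeem_change_request(PDO $pdo, string $token, string $newPassword, int $now): bool
{
    // Housekeeping: drop requests that have outlived their lifetime.
    $pdo->prepare('DELETE FROM password_change_requests WHERE expires_at <= ?')->execute([$now]);
    $hash = hash('sha256', $token);
    $find = $pdo->prepare('SELECT username FROM password_change_requests WHERE token_hash = ?');
    $find->execute([$hash]);
    $username = $find->fetchColumn();
    if ($username === false) {
        return false; // unknown, expired or already used
    }
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE users SET userpassword = ? WHERE username = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
    $pdo->prepare('DELETE FROM password_change_requests WHERE token_hash = ?')->execute([$hash]);
    $pdo->commit();
    return true;
}

$pdo->prepare('INSERT INTO users VALUES (?, ?)')->execute(['foo', password_hash('old', PASSWORD_DEFAULT)]);
$t0 = time();
$token = create_change_request($pdo, 'foo', $t0);
echo "link: https://example.invalid/change.php?token=$token\n"; // placeholder URL
var_dump(redeem_change_request($pdo, $token, 'new-secret', $t0 + 60)); // first use
var_dump(redeem_change_request($pdo, $token, 'again', $t0 + 120));     // same token reused
$late = create_change_request($pdo, 'foo', $t0);
var_dump(redeem_change_request($pdo, $late, 'too-late', $t0 + RESET_TTL_SECONDS + 1)); // after expiry
```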
 
You could also use MySQL's ENCRYPT and DECRYPT functions. These are what I use. //Daniel
 
Thank you Sleipnir and Daniel

We currently store passwords in plain text but would prefer not to do so. We will try both suggestions depending upon the capabilities of the server.

Thinking about it, it would be better to not be able to decrypt and just get the user to change passwords.

Thanks again to both
Andrew Telford
 