Further assistance on PHP login script required

[Transentient]

After alot of help from those on this an other forums, i have been able to create a login and registration scripts, that work well.

However i have one question and one problem to resolve.

Question is: all the login and registration scripts i have seen all have MD5 encryption for the password transmission for registering or login. I have heard that MD5 is not as secure as it once was, would say SHA1 or 2 be more appropriate, or am I being over cautious with what is only a personal project?

Problem to solve is: Registering works well, password is encrypted and appears in the database table in its encrypted form. But when I use the login in keeps re-directing me to my login failure screen, even though the login is correct.

The login code is set to pass the password for validation in the encrypted form, it seems as the password is being rejected as it is not matching the encrypted one in the table?

any help, as always would be gratefully recieved.

Thanks in advance

[traq]

Please post the problematic script so we can check it out.

[Transentient]

As requested the login script with the problem, the registration script works fine, the login form works fine, the invalid login page works fine, just the login script has a problem, even when the correct password and username combination are used.

PHP]<?php
//Start session
session_start();

//Include database connection details
require_once('config.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}

//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);

//Input Validations
if($login == '') {
$errmsg_arr[] = 'Login ID missing';
$errflag = true;
}
if($password == '') {
$errmsg_arr[] = 'Password missing';
$errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
session_write_close();
header("location: login-form.php");
exit();
}

//Create query
$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
$_SESSION['SESS_LAST_NAME'] = $member['lastname'];
session_write_close();
header("location: member-index.php");
exit();
}else {
//Login failed
header("location: login-failed.php");
exit();
}
}else {
die("Query failed");
}
?>[/PHP]

Thanks for any help

[traq]

nothing obvious. do this:

PHP Code:

print md5($_POST['password']); 


and compare the result to the database record.

[Transentient]

Thanks for the suggestion.

tried the code, but I get nothing displayed, should i be inserting the code in the code that process the login or on the login failure page? Tried both, nothing is displayed?

Thanks

[traq]

on the page that receives/ processes the form. Try putting it up near the beginning, like just after your session_start() call.

However, you've obviously done something else wrong: and md5 hash is always a 32-character hexadecimal string -even the hash of an empty or null value. Wherever you put that line of code, it was not executed.