Thread: Further assistance on PHP login script required

  1. #1

    After a lot of help from those on this and other forums, I have been able to create login and registration scripts that work well.

    However, I have one question and one problem to resolve.

    Question is: all the login and registration scripts I have seen have MD5 encryption for the password transmission for registering or login. I have heard that MD5 is not as secure as it once was; would, say, SHA1 or 2 be more appropriate, or am I being overcautious with what is only a personal project?

    Problem to solve is: Registering works well, password is encrypted and appears in the database table in its encrypted form. But when I use the login it keeps redirecting me to my login failure screen, even though the login is correct.

    The login code is set to pass the password for validation in the encrypted form; it seems as if the password is being rejected as it is not matching the encrypted one in the table?

    Any help, as always, would be gratefully received.

    Thanks in advance

  2. #2

    Please post the problematic script so we can check it out.

  3. #3

    As requested the login script with the problem, the registration script works fine, the login form works fine, the invalid login page works fine, just the login script has a problem, even when the correct password and username combination are used.

    [PHP]<?php
    //Start session
    session_start();

    //Include database connection details
    require_once('config.php');

    //Array to store validation errors
    $errmsg_arr = array();

    //Validation error flag
    $errflag = false;

    //Connect to mysql server
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysql_select_db(DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    //Sanitize the POST values
    $login = clean($_POST['login']);
    $password = clean($_POST['password']);

    //Input Validations
    if($login == '') {
        $errmsg_arr[] = 'Login ID missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }

    //If there are input validations, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: login-form.php");
        exit();
    }

    //Create query
    $qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
    $result=mysql_query($qry);

    //Check whether the query was successful or not
    if($result) {
        if(mysql_num_rows($result) == 1) {
            //Login Successful
            session_regenerate_id();
            $member = mysql_fetch_assoc($result);
            $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
            $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
            $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
            session_write_close();
            header("location: member-index.php");
            exit();
        }else {
            //Login failed
            header("location: login-failed.php");
            exit();
        }
    }else {
        die("Query failed");
    }
    ?>[/PHP]

    Thanks for any help

  4. #4

    Nothing obvious. Do this:
    PHP Code:
    print md5($_POST['password']); 
    and compare the result to the database record.

  5. #5

    Thanks for the suggestion.

    Tried the code, but I get nothing displayed. Should I be inserting the code in the code that processes the login or on the login failure page? Tried both, nothing is displayed?

    Thanks

  6. #6

    On the page that receives/processes the form. Try putting it up near the beginning, like just after your session_start() call.

    However, you've obviously done something else wrong: an md5 hash is always a 32-character hexadecimal string - even the hash of an empty or null value. Wherever you put that line of code, it was not executed.
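
On the MD5-versus-SHA question in post #1 and the login check in post #3, an added example (not code from any poster in this thread): a fast unsalted digest of either family is unsuited to password storage, so this sketch verifies with PHP's password_hash()/password_verify() and a bound query parameter, and upgrades existing MD5 rows at login. It assumes PHP 7.1+ with PDO; the `verify_login()` name, the PDO handle and the in-memory SQLite demo data are hypothetical.

```php
<?php
// Added example. Table and column names follow the script in post #3;
// the PDO handle and the in-memory SQLite demo data are assumptions.

// Return the member row on a valid login, or null. Accepts legacy unsalted
// MD5 rows and replaces them with a password_hash() value on success.
function verify_login(PDO $pdo, string $login, string $password): ?array
{
    // Bound parameter: the login value is never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT * FROM members WHERE login = ?');
    $stmt->execute([$login]);
    $member = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($member === false) {
        return null;
    }

    $stored = $member['passwd'];
    $legacy = preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;

    // hash_equals() compares in constant time; password_verify() reads the
    // algorithm, cost and salt from the stored string itself.
    $ok = $legacy
        ? hash_equals(strtolower($stored), md5($password))
        : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }

    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $pdo->prepare('UPDATE members SET passwd = ? WHERE member_id = ?')
            ->execute([$new, $member['member_id']]);
    }
    return $member;
}

// Constructed demo: one legacy MD5 row (requires the pdo_sqlite extension).
// passwd is 255 wide so a salted hash is never truncated on insert.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (member_id INTEGER PRIMARY KEY, login TEXT, passwd VARCHAR(255))');
$pdo->prepare('INSERT INTO members (login, passwd) VALUES (?, ?)')
    ->execute(['alice', md5('constructed-password')]);

// A wrong password, then the right one, then the stored value after upgrade.
var_dump(verify_login($pdo, 'alice', 'wrong-password'));
var_dump(verify_login($pdo, 'alice', 'constructed-password')['member_id']);
var_dump($pdo->query('SELECT passwd FROM members')->fetchColumn());
```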
