selecting encrypted passwords <-Pictures!

[sporkit]

well ive been using my "dawg" K Yank's login script for quite a while now. I decided that it was time to take the next big step forward with my new site.

the first thing i wanted to do was integrate the users from a new forum i found at http://www.punbb.org/ with the rest of my site. the problem is that i dont think im pulling the password fields from the punbb board database correctly.

im thinking users could signup at my forum then get access to other parts of my site with that same username and password if i can pull the login information correctly with my script.

here is an example page they could see call protectedpage.php.

PHP Code:

<?php include 'accesscontrol2.php'; ?>
<!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
  "[url=http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd]http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd[/url]">
<html xmlns="[url=http://www.w3.org/1999/xhtml]http://www.w3.org/1999/xhtml[/url]">
<head>
  <title> Members-Only Page </title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
</head>
<body>
<p>Welcome, <?=$username?>! You have entered a members-only area
   of the site. Don't you feel special?</p>
</body>
</html>

the included file from protectedpage.php, is accesscontrol2.php

PHP Code:

<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';
session_start();
$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
if(!isset($uid)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "[url=http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd]http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd[/url]">
  <html xmlns="[url=http://www.w3.org/1999/xhtml]http://www.w3.org/1999/xhtml[/url]">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are
     not a registered user, <a href="signup.php">click here</a>
     to sign up for instant access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="uid" size="8" /><br />
    Password: <input type="password" name="pwd" SIZE="8" /><br />
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  
  exit;
}
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;
dbConnect("f8_thug");
$sql = "SELECT * FROM forum_users WHERE
        username = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact [email=you@example.com.']you@example.com.'[/email]);
}
if (mysql_num_rows($result) == 0) {
  unset($_SESSION['uid']);
  unset($_SESSION['pwd']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "[url=http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd]http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd[/url]">
  <html xmlns="[url=http://www.w3.org/1999/xhtml]http://www.w3.org/1999/xhtml[/url]">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SESSION['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}
$username = mysql_result($result,0,'fullname');
?>

i think this code from the page dispalyed above

PHP Code:

dbConnect("f8_thug");
$sql = "SELECT * FROM forum_users WHERE
        username = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact [email=you@example.com.']you@example.com.'[/email]);
} 


is trying to pull data from the punbb board database that looks like this.

http://www.sporkit.com/misc_links/database1.jpg
http://www.sporkit.com/misc_links/database2.jpg


however i was just pulling the code from this old database in a table called user just fine.

http://www.sporkit.com/misc_links/database3.jpg

im thinking that its this select statement in accesscontrol2.php thats throwing me off.

PHP Code:

dbConnect("f8_thug");
$sql = "SELECT * FROM forum_users WHERE
        username = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact [email=you@example.com.']you@example.com.'[/email]);
} 


maybe its an encryption thingy?

the only difference i noticed between the old table user and the new table from the forum im trying to use is the password fields are 16 and the other 32. not sure if that would make a differance.

anyway, if you have some suggestion i would love to hear them. i also hope i didnt scare anybody away with all the information i posed (not sure if thats a good thing ).

ill probably be messing with it till then.

thanks everybody!

[lieut_data]

This may be the problem -- PASSWORD is a reserved term for MySQL's management of its own internal passwords. You will most likely want to replace this function with MD5, the likely equivalent in use on your forum.

Cheers!

[sporkit]

This may be the problem -- PASSWORD is a reserved term for MySQL's management of its own internal passwords. You will most likely want to replace this function with MD5, the likely equivalent in use on your forum.

Cheers!

i knew it! i did a search on this forum to see how to use the md5 thingy but didnt find much. i also checked the php.net site without much luck. do you know where i could find info on this or mabey how it should look?

[lieut_data]

See MySQL Manual for more information -- but really, it should be as simple as replacing PASSWORD w/ MD5

Cheers!

[sporkit]

darnit! haha! how disappointing i spent a long time putting this post together!

oh well at least it works. thanks man.