  1. #1

    Comparing MYSQL password vs HTML form password

    Hi,

    I have placed a password in a MYSQL database using the function
    PASSWORD()

    I have a website which will take a password as part of a form and I need to compare against the one stored in MYSQL (A Login screen basically)

    The problem I have is the comparison always fails, as the data "password" is stored in two different formats:-

    MYSQL : password = 5d2e19393cc5ef67
    HTML FORM PASSWORD : password = 5f4dcc3b5aa765d61d8327deb882cf99

    Does anyone know which format I need to convert and the best PHP code to do it ?

    Knowing what the two formats are would also be interesting too.

    Any help greatly appreciated.
    I was angered, for I had no shoes,
    then I met a man who had no feet.

  2. #2
    Jake Arkinstall
    $password = $_POST['password'];
    $goodpwd = ''; // [insert mysql to get pwd here]
    if (md5($password) == $goodpwd) {
        // ---code here-----
    }
    else
    {
        // ---code here-----
    }

    That should work
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded"-Molona

  3. #3
    Dan Grossman
    PHP Code:
    $sql = "SELECT COUNT(*) FROM users WHERE `password` = PASSWORD('" . $_POST['password'] . "')";

  4. #4

    Changed, but still not matching

    Thanks for that, it has changed but I now have:-

    5696d29e0940a4957748fe3fc9efd22a3 (HTML Form)

    vs

    5d2e19393cc5ef67 (MYSQL)


    still no match

  5. #5

    Quote Originally Posted by Andymcc77
    Thanks for that, it has changed but I now have:-

    5696d29e0940a4957748fe3fc9efd22a3 (HTML Form)

    vs

    5d2e19393cc5ef67 (MYSQL)


    still no match
    Make that 696d29e0940a4957748fe3fc9efd22a3 (HTML Form)

  6. #6
    Here's the actual code (with lots of echo statements for debugging)

    <?

    /**
    * Checks whether or not the given username is in the
    * database, if so it checks if the given password is
    * the same password in the database for that user.
    * If the user doesn't exist or if the passwords don't
    * match up, it returns an error code (1 or 2).
    * On success it returns 0.
    */
    function confirmUser($username, $password){
    global $conn;
    /* Add slashes if necessary (for query) */
    if(!get_magic_quotes_gpc()) {
    $username = addslashes($username);
    }

    /* Verify that user is in database */
    $q = "select username,password from security where username = '$username'";
    $result = mysql_query($q);
    if(!$result || (mysql_numrows($result) < 1)){
    return 1; //Indicates username failure
    }

    /* Retrieve password from result, strip slashes */
    echo ("Result is $result");
    $dbarray = @mysql_fetch_array($result);


    echo ("You entered user");
    echo ("$username\n");
    echo ("You entered password con MD5");
    echo (MD5($password));
    echo ("You entered password");
    echo ($password);

    echo ("Database has user of ");
    echo ($dbarray['username']);
    echo ("Database has password of ");
    echo ($dbarray['password']);

    /* Validate that password is correct */
    if(MD5($password) == $dbarray['password']){
    return 0; //Success! Username and password confirmed
    }
    else{
    return 2; //Indicates password failure
    }
    }

    /**
    * checkLogin - Checks if the user has already previously
    * logged in, and a session with the user has already been
    * established. Also checks to see if user has been remembered.
    * If so, the database is queried to make sure of the user's
    * authenticity. Returns true if the user has logged in.
    */
    function checkLogin(){
    /* Check if user has been remembered */
    if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
    $_SESSION['username'] = $_COOKIE['cookname'];
    $_SESSION['password'] = $_COOKIE['cookpass'];
    }

    /* Username and password have been set */
    if(isset($_SESSION['username']) && isset($_SESSION['password'])){
    /* Confirm that username and password are valid */
    if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){
    /* Variables are incorrect, user not logged in */
    unset($_SESSION['username']);
    unset($_SESSION['password']);
    return false;
    }
    return true;
    }
    /* User not logged in */
    else{
    return false;
    }
    }

    /**
    * Determines whether or not to display the login
    * form or to show the user that he is logged in
    * based on if the session variables are set.
    */
    function displayLogin(){
    global $logged_in;
    if($logged_in){
    echo "<h1>Logged In!</h1>";
    echo "Welcome <b>$_SESSION[username]</b>, you are logged in. <a href=\"logout.php\">Logout</a>";
    }
    else{
    ?>

    <h1>Login</h1>
    <form action="" method="post">
    <table align="left" border="0" cellspacing="0" cellpadding="3">
    <tr><td>Username:</td><td><input type="text" name="user" maxlength="30"></td></tr>
    <tr><td>Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr>
    <tr><td colspan="2" align="left"><input type="checkbox" name="remember">
    <font size="2">Remember me next time</font></td></tr>
    <tr><td colspan="2" align="right"><input type="submit" name="sublogin" value="Login"></td></tr>
    <tr><td colspan="2" align="left"><a href="register.php">Join</a></td></tr>
    </table>
    </form>

    <?
    }
    }


    /**
    * Checks to see if the user has submitted his
    * username and password through the login form,
    * if so, checks authenticity in database and
    * creates session.
    */
    if(isset($_POST['sublogin'])){
    /* Check that all fields were typed in */
    if(!$_POST['user'] || !$_POST['pass']){
    die('You didn\'t fill in a required field.');
    }
    /* Spruce up username, check length */
    $_POST['user'] = trim($_POST['user']);
    if(strlen($_POST['user']) > 30){
    die("Sorry, the username is longer than 30 characters, please shorten it.");
    }

    /* Checks that username is in database and password is correct */
    $md5pass = md5($_POST['pass']);
    $result = confirmUser($_POST['user'], $md5pass);

    /* Check error codes */
    if($result == 1){
    die('That username doesn\'t exist in our database.');
    }
    else if($result == 2){
    die('Incorrect password, please try again.');
    }

    /* Username and password correct, register session variables */
    $_POST['user'] = stripslashes($_POST['user']);
    $_SESSION['username'] = $_POST['user'];
    $_SESSION['password'] = $md5pass;

    /**
    * This is the cool part: the user has requested that we remember that
    * he's logged in, so we set two cookies. One to hold his username,
    * and one to hold his md5 encrypted password. We set them both to
    * expire in 100 days. Now, next time he comes to our site, we will
    * log him in automatically.
    */
    if(isset($_POST['remember'])){
    setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
    setcookie("cookpass", $_SESSION['password'], time()+60*60*24*100, "/");
    }

    /* Quick self-redirect to avoid resending data on refresh */
    echo "<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[PHP_SELF]\">";
    return;
    }

    /* Sets the value of the logged_in variable, which can be used in your code */
    $logged_in = checkLogin();

    ?>

  7. #7
    Dan Grossman
    Clearly you've proven that the MySQL PASSWORD() function is not the same as PHP's md5() function, so stop trying to compare them. Throwing a huge code block at us (please, please put that in [PHP] tags next time) won't change that.

    Your goal is to have the two passwords compared in the same format so you can compare them. You have two choices:

    1) Use md5() hashes. Save the passwords by md5()'ing them in PHP before inserting into the database, and compare md5()'s whenever you need to test equality.

    2) Use MySQL's PASSWORD(). On both passwords. Ask MySQL if the passwords are equal, as I provided an example of above.

  8. #8

    Got it working now

    For those who are interested, the solution was to use the MYSQL MD5() function when placing the data in the database.

    i.e. MYSQL MD5'd data matches against a password field within a form, clearly password fields must use MD5 format implicitly (I didn't know that)

    The issue for me was always, that I needed to convert either one or both sides of the equation when comparing, but I had no idea which needed converting and to what format.

    Thanks.

  9. #9
    Dan Grossman
    Quote Originally Posted by Andymcc77
    i.e. MYSQL MD5'd data matches against a password field within a form, clearly password fields must use MD5 format implicitly (I didn't know that)
    A password field within a form is plain text. If I type "god" as my password, $_POST['password'] will contain the text "god". There's no automatic converting, encoding, or encrypting at any point. The choice to store an md5 hash of the string is entirely up to you.
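
The hash values quoted in this thread can be recomputed from the plain string a form submits, which shows why values made by different functions never match. This is an added example, not code from any poster: the pre-4.1 MySQL PASSWORD() routine is re-implemented here in PHP, 'password' is an assumed test input, and the last lines show PHP's salted password_hash()/password_verify() pair as the stronger way to store and check a password.

```php
<?php
// Added example, not code from the thread. 'password' is a constructed test input.

// MySQL's pre-4.1 PASSWORD() hash (kept later as OLD_PASSWORD()): 16 hex digits, no salt.
function mysql_old_password(string $pw): string
{
    $nr = 1345345333;
    $add = 7;
    $nr2 = 0x12345671;
    for ($i = 0; $i < strlen($pw); $i++) {
        if ($pw[$i] === ' ' || $pw[$i] === "\t") {
            continue; // spaces and tabs are ignored by the algorithm
        }
        $c = ord($pw[$i]);
        // Mask to 32 bits so the arithmetic behaves the same on 64-bit PHP.
        $nr ^= ((($nr & 63) + $add) * $c + ($nr << 8)) & 0xFFFFFFFF;
        $nr2 = ($nr2 + (($nr2 << 8) ^ $nr)) & 0xFFFFFFFF;
        $add += $c;
    }
    return sprintf('%08x%08x', $nr & 0x7FFFFFFF, $nr2 & 0x7FFFFFFF);
}

$typed = 'password'; // a password field is POSTed as plain text

$candidates = [
    'MySQL pre-4.1 PASSWORD()' => mysql_old_password($typed),
    'md5() once'               => md5($typed),
    'md5() twice'              => md5(md5($typed)),
];
// Hashes quoted in the thread.
$quoted = ['5d2e19393cc5ef67', '5f4dcc3b5aa765d61d8327deb882cf99',
           '696d29e0940a4957748fe3fc9efd22a3'];
foreach ($candidates as $label => $hash) {
    $note = in_array($hash, $quoted, true) ? 'quoted in the thread' : 'not in the thread';
    printf("%-26s %-34s %s\n", $label, $hash, $note);
}

// Current practice: let PHP create and check a salted, deliberately slow hash.
$stored = password_hash($typed, PASSWORD_DEFAULT); // value to keep in the password column
var_dump(password_verify($typed, $stored));        // check of the correct password
var_dump(password_verify('Password', $stored));    // check of a wrong password
// If legacy unsalted hashes must still be compared, do it in constant time.
var_dump(hash_equals(md5($typed), md5($typed)));
```

Run it with the PHP CLI (7.0 or later); it needs no database.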

