MD5 hashing issue...I think...
01-29-2010, 02:15 PM
|
MD5 hashing issue...I think...
|
Posts: 215
Location: North Carolina
|
Hey guys, maybe someone can help me out on this one. I have a client (contract) through my work that asked for my assistance with an internal web site. It's a PHP site with a MySQL database. They migrated from a Red Hat server to a Sun Solaris 10 server and cannot log into anything with their passwords. They can select the tables and what not, and the link diag page shows a successful connection to the database. My concern was that the hashes for the passwords were being generated differently between the 2 different PHP engines.
Red Hat - 4.3.2
Sun Solaris - 4.4.5
Here's the log in form:
----------------------------------------------------------------------
PHP Code:
<?php
function login($Code, $Password){
    include("config.php");
    $data = 'training';
    $table = 'Agency';

    if($Code == NULL || $Password == NULL)
        return "Agency Code or Password is incorrect";

    //connects to database
    if (!($link=mysql_pconnect($_SESSION['hostname'],$_SESSION['username'], $_SESSION['password']))) {
        error(sprintf("error connecting to host %s, by user %s", $_SESSION['hostname'], $_SESSION['username']));
        exit();
    }

    //select database
    if (!mysql_select_db($data, $link)){
        error(sprintf("error in executing %s database", $data));
        error(sprintf("error:%d %s", mysql_errno($link), mysql_error($link)));
        exit();
    }

    $query = "SELECT id, Code FROM $table WHERE ((Code = '$Code')) AND ((Password = md5('$Password')))";

    //stores the result of the query to the array $result
    if(!$result = mysql_query($query, $link)){
        error(sprintf("Error in executing %s stmt", $result));
        error(sprintf("error:%d %s", mysql_errno($link), mysql_error($link)));
        exit();
    }

    //if the user exists
    if(mysql_num_rows($result)){
        //update last login and ip address
        $date = mktime();
        $id = mysql_result($result, 0, id);
        $ip = ip();
        $update = "UPDATE Agency SET Last_Visit = '$date', ip_address = '$ip' WHERE id = '$id'";
        if(!mysql_query($update, $link)){
            error(sprintf("Error in executing %s stmt", $update));
            error(sprintf("error:%d %s", mysql_errno($link), mysql_error($link)));
            exit();
        }
        $_SESSION['Code'] = mysql_result($result, 0, Code);
        $_SESSION['AgencyID'] = mysql_result($result, 0, ID);
        header("Location: $currentsite"); //after success it redirects
        exit;
    } else {
        return "Username or Password is incorrect";
    }
}
?>
--------------------------------------------------------------------------
Now, someone also mentioned to me that the encoding could be different. As in the old server interpreting the characters as ASCII or ANSI...and the new server interpreting the opposite.
--------------------------------------------------------------------------
PHP Code:
<?php
/**
 * MySQL settings
 */
// Column types;
// varchar, tinyint, text and date are listed first, based on estimated popularity
$cfg['ColumnTypes'] = array(
    'VARCHAR', 'TINYINT', 'TEXT', 'DATE', 'SMALLINT', 'MEDIUMINT', 'INT',
    'BIGINT', 'FLOAT', 'DOUBLE', 'DECIMAL', 'DATETIME', 'TIMESTAMP', 'TIME',
    'YEAR', 'CHAR', 'TINYBLOB', 'TINYTEXT', 'BLOB', 'MEDIUMBLOB', 'MEDIUMTEXT',
    'LONGBLOB', 'LONGTEXT', 'ENUM', 'SET'
);

// Attributes
$cfg['AttributeTypes'] = array(
    '', 'BINARY', 'UNSIGNED', 'UNSIGNED ZEROFILL'
);

// Available functions
if ($cfg['ShowFunctionFields']) {
    $cfg['Functions'] = array(
        'ASCII', 'CHAR', 'SOUNDEX', 'LCASE', 'UCASE', 'NOW', 'PASSWORD', 'MD5',
        'ENCRYPT', 'RAND', 'LAST_INSERT_ID', 'COUNT', 'AVG', 'SUM', 'CURDATE',
        'CURTIME', 'FROM_DAYS', 'FROM_UNIXTIME', 'PERIOD_ADD', 'PERIOD_DIFF',
        'TO_DAYS', 'UNIX_TIMESTAMP', 'USER', 'WEEKDAY', 'CONCAT'
    );

    // Which column types will be mapped to which Group?
    $cfg['RestrictColumnTypes'] = array(
        'VARCHAR' => 'FUNC_CHAR', 'TINYINT' => 'FUNC_NUMBER', 'TEXT' => 'FUNC_CHAR',
        'DATE' => 'FUNC_DATE', 'SMALLINT' => 'FUNC_NUMBER', 'MEDIUMINT' => 'FUNC_NUMBER',
        'INT' => 'FUNC_NUMBER', 'BIGINT' => 'FUNC_NUMBER', 'FLOAT' => 'FUNC_NUMBER',
        'DOUBLE' => 'FUNC_NUMBER', 'DECIMAL' => 'FUNC_NUMBER', 'DATETIME' => 'FUNC_DATE',
        'TIMESTAMP' => 'FUNC_DATE', 'TIME' => 'FUNC_DATE', 'YEAR' => 'FUNC_DATE',
        'CHAR' => 'FUNC_CHAR', 'TINYBLOB' => 'FUNC_CHAR', 'TINYTEXT' => 'FUNC_CHAR',
        'BLOB' => 'FUNC_CHAR', 'MEDIUMBLOB' => 'FUNC_CHAR', 'MEDIUMTEXT' => 'FUNC_CHAR',
        'LONGBLOB' => 'FUNC_CHAR', 'LONGTEXT' => 'FUNC_CHAR', 'ENUM' => '', 'SET' => ''
    );

    // Map above defined groups to any function
    $cfg['RestrictFunctions'] = array(
        'FUNC_CHAR' => array(
            'ASCII', 'CHAR', 'SOUNDEX', 'LCASE', 'UCASE', 'PASSWORD', 'MD5',
            'ENCRYPT', 'LAST_INSERT_ID', 'USER', 'CONCAT'
        ),
        'FUNC_DATE' => array(
            'NOW', 'CURDATE', 'CURTIME', 'FROM_DAYS', 'FROM_UNIXTIME', 'PERIOD_ADD',
            'PERIOD_DIFF', 'TO_DAYS', 'UNIX_TIMESTAMP', 'WEEKDAY'
        ),
        'FUNC_NUMBER' => array(
            'ASCII', 'CHAR', 'MD5', 'ENCRYPT', 'RAND', 'LAST_INSERT_ID', 'COUNT',
            'AVG', 'SUM'
        )
    );
} // end if

/**
 * Unset magic_quotes_runtime - do not change!
 */
set_magic_quotes_runtime(0);

/**
 * File Revision - do not change either!
 */
$cfg['FileRevision'] = '$Revision: 1.182 $';
?>
--------------------------------------------------------------------------
I've tried to do some searching online but haven't been successful in getting in the right direction. If anyone could point me in the right direction it would be greatly appreciated. I can post more info if need be. Thanks.
Last edited by MDwebdev85; 02-02-2010 at 08:33 AM..
Reason: code tags
|
|
|
|
01-29-2010, 02:17 PM
|
Re: MD5 hashing issue...I think...
|
Posts: 215
Location: North Carolina
|
I'm not sure if this was the right room to post in, or if I should be in the database forum...if so MODS, please move it for me...thanks.
|
|
|
|
01-29-2010, 07:10 PM
|
Re: MD5 hashing issue...I think...
|
Posts: 215
Location: North Carolina
|
nothing??
|
|
|
|
01-30-2010, 02:03 AM
|
Re: MD5 hashing issue...I think...
|
Posts: 1,226
Name: Mike
Location: Mataro, Spain
|
MD5 cannot return different results for the same input. This does not depend on system type, weather or even moon phase. Log all "SELECT id, Code" queries and ensure they are correct and corresponding rows exist in the table.
I also bet a dollar that it is a register_globals related issue. On the old machine RG was turned on and on the new one it is off, and the form is processed with $code and $password instead of $_POST['code'] and $_POST['password'].
|
|
|
|
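An added example (not code from the thread) of the checks suggested in the reply above, runnable from the PHP command line: it records what a failed login actually submitted and shows that an MD5 digest changes only when the input bytes change, as they do when the same password text arrives in a different encoding. The function names and sample values are hypothetical; the digest is logged in place of the query text because the original query carries the plaintext password inside md5('...').

```php
<?php
// Added example, not from the thread; function names are hypothetical.

// Fields worth logging for one failed login. Logging the raw query text
// would write the submitted password to disk, so log the digest instead.
function describe_login_attempt($code, $password)
{
    return array(
        'register_globals' => (bool) ini_get('register_globals'),
        'code_hex'         => bin2hex($code),     // reveals stray spaces or non-ASCII bytes
        'password_bytes'   => strlen($password),  // byte count, not character count
        'password_md5'     => md5($password),     // compare with the stored Password value
    );
}

// MD5 is a function of bytes: the same characters in two encodings are two
// different inputs. ASCII-only passwords have identical bytes in both.
function md5_by_encoding()
{
    $latin1 = "caf\xE9";       // constructed sample: "café" in ISO-8859-1 (4 bytes)
    $utf8   = "caf\xC3\xA9";   // the same text in UTF-8 (5 bytes)
    return array(
        'latin1_md5'  => md5($latin1),
        'utf8_md5'    => md5($utf8),
        'same_digest' => md5($latin1) === md5($utf8),
    );
}

// Constructed sample values standing in for $_POST['Code'] and $_POST['Password'].
$attempt = describe_login_attempt("AB12", "Secret42");
error_log('login attempt: ' . var_export($attempt, true));
print_r(md5_by_encoding());
```

If `password_md5` matches the stored value but the login still fails, the mismatch is in the `Code` comparison or the row is missing; if it does not match, compare `password_bytes` against what the user typed.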
01-30-2010, 02:51 AM
|
Re: MD5 hashing issue...I think...
|
Posts: 215
Location: North Carolina
|
OMG! I didn't even think about that. It's currently off... won't have root access until Monday.
|
|
|
|
01-30-2010, 04:13 AM
|
Re: MD5 hashing issue...I think...
|
Posts: 807
Name: Mattias Nordahl
Location: Sweden
|
And it should stay off, for security reasons. Use the super globals instead; $_POST, $_GET.
__________________
Your answers will only be as good as your question. Formulate it well and give all the necessary information.
|
|
|
|
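Why the setting should stay off, as an added example that is not part of the original posts: with register_globals on, a request parameter can pre-set a variable the script never initialised. The handler names, the $authorized flag and the request values are hypothetical, and extract() stands in for the setting so the code runs on PHP versions that no longer have it.

```php
<?php
// Added example, not from the thread; all names here are hypothetical.

// Emulates register_globals = On: every request parameter becomes a variable
// in scope before the script's own logic runs.
function handler_register_globals_on(array $request, $passwordOk)
{
    extract($request);              // stand-in for what the setting did implicitly
    if ($passwordOk) {
        $authorized = true;
    }
    return !empty($authorized);     // never initialised, so a request value survives
}

// register_globals = Off: input is read only from the array passed in
// (the role $_POST plays), and the script initialises its own flag.
function handler_superglobals(array $post, $passwordOk)
{
    $authorized = false;
    if ($passwordOk) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: wrong password plus an extra field named like the flag.
$request = array('Code' => 'AB12', 'Password' => 'wrong', 'authorized' => '1');

var_dump(handler_register_globals_on($request, false)); // flag taken from the request
var_dump(handler_superglobals($request, false));        // flag set only by the script
```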
01-30-2010, 04:42 PM
|
Re: MD5 hashing issue...I think...
|
Posts: 215
Location: North Carolina
|
here's the form php,
it appears to be using super globals... please excuse my ignorance...still new to php
Code:
<?php session_start();
if (isset($_POST['Code'])){
include_once("login.php");
$Error = login($_POST['Code'], $_POST['Password']);
}
if(isset($_SESSION['AgencyID'])){
header("Location: http://".$_SERVER['SERVER_NAME'].dirname($_SERVER['PHP_SELF'])."/welcome.php"); //after success it redirects
exit;
}
?>
<?php
if(isset($Error))
echo '<p align="center"><font color="red">'.$Error.'</font></p>';
?>
<form name="form1" method="post" action="index.php">
<p class="main"> Agency Code:<br>
<input name="Code" type="text" id="Code" value="<?php echo isset($_POST['Code']) ? htmlspecialchars($_POST['Code']) : ''; ?>" size="4" maxlength="4">
<br>
Password:<br>
<input type="password" name="Password">
</p>
<p align="center" class="main">
<input name="imageField" type="image" src="Images/login_button.gif" width="55" height="22" border="0">
</p>
</form>
Last edited by MDwebdev85; 01-30-2010 at 04:44 PM..
|
|
|
|
01-31-2010, 11:47 AM
|
Re: MD5 hashing issue...I think...
|
Posts: 1,226
Name: Mike
Location: Mataro, Spain
|
If so, log the queries and look if they are valid and have corresponding data in the table.