Hey guys,

I am learning PHP working with a local server on my laptop. I am trying to create a membership site and so I have created a MySQL database for it. My registration script works just fine, whenever I register an account it goes into the users table in the appropriate database with no problem. Here's my problem, all my scripts where a user's email and password have to be matched to authenticate them to do things registered members are allowed to do (to change a password or just to log in) I keep getting the same problem: "email and password do not match"

Unfortunately I do not have the script on this computer from which I am posting so I can't show it to you guys, but what are some possible errors that I might be making? I simply cannot log in with any of the user accounts I create. The problem is not that the email and password don't really match. So what could it be? Are there common mistakes that beginners like me typically make in this situation?

I appreciate any feedback you guys might be able to provide!

Thanks a lot in advance

a common problem I can see is input errors.. If you have magic_quotes_gpc on or improper filtering of the inputs for different fields you may get mismatched

my recommendation is first turn magic_quotes_gpc off (if not already) and just compare the input to the database field

so something like

PHP Code:

var_dump($_POST['password']);
var_dump( mysql_result ( mysql_query("SELECT password FROM table WHERE user_id=1"), 0, 'password')); 


with some mods to the last line of course, see what the output of both are... if there are slashes or escape characters in there

You could do a simple select like:

session_start();
$pass = $_POST['password'];
// md5 encrypt it if you have encrypted it in the database.
$mail = $_POST['email'];

$sql = mysql_query("SELECT * FROM users WHERE email = '$email' AND password = '$password' limit 1");

Then check how many rows are returned,
If 1 row is returned do:
$_SESSION['loggedin'] = "1";
else $_SESSION['loggedin'] = "0";

Then , On any page you want to be members only,
do this at the very top.

session_start();
// If loggedin does not equal 1, Die. ( End script )
if ($_SESSION['loggedin'] != "1") {
die ('Your not loggedin');
}

Hope this helps,
This is a basic way to do it, But works.

Thanks a lot for the feedback guys. I will give them a try and let you know later how it worked.

Cheers

Ok here's another question. In the registration script I have the SQL query inserting the passwords as SHA1('$password'). Do I need to do some tinkering in phpmyadmin on the users table? Is this encryption somehow the reason why the email and password matches are never working for me?

Quote:

Originally Posted by Frank Drebin

Ok here's another question. In the registration script I have the SQL query inserting the passwords as SHA1('$password'). Do I need to do some tinkering in phpmyadmin on the users table? Is this encryption somehow the reason why the email and password matches are never working for me?

If you literally mean:

PHP Code:

sha1('$password'); 


then the problem is you are inserting the string '$password' into the database. Otherwise using a hash shouldn't cause any problems provided you are using the same hash function prior to checking the input password against the database password.

PHP Code:

$password = sha1($_POST['password']);
$email = $_POST['email']; //make sure to sanitize and validate this as it will be inserted into a query
$sql = mysql_query("SELECT * FROM users WHERE email = '$email' AND password = '$password' limit 1"); 


Also, an sha1 hash is 40 characters long. Make sure the password field in the database is set to varchar(40)

Don't forget to escape your email value, to avoid SQL injection:

PHP Code:

$email=mysql_real_escape_string($_POST['email']); 


Quote:

Originally Posted by Colton

Don't forget to escape your email value, to avoid SQL injection:

PHP Code:

$email=mysql_real_escape_string($_POST['email']); 


Thanks Colton, but yes I am already escaping it with the mysql_real_escape_string()

Quote:

Originally Posted by NullPointer

If you literally mean:

PHP Code:

sha1('$password'); 


then the problem is you are inserting the string '$password' into the database. Otherwise using a hash shouldn't cause any problems provided you are using the same hash function prior to checking the input password against the database password.

PHP Code:

$password = sha1($_POST['password']);
$email = $_POST['email']; //make sure to sanitize and validate this as it will be inserted into a query
$sql = mysql_query("SELECT * FROM users WHERE email = '$email' AND password = '$password' limit 1"); 


Also, an sha1 hash is 40 characters long. Make sure the password field in the database is set to varchar(40)

my query is as follows:

PHP Code:

$query = "INSERT INTO users (first_name, last_name, email, password, register_date) VALUES ('$fn', '$ln', '$e', SHA1('$password'), NOW() )";
$result = @mysqli_query ($dbc, $q); 


Are you saying that the SHA1('$password') in this SQL query is sending the $password as a string and not as the variable I created earlier in my script?

My mistake, I was thinking you were using the php function sha1, not the mysql function SHA1. The query is correct as far as I can tell.

Quote:

Originally Posted by Frank Drebin

my query is as follows:
Are you saying that the SHA1('$password') in this SQL query is sending the $password as a string and not as the variable I created earlier in my script?

Thats what hes saying yes, if you wanted a string you would use sha1('some string data') for a variable use sha1($variable) note no ' '