#1
10th March 2011, 02:03
otacon
Error Verifying Username/Password

I am trying to use the below code to have my users login to other parts of my website.
PHP Code:
<?php
ob_start();
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password="nonya"; // Mysql password 
$db_name="someserver"; // Database name 
$tbl_name="ohyyeahtable"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
// Hashing password with MD5
$encrypted_mypassword=md5($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and passwort='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

But I get the error:

Quote:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/clients/client0/web2/web/checklogin.php on line 29
Wrong Username or Password

I have looked up examples of mysql_num_rows(), but cannot find any issue with my script. Also, it seems to always say wrong username and password no matter what... don't know if that is associated to the "$count=mysql_num_rows($result);" being wrong.

I am by far not a php master and would appreciate the advice of a more talented coder.

#2
10th March 2011, 15:01
till

You use a wrong encryption method for the password. Passwords in ISPConfig are encrypted with crypt together with a salt (that's the standard for Linux servers and more secure than md5). So if you want to verify a password, you have to fetch the encrypted password from the db, extract the salt and then use this salt plus your new password for verification. There are one or two threads here in the dev forum that explain the encryption.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3
11th March 2011, 15:33
otacon

So I read up on the encryption and I want to verify what I am seeing.


My first user looks like it has $salt added to it with the password "$1$12345678$123456789.12345678910." (letters have been replaced with *random* numbers)

But the rest of my passwords are shorter and look like "d2d11f27a5d0b79ceb504a5f846ff265" (random user password that I created by typing a bunch of letters)

The second one does not seem to have a $salt added to it, as I believe the $1$ is a tell sign of the $salt being used.

Is the admin the only user that is supposed to look like the first password or are the other users supposed to be like that too?

Last edited by otacon; 11th March 2011 at 15:37.

#4
11th March 2011, 15:39
till

Which ispconfig version do you use and how did you create these users?

#5
11th March 2011, 17:14
otacon
Default

Quote:
Originally Posted by till
Which ispconfig version do you use and how did you create these users?

ISP Config 3.0.3.1

Most were created through the example API script given, two were created from ispconfig's default control panel.

I created a new user from the control panel just to verify and I have the same result.

I am getting the password in dbispconfig.sys_user.passwort.

#6
14th March 2011, 11:15
till
Default

It was a bug in the remote API that md5 was used. The correct encryption method is crypt with salt. I've fixed that now in stable SVN branch.

#7
14th March 2011, 23:14
otacon
Default

OK, well I still don't have this php coding correct. I can still test it with the admin account till an update has been made; otherwise, if I get the code done first, I will upgrade from SVN.
__________________
Debian 7.4 Server:
ISPConfig Version: 3.0.5.3

Please visit my Mini-howto, "How To Create Remote API Scripts For ISPConfig 3"

#8
15th March 2011, 09:49
till
Default

Why don't you just use the code from the ispconfig login script to verify the passwords? No need to wait for an update as you can easily detect the password encoding and use the correct method for verification as ispconfig is doing it.
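
The check described in posts #2 and #8 (detect how the stored value is encoded, then recompute with the stored salt), as an added example that is not part of the thread and not ISPConfig's own login code. The function names, the sample password and the two sample rows are constructed for illustration; in the thread's setup the stored values would come from dbispconfig.sys_user.passwort.

```php
<?php
// Added example (not ISPConfig code): verify a password against a stored value
// that is either a crypt() string such as $1$salt$hash or a bare md5() digest.

function hash_format(string $stored): string
{
    if (preg_match('/^\$[0-9a-z]+\$/', $stored)) {
        return 'crypt';   // scheme id and salt are embedded in the string
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return 'md5';     // unsalted hex digest, the shorter form seen in the thread
    }
    return 'unknown';
}

function verify_password(string $candidate, string $stored): bool
{
    switch (hash_format($stored)) {
        case 'crypt':
            // crypt() reads the scheme and salt from the stored string itself.
            $computed = crypt($candidate, $stored);
            $expected = $stored;
            break;
        case 'md5':
            $computed = md5($candidate);
            $expected = strtolower($stored);
            break;
        default:
            return false;  // never fall back to a plain string comparison
    }
    // Constant-time comparison of the stored and recomputed values.
    return hash_equals($expected, $computed);
}

// Constructed sample rows standing in for sys_user.passwort values.
$password = 'Example-Passw0rd';                       // hypothetical password
$rows = [
    'panel_user' => crypt($password, '$1$abcdefgh$'), // salted MD5-crypt
    'api_user'   => md5($password),                   // legacy unsalted md5
];

foreach ($rows as $user => $stored) {
    printf("%-10s %-5s correct=%s wrong=%s\n", $user, hash_format($stored),
        var_export(verify_password($password, $stored), true),
        var_export(verify_password('not-the-password', $stored), true));
}
```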

#9
15th March 2011, 17:12
otacon

That is a great idea that I didn't even think of...

Before I get to finalizing the script, I did an upgrade to the latest version of ispconfig 3.0.3.3 RC1.

I then created a user from the control panel and the user password looks like this, "e807f1fcf82d132f9bb018ca6738a19f" (from phpmyadmin)

Is everyone having the issue with salt not being added or is it just me?

#10
15th March 2011, 17:27
till

For ISPConfig, the encryption method does not matter. But I will check that and correct the code if the old encryption method is still used in some parts of the scripts.
All times are GMT +2.