Error Verifing Username/Password

Discussion in 'Developers' Forum' started by otacon, Mar 10, 2011.

  1. otacon

    otacon New Member

    I am trying to use the below code to have my users login to other parts of my website.
    PHP:
    <?php
    ob_start
    ();
    $host="localhost"// Host name 
    $username="root"// Mysql username 
    $password="nonya"// Mysql password 
    $db_name="someserver"// Database name 
    $tbl_name="ohyyeahtable"// Table name 

    // Connect to server and select databse.
    mysql_connect("$host""$username""$password")or die("cannot connect"); 
    mysql_select_db("$db_name")or die("cannot select DB");

    // Define $myusername and $mypassword 
    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['mypassword']; 

    // To protect MySQL injection (more detail about MySQL injection)
    $myusername stripslashes($myusername);
    $mypassword stripslashes($mypassword);
    $myusername mysql_real_escape_string($myusername);
    $mypassword mysql_real_escape_string($mypassword);
    // Encrypting Password
    $encrypted_mypassword=md5($mypassword);

    $sql"SELECT * FROM $tbl_name WHERE username='$myusername' and passwort='$encrypted_mypassword'";
    $result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);

    if(
    $count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword"); 
    header("location:login_success.php");
    }
    else {
    echo 
    "Wrong Username or Password";
    }

    ob_end_flush();
    ?>

    But I get the error:


    I have looked up examples of mysql_num_rows(), but can not find any issue with my script, also it seems to always say wrong username and password no matter what... don't know if that is associated to the "$count=mysql_num_rows($result);" being wrong.

    I am by far not a php master and would appreciate the advise of a more talented coder.
     
  2. till

    till Super Moderator

    You use a wrong encryption method for the passord. Passwords in ISPConfig are encrypted with crypt together with a salt (thats the Stabndard for Linux servers and more secure them md5). So if you want to verify a password, you have to fetch the encrypted password from the db, extract the salt and then use this salt plus your new password for verification. There are one or two threads here in the dev forum that explain the encryption.
     
  3. otacon

    otacon New Member

    So I read up on the encryption and I want to verify what I am seeing.


    My first user looks like it has $salt added to it with the password "$1$12345678$123456789.12345678910." (letters have been replaced with *random* numbers)

    But the rest of my passwords are shorter and look like "d2d11f27a5d0b79ceb504a5f846ff265" (random user password that I created by typing a bunch of letters)

    The second one does not seem to have a $salt added to it, as I believe the $1$ is a tell sign of the $salt being used.

    Is the admin the only user that is suppose to look like the first password or are the other users suppose to be like that too?
     
    Last edited: Mar 11, 2011
  4. till

    till Super Moderator

    Which ispconfig version do you use and how did you create these users?
     
  5. otacon

    otacon New Member

    ISP Config 3.0.3.1

    Most were created through the example API script given, two were created from ispconfig's default control panel.

    I created a new user from the control panel just to verify and I have the same result.

    I am getting the password in dbispconfig.sys_user.passwort.
     
  6. till

    till Super Moderator

    It was a bug in the remote API that md5 was used. The correct encryption method is crypt with salt. I've fixed that now in stable SVN branch.
     
  7. otacon

    otacon New Member

    ok Well I still don't have this php coding correct.. I can still test it with the admin account till an update has been made.. otherwise if I get the code done first I will upgrade from SVN.
     
  8. till

    till Super Moderator

    Why dont you just use the code from the ispconfig login script to verify the passwords? No need to wait for an update as you can easily detect the password encoding and use th correct method for verification as ispconfig is doing it.
     
  9. otacon

    otacon New Member

    That is a great idea that I didn't even think of...

    Before I get to finalizing the script, I did an upgrade to the latest version of ispconfig 3.0.3.3 RC1.

    I then created a user from the control panel and the user password looks like this, "e807f1fcf82d132f9bb018ca6738a19f" (from phpmyadmin)

    Is everyone having the issue with salt not being added or is it just me?
     
  10. till

    till Super Moderator

    For ISPConfig, the encryptiom method does not matter. But I will check that and correct the code if the old encryption method is still used in some parts of the scripts.
     
  11. otacon

    otacon New Member

    OK no big deal just wanted to make sure my installation was not flawed. I am looking into the ispconfig/login/ folder now to look for the login script I can use for my website.
     

Share This Page