On a recent project I am having issues when matching a password in the database.
The query is as follows:
mysql_query("SELECT * FROM user_accounts WHERE username = '$username' AND password = '$encryptedPass'")
This outputs
SELECT * FROM user_accounts WHERE username = 'T-McFarlane' AND password = 'äê1\Y¸c'
It can find me with just the user but with the password it cannot. I have echoed out both the database password and the encrypted password provides and they are exactly identical - this is what is in the database but it cannot find the matching row.
My question is that does this password contain any special characters or would there be any other reason that this is failing?
I have tried both utf8_swedish_ci and latin1_swedish_ci for my collation setting in the database.
You need to escape special characters in the string:
$username = mysql_real_escape_string($username);
$encryptedPass = mysql_real_escape_string($encryptedPass);
mysql_query("SELECT * FROM user_accounts WHERE username = '$username' AND password = '$encryptedPass'")
However, it would be even better to switch to PDO or mysqli, and use parametrized queries.
Related
i'm trying to make a log in form where the password where encrypted in oracle DB, i can't decrypt the password in my select statement in php. when i put the correct password the error message pop out and when i try to put the encpryted password it proceeds to log in ,
$strSQL = "SELECT USER_ID, PASS_WORD FROM VW_SMF_USERS WHERE USER_ID =
'".trim($_POST['txtUseremail'])."'
AND PASS_WORD = '".trim($_POST['txtUserpassword'])."'";
$objParse = oci_parse ($objConnect, $strSQL);
oci_execute ($objParse,OCI_DEFAULT);
$objResult = oci_fetch_array($objParse);
As i can understand your current scenario, you have hashed password in database, and you are querying user_input password direct to database, that is why application logged in with hash but not with plain text password.
You need to encrypt user_input password first in desired hash (md5,sha), example md5:
"SELECT USER_ID, PASS_WORD FROM VW_SMF_USERS WHERE USER_ID =
'".trim($_POST['txtUseremail'])."'
AND PASS_WORD = '".md5($_POST['txtUserpassword'])."'";
I have sql query
$query = "select * from users where username = '".$username."' and password = '".$password."'";
How to use mysql bind_param in this query
Trying this link and don't know how to give two conditions in where.
http://www.ultramegatech.com/2009/07/using-mysql-prepared-statements-in-php/
This has surely come up before but I haven't found a solution. I am trying to select username and password from a database to verify users a simple login script. It should simply find a row in the users table with a username and password matching those submitted through the login form.
I can match the username without any problem but not the password and I have no idea why.
The table contains columns called "username" and "password" and there is only 1 row in the table with a username 'admin' and a password 'testpassword'.
Here is the function containing three options - options 1 and 4 work, the other two don't. Option 2 is the same as option 1 except it looks up a different column. I have checked that the column name in the query matches the columns in the table and that the submitted values match. I'm not getting any error messages and can't see what might be wrong (something basic, I'm sure...).
function new_session ($username, $pw, $inactive) {
// echo statements verify that variable match database values
echo "<h2>username = " . $username . "</h2>";
echo "<h2>password = " . $pw . "</h2>";
echo "<h2>inactive = " . $inactive . "</h2>";
$db = mydb::getConnection();
//option 1
$statement = $db->prepare('SELECT * FROM users WHERE username = :parameter');
$statement->bindValue(':parameter', $username);
//option 2
//$statement = $db->prepare('SELECT * FROM users WHERE password = :parameter');
//$statement->bindValue(':parameter', $pw);
//option 3
//$statement = $db->prepare('SELECT * FROM users WHERE password = :parameter1 AND username = :parameter2');
//$statement->bindValue(':parameter1', $username);
//$statement->bindValue(':parameter2', $pw);
//option 4
//$statement = $db->prepare('SELECT * FROM users WHERE username = "admin" AND password = "testpassword"');
$statement->execute();
$row = $statement->fetchAll();
if (count($row) == 1) {
// SESSION data is set here for options 1 and 4
}
}
First thing you need to check is if the passwords in your data base are hashed. They probably should be, and if they are you need to compare using the hashing function PASSWORD
$statement = $db->prepare('SELECT * FROM users WHERE password = PASSWORD(:parameter)');
$statement->bindValue(':parameter', $pw);
Now, if your passwords aren't hashed (shame on you), you might have a different problem. As you can see in the above, password is a function name in mysql. It might be having problems parsing your statement because you are using password as a column name. Put tick-marks around the column name password. Like this:
$statement = $db->prepare('SELECT * FROM users WHERE `password` = :parameter');
$statement->bindValue(':parameter', $pw);
Notice that those are tick marks, not a single quote. They are found on the same key that ~ is on, above the tab key. These tick marks will indicate that password is a column name.
The word "PASSWORD" is a mysql command. so escape it first like this:
//option 3
//$statement = $db->prepare('SELECT * FROM users WHERE `password` = :parameter1 AND username = :parameter2')
If this query gives error, then I think you have your password encoded.
Then use this for md5:
$statement->bindValue(':parameter', md5($pw));
And for sha1:
$statement->bindValue(':parameter', sha1($pw));
I see no other errors which might could result in no rows :o
Thanks for all the suggestions and taking time to look at this, I have escaped the word password as suggested however I'm ashamed to say the problem was that the maxlength on my password form input was trimming the last character and I didn't spot it.
This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 8 years ago.
I'm following a tutorial, Creating a Secure Login System the Right Way, about how to create a login system. In the code they use mysql_real_escape_string on the username field before passing it to the database as a query, that is,
$username = mysql_real_escape_string($username);
Is this necessary since I am not adding anything to the database, I am simply checking if this user already exists?
The reason I am not just leaving it in anyway is when I use the above code, it renders my text blank and so is sending an empty string to the database. I don't know why this is, so I thought, if I could leave it out, I would.
Below is for advice about database connection being open from a commenter (passwords, etc. been changed):
function dbConnect(){
$connection = mysql_connect('localhost', 'username', 'password');
$database=mysql_select_db('database', $connection);
return $connection;
}
$username = $_POST['username'];
$password = $_POST['password'];
$password = md5($password);
$username = mysql_real_escape_string($username);
$query = mysql_query("SELECT *
FROM members
WHERE username = '$username'
AND password = '$password'",dbConnect());
You may want to use PDO with prepared statements. Prepared statements are like placeholders in an SQL query and you're later on shipping the data that will then be inserted on those places. This makes escaping strings obsolete.
As I've already mentioned in the comments above: every SQL query with user input is vulnerable to SQL injection attacks.
The proper code is:
dbConnect();
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);
$sql = "SELECT * FROM members WHERE username = '$username' AND password = '$password'";
$res = mysql_query($sql) or trigger_error(mysql_error().$sql);
Yes it is necessary because the username could contain special character not allowed in SQL that need to be escaped like ' or / for instance
Example:
Not escaping ' in the username McDonald's would lead to an illegal SQL statement:
select * from your_table where username = 'McDonald's'
This question already has answers here:
How to check username and password matches the database values
(3 answers)
Closed 11 months ago.
I have a form which has a textbox with the name attribute username and another one with the name attribute password.
I also have a database with columns called user and pass. When my users signed up it added the username to the user column and password to the pass column.
How would I make a MySQL query to check if the form submitted the right username and password and then if it did have a branch to let me input the code for if it succeeded?
I really need some code, this bit isn't going well I know it should be something like SELECT * FROM table WHERE username == $username AND... but then I'm stuck because I have an MD5 password in the database and that first bit is probably wrong. Please help. :)
Thanks
//set vars
$user = $_POST['user'];
$pass = md5($_POST['pass']);
if ($user&&$pass)
{
//connect to db
$connect = mysql_connect("$server","$username","$password") or die("not connecting");
mysql_select_db("users") or die("no db :'(");
$query = mysql_query("SELECT * FROM $tablename WHERE username='$user'");
$numrows = mysql_num_rows($query);
if ($numrows!=0)
{
//while loop
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
else
die("incorrect username/password!");
}
else
echo "user does not exist!";
}
else
die("please enter a username and password!");
Instead of selecting all the columns in count count(*) you can limit count for one column count(UserName).
You can limit the whole search to one row by using Limit 0,1
SELECT COUNT(UserName)
FROM TableName
WHERE UserName = 'User' AND
Password = 'Pass'
LIMIT 0, 1
1.) Storage of database passwords
Use some kind of hash with a salt and then alter the hash, obfuscate it, for example add a distinct value for each byte. That way your passwords a super secured against dictionary attacks and rainbow tables.
2.) To check if the password matches, create your hash for the password the user put in. Then perform a query against the database for the username and just check if the two password hashes are identical. If they are, give the user an authentication token.
The query should then look like this:
select hashedPassword from users where username=?
Then compare the password to the input.
Further questions?