password() and select statement

ch******@hotmail.com wrote:

Hello
I have a problem in retrieving a row form a table that I created in
mysql db.
I insert these values in the table
'Bell',password('123').
But the problem is in my php application I cant retrieve this row
because the password that I pass dosn't match the password value in the
table.
this is the code that I wrote in my php application

$user = $_POST[username];
$pass = $_POST[password];
$q = mysql_query("SELECT * FROM admin WHERE username = '$user' and
password =PASSWORD('$pass')");

if(mysql_num_rows($q)==0){
echo "Acces denied. User not allowed to connect.";
mysql_close();
}
else
{
echo
"<script>window.location.replace('administrator2.p hp')</script>";
}

so if any body has an idea about this problem please tell me about it.
thanx in advance
Shameram Sadaki

How are you putting the values into the table? What versions are the
MySQL server and the client libraries you're using in PHP?

What do you get if you do echo the password in the database and the
results of PASSWORD('$pass')?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

*** ch******@hotmail.com escribió/wrote (24 Jul 2006 06:45:12 -0700):

$user = $_POST[username];
$pass = $_POST[password];

Unquoted strings are constants that you must define this way:

define('foo', 'bar');
echo foo; // prints bar

You probably mean:

$user = $_POST['username'];
$pass = $_POST['password'];

$q = mysql_query("SELECT * FROM admin WHERE username = '$user' and
password =PASSWORD('$pass')");

I suggest you read this article about SQL Injection:

http://en.wikipedia.org/wiki/SQL_Injection

if(mysql_num_rows($q)==0){
echo "Acces denied. User not allowed to connect.";
mysql_close();
}

You're retrieving all the row data when all you need is knowing whether the
record exists. It's not good programming practice and, believe me, it's far
easier to learn the right way from the beginning than changing your habits
afterwards. I suggest you either get the primary key.

else
{
echo
"<script>window.location.replace('administrator2.p hp')</script>";
}

I presume you're aware of the fact that you must also protect
"administrator2.php" or anyway will be able to bypass the login screen.

so if any body has an idea about this problem please tell me about it.

The first test you must do is printing all strings on screen:

echo '<pre>';
var_dump($_POST);
var_dump($q);
echo '</pre>';

If SQL query looks OK, paste it in your favourite MySQL front end check if
it returns the expected result.

Also, check whether mysql_query() returned a result resouce or FALSE, don't
use the value blindly.
--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programación web: http://bits.demogracia.com
+- Mi web de humor con rayos UVA: http://www.demogracia.com
--

Alvaro G. Vicario wrote:

*** ch******@hotmail.com escribió/wrote (24 Jul 2006 06:45:12 -0700):

$user = $_POST[username];
$pass = $_POST[password];

Unquoted strings are constants that you must define this way:

define('foo', 'bar');
echo foo; // prints bar

You probably mean:

$user = $_POST['username'];
$pass = $_POST['password'];

$q = mysql_query("SELECT * FROM admin WHERE username = '$user' and
password =PASSWORD('$pass')");

I suggest you read this article about SQL Injection:

http://en.wikipedia.org/wiki/SQL_Injection

if(mysql_num_rows($q)==0){
echo "Acces denied. User not allowed to connect.";
mysql_close();
}

You're retrieving all the row data when all you need is knowing whether the
record exists. It's not good programming practice and, believe me, it's far
easier to learn the right way from the beginning than changing your habits
afterwards. I suggest you either get the primary key.

else
{
echo
"<script>window.location.replace('administrator2.p hp')</script>";
}

I presume you're aware of the fact that you must also protect
"administrator2.php" or anyway will be able to bypass the login screen.

so if any body has an idea about this problem please tell me about it.

The first test you must do is printing all strings on screen:

echo '<pre>';
var_dump($_POST);
var_dump($q);
echo '</pre>';

If SQL query looks OK, paste it in your favourite MySQL front end check if
it returns the expected result.

Also, check whether mysql_query() returned a result resouce or FALSE, don't
use the value blindly.
--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programación web: http://bits.demogracia.com
+- Mi web de humor con rayos UVA: http://www.demogracia.com
--

Actually my problem is not in quoted strings, cos if I execute this
statement I get a row:

$q = mysql_query("SELECT username FROM admin WHERE username = '$user'
");
well the real problem is that after inserting for example this record
by using the function
Password()

mysql_query("insert into admin values('$user',password('$pass'))");

I cant retrieve this record by using this statement:
$q = mysql_query("SELECT username FROM admin WHERE username = '$user'
and password= password('$pass')");

cos the password now is encrypted in the table admin, for example '123'
is in the table '773359240e'
so how can I get the record ??? Cos I tried to print the result of
mysql_query but it was empty.

Shameram Sadaki

ch******@hotmail.com wrote:

Hello
I have a problem in retrieving a row form a table that I created in
mysql db.
I insert these values in the table
'Bell',password('123').
But the problem is in my php application I cant retrieve this row
because the password that I pass dosn't match the password value in the
table.
this is the code that I wrote in my php application

$user = $_POST[username];
$pass = $_POST[password];
$q = mysql_query("SELECT * FROM admin WHERE username = '$user' and
password =PASSWORD('$pass')");

if(mysql_num_rows($q)==0){
echo "Acces denied. User not allowed to connect.";
mysql_close();
}
else
{
echo
"<script>window.location.replace('administrator2.p hp')</script>";
}

so if any body has an idea about this problem please tell me about it.
thanx in advance
Shameram Sadaki

The Password Function in MySQL is only meant for the MySQL user table.

Quote from MySQL docs: "The PASSWORD() function is used by the
authentication system in MySQL Server; you should not use it in your
own applications" See
http://dev.mysql.com/doc/refman/5.0/...ction_password

You had the right idea, though. I use SHA(), and store the password in
a column with a CHAR(40) datatype.

Noodle wrote:

ch******@hotmail.com wrote:

Hello
I have a problem in retrieving a row form a table that I created in
mysql db.
I insert these values in the table
'Bell',password('123').
But the problem is in my php application I cant retrieve this row
because the password that I pass dosn't match the password value in the
table.
this is the code that I wrote in my php application

$user = $_POST[username];
$pass = $_POST[password];
$q = mysql_query("SELECT * FROM admin WHERE username = '$user' and
password =PASSWORD('$pass')");

if(mysql_num_rows($q)==0){
echo "Acces denied. User not allowed to connect.";
mysql_close();
}
else
{
echo
"<script>window.location.replace('administrator2.p hp')</script>";
}

so if any body has an idea about this problem please tell me about it.
thanx in advance
Shameram Sadaki

The Password Function in MySQL is only meant for the MySQL user table.

Quote from MySQL docs: "The PASSWORD() function is used by the
authentication system in MySQL Server; you should not use it in your
own applications" See
http://dev.mysql.com/doc/refman/5.0/...ction_password

You had the right idea, though. I use SHA(), and store the password in
a column with a CHAR(40) datatype.

Thank you, it is working now. But I used md5() instead of sha() in both
the insert and the select statements.

thanx
shameram sadaki

According to the MySql manual:

The SET PASSWORD statement assigns a password to an existing MySQL user account.

meaning that you only use it for MySql administration purposes.

You can use the following statement to setup your userid/password using the SHA1 (or something else). The other one shows how to retrieve it from the database:

[PHP]
The passsword create MySql code:

CREATE TABLE IF NOT EXISTS authorized_users (
userid VARCHAR(20) NOT NULL PRIMARY KEY,
passwd CHAR(40) NOT NULL);

INSERT INTO authorized_users VALUES ( 'johnny', sha1('mypw') );

The retrieve MySql code:

SELECT * FROM authorized_users WHERE userid='$userid'
AND passwd=sha1('$passwd')[/PHP]

Hope it is more clear now.

Ronald :cool: