Error Verifying Username/Password

Discussion in 'Developers' Forum' started by otacon, Mar 10, 2011.

  1. otacon

    otacon New Member

    I am trying to use the below code to have my users login to other parts of my website.
    PHP:
    <?php
    ob_start();
    $host="localhost"; // Host name
    $username="root"; // MySQL username
    $password="nonya"; // MySQL password
    $db_name="someserver"; // Database name
    $tbl_name="ohyyeahtable"; // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password") or die("cannot connect");
    mysql_select_db("$db_name") or die("cannot select DB");

    // Define $myusername and $mypassword
    $myusername=$_POST['myusername'];
    $mypassword=$_POST['mypassword'];

    // To protect against MySQL injection
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    // "Encrypting" the password (an unsalted md5 hash)
    $encrypted_mypassword=md5($mypassword);

    // ISPConfig stores the password hash in the "passwort" column
    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and passwort='$encrypted_mypassword'";
    $result=mysql_query($sql);

    // mysql_num_rows counts the rows matched by the query
    $count=mysql_num_rows($result);

    if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php");
    }
    else {
    echo "Wrong Username or Password";
    }

    ob_end_flush();
    ?>

    But I get the error:


    I have looked up examples of mysql_num_rows(), but cannot find any issue with my script. Also, it seems to always say wrong username and password no matter what... I don't know if that is associated with the "$count=mysql_num_rows($result);" being wrong.

    I am by far not a PHP master and would appreciate the advice of a more talented coder.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You use a wrong encryption method for the password. Passwords in ISPConfig are encrypted with crypt together with a salt (that's the standard for Linux servers and more secure than md5). So if you want to verify a password, you have to fetch the encrypted password from the db, extract the salt and then use this salt plus your new password for verification. There are one or two threads here in the dev forum that explain the encryption.
     
  3. otacon

    otacon New Member

    So I read up on the encryption and I want to verify what I am seeing.


    My first user looks like it has $salt added to it with the password "$1$12345678$123456789.12345678910." (letters have been replaced with *random* numbers)

    But the rest of my passwords are shorter and look like "d2d11f27a5d0b79ceb504a5f846ff265" (random user password that I created by typing a bunch of letters)

    The second one does not seem to have a $salt added to it, as I believe the $1$ is a telltale sign of the $salt being used.

    Is the admin the only user that is supposed to look like the first password, or are the other users supposed to be like that too?
     
    Last edited: Mar 11, 2011
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Which ispconfig version do you use and how did you create these users?
     
  5. otacon

    otacon New Member

    ISP Config 3.0.3.1

    Most were created through the example API script given, two were created from ispconfig's default control panel.

    I created a new user from the control panel just to verify and I have the same result.

    I am getting the password in dbispconfig.sys_user.passwort.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    It was a bug in the remote API that md5 was used. The correct encryption method is crypt with salt. I've fixed that now in the stable SVN branch.
     
  7. otacon

    otacon New Member

    OK, well I still don't have this PHP code correct. I can still test it with the admin account until an update has been made; otherwise, if I get the code done first, I will upgrade from SVN.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Why don't you just use the code from the ispconfig login script to verify the passwords? No need to wait for an update, as you can easily detect the password encoding and use the correct method for verification as ispconfig is doing it.
     
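    One way to implement what till describes in the two replies above (fetch the stored hash, reuse its salt for crypt(), and detect the legacy md5 form the old remote API wrote), as an added example that is neither the thread's code nor ISPConfig's own login script. It assumes PHP 5.6+ for hash_equals() (7.0+ for random_bytes()) and uses constructed sample values; the same salt-reuse rule also covers "$5$"/"$6$" SHA-crypt hashes, which the thread does not show.

    ```php
    <?php
    // Added example (not the thread's code or ISPConfig's login script).
    // Verifies a submitted password against the hash stored in sys_user.passwort,
    // detecting the two formats seen in this thread: crypt() with salt ("$1$...",
    // and by the same rule "$5$"/"$6$") and the legacy unsalted md5() hex string.

    function ispconfig_password_matches($stored, $submitted)
    {
        if (preg_match('/^\$[156]\$[^$]+\$/', $stored) === 1) {
            // crypt() reads only the "$id$salt$" prefix of its second argument,
            // so the stored hash itself supplies the salt; a match reproduces it.
            // hash_equals() compares in constant time to avoid a timing leak.
            return hash_equals($stored, crypt($submitted, $stored));
        }
        if (strlen($stored) === 32 && ctype_xdigit($stored)) {
            // Legacy format written by the old remote API: bare md5, no salt.
            return hash_equals(strtolower($stored), md5($submitted));
        }
        return false; // unknown format: refuse rather than guess
    }

    function ispconfig_hash_needs_upgrade($stored)
    {
        // True for the unsalted legacy form, so a successful login can re-hash
        // the plaintext it just verified with ispconfig_make_hash().
        return strlen($stored) === 32 && ctype_xdigit($stored);
    }

    function ispconfig_make_hash($password)
    {
        // MD5-crypt with an 8-character random salt, the "$1$" form seen above.
        $salt = '$1$' . substr(bin2hex(random_bytes(8)), 0, 8) . '$';
        return crypt($password, $salt);
    }

    // Constructed sample values for the demo; not real ISPConfig data.
    $samples = array(
        'crypt-salted' => ispconfig_make_hash('correct horse'),
        'legacy-md5'   => md5('correct horse'),
        'unknown'      => 'not-a-hash',
    );
    foreach ($samples as $kind => $stored) {
        printf("%-13s good=%d bad=%d upgrade=%d\n", $kind,
            ispconfig_password_matches($stored, 'correct horse'),
            ispconfig_password_matches($stored, 'wrong password'),
            ispconfig_hash_needs_upgrade($stored));
    }
    ```

    The demo loop accepts each stored form only with its own password and flags the legacy md5 row for re-hashing on the next successful login.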
  9. otacon

    otacon New Member

    That is a great idea that I didn't even think of...

    Before I get to finalizing the script, I did an upgrade to the latest version of ispconfig 3.0.3.3 RC1.

    I then created a user from the control panel and the user password looks like this, "e807f1fcf82d132f9bb018ca6738a19f" (from phpmyadmin)

    Is everyone having the issue with salt not being added or is it just me?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    For ISPConfig, the encryption method does not matter. But I will check that and correct the code if the old encryption method is still used in some parts of the scripts.
     
  11. otacon

    otacon New Member

    OK no big deal just wanted to make sure my installation was not flawed. I am looking into the ispconfig/login/ folder now to look for the login script I can use for my website.
     