Login Issues


MinusMyThoughts


i found a login script on Free2Code.net, and i'm attempting to integrate it into my site. however, i don't think my server supports PEAR DB scripting......so i've figured out how to successfully retrieve a username/password combination from the server and redirect to my update page (i'm attempting to create an admin login for site users)......my update page includes a file called 'check_login.php' which is almost directly off of Free2Code.net, and i think i'm either setting my session variables incorrectly or i've got a mistake in my verification code......here is my loginScript.php file:

<?php
  session_start();
  require 'nGe_db-connect.php';
  $username = $_POST['username'];
  $password = $_POST['password'];
  $loggedIN = 0;
  $<?php
  session_start();
  require 'nGe_db-connect.php';
  $username = $_POST['username'];
  $password = $_POST['password'];
  $check = mysql_query("SELECT user, pass FROM nGe_login WHERE user = '".$_POST['username']."'");
  $result = mysql_query($check);
  $info = mysql_fetch_array($check);
  if (mysql_num_rows($check) == 0)
    {
    $pageName = 'Site';
    include('siteLook.php');
    echo '<html><head>'
      .'<link rel="stylesheet" href="nGe.css" type="text/css" media="screen,projection" />'
      .'</head>'
      .'<body bgcolor="#FCFADB" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">'
      .$siteLook
      .'<div class="content"><p class="content">That username/password combination is incorrect!</p>'
      .'<form action="loginScript.php" method="post">'
      .'<input type="text" class="w125" name="username"><br/>'
      .'<input type="password" class="w125" name="password"><br/>'
      .'<input type="submit" class="updateBTN" name="page_mode" value="Log In"></form></div>'
      .'</body></html>';
    exit;
    }
  $_POST['password'] = stripslashes($_POST['password']);
  $info['pass'] = md5(stripslashes($info['pass']));
  $_POST['password'] = md5($_POST['password']);
  if ($_POST['password'] != $info['pass'])
    {
    $pageName = 'Site';
    include('siteLook.php');
    echo '<html><head>'
      .'<link rel="stylesheet" href="nGe.css" type="text/css" media="screen,projection" />'
      .'</head>'
      .'<body bgcolor="#FCFADB" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">'
      .$siteLook
      .'<div class="content"><p class="content">That username/password combination is incorrect!</p>'
      .'<form action="loginScript.php" method="post">'
      .'<input type="text" class="w125" name="username"><br/>'
      .'<input type="password" class="w125" name="password"><br/>'
      .'<input type="submit" class="updateBTN" name="page_mode" value="Log In"></form></div>'
      .'</body></html>';
    exit;
    }
  // if we get here username and password are correct,
  //register session variables and set last login time.
  $_POST['uname'] = stripslashes($_POST['uname']);
  $_SESSION['username'] = $_POST['username'];
  $_SESSION['password'] = $_POST['password'];
  header("Location: phat2575.php");
  exit;
?>

...and this is my check_login.php code. i include this file in 'nGe_db-connect.php', which is simply my MySQL login information with an include() for this file at the bottom...

<?php
session_start();
if (!isset($_SESSION['username']) || !isset($_SESSION['password'])) {
    $logged_in = 0;
    return;
} else {
    // remember, $_SESSION['password'] will be encrypted.
    if(!get_magic_quotes_gpc()) {
        $_SESSION['username'] = addslashes($_SESSION['username']);
    }
    // addslashes to session username before using in a query.
    $pass = mysql_query("SELECT pass FROM nGe_login WHERE user = '".$_SESSION['username']."'");
    if(mysql_num_rows($pass) < 0) {
        $logged_in = 0;
        unset($_SESSION['username']);
        unset($_SESSION['password']);
        // kill incorrect session variables.
    }
    $db_pass = mysql_fetch_row($pass);
    // now we have encrypted pass from DB in
    //$db_pass['password'], stripslashes() just incase:
    $db_pass['password'] = md5(stripslashes($db_pass['password']));
    $_SESSION['password'] = stripslashes($_SESSION['password']);
    //compare:
    if($_SESSION['password'] == $db_pass['password']) {
        // valid password for username
        $logged_in = 1; // they have correct info
                        // in session variables.
    } else {
        $logged_in = 0;
        unset($_SESSION['username']);
        unset($_SESSION['password']);
        // kill incorrect session variables.
    }
}
// clean up
unset($db_pass['password']);
$_SESSION['username'] = stripslashes($_SESSION['username']);
?>

i've been troubleshooting this system with absolutely no luck, and i'm out of ideas. i'm hoping someone who hasn't been staring at this code for hours will be able to pick out the error without too much trouble......thanks so much for your help!

love,
jason


I hope that is a stutter right at the top of the first code-block.

What sort of errors or faulty behaviour are you getting? Have you set the mysql error reporting on for this? Try putting some error checking code in place. Trap the values of the variables in an array and have the array printed at the error escape points, for instance. And every time you set the session variables.

Also, I sense there is a fatal flaw in the code since you seem to be manipulating the $_POST['password'] throughout the whole program in spite of the presence of the $password variable into which you copy the $_POST['password'] right at the start of the code? Do you know what the value is at various stages of the program including when you set the session variables? Some Basic Debugging techniques are in order.

Here is something to check, though.

$db_pass['password'] = md5(stripslashes($db_pass['password']));
$_SESSION['password'] = stripslashes($_SESSION['password']);

In the second line, you are stripping the slashes from a password which I think is already hashed, whereas the retrieved db password is MD5'd AFTER the stripslashes. Possibly you are getting a difference there. Store both values (before and after) to compare the results. Might have to reverse the sequence of the hashing and stripslashes on the retrieved password.

$db_pass['password'] = stripslashes(md5($db_pass['password']));
$_SESSION['password'] = stripslashes($_SESSION['password']);

Like so.

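A hardened form of the login flow discussed in this thread, added here as an example; it is not code from either poster or from Free2Code.net. It assumes the `pass` column of `nGe_login` holds `password_hash()` output, uses a constructed in-memory SQLite table with a made-up account in place of the real MySQL database, and the function names `demo_db`, `attempt_login` and `is_logged_in` are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumption: nGe_login.pass holds
// password_hash() output instead of the plain password.

// Constructed stand-in for the MySQL table so the example runs offline.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE nGe_login (user TEXT PRIMARY KEY, pass TEXT)');
    $ins = $db->prepare('INSERT INTO nGe_login (user, pass) VALUES (?, ?)');
    // Made-up account; the name has a quote and the password a backslash.
    $ins->execute(["o'brien", password_hash('pa\\ss word', PASSWORD_DEFAULT)]);
    return $db;
}

// loginScript.php logic. $session stands in for $_SESSION.
function attempt_login(PDO $db, array $post, array &$session): bool {
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password)) {
        return false; // reject array-valued form fields
    }
    // Bound parameter: the input is data, never part of the SQL text,
    // so no addslashes()/stripslashes() handling is needed.
    $stmt = $db->prepare('SELECT pass FROM nGe_login WHERE user = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // Same result for an unknown user and for a wrong password.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // In the real script, call session_regenerate_id(true) here.
    $session['username'] = $username; // identity only, never the password
    return true;
}

// check_login.php logic: nothing to re-hash or compare on each request.
function is_logged_in(array $session): bool {
    return isset($session['username']);
}

$db = demo_db();
$session = [];
var_dump(attempt_login($db, ['username' => "o'brien", 'password' => 'pa\\ss word'], $session));
var_dump(is_logged_in($session));
$session = [];
var_dump(attempt_login($db, ['username' => "o'brien", 'password' => 'wrong'], $session));
var_dump(is_logged_in($session));
```

Against the real database only the PDO constructor changes (a `mysql:` DSN). The `mysql_*` functions used in the original scripts were removed in PHP 7.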