[PHP] - MaNGOS DB - Getting password (SHA1) for login page

M

MalTeN123

Newbie Spellweaver
Joined
Dec 27, 2006
Messages
23
Reaction score
0
The last time I posted here I got a lot of help from some guys with a registration system for the MaNGOS database in PHP. Now I have been toying around with a login system.

My problem is that when the script that is being called when logging in, I can't get it to find the password. I think it has something to do with the whole encryption in SHA1. So you guys can get a better insight, I will post the code I have for the login below.

PHP: 
<?php
  $conn = mysql_connect('localhost', 'USERNAME', 'PASSWORD') or die(mysql_error());
mysql_select_db('realmd', $conn); // connecting to database

// Start the session
session_start();
 
// Check if user wants to login (GET info)
if($_POST['script'] == 'logi'){
 
    // User logs in
    If(empty($_POST['account_username']) OR empty($_POST['account_password'])) {
 
    // At least one of the file is empty, display an error
    
    header("Refresh: 0; url=http://127.0.0.1/ll/fields_empty.php");
 
    } else {
 
        // User filled it all in!
 
        // Make variables save with mysql_real_escape_string and md5
        $username = mysql_real_escape_string($_POST['account_username']);
        $password = mysql_real_escape_string($_POST['account_password']);
 
   // Search for a combination | as you can see here, 
   //I have changed the password out with email just to check 
   //if it worked, and so it did. Here is my problem. How do I get 
   //the SHA1 encrypted password instead of the email?
        $query = mysql_query("SELECT id FROM account
                       WHERE username = '" . $username . "' 

                       AND email = '" . $password . "'
                      ") or die(mysql_error());

 
        // Save result
        list($user_id) = mysql_fetch_row($query);
 
        // If the user_id is empty no combination was found
        if(empty($user_id)) {
 
            echo 'No combination of username and password found.';
 
        } else {
 
            // the user_id variable doesn't seem to be empty, so a combination was found!
 
            // Create new session, store the user id
            $_SESSION['user_id'] = $user_id;
 
            // Redirect to userpanel.php
            header('location: about.php');
 
        }        
 
    }
 
}
 
?>

If I haven't expressed my self clearly enough, please let me know and I will post more info about this matter :)

I really hope you can help me!

Thanks!

Malte
 
PHP: 
$query = mysql_query("SELECT id FROM account
                       WHERE username = '" . $username . "' 

                       AND email = '" . sha1($password) . "'
                      ") or die(mysql_error());
?
 
Thanks for the answers guys, but I forgot to mention that I have already tried this solution, and it still doesn't work.

Somehow I think I might have to change:

PHP: 
        // Make variables save with mysql_real_escape_string and sha1
        $username = mysql_real_escape_string($_POST['account_username']);
        $password = strtoupper($_POST['account_password']);

to something else. I have also tried with

PHP: 
 $password = sha1($_POST['account_password']);

Doesn't work though.
 
Okay, to make it more understandable, I will post both the registration code and the login code :)

Registration code NOTE: This works as it should. Also note the sha1 encryption.

PHP: 
<?php

 $conn = mysql_connect('localhost', 'USERNAME', 'PASSWORD') or die(mysql_error());
mysql_select_db('realmd', $conn); // Connection
    

if($_GET['script'] == 'reg'){

    // Yes, the user has clicked on the submit button, let's check if he filled in all the fields
    if(empty($_GET['account_username']) OR 
   empty($_GET['account_password']) OR 
   empty($_GET['account_mail']) ) {
    // At least one of the file is empty, display an error
    
    header("Refresh: 0; url=URL ADDRESS");
 
} else {

    $username = $_GET['account_username'];
    $password = strtoupper($_GET['account_password']);
    $email = $_GET['account_mail'];
    if($_GET['account_exp'] == 1){
        $tbc = 1;
    }else{
        $tbc = 0;
    }
    $ip = $_SERVER['REMOTE_ADDR'];
    
    $check = mysql_query("SELECT * FROM `account` WHERE `username` = '$username'") OR DIE("Unable to check if exists: ". mysql_error());
    $result = mysql_num_rows($check);
    
    if($result == 0){
        $query = mysql_query("INSERT INTO `account` (`username`, `sha_pass_hash`, `email`, `last_ip`, `expansion`) VALUES ('$username', SHA1('$password:$password'), '$email', '$ip', '$tbc')") OR DIE("Unable to add account: ". mysql_error());
        header("Refresh: 2; url=URL ADDRESS");
    }else{
        // Username or Email already taken
        header("Refresh: 2; url=URL ADDRESS");
    }
}
}
?>

Login code NOTE: This needs to get the SHA1 encrypted password from the databse, but it doesn't work.
PHP: 
<?php
  $conn = mysql_connect('localhost', 'USERNAME', 'PASSWORD') or die(mysql_error());
mysql_select_db('realmd', $conn); // Connection

// Start the session
session_start();
 
// Check if user wants to login (GET info)
if($_GET['script'] == 'logi'){
 
    // That's nice, user wants to login. But lets check if user has filled in all information
    If(empty($_GET['account_username']) OR empty($_GET['account_password'])) {
 
    // At least one of the file is empty, display an error
    
    header("Refresh: 0; url=URL ADDRESS");
 
    } else {
 
        // User filled it all in!
 
        // Make variables save with mysql_real_escape_string and sha1
        $username = mysql_real_escape_string($_GET['account_username']);
        $password = SHA1($_GET['account_password']);
 
        // Search for a combination
        $query = mysql_query("SELECT id FROM account
                       WHERE username = '" . $username . "' 
                       AND sha_pass_hash = '" . $password . "'
                      ") or die(mysql_error());

 
        // Save result
        list($user_id) = mysql_fetch_row($query);
 
        // If the user_id is empty no combination was found
        if(empty($user_id)) {
 
            echo 'No combination of username and password found.';
 
        } else {
 
            // the user_id variable doesn't seem to be empty, so a combination was found!
 
            // Create new session, store the user id
            $_SESSION['user_id'] = $user_id;
 
            // Redirect to page.member_area.php
            header('location: page.member_area.php');
 
        }        
 
    }
 
}
 
?>

Thats it. For me to see, it should work perfectly, but maybe some of you more PHP experienced guys can see the problem?
 
I mean what error message is displayed to you? (So I know where to look for the problem)

I noticed you made a few conditions for errors. I'm guessing you're getting 'No combination of username...' message?

Also I just noticed something else while skimming through your register code.

It says:

PHP: 
    $username = $_GET['account_username'];
    $password = strtoupper($_GET['account_password']); //Declare pass to all uppercase??? nooo
    $email = $_GET['account_mail'];
just change it to be like this:
PHP: 
$username = mysql_real_escape_string($_GET['account_username']);
$password = SHA1(mysql_real_escape_string($_GET['account_password']));
$email = mysql_real_escape_string($_GET['account_mail']);

and later on when you send the date to MySQL:
PHP: 
$query = mysql_query("INSERT INTO `account` (`username`, `sha_pass_hash`, `email`, `last_ip`, `expansion`) VALUES ('$username', SHA1('$password:$password'), '$email', '$ip', '$tbc')")
reduce the password:
PHP: 
$query = mysql_query("INSERT INTO `account` (`username`, `sha_pass_hash`, `email`, `last_ip`, `expansion`) VALUES ('$username', '$password', '$email', '$ip', '$tbc')")

That way there can't be any confusion between PHP and SQL encrytions.
Also, don't make sure passwords are all caps.. No point, and redundancy causes problems later on.

As for the login script, try this:
PHP: 
<?php
session_start(); // ***Always apply session_start(); before anything else - Spence ;)***
$conn = mysql_connect('localhost', 'USERNAME', 'PASSWORD') or die(mysql_error());
mysql_select_db('realmd', $conn);
 
// Check if user wants to login (GET info)
if($_GET['script'] == 'logi'){
  $user = mysql_real_escape_string($_GET['account_username']);
  $pass= SHA1(mysql_real_escape_string($_GET['account_password']));

  if(strlen($user)>0 && strlen($pass)>0) {
     $loginQuery = mysql_query('SELECT `id` 
                             FROM `account` 
                             WHERE `username` = "'.$user.'"
                             AND `sha_pass_hash` = "'.$pass.'"
                             LIMIT 1') or die(mysql_error());  //troubleshoot testing.
     $loginRow = mysql_fetch_row($loginQuery);
     $user_id = $loginRow['id'];
     if(strlen($user_id)>0) {
            // Create new session, store the user id
            $_SESSION['user_id'] = $user_id;
 
            // Redirect to page.member_area.php
            header('location: page.member_area.php');
     } else 
            echo 'Username and Password do not match.';
  }
}
?>
 
Last edited:
Hey S-P-N!

Im sorry that im replying so late :)

I tried your code but it didn't work out quiet right. I can see that you have used some terms that im not that familiar with, forexample:

PHP: 
 if(strlen($user_id)>0) {

So I think it messed up with my setting of the whole together, if you know what I mean.

Anyways, the code you provided looked more right than the one I had in the first place, so I replaced some of the lines that you wrote down instead of it all, and guess what?

It worked!

I really don't know how to thank you enough for this, cause this has been a nightmare for me!

It's nice that you all put so much effort in to this for helping someone in need :)

I would like to show you what the outcome of the whole thing, but that would be like advertising my server in here, so PM me if you are curious :)

Thanks again!!!!
 
For some reason, the SHA1 password that is in the database is different to the one I echo on the web-page.

MaNGOS may use a salt.
 
the strlen function checks how many characters are in a varriable.

So if $name = 'Spence';
strlen($name) would echo 6.

if(strlen($name)>0) checks to see if the name has more than 0 characters.

When using the $_GET method, the varriable can be set even if it's empty. So instead of checking if it's empty() or isset(), I use strlen() most of the time.

Now you know ;)
 
You must log in or register to reply here.

RaGEZONE Sponsor

    HyperFilter

About RaGEZONE

RaGEZONE® is the top forum for MMO, MMORPG, and mobile game development. We provide binaries, source codes, and tutorials for your favorite games, making it the go-to resource for developers and fans. You can also find and share private servers, fostering a vibrant gamer community.

Forum Statistics

Members online
912
Guests online
2,993
Total visitors
3,905
Totals may include hidden visitors.

RaGEZONE Partners

    nongamstopbets.com UK sites not on GamStop Casino Deps NZ
Back