if ($pass==$pass2) check not working as expected

Forum Moderators: coopster

Message Too Old, No Replies

if ($pass==$pass2) check not working as expected

Password verification failing in PHP login script.

oilyflutesalad

12:01 pm on Nov 23, 2008 (gmt 0)

I've spent the last few hours writing a login script for my website, but I've been stumped on a problem verifying passwords...

When a user registers, their information is stored in a database. On the login page they enter the username and password, which is then checked against the information held in the database before setting a cookie. Passwords are stored base64 encoded.

Here's the code I'm having problems with:


$pass = $_POST['pass'];
$pass = strip_tags($pass);
$pass = stripslashes($pass);
$pass = mysql_real_escape_string($pass);
$pass = base64_encode($pass);
$pass2 = $array['password'];
if ($pass == $pass2)
{
echo "password matches";
}
else
{
echo "password doesn't match";
}

Later on in the script, for testing purposes, I echoed both $pass and $pass2, and they match up fine. However the script still says the passwords don't match...

Any ideas? This has been baffling me for hours! Thanks for your help.

amznVibe

12:18 pm on Nov 23, 2008 (gmt 0)

$pass = mysql_real_escape_string($pass);

That's probably your problem.
Slashes won't show up when displayed but they are in the string and will fail comparison. You also don't need to escape a string until you are ready to place it into the db via a mysql call.

oilyflutesalad

12:24 pm on Nov 23, 2008 (gmt 0)

Thanks, but I took that line out and I still have the same problem. I think earlier I decoded the password from the database instead of encoding the form password, and that worked (if I remember rightly)... If that's the case, why are the two base64_encoded strings not showing to PHP as a match?

EDIT
I just tried it again. Using the code below instead works fine, but I can't understand why it should make any difference? Also, since the password will be stored in a cookie I kind of need it encrypted... Maybe I should just add another column in the database for the md5($pass)?


$pass = $_POST['pass'];
$pass = strip_tags($pass);
$pass = stripslashes($pass);
//$pass = base64_encode($pass);
$pass2 = $array['password'];
$pass2 = base64_decode($pass2);

amznVibe

1:13 pm on Nov 23, 2008 (gmt 0)

You should never store the raw password in the db in case you are hacked.

Store the md5 of the password in the db only.

Then when the user submits the password to login,
md5 what they submitted and compare the md5 to what's in the db.

[edited by: amznVibe at 1:14 pm (utc) on Nov. 23, 2008]

oilyflutesalad

1:23 pm on Nov 23, 2008 (gmt 0)

I've never saved a raw password in the database, I use base64_encode() so a password can be decoded at a later date for use in a forgot password script when I write one.

As per the edit in my last post, I've added a second column in the database to store an md5 encoded password in addition to the base_64 version. Everything is now working fine, but I'm intrigued as to why PHP fails to match two equal values when they are base64_encoded. Maybe it has something to do with symbols such as "=" at the end of the string?

enigma1

2:56 pm on Nov 23, 2008 (gmt 0)

base64_encode does not provide one way encryption something you do need for passwords. You should create a new password for the password-forgotten cases apply a one-way encryption scheme and store the key only in the database, then send the password via email to the original owner from the accounts table.

People won't like it if they know their passwords can be decrypted. Even the md5 is not sufficient by itself, without using some other salt sub-key preferably custom to your site.