PHP/Mysql authentication script getting NULL result from query

Question

I am working on a test project, trying to learn more about PHP and Mysql and what not. So I have decided to build an Authentication engine for my test website but I am having issues with the query.

Basically, if I run...

SELECT * FROM users WHERE name="tester" and passwd=md5('pass');

from the mysql console, I get...

+--------+---------------+----------------------------------+
| name   | email         | passwd                           |
+--------+---------------+----------------------------------+
| tester | test@test.com | 1a1dc91c907325c69271ddf0c944bc72 |
+--------+---------------+----------------------------------+
1 row in set (0.00 sec)

However,when I issue the same query (at least I think it is the same) from my PHP code (see below) I appear to be getting a NULL result, thus authentication fails.

<?php
    include 'db_connect.php';

    $username = $_POST['username'];
    $passwd = $_POST['passwd'];

    // To protect MySQL injection (more detail about MySQL injection)
    //$username = stripslashes($username);
    //$passwd = stripslashes($passwd);
    //$username = mysql_real_escape_string($username);
    //$passwd = mysql_real_escape_string($passwd);

    //Encrypted password
    $secpasswd = md5($passwd);

    $sql="SELECT * FROM users WHERE name='$username' and passwd = $secpasswd";

    $result=mysql_query($dbconnect,$sql);
    var_dump($result);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    //var_dump($count);

    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1){

        // Register $myusername, $mypassword and redirect to file "login_success.php"
        session_register("username");
        session_register("passwd"); 
        header("location:login_success.php");
        }
    else {
        echo "Wrong Username or Password";
        }
    ob_end_flush();
?>

Answer 1

Right off the bat I noticed that your password string is not enclosed in quotes. Try changing this:

    $sql="SELECT * FROM users WHERE name='$username' and passwd = $secpasswd";

to this

    $sql="SELECT * FROM users WHERE name='$username' and passwd = '$secpasswd'";

Answer 2

There are s lot of problems with your code.

• you SQL query format is wrong
• you don't actually fetch any values from the query result
• your hashing is weak
• you aren't using prepared statements
• you are using outdated session functions

Here is how it have to be

<?php
include 'db_connect.php';

//Encrypted password
$secpasswd = sha512($_POST['passwd'].$_POST['username']);

$sql = "SELECT * FROM users WHERE name = ? and passwd = ?";
$stm = $pdo->prepare($sql);
$stm->execute(array($_POST['username'], $secpasswd));
$row = $stm->fetch();

if($row){
    $_SESSION["username"] = $row[username];
    header("location:login_success.php");
    exit;
} else {
    echo "Wrong Username or Password";
}

Note this code is using PDO for the database interaction

Answer 3

As Sean pointed out in the comment above, you need to wrap your $secpasswd in single quotes. So

$sql="SELECT * FROM users WHERE name='$username' and passwd = $secpasswd";

becomes

$sql="SELECT * FROM users WHERE name='$username' and passwd = '$secpasswd';";

But the main reason I am answering is to let you know the mysql method you're using is deprecated. You should look at using mysqli or PDO instead.

Answer 4

Your queries aren't equivalent:

SELECT ... passwd=md5('pass')

is NOT the same as

SELECT ... passwd=password_hash_here

In the first case, mysql KNOWS you're getting a string back from the md5 call. In the second case, you're just stuffing a bare string into the query, which MySQL is forced to treat as a field name (if it starts with an alphabetical character), or an invalid number (if it starts with a digit).

Try

SELECT ...passwd='$password_hash'

instead.