Question
I am setting up a login for a website (perhaps the way I am doing it is just wrong, but that's for another question).
The way I am doing it is like this:
I can get the database to connect. I can extract the password from the database. I can collect the value from post. But I CANNOT compare these two values - it always says they are not equal, even though echoing them says they are.
To collect the posted values I use:
https://stackoverflow.com/questions/22741942
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian$posted_username = $_POST['uname'];
$posted_password = $_POST['passwd'];
To query the DB I use:
$result = mysql_query("SELECT passwd FROM usrs where usrname = '".$posted_username."'");
Next, if I include this line:
echo "Posted Username: " . $posted_username . "<br>" . " Posted Password: " . $posted_password . "<br>";
I can see that my posted values have been assigned correctly. I get this output when I run the PHP:
Posted Username: admin Posted Password: admin2
To step through my DB I use:
while ($row = mysql_fetch_array($result, MYSQL_ASSOC))
And inside this while loop I go:
$password_fromdb = $row['passwd'];
echo "Password from db is: " . $password_fromdb . "<br>";
echo "Password from POST is: " . $posted_password . "<br>";
$equal = strcmp($password_fromdb,$posted_password);
The output of the two echo lines gives me this:
Password from db is: admin2 Password from POST is: admin2
So I can see that the two passwords DO match.
However, whether I use strcmp, or whether I use =, == or ====, I ALWAYS get told that my two passwords do not match. I get told they don't match even if they do!
WHAT am I doing wrong? I would appreciate help as I know nothing about PHP, have to do this for a class, and our tutuor has decided he's not going to TEACH us PHP.
Solution 2
It might depend on how you're using $equal.
strcmp returns 0 if they are equal (https://secure.php.net/manual/en/function.strcmp.php)
so if you are using if ($equal ) it will fail (because equal was 0)
try to use var_dump($equal) to see what the result is, and try:
var_dump($equal);
if ( $equal === 0 ) {
echo "It works!";
}
OTHER TIPS
There's a few (I'd say pretty significant) issues with your code, but your actual issue is looking to be simple.
As you didn't include the code for where you check, I'm going to build off the fact you're using something like if ($equal) { execute your code }:
strcmp returns 0 for being equal. >1 if string1 is greater than string2, and <0 if string2 is greater than string1
See the PHP docs for reference
You can stop reading past this if you're not interested in developing yourself, but I figured I might as well explain a few things you could learn from:
That said however, there are a few issues I would like to raise awareness of, even if this never makes production level. It's a wise experience.
First of all, let me emphasise that what I am about to explain is difficult, and few people get it right - I myself am probably not the most proficient person on this skill either. Later versions of PHP have this covered for us though. But I'll give you the general gist.
In all cases, you will want to hash your passwords. Hashing is a one-way transformation of text that is not humanly readable. Because it is not readable by humans, if your database gets compromised, the passwords are not all publically visible to the intruder, and he will have a harder time getting any data out of it at all.
There is also this thing called salting your passwords, salting is just a way of saying that we add our own string to their password, so it's never completely their password. There's a few ways to do this, but I won't go into detail, because php offers a library that does this for us. Which means we won't have to do anything difficult at all, and can just use their methods. password_hash() and password_verify() - it is only since PHP 5.5, but there are backports to php 5.3.7
You'll have to look up the methods yourself from PHP's official website, as I'm limited to posting only two links. They're found at php.net/password_verify and php.net/password_hash
There is another issue, you're using MySQL, mysql is incredibly old and even deprecated at this point, it is advised you move over to mysqli or even pdo.
Security Issue 2:
Your code ($result = mysql_query("SELECT passwd FROM usrs where usrname = '".$posted_username."'");) is vulnerable to MySQL Injection.
MySQL injection is where someone tries to cut off your query, and uses his own. Because you do not properly sanitise user input (never trust the user), The code you're actually executing is not what you may expect it to look like, and may even consist of multiple queries (that could, for example, drop your tables, or even attempt to look up some of those clear-text passwords).
PDO has this covered for us, if you properly make use of the PDO wrapper (located at php.net/pdo), you won't have to worry about this at all. (Well, you do, but it's a whole lot easier to do it right after you get the hang of it).
There also is MySQLi, which is just MySQL_* improved. It allows for OOP programming and is faster. It doesn't sanitise user input for you, you'll have to make use of mysqli_real_escape_string($str), $mysqli->real_escape_string($str), or if you insist on using MySQL_* functions, mysql_real_escape_string($str).
I'll cut off for now, this is a lot of difficult information to process. But I hope someone learnt something from it. And if not, well that's a shame really. As you're really using a few very unsafe ways. Given you may test locally, it's still a good thing to learn good practises.
G'day!
I ran into this same (or similar) issue when comparing passwords. strcmp() told me the two strings didn't match, == told me they didn't match... They definitely matched.
My issue is that mcrypt_decrypt() was returning a 32 character string regardless of how long the string actually was. Tre bizarre.
Sample var_dump() output was:
var_dump($password_entered,$password_decrypted_from_database);
string(11) "ThisIsATest"
string(32) "ThisIsATest"
A simple trim() after decryption solved the issue.
