[Help Request - Debug] PHP code - login problem

["Error: Username must be characters only".]

I am customizing a PHP program for our website than someone else designed. After a lot of tinkering, I managed to get the majority of it working (to the best of my knowledge at least lol), but not one single person can login to the server.

I am not 100% sure on how our friends set it up (who made the code), but from talking with someone who has used the program, there was no need to create an account, because it used the forum accounts. Below is some of the code (some renamed for posting purposes), as well as the database build. I commented out the parts I suspect:

Code:

<?php



$relative_root = "";



$is_login_page = true;



require($relative_root . "util/wrapper.php");



global $_POST;


$char_name = $_POST["memberName"];

$password  = $_POST["pass"];


//Next 2 lineS may be a suspect.
if (strlen($char_name) == 0 || !isAlphaNumeric($char_name))

{

httpRedirect("login.php?error=" . urlencode("Username must be only characters"));

}


//Next 2 line may be a suspect.
if (strlen($password) == 0 || !isAlphaNumeric($password))

{

httpRedirect("login.php?error=" . urlencode("Invalid password"));

}


//Next line may be a suspect. (passwordSalt)
$authQuery = "SELECT memberName, pass, passwordSalt FROM forum_user_table WHERE LOWER(username)='" . strtolower($char_name) . "'";

$connect = mysql_connect("server", "username", "password") or die("Cannot connect.");

mysql_select_db("forum_database") or die("Cannot access DB.");

$sth = mysql_query($authQuery, $connect) or die("Error in query, unable to retrieve password.");

mysql_close($connect);


if (mysql_num_rows($sth) == 0) httpRedirect("login.php?error=" . urlencode("Invalid username or password"));



$row = mysql_fetch_assoc($sth);

//Next line may be a suspect.
if (md5(md5($password). $row["passwordSalt"]) != $row["passwd"]) httpRedirect("login.php?error=" . urlencode("Invalid username or password"));



//Next line may be a suspect.
$result = dbQuery("SELECT * FROM user WHERE LOWER(char_name)='" . strtolower($char_name) . "'");



$row = mysql_fetch_assoc($result);

if ($row["is_active"] == "0") httpRedirect("login.php?error=" . urlencode("User is inactive. Contact an administrator."));

if ($row["parent_user_id"] != "0") httpRedirect("login.php?error=" . urlencode("User is a controlled non-entity. Cannot login."));



$uid = $row["user_id"];



session_start();

session_regenerate_id();



$_SESSION["var"] = $row["test"];



mysql_free_result($result);



dbQuery("UPDATE user SET session_id='" . session_id() . "' WHERE user_id=" . $uid);



httpRedirect("index.php");



?>

The error we get is: "Error: Username must be characters only". This is the database for our SMF forums...a different database than we use for the main part of the program, but just incase there is something in it that is causing the problem, here is the SQL lines for its construction:

Code:

-- Table "forum_database" DDL

CREATE TABLE `forum_database` (
  `ID_MEMBER` mediumint(8) unsigned NOT NULL auto_increment,
  `memberName` varchar(80) NOT NULL default '',
  `dateRegistered` int(10) unsigned NOT NULL default '0',
  `posts` mediumint(8) unsigned NOT NULL default '0',
  `ID_GROUP` smallint(5) unsigned NOT NULL default '0',
  `lngfile` tinytext NOT NULL,
  `lastLogin` int(10) unsigned NOT NULL default '0',
  `passwordSalt` varchar(5) NOT NULL default '',
   --------------------------------------
- lots of other user info that isn't in the code above, but isn't pertinent...

  PRIMARY KEY  (`ID_MEMBER`),
  KEY `memberName` (`memberName`(30)),
  KEY `dateRegistered` (`dateRegistered`),
  KEY `ID_GROUP` (`ID_GROUP`),
  KEY `birthdate` (`birthdate`),
  KEY `posts` (`posts`),
  KEY `lastLogin` (`lastLogin`),
  KEY `lngfile` (`lngfile`(30)),
  KEY `ID_POST_GROUP` (`ID_POST_GROUP`)
) ENGINE=MyISAM AUTO_INCREMENT=6 DEFAULT CHARSET=latin1;

If anyone can help me out, I would greatly appreciate it. Also, if more info is needed than would be able to be posted, please feel free to PM me.

Thank you all very much!

anyone?

if you check both you will see that you php code is using different code than the tables you posted

I changed some things around to make it secure (no personal info on there). I will review all of the info though...but I am sure, overall, things are correct. I just made a formatting error on the post.

If you, or anyone, would be willing to help me via PM, I will show you the exact documents.

check the table name from your php code

//Next line may be a suspect. (passwordSalt)
$authQuery = "SELECT memberName, pass, passwordSalt FROM forum_user_table WHERE LOWER(username)='"

and from the database table you posted:

CREATE TABLE `forum_database` (

I rechecked everything, found a few mistakes too. However, one of my issues is that the information needed pulls from one database, created for this program, and another database which I am almost sure is the forum boards. Reason being to use the same account on SMF as the application (they did not use SMF though).

So, if I have a few variables in one database I need, and a few in another, what is the best way to handle that? Can I copy all active data from the forum database to the other database (that continues to update both databases)?

Last things I am a little confused about...(I've included here the information originally in the code):

Code:

$char_name = $_POST["txt_char_name"];

$password  = $_POST["txt_password"];

There is no "txt_char_name" or "txt_password" on either database.

Code:

$_SESSION["var"] = $row["test"];

There is also no "test", and I'm assuming "var" becomes "test" here.



Thanks for the help.

this will not work, you need to ask the guy who wrote that or you need to look for "paid" help. I don't think that someone will analyze your whole application for free

[Guest]

[62.885]

Googlebot, facebooklog22