I have a small web app that uses a simple username/password login scheme. I've noticed several times it won't allow a user to log in when they correctly input the password.
The code originally was just encrypting the user's typed-in password on initial registration as:

    function encode5t($str) {
        for($i=0; $i<5;$i++) {
            $str=strrev(base64_encode($str)); //apply base64 first and then reverse the string
        }
        return $str;
    }
    $password=mysql_real_escape_string($_POST['password']);
    $pass=encode5t($password);

and then $pass is inserted into a MySQL database. Then the same function is used to encrypt the password on login and is checked against the database like so:

    $username = $_POST['username'];
    $psw = $_POST['password'];
    $npsw=encode5t($psw);
    $query = sprintf("SELECT * FROM members WHERE username='%s' AND password='%s'",
        mysql_real_escape_string($username),
        mysql_real_escape_string($npsw));

The problem arises depending on how the password is input into the form. If it's simply typed in, there is no problem, but if the password is copied/pasted into the form (as from an email containing a newly generated password), it fails. The encryption function creates an entirely different hash and doesn't match, so the user isn't logged in.
I've played with the encoding and changed it to just use md5() but I get the same end result - a cut/paste results in a different hash than what simply typing the password into the form results in.
Is there something in the page encoding that would make a copy/paste text different from a typed one?
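
A diagnostic for the mismatch described in the question, added here and not part of the original post: it dumps the raw bytes of a submitted password and shows how the outputs of `encode5t()` and `md5()` change when the value carries invisible characters, and when it is escaped before encoding as in the registration snippet. The sample password, the pasted variants, the `describeBytes()` helper and the use of `addslashes()` as a stand-in for `mysql_real_escape_string()` are assumptions made for the example.

```php
<?php
// Added example; encode5t() is copied from the post, everything else is constructed.
function encode5t($str) {
    for ($i = 0; $i < 5; $i++) {
        $str = strrev(base64_encode($str));
    }
    return $str;
}

// Render a submitted value as its length plus hex bytes so that
// invisible characters (spaces, CR/LF, NBSP) become visible.
function describeBytes(string $s): string {
    return sprintf('%2d bytes: %s', strlen($s), implode(' ', str_split(bin2hex($s), 2)));
}

// Constructed sample: one visible password, as typed and as it could
// arrive after a copy/paste (assumed variants, not taken from the post).
$typed = "S3cret'pw";
$variants = [
    'typed'          => $typed,
    'trailing space' => $typed . ' ',
    'trailing CRLF'  => $typed . "\r\n",
    'leading NBSP'   => "\xC2\xA0" . $typed,   // U+00A0 encoded as UTF-8
];

foreach ($variants as $label => $value) {
    printf("%-15s %s\n", $label, describeBytes($value));
    printf("    encode5t equal: %s   md5 equal: %s\n",
        var_export(hash_equals(encode5t($typed), encode5t($value)), true),
        var_export(hash_equals(md5($typed), md5($value)), true));
}

// The registration snippet escapes the password before encoding it, the login
// snippet does not. addslashes() stands in for mysql_real_escape_string() here
// (an assumption, so the example runs without a database connection).
$registered = encode5t(addslashes($typed));
$atLogin    = encode5t($typed);
printf("escaped-before-encoding equal: %s\n",
    var_export(hash_equals($registered, $atLogin), true));
```

Logging `describeBytes($_POST['password'])` temporarily on a test account shows exactly which bytes a pasted value adds. `encode5t()` is a reversible encoding rather than a hash and `md5()` is unsalted, so PHP's `password_hash()` and `password_verify()` are the standard replacement, and they are just as sensitive to stray bytes in the input.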