"Invalid username or password"

pfwilliams wrote on Friday, November 16, 2012:

Grr… what have I done now.
For my first test of using the mysqldbcopy.exe utility to create a parallel test database I used syntax examples I’d found on the web. Those examples showed source-database and destination-database as being separate (space-delimited) parameters.  I ran a test and it backfired and wiped the production database. I ended up with empty tables across the board.  Digging deeper it seems that today’s version of mysqldbcopy expects the source and destination databases to be specified as a single colon-delimited parameter, like “openemr:test_openemr”.

So, I don’t have an exported backup of the production database; I haven’t gotten far enough along in implementing OpenEMR to have set that up yet (I may bump the priority on that after this). I did, however, set up a simple nightly file backup of the mysql/data/openemr folder. I figured I have nothing to lose replacing empty tables, so I dragged all the .frm, .MYD and .MYI files from the backup location and dropped them into the mysql/data/openemr folder. I expected there might be some unique database ID, or timestamp, something at the MySQL level I’d need to synchronize. But I’m seeing behavior I wouldn’t have expected.

With the dragged-and-dropped database files I am still able to access the database from the stand-alone phpMyAdmin or MySQL Workbench programs. But when I launch an instance of OpenEMR, the initial main/login screen comes up with “Invalid username or password” already displayed, before even entering values for those fields. Attempting to enter correct login data for any user still results in “Invalid username or password”.

Am I the first to create this sort of mess?
Would anyone have any suggestions?
Thank you so much.

yehster wrote on Friday, November 16, 2012:

What happens if you query the users table from MySQL Workbench?

pfwilliams wrote on Friday, November 16, 2012:

I get 20 fully-populated rows returned from the query of openemr.users.
The first row being the admin record showing a password string of “1a1dc91c907325c69271ddf0c944bc72”.

yehster wrote on Friday, November 16, 2012:

Anything in your apache error.log?

There is some pretty convoluted logic in the “login” sequence which allows both MD5 and SHA1 hashes. It looks like you’ve still got MD5 passwords, and the application may be “wigging out”.

If you want to try something bold, then change the password field of the admin record to:

"9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684"

That’s the SHA1 hash for “pass”, which is what it looks like you have as the current MD5 password.
After updating admin’s password try logging in again.

Incidentally, since there’s no salt, OpenEMR’s user passwords are rather insecure. The SHA1 we switched to from MD5 doesn’t really help since there are pretty easy ways to recover passwords from hashes with either algorithm when values are unsalted.
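An added example, not part of the thread and not OpenEMR's code: a Python sketch of the point made above, telling unsalted MD5 (32 hex characters) from unsalted SHA1 (40 hex characters) by shape, auditing a users table for identical unsalted hashes, and upgrading a legacy hash to a salted, slow one on a successful login. The `pbkdf2$<salt>$<digest>` storage format, the iteration count, the function names and the sample rows are all assumptions made for illustration.

```python
import hashlib, hmac, os, re
from collections import defaultdict

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch

def classify(stored):
    """Identify the storage format from its shape alone."""
    if stored.startswith("pbkdf2$"):
        return "pbkdf2-salted"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5-unsalted"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "sha1-unsalted"
    return "unknown"

def hash_salted(password, salt=None):
    """Per-user random salt plus a slow KDF (hypothetical storage format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"

def verify(password, stored):
    """Return (ok, replacement); replacement is set when a legacy hash matched."""
    kind = classify(stored)
    if kind == "pbkdf2-salted":
        _, salt_hex, _ = stored.split("$")
        again = hash_salted(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(again, stored), None
    if kind in ("md5-unsalted", "sha1-unsalted"):
        algo = kind.split("-")[0]
        legacy = hashlib.new(algo, password.encode()).hexdigest()
        if hmac.compare_digest(legacy, stored):
            return True, hash_salted(password)  # upgrade on successful login
    return False, None

def shared_unsalted(rows):
    """Audit: groups of usernames whose unsalted hashes are byte-identical."""
    groups = defaultdict(list)
    for user, stored in rows:
        if classify(stored).endswith("unsalted"):
            groups[stored].append(user)
    return sorted(sorted(u) for u in groups.values() if len(u) > 1)

# Constructed sample rows (usernames and passwords are made up).
ROWS = [("alice", hashlib.md5(b"Spring2012").hexdigest()),
        ("bob", hashlib.md5(b"Spring2012").hexdigest()),
        ("carol", hashlib.sha1(b"other-secret").hexdigest()),
        ("dave", hash_salted("Spring2012"))]

if __name__ == "__main__":
    for user, stored in ROWS:
        print(user, classify(stored))
    print("identical unsalted hashes:", shared_unsalted(ROWS))
```

Without a salt, alice and bob are visibly sharing a password to anyone who can read the table, while dave's salted value for the same password matches neither.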

pfwilliams wrote on Friday, November 16, 2012:

No joy with the SHA1 hash :(
Still invalid username/password.

I parked this line:
echo ">>>".$defaultLangID."-".$defaultLangName."<<<";
after line 82 of login.php, just to see if I was getting any database access at all. It stuck a pretty “>>>1-English (Standard)<<<” on the main screen.
It looks like login.php is called by login_frame.php. Where is the actual read of the user table? I could park an echo there to show the SQL statement and the query result? (I’m hoping this won’t involve any of the JavaScript I’m seeing all over the login functions).

yehster wrote on Friday, November 16, 2012:

library/auth.inc
function authCheckSession ()

yehster wrote on Friday, November 16, 2012:

Actually, for first-time login it happens in authNewSession() (same file).

pfwilliams wrote on Friday, November 16, 2012:

I’m guessing there’s nowhere for the echo to go (a frame?) at the point that auth.inc is being called.
I’ll have to track down some lazy debugger’s way of kicking out the values to some sort of popup window or to a file, etc.
It’s just about quitting time here, so I (we) may not get to see what goes into and comes out of the query until Monday.
You, Sir, are a savior!  Am going to run the idea of donating financially to the effort past the doctors.

yehster wrote on Friday, November 16, 2012:

You can also use error_log and output stuff to the apache log file, since echo can “get eaten up” by the browser.

http://php.net/manual/en/function.error-log.php

pfwilliams wrote on Tuesday, November 20, 2012:

It turned out the cheesy drag-and-drop “backup” of the mysql/data/openemr folder resulted in all the gacl tables being corrupt.  MySQL Workbench showed the tables as defined in the database, but a query would report “table does not exist”. phpMyAdmin didn’t even show the tables as defined. “REPAIR TABLE” failed, mysqlcheck.exe failed. So I exported the remaining tables, reinstalled OpenEMR, and then imported the data. Had to recreate all the gacl permissions, but that wasn’t difficult. It seems to be working fine again. Thanks for all the help.