Jump to content

Php Login And Redirect - Need Help Please


dlc3172

Recommended Posts

Hello -

 

First off, I just want to note that I'm not a programmer whatsoever. Also, I'm hoping I posted this question in the right place.

 

I found a pretty nice PHP script that I've installed. It lets users register for accounts, and then when they login, it redirects them to whatever page I've indicated for their account via an admin system. The script can be found here: http://www.mpdolan.com/#downloads - but I think this is a defunct site. Nobody has responded to my emails there.

 

Anyway, I've been able to set everything up and it all works very nicely, but now I'm having a problem. There is a "forgot your password" function, but I can't get it to send the email to the users who request their login. Would anyone mind looking at the following code? This seems to be the file, emailpass.php, that sends the email. Do you see anything that may be causing the email not to be sent?

 

I'm hoping someone can help me. I've spent some time installing the script and getting it to work the way I want, but I can't really use this on my site if there's no way for users to request their passwords.

 

THANKS!!! Here's the emailpass.php file:

 

 

 

<?

//prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter();

session_start();

//require the config file
require ("config.php");

//make the connection to the database
$connection = @mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
$db = @mysql_select_db($db_name,$connection)or die(mysql_error());

//build and issue the query
$sql ="SELECT * FROM $table_name WHERE email = '$_POST[email]'";
$result = @mysql_query($sql,$connection) or die(mysql_error());

//get the number of rows in the result set
$num = mysql_num_rows($result);

//If match was found, get username and email from database
if ($num != 0)
{
while ($sql = mysql_fetch_object($result))
{
$email = $sql -> email;
$uname = $sql -> username;
}

//Update database with new password
$newpass = rand(10000000,99999999);
$chng = "UPDATE $table_name SET
password = password('$newpass'), pchange = '1'
WHERE email = '$email'";

$result2 = @mysql_query($chng,$connection) or die(mysql_error());

//create message to user
$msg = "<p>Your username & temporary password has been emailed to you.</p>";
$msg .= "<p>You must change this password immediately after your next login.</p>";
$msg .= "<p></p>";
$msg .= "<p><a href=\"login.html\">Login</a></p>";

//create mail message
$mailheaders = "From: www$domain\n";
$mailheaders .= "Your username is $uname.\n";
$mailheaders .= "Your password is $newpass.\n";
$mailheaders .= "http://url.com/login.html";
}
else
{

//If no email was found in the database send a notification to the admin
$email = $adminemail;
$msg = "<p>Your email address could not be located</p>";
$msg .="<p>The Website Administrator has been emailed, you should contacted by them shortly.</p>";

$mailheaders = "From: www$domain\n";
$mailheaders .= "A user with the email address of $_POST[email] has requested a username and password reminder.\n";
$mailheaders .= "$_POST[email] could not be located in the database.\n";
}

//Email the request
$to = "$email";
$subject = "Your Username & Password for www$domain";

mail($to, $subject, $mailheaders, "From: No Reply <$adminemail>\n");

?>
<HTML>
<HEAD>
<TITLE>Username and Password Request</TITLE>
</HEAD>
<BODY>

<? echo "$msg"; ?>

</BODY>
</HTML>

Link to comment
Share on other sites

The site where you got this off of does not provide secure code at all you will want to look that up. I used this exact script when I just started off and learned how awful it was first-hand. You should've gotten an emailpass.html file to go with it. You need to go there first for the form, if they entered an email that exists in the database it will work.

Link to comment
Share on other sites

I strongly recommend that you read this article about secure login systems. Drop the code you downloaded from that other site, and KILL IT WITH FIRE!

 

Ehem.. Yeah, as noted by SocialCloud: That code is not secure by one iota, and as such should never, ever, be used. The article I linked you to will give you a proper, and secure, login system. Plus all the information you'll need on both how to use it, and how to write one for your own should you want to.

Link to comment
Share on other sites

Thanks for the feedback, but I think we're getting a little off topic here. First, as I noted in my post, I'm not a programmer. I won't be able to write my own script. Second, I'm not too concerned with how secure the script is because I'm not storing any personal information in the user accounts. Third, as for finding another script that IS secure, I specifically need a user login script that redirects the user to their own account page; that's why I decided to use this particular script.

 

In response to SocialCloud: Yes, I have the emailpass.html and emailpass.php files installed. Everything looks like it should be working, but emails never get delivered. I included the emailpass.php code because that's the file that send the email. I was hoping somebody might notice something that looked wrong and could be preventing the email from being delivered.

Link to comment
Share on other sites

Second, I'm not too concerned with how secure the script is because I'm not storing any personal information in the user accounts.

 

Do you know how many people use the same information for other places on the internet?

 

If I recall, the script stores the passwords with the mysql password() function, in which people keep databases for. That along with the disregard of security, the script will give a hacker all the information they need for multiple websites.

Edited by SocialCloud
Link to comment
Share on other sites

ok, you've convinced me. I won't use this script, which I guess makes my original question moot now. But, seriously, why does't the original programmer take the script down if it's dangerous? People with no programming knowledge like me would have no clue that it's not secure.

 

All that being said, can anyone recommend a SECURE php/mysql script that will register/login a user and also redirect them to whatever page I want upon login?

Link to comment
Share on other sites

Because some people just don't care, and others have simply forgot about it and moved on. Others doesn't know any better, but that's not really an excuse if you ask me; If you're going to write a tutorial, you're responsible for making at least an attempt to research how to write secure code.

Others, well... Let's just say that Einstein's quote about infinity can be applied.

 

As for the secure script you're looking for: You could take the one I linked to above, and add the header ('Location: ....') to the user's page. Where it says "Authentication succeeded". Just remember to use die () afterwards, to ensure that the PHP parser doesn't execute the following code.

 

Link to comment
Share on other sites

Thanks SocialCloud, I would appreciate that. As long as it will also redirect the user to their own html page that I can modify manually. That's the critical part of the script that I need. I know there are lots of php login scripts available, but the insecure one has been the only one I've found that will let the admin put in a unique redirect for each user.

 

Christian, I need a ready-to-use script with an installer (or at least easy installation instructions). I'm not a programmer and don't have the knowledge to modify a script.

 

Thanks guys!!!

Edited by dlc3172
Link to comment
Share on other sites

As long as it will also redirect the user to their own html page that I can modify manually.

 

will let the admin put in a unique redirect for each user.

 

Err...this might take me a bit longer. I was planning on doing a script for my site somewhat like this anyways. Since it is provided free either way, I don't care if anyone on here uses it.

 

But I will tell you now it will be somewhat basic

Edited by SocialCloud
Link to comment
Share on other sites

ok - in the meantime, I'm going to keep looking around for a login/redirect script that is secure. I think I may have found one that might work for me (lets the admin assign user groups for redirection purposes, and maybe I can give each user their own unique usergroup). I'll see if I can install it and try it out, and I'll let you know how it goes.

Link to comment
Share on other sites

If you mean the original script at the start of this thread? I wouldn't bother.

 

I browsed through all the .php files making up that application and none of them are validating/escaping data being put into database queries or the data going into the mail() parameters. At least two of the 'admin' .php files aren't effectively testing if the current visitor is even logged in and allows anyone to add/delete or update user information. The script is also doing things like storing the user's password in plain text in a cookie and is relying on register_globals (turned off by default over 10 years ago and has been completely removed in php5.4) to get cookie values into program variables. There's also an inconstant usage of both short and full opening php tags (and a lot of other inconstant coding in it.) And several more things, I not going to take the time to write up...

 

In short, that application is doing a number of things we are constantly telling noob programmers not to do. It looks like the author probably did this as a school project, got a passing grade on it, thought he had accomplished something useful, and posted it on the Internet.

Edited by PFMaBiSmAd
Link to comment
Share on other sites

I don't think he's going to post here, but here's what he told me:

 

The script hashes all logins via am md5 function, granted MD5 hashes can be reverse engineered, but this would require direct access to the database (and if that happens, you have bigger problems to worry about).

 

As I said above, the script is meant as a foundation to build your site on top of. It is very easy for a user with minimal knowledge of PHP to add some sort of salt to the script to make the passwords even more secure). Even with salted values, if someone gains access to your datacbase, you still have problems

Link to comment
Share on other sites

That statement is actually incorrect. The code is using the mysql password() function. There are two problems with using that function -

 

1) The size of the hash changed between mysql versions, breaking any data that used it,

 

2) -

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead.
Link to comment
Share on other sites

Going to have to change the "tomorrow" (today) that I said I would post it to possibly tomorrow or monday :-\

 

As you may have figured out...I'm coding it myself from scratch for my site's tutorial on basic login and registration (All user files and installation are done and 100% error, warning, and notice free) and although it's pretty basic, I suck at css and making the admin back-end neat requires css. I'm going to take a break as I've been coding this for 8 hours on and off but I'll work on it some more later.

Edited by SocialCloud
Link to comment
Share on other sites

Apparently the original author doesn't quite know what he's talking about, at the very least he's mixing his terminology quite a lot. He's clearly confused about the function of the hash, that's for sure.

 

In any case, I've gone ahead and changed the files in demo 6 from the link I posted above. To include the functionality that you require. It's just a rough example, mind you, but it should give you a base you can integrate into your own site. It has all of the necessary functions, but you'll probably want to split the different forms up a bit. Add some restrictions to the new user generation, for example. ;)

 

Unfortunately there's too much code to paste here, so I've zipped it up and attached it to this post.

You'll find all of my changes if you search for "CF: ". The only file I've left alone is pwqcheck.php.

 

demo6_cf-mod.tar.gz

Edited by Christian F.
Link to comment
Share on other sites

Just post it here in this thread, SocialCloud, so that others might benefit from it as well. :)

 

Sorry it took so long, but here we go...please take into consideration the following quote before downloading (too many files, so it has to be provided as an attachment) Before complaining or asking question, please refer to README.txt provided in the download

But I will tell you now it will be somewhat basic

 

Basic_Login_Registration_v1.0.zip

Link to comment
Share on other sites

Hey guys,

 

I decided to purchase a login/registration script, because it lets me redirect users to whatever specific page I want. I confirmed with the author that it's compliant with the latest security standards (encryption, salting, etc.).

 

In the meantime, even with this new script I'm having trouble sending email with php (you may remember that this was my original reason for posting! :) ). I posted a new thread in this forum, if you're interested in checking it out.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.