Jump to content

MrGeezer

New Members
 View Profile  See their activity

  • Posts

    3

  • Joined

  • Last visited

    Never

 Content Type 

Everything posted by MrGeezer

  1. MrGeezer
    Hi anupamsaha, Sorry didnt see your post until now. As above, it seems to update the token value in the mysql database, the cookie is also updated (i have tested this) but when check_remembered is run again, it runs the select query using the older token
  2. MrGeezer
    Hi Zurev, Thanks for the suggestion, I am modifying a login class that was given to me from a friend, though there has been many bugs in it that I have fixed up, I didnt know what it did so didnt want to touch it. I have echoed the query "SELECT * FROM members WHERE email = '{$email}' AND token ='{$token}' AND ip_address LIKE '{$ip_address}%'"; and the UPDATE query under set_session SELECT * FROM members WHERE email = 'ryan@myemail.com' AND token ='ff84793a1ae2076bca5ed721374105c1' AND ip_address LIKE '118%' SUCCESS UPDATE members SET session='c7a3beded5bb3c5b907ece2b496f27d6', token='10b91a8cb9ef510c8ccd9bb39ce4a7e9', ip_address='118.93.xx.xx' WHERE member_id='23' SELECT * FROM members WHERE email = 'ryan@myemail.com' AND token ='ff84793a1ae2076bca5ed721374105c1' AND ip_address LIKE '118%' FAIL As you can see, the first time it runs check remembered, it works fine, the cookie matches the token value in the database. But after it runs set_session and updates the token value in mysql and the cookie, check remembered is run again and the token value has not updated to 10b91a8cb9ef510c8ccd9bb39ce4a7e9. it is using the original token value of ff84793a1ae2076bca5ed721374105c1 which fails.
  3. MrGeezer
    Hey guys! I have spent the last 5 and a half hours banging my head up against the wall trying to fix this to no avail so I guess its time to ask the experts!!! I am having a problem with my membership class. Basically, it works perfectly if a user logs in using sessions and not cookies. But when remember is set to 1 (they ticked the remember me checkbox), the mysql query fails on this line when we run $member_class->member_class(); $result = mysql_fetch_array(mysql_query("SELECT * FROM members WHERE email = '{$email}' AND token ='{$token}' AND ip_address LIKE '{$ip_address}%'"), MYSQL_ASSOC) or DIE ($this->query_error); Everything matches up except for the $token value. Basicly I believe that a new token is updated in the mysql database, before the token value in the cookie is updated as when I print $token, it definitly matches up with the token value in the mysql database. But from reading through the code, it all looks perfectly fine to me which is why i am so confused. If i change $newtoken = $this->token(); // generate a new token to $newtoken = '1234'; the script also works perfectly fine without errors (though not very secure so would like the token to change values! Really appreciate any input! Cheers <?php // member class // handlers member logon class member_class { var $message = ''; var $query_error = 'ERROR: something went wrong when accessing the database. Please consult your webmaster'; function member_class() { //constructor if (!$_SESSION['member_id']) { //fills session with empty values $this->set_session_defaults();; } if ($_SESSION['logged_in']) { //already logged in $this->check_session(); } if ($_COOKIE['remember']) { $this->check_remembered($_COOKIE['remember']); } } function check_login($email,$password,$remember,$redirect) { $email = mysql_escape_string($email); $salt='s+(_v'; $password = mysql_escape_string(hash('sha512', $salt . $password)); $result=mysql_fetch_array(mysql_query("SELECT * FROM members WHERE email = '{$email}' AND password = '{$password}'"), MYSQL_ASSOC); if ($result) { $this->set_session($result,$remember,true); return true; } else { $this->failed = true; $this->logout(); //create error message telling user that either the email address does not exist, or they have entered the wrong password associated with the email address $result=mysql_fetch_array(mysql_query("SELECT email FROM members WHERE email = '{$email}'")); if($result) { $this->message .= 'Incorrect Password. Please try again'; } else { $this->message .= 'The email address '.$email.' does not exist. Please try again or <a href="/register.php" class=" cboxElement">create a new account</a>.'; } return false; } } function logout() { // blowup cookie setcookie('remember',time()-3600); $this->set_session_defaults(); } function set_session($result,$remember,$init = true) { $member_id=$result['member_id']; if ($init) { $session = mysql_escape_string(session_id()); $ip_address = mysql_escape_string($_SERVER['REMOTE_ADDR']); $newtoken = $this->token(); // generate a new token // generate a random token $update = mysql_query("UPDATE members SET session='{$session}', token='{$newtoken}', ip_address='{$ip_address}' WHERE member_id='{$member_id}'") or DIE ($this->query_error); } $_SESSION['member_id'] = $result['member_id']; $_SESSION['email'] = htmlspecialchars($result['email']); $_SESSION['fullname'] = $result['fullname']; $_SESSION['token'] = $newtoken; $_SESSION['logged_in'] = true; if ($remember) { $this->update_cookie($newtoken); } } function update_cookie($token) { $cookie = serialize(array($_SESSION['email'],$token)); //print $token; setcookie('remember',$cookie, time()+12099600); } function check_remembered($cookie) { $serializedArray=$cookie; $serializedArray = stripslashes($serializedArray); list($email,$token) = unserialize($serializedArray); if(empty($email) or empty($token)) { return; } else { $email = mysql_escape_string($email); $token = mysql_escape_string($token); $ip_address = mysql_escape_string($_SERVER['REMOTE_ADDR']); //changed from = '{ip_address} to like '{ipaddress}% so we are not strict in ip address we only limit to first 3 charactors of ip $ip_address = substr($ip_address, 0, 3); $query = "SELECT * FROM members WHERE email = '{$email}' AND token ='{$token}' AND ip_address LIKE '{$ip_address}%'"; print $query; $result = mysql_fetch_array(mysql_query("SELECT * FROM members WHERE email = '{$email}' AND token ='{$token}' AND ip_address LIKE '{$ip_address}%'"), MYSQL_ASSOC) or DIE ($this->query_error); if (!$result) { // $this->set_session($result,false,false); }else{ $this->set_session($result,true,true); } } } function token() { // generate a random token for($i=1;$i<33;$i++) { $seed .= chr(rand(0,255)); } return md5($seed); } function check_session() { $email = mysql_escape_string($_SESSION['email']); $token = mysql_escape_string($_SESSION['token']); $session = mysql_escape_string(session_id()); //if ip address changes it will fail POSSIBLY DO NOT NEED THIS! $ip_address = mysql_escape_string($_SERVER['REMOTE_ADDR']); //check only the first 4 charactors of ip address incase user changes ip in corporate workplace etc ALSO CHANGED = TO LIKE IN MYSQL QUERY AND ADDEED % TO THE END AS WILDCARD $ip_address = substr($ip_address, 0, 3); $result = mysql_fetch_array(mysql_query("SELECT * FROM members WHERE email='{$email}' AND token='{$token}' AND session='{$session}' AND ip_address LIKE '{$ip_address}%'"), MYSQL_ASSOC or DIE ($this->query_error)); if ($result != false){ }else{ $this->logout(); } } }?>
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.