mcerveni Posted July 5, 2008 Share Posted July 5, 2008 When I leave the fields blank, it will display 'correct' if i put something in the fields or even put the correct username and password it will say 'false' what's going on with my php code with my ajax? ajax function: var nocache = 0; function login() { document.getElementById('login_response').innerHTML = "Verifying user..." var user = encodeURI(document.getElementById('user').value); var pass = encodeURI(document.getElementById('pass').value); // Set te random number to add to URL request nocache = Math.random(); http.open('get', 'include/check.php?user='+user+'&pass='+pass+'&nocache = '+nocache); http.onreadystatechange = loginReply; http.send(null); } function loginReply() { if(http.readyState == 4){ var response = http.responseText; if(response == 0){ // if login fails document.getElementById('login_response').innerHTML = 'Login failed! Verify username or password'; } else { document.getElementById('login_response').innerHTML = ''+response+ ''; } } } php page: if(isset($_GET['user']) && isset($_GET['pass'])){ $user = $_GET['user']; $pass = $_GET['pass']; $getUser_sql = "SELECT * FROM table WHERE username='$user' && password='$pass'"; $getUser = mysql_query($getUser_sql); $row = mysql_fetch_assoc(mysql_query($getUser)); if ($user == $row['username'] && $pass == $row['password'] ) { echo 'correct'; } else { echo 'false'; } } //isset get Quote Link to comment Share on other sites More sharing options...
xtopolis Posted July 5, 2008 Share Posted July 5, 2008 I don't know exactly what's wrong, but your verification method is not secure, nor a best practice. A guess would be that multiple rows are being returned and not in the order that would give you the right result. Suggestions: #1 !! - Do not store password values in the database. Store them as hashes (MD5, SHA, WHIRLPOOL), w/e. Check that the hash of the password you send matches one for a hash pw stored in the database. The username is ok to be sent as is though. #2 $sql = "SELECT COUNT(*) as numrows WHERE username='$user' AND password='$pass'"; $result = mysql_query($sql); $row=mysql_fetch_array($result); if($row['numrows'] != 1) { 0 or more than 1 match, DO NOT LOGIN }else{ 1 valid match! //ok to login } #3 Use POST instead of GET, escape the values for php (mysql_escape_real_string)[or possibly mysql_real_escape_string; I always get the words mixed up] if(isset($_POST['user']) && isset($_POST['pass'])){ $user = mysql_real_escape_string($_POST['user']); $pass = md5($_POST['pass']); Quote Link to comment Share on other sites More sharing options...
mcerveni Posted July 6, 2008 Author Share Posted July 6, 2008 thanks, i took out the md5 for my password to try and debug this issue, and mysql real escape i haven't done that yet, just trying to get the login to work for now..but thanks for the advice. i'll play around with it some more. Quote Link to comment Share on other sites More sharing options...
mcerveni Posted July 14, 2008 Author Share Posted July 14, 2008 i still can't get this to work my check.php code: if(isset($_POST['user']) && isset($_POST['pass'])){ $user = mysql_real_escape_string($_POST['user']); $pass = md5($_POST['pass']); $sql = "SELECT * FROM admin WHERE username='$user' && password='$pass'"; $result = mysql_query($sql); $row=mysql_fetch_array($result); if($row['username'] == $user && $row['password'] == $pass) { echo 'you are logged in.'; } else{ echo 'incorrect login.'; } } //isset get ?> my ajax code: function login() { document.getElementById('login_response').innerHTML = "Verifying user..." var user = document.getElementById('user').value; var pass = document.getElementById('pass').value; var url = "include/check.php"; var params = "user=+user&pass=+pass"; http.open("POST", url, true); //Send the proper header information along with the request http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http.setRequestHeader("Content-length", params.length); http.setRequestHeader("Connection", "close"); http.onreadystatechange = function() {//Call a function when the state changes. if(http.readyState == 4 && http.status == 200) { var response = http.responseText; document.getElementById('login_response').innerHTML = ''+response+ ''; } } http.send(params); } if I type in the wrong username/password or type in the correct username and password, it will always show me 'incorrect password'. Quote Link to comment Share on other sites More sharing options...
xtopolis Posted July 14, 2008 Share Posted July 14, 2008 Do you have this working with just php? IE: make the form submit to the php page, don't use ajax at all, and see if you can get that to work. If you do, start out by sending the values via ajax and make sure that the sent values are received as expected (ie: alert(username)/password and see that javascript is sending them right. After you do these, tell us what specifically is not working.. verification, or ajax? Quote Link to comment Share on other sites More sharing options...
mcerveni Posted July 14, 2008 Author Share Posted July 14, 2008 alright. here's what's happening.. ORIGINALLY..i have a functions page that has my login form and a function called do_login();... example code: functions.php else { //ELSE SHOW LOGIN FORM if ($_POST['user'] && $_POST['pass']) { do_login(); } ?> <form action="" method="post"> <div align="center" id="loginTable"> <br><br> <table> <tr><td> Username: </td> <td> <input type="text" name="user" > </td></tr> <tr><td> Password: </td> <td> <input type="password" name="pass"> </td></tr> <tr><td> <input type="submit" name="login" value="Login"> </td></tr> </table> <br><div align="center" id="login_response"> </div> </div> </form> <?php } //else } //end of check admin function function do_login() { $user = $_POST['user']; $pass = $_POST['pass']; $secure_password = md5($pass); //check to see if pass and username matches the database $sql = "SELECT * FROM admin WHERE username='$user' && password='$secure_password'"; $row = mysql_fetch_assoc(mysql_query($sql)); if ($user == $row['username'] && $secure_password == $row['password'] ) { session_start(); $_SESSION['admin_logged_in'] = TRUE; $_SESSION['admin_id'] = $row['admin_id']; $_SESSION['admin_username'] = $row['username']; $_SESSION['admin_last_login'] = $row['last_login']; $username = $_SESSION['admin_username']; //go to home.php header('Location:home.php'); exit(); }//if credentials else { //count how many times the user has failed to login. loginAttemps(); loginError(); //this is the div that shows from the errors.inc.php } } that works perfectly fine... but if i try to paste that do_login function into a file called check.php... and my form changed to... else { //ELSE SHOW LOGIN FORM //if ($_POST['user'] && $_POST['pass']) { //do_login(); //} ?> <form action="include/check.php" method="post"> <div align="center" id="loginTable"> <br><br> <table> <tr><td> Username: </td> <td> <input type="text" name="user" > </td></tr> <tr><td> Password: </td> <td> <input type="password" name="pass"> </td></tr> <tr><td> <input type="submit" name="login" value="Login"> </td></tr> </table> <br><div align="center" id="login_response"> </div> </div> </form> <?php } //else } //end of check admin function check.php code: $user = mysql_real_escape_string($_POST['user']); $pass = $_POST['pass']; $secure_password = md5($pass); $sql = "SELECT * FROM admin WHERE username='$user' && password='$secure_password'"; $row = mysql_fetch_assoc(mysql_query($sql)); if ($user == $row['username'] && $secure_password == $row['password'] ) { echo 'you are logged in.'; } else{ echo 'incorrect login.'; } //} //isset get it just show's me incorrect login if i type the correct username and password or wrong username or password. what the heck is happening? Quote Link to comment Share on other sites More sharing options...
xtopolis Posted July 14, 2008 Share Posted July 14, 2008 Hmm, it's hard to decipher the pieces. If you could, post the 2 complete files, or 3 so I can debug it. Quote Link to comment Share on other sites More sharing options...
mcerveni Posted July 14, 2008 Author Share Posted July 14, 2008 do you want the actual files?? Quote Link to comment Share on other sites More sharing options...
xtopolis Posted July 14, 2008 Share Posted July 14, 2008 Sure. Send me a simple version that includes the php verification, and ajax/login page including the javascript used so I can see and debug it. For the verification I will just hard code vals, so no need for database stuff atm. Quote Link to comment Share on other sites More sharing options...
mcerveni Posted July 14, 2008 Author Share Posted July 14, 2008 alright, i'll do that tonight.. i'm at work till 11pm. Quote Link to comment Share on other sites More sharing options...
mcerveni Posted July 15, 2008 Author Share Posted July 15, 2008 ok good news.. my check.php works fine now. it's validating the database correctly. when i run my ajax to grab the check.php..i'm not 100% sure it's getting the parameters correctly... i have in my check.php $pass = md5($_POST['pass']); ...do i have to have a md5 to my javascript variable called $pass as well? here's my ajax code.. function login() { document.getElementById('login_response').innerHTML = "Verifying user..." var user = document.getElementById('user').value; var pass = document.getElementById('pass').value; var url = "include/check.php"; var params = "user=+user&pass=+pass"; http.open("POST", url, true); //Send the proper header information along with the request http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http.setRequestHeader("Content-length", params.length); http.setRequestHeader("Connection", "close"); http.onreadystatechange = function() {//Call a function when the state changes. if(http.readyState == 4 && http.status == 200) { var response = http.responseText; document.getElementById('login_response').innerHTML = ''+response+ ''; } } http.send(params); } //function my check.php code: if(isset($_POST['user']) && isset($_POST['pass'])){ $user = mysql_real_escape_string($_POST['user']); $pass = md5($_POST['pass']); $sql = "SELECT * FROM admin WHERE username='$user' && password='$pass'"; $result = mysql_query($sql); $row=mysql_fetch_array($result); if($row['username'] == $user && $row['password'] == $pass) { echo 'you are logged in.'; } else{ echo 'incorrect login.'; } } //isset get Quote Link to comment Share on other sites More sharing options...
xtopolis Posted July 15, 2008 Share Posted July 15, 2008 While it's never a good idea to send passwords / userinfo in plain text, it won't make much of a difference while you get started. If anything you can change your server side verification to be non standard[meaning, instead of using the assumed MD5, use another encrypt, or add salt] So, from your form you should send the username and password. From there , verify that javascript picks those values up correctly. (Call your login function, alert username, alert password. From there, create your params var and alert that as well to make sure it's sending the url addon as expected. What may be wrong is your params string. I'm not too familiar with javascript including vars in strings, so you might do this: (ALSO, you might add a preceding ? to your string) var params = "?user=" + user + "&pass=" + pass; alert(params) //check that it is as expected Try that and let me know how it goes. Quote Link to comment Share on other sites More sharing options...
mcerveni Posted July 15, 2008 Author Share Posted July 15, 2008 ok, if this line: var params = "?username=" + user + "&password=" + pass; the alert(params) will display correctly, however, the php script will say 'you are logged in' even if i type in the wrong info. if i have var params = "?user=" + user + "&pass=" + pass; the alert(params) will display 'incorrect' every time. ajax script: function login() { document.getElementById('login_response').innerHTML = "Verifying user..." var user = encodeURI(document.getElementById('user').value); var pass = encodeURI(document.getElementById('pass').value); var url = "include/check.php"; var params = "?username=" + user + "&password=" + pass; http.open("POST", url, true); //Send the proper header information along with the request http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http.setRequestHeader("Content-length", params.length); http.setRequestHeader("Connection", "close"); http.onreadystatechange = function() {//Call a function when the state changes. if(http.readyState == 4 && http.status == 200) { var response = http.responseText; document.getElementById('login_response').innerHTML = ''+response+ ''; alert(params); } } http.send(params); } //function check.php: $user = mysql_real_escape_string($_POST['user']); //$pass = md5($_POST['pass']); $pass = $_POST['pass']; $sql = "SELECT * FROM admin WHERE username='$user' && password='$pass'"; $result = mysql_query($sql); $row=mysql_fetch_array($result); if($row['username'] == $user && $row['password'] == $pass) { echo 'you are logged in.'; } else{ echo 'incorrect login.'; } Quote Link to comment Share on other sites More sharing options...
xtopolis Posted July 16, 2008 Share Posted July 16, 2008 Hey, So I've got it to work on my end under similar circumstances. Obviously you didn't send me all of your code, so you will need to fill in my stuff into yours and make it work. Change this stuff: 1)Make params like this: var params = "user=" + user + "&pass=" + pass; There is no preceeding ?, and it must match what the check.php expects (user & pass); 2)return false; I'm not sure if you're doing this because it's not in your login function, but might be elsewhere. But it's a good idea to add to the form tag like this: <form onsubmit="return login()">. And then in the last part of your login function have: return false; This stops the form from doing anything on click other than run the login() function. 3)Database verification. I hard coded values and it seems to work. I would strongly recommend you do your query as a "SELECT COUNT(*) as numrows WHERE username='$user' AND pass='$pass'"; Then it would be the same mysql stuff... $result = mysql_query($sql); $row=mysql_fetch_array($result). if($row['numrows'] != 1) { echo 'Incorrect login.';}else{ echo 'Success';} The only reason I stress the database thing is so that you make sure you have only ONE match for security purpose. Obviously this is up to you, but it's good form and practice IMO. The code I have, it's slightly changed from yours, but commented. index.html <html> <head> <script type="text/javascript" src="http://www.xtopolis.com/z_phpfreaks/simplelogin/ajax.js"></script> <script type="text/javascript"> http = new newXHRO();//### I used my own XMLHttpRequestObject, linked off my site, feel free to copy function login() { document.getElementById('login_response').innerHTML = "Verifying user..." var user = encodeURI(document.getElementById('user').value); var pass = encodeURI(document.getElementById('pass').value); var url = "check.php"; //####CHANGED from include/check.php, change it back var params = "user=" + user + "&pass=" + pass; http.open("POST", url, true); //Send the proper header information along with the request http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http.setRequestHeader("Content-length", params.length); http.setRequestHeader("Connection", "close"); http.onreadystatechange = function() {//Call a function when the state changes. if(http.readyState == 4 && http.status == 200) { var response = http.responseText; document.getElementById('login_response').innerHTML = ''+response+ ''; } } http.send(params); return false; //####ADDITION } //function </script> </head> <body> <form onsubmit="return login()"><!-- ### NOTICE THE RETURN HERE--> <label>Username</label><input type="text" name="user" id="user" /><br /> <label>Password</label><input type="password" name="pass" id="pass" /><br /> <input type="submit" value="Login" /> </form> <div id="login_response"> </div> </body> </html> check.php <?php $user = $_POST['user'];//mysql_real_escape_string($_POST['user']); $pass = md5($_POST['pass']); /* $sql = "SELECT * FROM admin WHERE username='$user' && password='$pass'"; $result = mysql_query($sql); $row=mysql_fetch_array($result); */ //## HARD CODED FOR TEST $row['username'] = 'xtops'; $row['password'] = '1a1dc91c907325c69271ddf0c944bc72'; if($row['username'] == $user && $row['password'] == $pass) { echo 'you are logged in.'; } else{ echo 'incorrect login.'; } ?> If you still have trouble, let me know. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.