Jump to content


Photo

Login script completely busted


  • Please log in to reply
13 replies to this topic

#1 PC Nerd

PC Nerd
  • Members
  • PipPipPip
  • Advanced Member
  • 1,122 posts
  • LocationAustralia

Posted 07 July 2006 - 01:40 AM

i am writting a login script, that checks by comparing $_POST['User_Name']  to $_DATABASE_REQUEST['User_Name'] and the same with the password. basically it goes if(password and usernames match) {complete login sequence}
else{echo there was an error and prompt to login again}

here is the login script, and the include file

SCRIPT:

<html>

<head>

<link rel="stylesheet" type="text/css" href="B_A-CSS.css">
<title>Login</title>
</head>

<body>


<table>
<thead>
	<td  class = left>
		<img src="Graphics/Draft Logo.jpg"
			alt="Logo">
	</td>

	<td class = centre>
	<b><font color = "#006600"><center><h1>TITLE</h1></center></font></b>
	</td>

	<td class = right>
		<img src="Graphics/Draft Logo.jpg"
			alt="Logo">
	</td>

</thead>

<tbody>
<tr>

<td class = left>
</td>

<td class = centre>
	
	
	<?PHP

	include("inc files/Database link.inc");
                $User_Name = $_POST['User_Name'];
	$User_SQL = "SELECT User_Name, Password FROM Table_1 WHERE User_Name = '" . $_POST['User_Name'] ."' ";
	
	$result = @mysql_query($User_SQL, $DB_Server);

                if(!$result){
                        echo "Unable to perform query: $User_SQL<br>";
                        echo mysql_error();
                 }

	$confirm = mysql_fetch_array($result);

	if($confirm['User_Name'] == $_POST['User_Name'] and $confirm['Password'] == $_POST['Password']){

		echo "<p>Please type what you see in the image.This is to stop scripts from playing the game for you.  Please read the Rules for more information.  The Image is Case sensitive.</p>";
		$pic = rand(1,6);
		echo "<img src = 'Graphics/Login $pic.jpeg' alt = 'Login'>";
                                $User_Name = $_POST['USer_Name'];
                                $Password = $_POST['Password'];
                                $Pic_Value = $_POST['Pic_Value'];



		echo "<form action = 'B_A-Home.php' method = 'POST'>";
		echo "<input type = 'hidden' name = 'User_Name' value = $User_Name>";
		echo "<input type = 'hidden' name = 'Password' value = $Password>";
		echo "<input type = 'hidden' name = 'Pic_Name' value = '$pic'>";
		echo "<input type = 'text' name = 'Pic_Value' value = $Pic_Value>";
		echo "</form>";
		echo "<input type = 'submit' value = 'Login'>";
	}
	
	else{
		echo "<p>There has been an error with the login, please try to login again.  <a href = 'B_A-Home.html'>Try again here</a></p><br>";
	}

?>


</td>

<td class = right>
</td>

</tr>
</tbody>
</table>

</body>

</html>


INCLUDE FILE:

<?php


$host="localhost";
$account="ACCOUNT";
$password="PASSWORD";
$dbname="DBNAME";
$Error_Log[1] = "";
$Error_Log[2] = "";




$DB_Server = mysql_connect($host, $account, $password);

if(!$DB_Server){echo "<p>There was an error in connecting to the database server.  Please try again later.</p>";
	$Error_Log[1] = "DB_Server";}
else{}


$DB = mysql_select_db($dbname);

if(!$DB){echo "<p>There was an error connecting to the Database.  Please try Again later.</p>";
	$Error_Log[2] = "DB_Connect";}
else{}



if(empty($Error_Log[1])){}
elseif(empty($Error_Log[2])){}
else{echo "<p>WE apologises for any and all inconveniences caused by this fualt in the system.  We are working on fixing the connection problem.  Why not explore the public site for FAQ's and other help sections to become more aquainted with the game.</p>";}

?>

i cant see any errors.  i made sure that the database entries matched the form entries.  but there is still this error.  ass i said there are no error messages, eg warning undefined variable et.c, but the scrript isnt doing what i told it to do

all help apprectiated

P.S

im working on the new user script now, so ill keep you posted if that could have any changes in this script

thanks

#2 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 07 July 2006 - 02:02 AM

Can you explain what it is doing?
Why doesn't anyone ever say hi, hey, or whad up world?

#3 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 07 July 2006 - 02:17 AM

		echo "<p>Please type what you see in the image.This is to stop scripts from playing the game for you.  Please read the Rules for more information.  The Image is Case sensitive.</p>";
		$pic = rand(1,6);
		echo "<img src = 'Graphics/Login $pic.jpeg' alt = 'Login'>";
                                $User_Name = $_POST['User_Name'];
                                $Password = $_POST['Password'];
                                $Pic_Value = $_POST['Pic_Value'];



		echo "<form action = 'B_A-Home.php' method = 'POST'>";
		echo "<input type = 'hidden' name = 'User_Name' value = $User_Name>";
		echo "<input type = 'hidden' name = 'Password' value = $Password>";
		echo "<input type = 'hidden' name = 'Pic_Name' value = '$pic'>";
		echo "<input type = 'text' name = 'Pic_Value' value = $Pic_Value>";
		echo "<input type=\"submit\" value=\"Login\">";
is gonna return the post values empty no matter what btw... the form is how you set the POST variables, so setting them as '' does nothing....
Why doesn't anyone ever say hi, hey, or whad up world?

#4 PC Nerd

PC Nerd
  • Members
  • PipPipPip
  • Advanced Member
  • 1,122 posts
  • LocationAustralia

Posted 07 July 2006 - 02:46 AM

i dont quite get what you saying.  if your saying that i need tio enclose the variable being used as '$VARIABLE'  then it makes no difference to the conversion, i just tried it

could you clarify, what your saying


#5 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 07 July 2006 - 02:54 AM

if($confirm['User_Name'] == $_POST['User_Name'] and $confirm['Password'] == $_POST['Password']){

		echo "<p>Please type what you see in the image.This is to stop scripts from playing the game for you.  Please read the Rules for more information.  The Image is Case sensitive.</p>";
		$pic = rand(1,6);
		echo "<img src = 'Graphics/Login $pic.jpeg' alt = 'Login'>";
                                $User_Name = $_POST['USer_Name'];
                                $Password = $_POST['Password'];
                                $Pic_Value = $_POST['Pic_Value'];



		echo "<form action = 'B_A-Home.php' method = 'POST'>";
		echo "<input type = 'hidden' name = 'User_Name' value = $User_Name>";
		echo "<input type = 'hidden' name = 'Password' value = $Password>";
		echo "<input type = 'hidden' name = 'Pic_Name' value = '$pic'>";
		echo "<input type = 'text' name = 'Pic_Value' value = $Pic_Value>";
		echo "</form>";
		echo "<input type = 'submit' value = 'Login'>";
	}

The entire purpose of the form is to set the $_POST items... so if theyre echo'ing this data into hidden fields it doesnt work... since $user_name isnt set its just gonna out put <input type="hidden" name="user_name" value="">

Also on the HTML side of this script the submit button should be before the </form> tag or it wont do anything.
Why doesn't anyone ever say hi, hey, or whad up world?

#6 PC Nerd

PC Nerd
  • Members
  • PipPipPip
  • Advanced Member
  • 1,122 posts
  • LocationAustralia

Posted 07 July 2006 - 03:08 AM

ok, so how should i send the $_POST data to the next page, when the user submits the form on the page

#7 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 07 July 2006 - 03:22 AM

Explain the process which the pages do to me please like page x goes to y and y goes to z...
Why doesn't anyone ever say hi, hey, or whad up world?

#8 PC Nerd

PC Nerd
  • Members
  • PipPipPip
  • Advanced Member
  • 1,122 posts
  • LocationAustralia

Posted 07 July 2006 - 04:09 AM

w = initial form

x = rough validation and additional login (anti spam etc (type what you see in the picture))

y = create cookies, login data etc

z = final site

w -> x
x -> y
y - >z


#9 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 07 July 2006 - 06:09 AM

Oh, ok then yeah that works... the hidden fields... Lemme write a simple login script real quick and see if i can get it to do what you want...
Why doesn't anyone ever say hi, hey, or whad up world?

#10 PC Nerd

PC Nerd
  • Members
  • PipPipPip
  • Advanced Member
  • 1,122 posts
  • LocationAustralia

Posted 07 July 2006 - 06:11 AM

thanks



#11 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 07 July 2006 - 06:17 AM

with change db.php to your include files name or change your include's name to db.php and try...

<?
session_start();
include("db.php");
if(!$_SESSION['authed']) {
if(($_COOKIE['cuser']) || ($_COOKIE['cpass'])) {
$_SESSION['username'] = $_COOKIE['cuser'];
$pass_md5 = $_COOKIE['cpass']; }
if(($_POST['user_name']) || ($_POST['password'])) {
$_SESSION['password'] = $_POST['password'];
$_SESSION['username'] = $_POST['user_name'];
}
if($_SESSION['username']) { $username = $_SESSION['username']; }
if($_SESSION['password']) { $password = $_SESSION['password']; }
if(!$pass_md5) { $pass_md5 = md5($password); }
if($_POST['sublogin']) { $sublogin = $_POST['sublogin']; }
if($_POST['remember']) { $remember = $_POST['remember']; }
$q = "SELECT * from accounts where (user_name = '$username') and (password = '$pass')"; //use $pass_md5 if the passwords in the db are encrypted with md5
$r = mysql_num_rows(mysql_query($q));
if($r > 0) {
$_SESSION['authed'] = "yes";

$success = "y";
if($remember == "y") {
setcookie("cuser", $username, time()+60*60*24*100); 
setcookie("cpass", $pass_md5, time()+60*60*24*100);
}
}
}
if($success) { echo "<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[PHP_SELF]\">"; }
echo "<center><h2>Login</h2>";
if($_SESSION['authed']) { echo "You are now logged in."; }
if($sublogin) {
if($r < 1) { echo "Sorry, the username you entered does not exist or the password you input was incorrect.  Please try again."; }
}
if(!$_SESSION['authed']) { ?>
<form method=POST action="login.php">
Username: <input type="text" name="user_name"><br>
Password: <input type="password" name="password"><br>
<font size=2>Remember you?</font><input type="checkbox" name="remember" value="y" CHECKED><input type="submit" value="Login" name="sublogin" value="Login"><br>
<? }
?>

Why doesn't anyone ever say hi, hey, or whad up world?

#12 PC Nerd

PC Nerd
  • Members
  • PipPipPip
  • Advanced Member
  • 1,122 posts
  • LocationAustralia

Posted 07 July 2006 - 06:18 AM

tthanks


#13 PC Nerd

PC Nerd
  • Members
  • PipPipPip
  • Advanced Member
  • 1,122 posts
  • LocationAustralia

Posted 07 July 2006 - 07:17 AM

so the only way to continue passing data is to use cookies or sessions



#14 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 07 July 2006 - 08:10 AM

No, but if you ever wanted to expand past just that one file at the end and possibly protect multiple files you could just make a file named "auth.php" or something like that with:
<?
session_start();

if($_SESSION['authed'] == "yes") { }
if($_SESSION['authed'] != "yes") { header('Location: login.php?ref=forced'); }
?>

and on the page youre tryin to protect just put <? include("auth.php"); ?>
Why doesn't anyone ever say hi, hey, or whad up world?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users