PHP Secure Login Failing - Ideas?


DeX

I'm working on a members' login script but cannot seem to figure this out. The site currently has a bunch of html pages with this at the top:

<?php
require('../admin/includes/config/config.inc.php');
require('../admin/includes/classes/Database.class.php');
require('../admin/includes/func.php');
session_start();

/***************************************************
LOGIN CHECK
***************************************************/
if (isset($_SESSION['auth'])){
    $db3 = new Database($config['server'], $config['user'], $config['pass'], $config['database']);
    $db3->connect();
    $sql3 = "SELECT * FROM member WHERE auth='" . $_SESSION['auth'] ."'";
    $row3 = $db3->query($sql3);
    if($db3->affected_rows != 1){
        header("Location: index.php?error=noacccess");
    }
    $db3->close();
} else {
    header("Location: index.php?error=noauth");
}
?>

So I'm writing a PHP script on a login page to take advantage of this. My login page has a simple table:

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<!-- type="password" so the browser masks the value as it is typed -->
<td><input name="mypassword" type="password" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

And another checklogin.php page:

<?php
ob_start();
$host="localhost"; // Host name
$username="*********"; // Mysql username
$password="*********"; // Mysql password
$db_name="*********"; // Database name
$tbl_name="********"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect against MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE email='$myusername' and rawpass='$mypassword'";
$result=mysql_query($sql);

// mysql_num_rows() counts the rows in the result
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
session_register("auth");
header("location:index.html");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

Now it functionally works, I just edited out the database information. It does the check and then redirects to index.html but then redirects to index.php?=noauth every time. I can't figure it out, it's looking for the "auth" variable to be assigned in the session which it is. What am I missing? Here's my database columns:

id
firstname
lastname
password
rawpass
email
subscription
phone
access
auth
ip

The username for my user is "myusername" and the password is "mypassword".


session_register() does not create a variable, but registers an existing one in the session. Your login script does not create this variable. Another problem is that you mix two ways to register a session variable. In the first script, you correctly use the $_SESSION superglobal array, and the login script incorrectly uses session_register(). In the PHP user manual, we can read:

If you are using $_SESSION (or $HTTP_SESSION_VARS), do not use session_register(), session_is_registered(), and session_unregister().

And:

This function (session_register()) has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

It means that you should use $_SESSION instead of this function:

// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
$_SESSION['auth'] = 1;

PS. Do not insert the variables as function arguments like this: mysql_connect("$host", "$username", "$password"). Try to pass an array in this way and see what happens. mysql_connect($host, $username, $password) is the correct way.


Okay thanks. So my new checklogin.php looks like so:

<?php
ob_start();
$host="localhost"; // Host name
$username="*********"; // Mysql username
$password="********"; // Mysql password
$db_name="*********"; // Database name
$tbl_name="member"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE email='$myusername' and rawpass='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
$_SESSION['auth'] = 1;
header("location:index.html");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

The problem is it's still not working. I've been staring at the code and can't figure out why it keeps redirecting me to index.php?=noauth. Here are some more things that might help you help me:

- In the index.html there's a full page worth of HTML code below that PHP function. So is it correct to assume if the function exits properly that it won't redirect at all and will display the page?

- The file is named index.html even though it has a PHP function in it. It seems to work as it is redirecting, could this cause issues?

- The function is redirecting to index.php?=noaccess if true and index.php?=noauth if false. At least that's what it seems to me, is there any way for this type of if/else to not redirect to one of these pages? The guy before me built the index.html page so I didn't want to modify it too much. Or at all.

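An added example, not code from any of the posts above: the posted checklogin.php never calls session_start() before writing $_SESSION, and the page check looks up $_SESSION['auth'] in the member.auth column, so this sketch starts the session, stores a random token in that column and in the session, and exits after the redirect header. Assumptions: an in-memory SQLite table stands in for the MySQL member table, the password column holds a password_hash() value, and the helper names login() and isAuthenticated() are hypothetical.

```php
<?php
// Constructed stand-in for the thread's `member` table (in-memory SQLite, so it
// runs offline). Assumption: `password` holds a password_hash() value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, email TEXT, password TEXT, auth TEXT)');
$db->prepare('INSERT INTO member (email, password) VALUES (?, ?)')
   ->execute(['myusername', password_hash('mypassword', PASSWORD_DEFAULT)]);

// Hypothetical helper for checklogin.php: verify the hash with a bound
// parameter, then store a fresh random token in member.auth and return it.
function login(PDO $db, string $email, string $password): ?string
{
    $stmt = $db->prepare('SELECT id, password FROM member WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE member SET auth = ? WHERE id = ?')->execute([$token, $row['id']]);
    return $token;
}

// Hypothetical helper for the protected pages: the same lookup as the check at
// the top of index.html, but parameterised and based on a fetched row.
function isAuthenticated(PDO $db, ?string $token): bool
{
    if ($token === null || $token === '') {
        return false;
    }
    $stmt = $db->prepare('SELECT 1 FROM member WHERE auth = ?');
    $stmt->execute([$token]);
    return $stmt->fetchColumn() !== false;
}

session_start();                     // without this, $_SESSION is never saved
$token = login($db, 'myusername', 'mypassword'); // constructed; $_POST in a real request
if ($token === null) {
    exit("Wrong Username or Password\n");
}
session_regenerate_id(true);         // new session ID once the user is logged in
$_SESSION['auth'] = $token;          // store the token only, never the password

if (!isAuthenticated($db, $_SESSION['auth'] ?? null)) {
    header('Location: index.php?error=noauth');
    exit;                            // stop here, or the page below is still sent
}
echo "authenticated\n";
```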

Archived

This topic is now archived and is closed to further replies.
