Jump to content

PHP Secure Login Failing - Ideas?

DeX

By DeX
in PHP Coding Help

 Share

Recommended Posts

DeX Advanced Member

DeX

Posted
Posted

I'm working on a members' login script but cannot seem to figure this out. The site currently has a bunch of html pages with this at the top:

 

<?php

require('../admin/includes/config/config.inc.php');

require('../admin/includes/classes/Database.class.php');

require('../admin/includes/func.php');

session_start();

/***************************************************

LOGIN CHECK

***************************************************/

if (isset($_SESSION['auth'])){

$db3 = new Database($config['server'], $config['user'], $config['pass'], $config['database']);

$db3->connect();

$sql3 = "SELECT * FROM member WHERE auth='" . $_SESSION['auth'] ."'";

        $row3 = $db3->query($sql3);

        if($db3->affected_rows != 1){

            header("Location: index.php?error=noacccess");

        }

$db3->close();

} else {

header("Location: index.php?error=noauth");

}

?>

 

So I'm writing a PHP script on a login page to take advantage of this. My login page has a simple table:

 

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">

<tr>

<form name="form1" method="post" action="checklogin.php">

<td>

<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">

<tr>

<td colspan="3"><strong>Member Login </strong></td>

</tr>

<tr>

<td width="78">Username</td>

<td width="6">:</td>

<td width="294"><input name="myusername" type="text" id="myusername"></td>

</tr>

<tr>

<td>Password</td>

<td>:</td>

<td><input name="mypassword" type="text" id="mypassword"></td>

</tr>

<tr>

<td> </td>

<td> </td>

<td><input type="submit" name="Submit" value="Login"></td>

</tr>

</table>

</td>

</form>

</tr>

</table>

 

And another checklogin.php page:

<?php

ob_start();

$host="localhost"; // Host name

$username="*********"; // Mysql username

$password="*********"; // Mysql password

$db_name="*********"; // Database name

$tbl_name="********"; // Table name

 

// Connect to server and select databse.

mysql_connect("$host", "$username", "$password")or die("cannot connect");

mysql_select_db("$db_name")or die("cannot select DB");

 

// Define $myusername and $mypassword

$myusername=$_POST['myusername'];

$mypassword=$_POST['mypassword'];

 

// To protect MySQL injection (more detail about MySQL injection)

$myusername = stripslashes($myusername);

$mypassword = stripslashes($mypassword);

$myusername = mysql_real_escape_string($myusername);

$mypassword = mysql_real_escape_string($mypassword);

 

$sql="SELECT * FROM $tbl_name WHERE email='$myusername' and rawpass='$mypassword'";

$result=mysql_query($sql);

 

// Mysql_num_row is counting table row

$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

 

if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"

session_register("myusername");

session_register("mypassword");

session_register("auth");

header("location:index.html");

}

else {

echo "Wrong Username or Password";

}

 

ob_end_flush();

?>

 

Now it functionally works, I just edited out the database information. It does the check and then redirects to index.html but then redirects to index.php?=noauth every time. I can't figure it out, it's looking for the "auth" variable to be assigned in the session which it is. What am I missing? Here's my database columns:

id

firstname

lastname

password

rawpass

email

subscription

phone

access

auth

ip

 

The username for my user is "myusername" and the password is "mypassword".

Link to comment
Share on other sites
Zyx Newbie

Zyx

Posted
Posted

session_register() does not create a variable, but registers an existing one in the session. Your login script does not create this variable. Another problem is that you mix two ways to register a session variable. In the first script, you use correctly $_SESSION superglobal array, and the login script uses incorrectly session_register(). In PHP user manual, we can read:

 

If you are using $_SESSION (or $HTTP_SESSION_VARS), do not use session_register(), session_is_registered(), and session_unregister().

 

And:

 

This function (session_register()) has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

 

It means that you should not use this function in favour of $_SESSION:

 

// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
$_SESSION['auth'] = 1;

 

PS. Do not insert the variables as function arguments like this: mysql_connect("$host", "$username", "$password"). Try to pass an array in this way and see, what happens. mysql_connect($host, $username, $password) is the correct way.

Link to comment
Share on other sites
DeX Advanced Member

DeX

Posted
  • Author
Posted

Okay thanks. So my new checklogin.php looks like so:

 

<?php
ob_start();
$host="localhost"; // Host name
$username="*********"; // Mysql username
$password="********"; // Mysql password
$db_name="*********"; // Database name
$tbl_name="member"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE email='$myusername' and rawpass='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
$_SESSION['auth'] = 1;
header("location:index.html");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

 

The problem is it's still not working. I've been staring at the code and can't figure out why it keeps redirecting me to index.php?=noauth. Here's some more things that might help you help me:

- In the index.html there's a full page worth of HTML code below that PHP function. So is it correct to assume if the function exits properly that it won't redirect at all and will display the page?

- The file is named index.html even though it has a PHP function in it. It seems to work as it is redirecting, could this cause issues?

- The function is redirecting to index.php?=noaccess if true and index.php?=noauth if false. At least that's what it seems to me, is there any way for this type of if/else to not redirect to one of these pages? The guy before me built the index.html page so I didn't want to modify it too much. Or at all.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.