
Login script, session password issue..


Peuplarchie


Good day to you all,

I'm working on a flat file database login script.

 

I have noticed that once the user has input his/her username in the field, whatever he/she puts as password, as long as they put something in the field, matching or not, they are in.

 

I'm sure I'm doing something wrong.

 

Don't worry, I hide my flat file behind a httpassword file.

 

Here is my code:

 

 


<?php
//sessions must be initialized prior to any output if output buffering is off
session_start();

//the list of files containing passwords
$files = array(
    "../../MurSec/FSC/memmob.txt", 
    "../../MurSec/FSC/memmob.txt", 
    "../../MurSec/FSC/memmob.txt"
);

//if list of users not set create a new array
if(!isset($_SESSION['users']))
    $_SESSION['users'] = array();
    
if(isset($_POST['username']) && isset($_POST['password'])){
    
    //need to remove slashes from POST if magic_quotes are on 
    if(get_magic_quotes_gpc()){
        $_POST['username'] = stripslashes($_POST['username']);
        $_POST['password'] = stripslashes($_POST['password']);
    }            
    
    $userFound = false; //we need this to exit the loops
    foreach($files as $file){ //loop every file in the $files array
        if($fh = fopen($file, "r")){
            while(!feof($fh) && !$userFound){ //while not the end of the current file or the user was not found
                list($username, $password, $url) = explode(",", fgets($fh,1024));
            
                if(($username == $_POST['username']) && ($password = $_POST['password'])){
                    $_SESSION['username'] = $username;
                    $_SESSION['present'] = true;
                    $_SESSION['legal'] = true;
                    $_SESSION['profile'] = $username.".txt";
                    array_push($_SESSION['users'], $username); //add the current user to the list of users
                    header("Location: ".$url);
                    $userFound = true; //confirm that the user was found

                    // other session and log action
                }
            }
            
            fclose($fh);
            //we need to use break to exit the foreach loop if the user is found in one of the files
            if($userFound)
                break;
        } else
            echo "Unable to open a required password file: $file";
    }
    if(!$userFound)
        login('Wrong username or password.<br />');
} else {
    login();
}
?>
<?php

function login($response='Bienvenue, invité(e) !') {
?>

<html>
<head>
</head>
<body>




<fieldset  style="background-color:#cccccc;">
  <legend><?=$response?></legend>
<form action="" method="post">
        <label for="nom">Membre :</label><input name="username" type="text" /><br>
        <label for="nom">Passe :</label><input name="password" type="password"><br>
        <br><center><input type="submit" value="Valider" /><br/></center>
</form>
</fieldset>

</body>
</html>




<?php } ?> 

 

 

Thanks !

https://forums.phpfreaks.com/topic/196148-login-script-session-password-issue/

this is likely your culprit.

if(($username == $_POST['username']) && ($password = $_POST['password'])){

 

$password = $_POST['password'] should be $password == $_POST['password']

 

as a suggestion, you should hash your passwords instead of storing them in plaintext.
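
The comparison fix and the hashing suggestion from the reply above, combined in one lookup function. This is an added example, not code posted in the thread: the function name `check_login`, the sample user and the assumption that the second field of each line holds a bcrypt hash from `password_hash()` are illustrative.

```php
<?php
// Added example. Assumed file layout, taken from the thread's code: "username,hash,url" per line.

// Look up a user in one flat file; return the record on success, null otherwise.
function check_login(string $file, string $user, string $pass): ?array
{
    // Dummy hash so password_verify() also runs for unknown usernames,
    // keeping response time similar whether or not the account exists.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_BCRYPT);

    $fh = fopen($file, 'r');
    if ($fh === false) {
        return null;
    }
    $match = null;
    while (($line = fgets($fh, 1024)) !== false) {
        // trim() drops the newline fgets() keeps; the limit of 3 keeps commas in the URL intact
        $fields = explode(',', trim($line), 3);
        if (count($fields) !== 3) {
            continue; // skip blank or malformed lines
        }
        if ($fields[0] === $user) { // strict comparison, never assignment
            $match = $fields;
            break;
        }
    }
    fclose($fh);

    // The password check is what decides the login; a matching username alone is not enough.
    $hash = $match[1] ?? $dummy;
    if (!password_verify($pass, $hash) || $match === null) {
        return null;
    }
    return ['username' => $match[0], 'url' => $match[2]];
}

// Constructed sample data. bcrypt output contains no commas, so it fits this file format.
$file = tempnam(sys_get_temp_dir(), 'mem');
file_put_contents($file, "alice," . password_hash('s3cret!', PASSWORD_BCRYPT) . ",/members/alice.php\n");

var_dump(check_login($file, 'alice', 'anything')); // real user, wrong password
var_dump(check_login($file, 'alice', 's3cret!'));  // real user, correct password
var_dump(check_login($file, 'bob', 's3cret!'));    // unknown user
unlink($file);
```

`PASSWORD_BCRYPT` is chosen explicitly because Argon2 hash strings contain commas and would break a comma-separated file.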
