Peuplarchie Posted March 22, 2010 Share Posted March 22, 2010 Good day to you all, I'm working on a flat file database login script. I have notice that once the user have input his/her username in the field what ever he/she put as password, as long as they put something in the field, matching or not, they are in. I'm sure I'm doing something wrong. Don't worries, I hide my flat file behind a httpassword file. Here is my code: <?php //sessions must be initialized prior to any output if output buffering if off session_start(); //the list of files containing passwords $files = array( "../../MurSec/FSC/memmob.txt", "../../MurSec/FSC/memmob.txt", "../../MurSec/FSC/memmob.txt" ); //if list of users not set create a new array if(!isset($_SESSION['users'])) $_SESSION['users'] = array(); if(isset($_POST['username']) && isset($_POST['password'])){ //need to remove slashes from POST if magic_quotes are on if(get_magic_quotes_gpc()){ $_POST['username'] = stripslashes($_POST['username']); $_POST['password'] = stripslashes($_POST['password']); } $userFound = false; //we need this to exit the loops foreach($files as $file){ //loop every file in the $files array if($fh = fopen($file, "r")){ while(!feof($fh) && !$userFound){ //while not the end of the current file or the user was not found list($username, $password, $url) = explode(",", fgets($fh,1024)); if(($username == $_POST['username']) && ($password = $_POST['password'])){ $_SESSION['username'] = $username; $_SESSION['present'] = true; $_SESSION['legal'] = true; $_SESSION['profile'] = $username.".txt"; array_push($_SESSION['users'], $username); //add the current user to the list of users header("Location: ".$url); $userFound = true; //confirm that the user was found // other session and log action } } } fclose($fh); //we need to use break to exit the foreach loop if the user is found in one of the files if($userFound) break; } else echo "Unable to open a required password file: $file"; } if(!$userFound) login('Wrong username or password.<br />'); } else { login(); } ?> <?php function login($response='Bienvenue, invité(e) !') { ?> <html> </head> </head> <body> <fieldset style="background-color:#cccccc;"> <legend><?=$response?></legend> <form action="" method="post"> <label for="nom">Membre :</label><input name="username" type="text" /><br> <label for="nom">Passe :</label><input name="password" type="password"><br> <br><center><input type="submit" value="Valider" /><br/></center> </form> </fieldset> </body> </html> <?php } ?> Thanks ! Quote Link to comment Share on other sites More sharing options...
schilly Posted March 22, 2010 Share Posted March 22, 2010 this is likely your culprit. if(($username == $_POST['username']) && ($password = $_POST['password'])){ $password = $_POST['password'] should be $password == $_POST['password'] as a suggestion, you should hash you passwords instead of storing in plaintext. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.