zimmo Posted May 17, 2010 Share Posted May 17, 2010 I am trying to see why and most importantly where I have an issue with my code, it works fine, but I tested by turning cookies off in my browser (safari) and tried with internet explorer by changing the setting to block from my site so I could see what happens. I am unsure how to find out, when you fill in the form with your log in details (its a php self post) it just keeps reloading the same page? Please can someone spot why for me? not sure where in my code? <?php include("inc/connect.php"); $username = ""; $password = ""; $errorMessage = ""; function quote_smart($value, $handle) { if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (!is_numeric($value)) { $value = "'" . mysql_real_escape_string($value, $handle) . "'"; } return $value; } if ($_SERVER['REQUEST_METHOD'] == 'POST'){ $username = $_POST['username']; $password = $_POST['password']; $username = htmlspecialchars($username); $password = htmlspecialchars($password); $db_found = mysql_select_db($db, $connection); if ($db_found) { $username = quote_smart($username, $connection); $password = quote_smart($password, $connection); $SQL = "SELECT * FROM tablea WHERE username = $username AND password = '".md5($_POST['password'])."'"; $result = mysql_query($SQL); $num_rows = mysql_num_rows($result); if ($result) { if ($num_rows > 0) { session_start(); $_SESSION['username'] = "$_POST[username]"; header ("Location: index.html"); } /* New Block Log in attempts*/ else { session_start(); $_SESSION['attempts'] = "+1"; # setup SQL statement $SQL = " INSERT INTO tableb "; $SQL = $SQL . " (sid, username, password, attempts, ipaddress) VALUES "; $SQL = $SQL . " ('$_COOKIE[phpSESSID]', '$_POST[username]', '$_POST[password]', '$_SESSION[attempts]', '$_SERVER[REMOTE_ADDR]') "; #execute SQL statement $result = mysql_db_query( *****,"$SQL",$connection ); # check for error if (!$result) { echo("ERROR: " . mysql_error() . "\n$SQL\n"); } else { # setup SQL statement 2 $SQL = "SELECT * FROM tableb WHERE sid = '$_COOKIE[phpSESSID]' "; $result = mysql_query($SQL); if (mysql_num_rows($result) ==0) { $errorMessage = "Please check your username and/or password is correct"; } elseif (mysql_num_rows($result) >=3) { header ("Location: index2.html"); } else { $errorMessage = "Please check your username and/or password is correct"; } } } /* END */ } else { $errorMessage = "Please check your username and/or password is correct"; } mysql_close($connection); } else { $errorMessage = "Please check your username and/or password is correct"; } } ?> Link to comment https://forums.phpfreaks.com/topic/202075-page-just-submitting-to-self/ Share on other sites More sharing options...
scampbell Posted May 17, 2010 Share Posted May 17, 2010 Does you connect.php page output any html? I preume it outputs your login form? If so, the header command wont work as there cant be anything output to the page before using this command. See this post. Also MD5 isnt a secure way to hash passwords. Google MD5 rainbow tables. And some of your POST inputs have been sanitized before running the SQL query. Google SQL injection. Link to comment https://forums.phpfreaks.com/topic/202075-page-just-submitting-to-self/#findComment-1059671 Share on other sites More sharing options...
zimmo Posted May 17, 2010 Author Share Posted May 17, 2010 The connect is standard database connection, no html there at all, and I am aware of the output issue, I dont get any errors for headers sent. I found the issue is that safari and firefox do not return the error for some reason, yet internet explorer does but its working now. Why is md5 not secure, it seems to be recommended everywhere? Where do you see this for the posts? So much to learn.... I am trying to now change my sql query and not sure how to go about this. $SQL = "SELECT attempts FROM tablea WHERE sid = '$_COOKIE[phpSESSID]' "; $result = mysql_query($SQL); if (mysql_num_rows($result) ==0) { $errorMessage = "Please check your username and/or password is correct"; } elseif (mysql_num_rows($result) >=3) { header ("Location: index2.html"); The third statement I know is wrong, as I am trying to see if the field in the table has the value of 3 or more? Not sure how to fix this with my query. Appreciate help! Link to comment https://forums.phpfreaks.com/topic/202075-page-just-submitting-to-self/#findComment-1059688 Share on other sites More sharing options...
scampbell Posted May 17, 2010 Share Posted May 17, 2010 these POSTs $SQL = $SQL . " ('$_COOKIE[phpSESSID]', '$_POST[username]', '$_POST[password]', '$_SESSION[attempts]', '$_SERVER[REMOTE_ADDR]') "; md5 stuff here Link to comment https://forums.phpfreaks.com/topic/202075-page-just-submitting-to-self/#findComment-1059690 Share on other sites More sharing options...
zimmo Posted May 17, 2010 Author Share Posted May 17, 2010 Cheers, that database only contains invalid data that people enter and is not presented or queried live on site, could they gain access to any other tables if I have not properly santized the input? Thanks Link to comment https://forums.phpfreaks.com/topic/202075-page-just-submitting-to-self/#findComment-1059694 Share on other sites More sharing options...
scampbell Posted May 17, 2010 Share Posted May 17, 2010 Im no expert on SQL injection but as a rule, I would sanitize everything that is sumbitted by users. That way you cant make any silly mistakes Link to comment https://forums.phpfreaks.com/topic/202075-page-just-submitting-to-self/#findComment-1059696 Share on other sites More sharing options...
zimmo Posted May 17, 2010 Author Share Posted May 17, 2010 Thanks, I agree, I will get that changed so its sanitized properly thanks again. So if anyone can help with my query now would be most grateful, just need to figure out how to put it together in its current state. Link to comment https://forums.phpfreaks.com/topic/202075-page-just-submitting-to-self/#findComment-1059698 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.