Jump to content

Page just submitting to self

zimmo

By zimmo
in PHP Coding Help

 Share

Recommended Posts

zimmo Regular Member

zimmo

Posted
Posted

I am trying to see why and most importantly where I have an issue with my code, it works fine, but I tested by turning cookies off in my browser (safari) and tried with internet explorer by changing the setting to block from my site so I could see what happens. I am unsure how to find out, when you fill in the form with your log in details (its a php self post) it just keeps reloading the same page? Please can someone spot why for me? not sure where in my code?

 

<?php 
include("inc/connect.php");

$username = "";
$password = "";
$errorMessage = "";

function quote_smart($value, $handle) {

   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }

   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value, $handle) . "'";
   }
   return $value;
}

if ($_SERVER['REQUEST_METHOD'] == 'POST'){
$username = $_POST['username'];
$password = $_POST['password'];

$username = htmlspecialchars($username);
$password = htmlspecialchars($password);

$db_found = mysql_select_db($db, $connection);

if ($db_found) {

  $username = quote_smart($username, $connection);
  $password = quote_smart($password, $connection);

  $SQL = "SELECT * FROM tablea WHERE username = $username AND password = '".md5($_POST['password'])."'";
  $result = mysql_query($SQL);
  $num_rows = mysql_num_rows($result);


  if ($result) {
   if ($num_rows > 0) {
    session_start();
    $_SESSION['username'] = "$_POST[username]";
    header ("Location: index.html");
   }

   /* New Block Log in attempts*/

   else {
        
     session_start();
     $_SESSION['attempts'] = "+1";

     # setup SQL statement
     $SQL = " INSERT INTO tableb ";
     $SQL = $SQL . " (sid, username, password, attempts, ipaddress) VALUES ";
     $SQL = $SQL . " ('$_COOKIE[phpSESSID]', '$_POST[username]', '$_POST[password]', '$_SESSION[attempts]', '$_SERVER[REMOTE_ADDR]') ";
    
     #execute SQL statement
     $result = mysql_db_query( *****,"$SQL",$connection );

     # check for error
     if (!$result) { 
     echo("ERROR: " . mysql_error() . "\n$SQL\n");  
     } 
      else {
        # setup SQL statement 2
        $SQL = "SELECT * FROM tableb WHERE sid = '$_COOKIE[phpSESSID]' ";
        $result = mysql_query($SQL);
       
        if (mysql_num_rows($result) ==0) {
           $errorMessage = "Please check your username and/or password is correct";
        }
        elseif (mysql_num_rows($result) >=3) {
           header ("Location: index2.html");
        }
        else {
         $errorMessage = "Please check your username and/or password is correct";
        }
       }
    }
   /* END */

  }
  else {
   $errorMessage = "Please check your username and/or password is correct";
  }

mysql_close($connection);

}

else {
  $errorMessage = "Please check your username and/or password is correct";
}

}
?>

Link to comment
Share on other sites
scampbell Newbie

scampbell

Posted
Posted

Does you connect.php page output any html? I preume it outputs your login form?

If so, the header command wont work as there cant be anything output to the page before using this command. See this post.

 

Also MD5 isnt a secure way to hash passwords. Google MD5 rainbow tables.

 

And some of your POST inputs have been sanitized before running the SQL query. Google SQL injection.

Link to comment
Share on other sites
zimmo Regular Member

zimmo

Posted
  • Author
Posted

The connect is standard database connection, no html there at all, and I am aware of the output issue, I dont get any errors for headers sent. I found the issue is that safari and firefox do not return the error for some reason, yet internet explorer does but its working now.

 

Why is md5 not secure, it seems to be recommended everywhere?

 

Where do you see this for the posts? So much to learn....

 

I am trying to now change my sql query and not sure how to go about this.

 

        $SQL = "SELECT attempts FROM tablea WHERE sid = '$_COOKIE[phpSESSID]' ";
        $result = mysql_query($SQL);
       
        if (mysql_num_rows($result) ==0) {
           $errorMessage = "Please check your username and/or password is correct";
        }
        elseif (mysql_num_rows($result) >=3) {
           header ("Location: index2.html");

 

The third statement I know is wrong, as I am trying to see if the field in the table has the value of 3 or more? Not sure how to fix this with my query. Appreciate help!

Link to comment
Share on other sites
zimmo Regular Member

zimmo

Posted
  • Author
Posted

Cheers, that database only contains invalid data that people enter and is not presented or queried live on site, could they gain access to any other tables if I have not properly santized the input?

 

Thanks

Link to comment
Share on other sites
zimmo Regular Member

zimmo

Posted
  • Author
Posted

Thanks, I agree, I will get that changed so its sanitized properly thanks again. So if anyone can help with my query now would be most grateful, just need to figure out how to put it together in its current state.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.