
Need help adding rules/exceptions so that php page works with a login page


nickharambee


Hi,

 

I am a php newbie, who has a page that relies on some php scripts, and to which I am trying to add a login page written in php.  I took the example from here:

 

http://www.howtodothings.com/computers-internet/how-to-make-a-login-system-for-your-website

 

Basically it consists of adding:

 

<?

require("log.php");

?>

 

to the top of any page I want to protect, a log.php file which performs the actions of the form, linking to a MySQL database, and a login.php file which contains the form.

 

I have the login working fine, but it breaks one of the PHP scripts on the page that is protected.  It is an upload script, called Weaverbox, based on FancyUpload.  The uploads, which are handled by a file called upload.php, aren't happening.  The progress shows that they are being uploaded, but nothing is uploaded, and there is no success message.  As soon as I remove the code from the top of the page requiring log.php all works fine again.

 

I think I may have to add some rules/extensions to resolve this conflict, but I don't know how to go about this.  Would someone be able to help me get it sorted?

 

Thanks

 

Nick

On cursory review, the code in that tutorial appears to be outdated. Short <? open tags, session_register() and session_is_registered() are all deprecated. The code also does nothing to guard against SQL injection or XSS attack, and appears to be generally rather poor.

 

Nonetheless, if you want help figuring out the problem, post the relevant code and form within . . . tags.

That code could be rewritten and updated if you want to stick with it, or if you already have a database table with member info in it, it *shouldn't* be a terribly big deal to write something that will work with it.

OK, here's the code for the log.php

 

<?
session_name("MyLogin");
session_start();

if($_GET['action'] == "login") {
$conn = mysql_connect("localhost","user","password"); // your MySQL connection data
$db = mysql_select_db("DATABASENAME"); //put your database name in here 
$name = $_POST['user'];
$q_user = mysql_query("SELECT * FROM USERS WHERE login='$name'");

if(mysql_num_rows($q_user) == 1) {

$query = mysql_query("SELECT * FROM USERS WHERE login='$name'");
$data = mysql_fetch_array($query);
if($_POST['pwd'] == $data['password']) { 
session_register("name");
header("Location: yourpage.php"); // success page. put the URL you want 
exit;
} else {
header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
exit;
}
} else {
header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
exit;
}
}

// if the session is not registered
if(session_is_registered("name") == false) {
header("Location: login.php");
}
?>

 

And here's the code for the login.php:

 

<?
session_name("MyLogin");
session_start();
session_destroy();

if($_GET['login'] == "failed") {
print $_GET['cause'];
}
?>
<form name="login_form" method="post" action="log.php?action=login">
Login: <input type="text" name="user"><BR>
Password: <input type="password" name="pwd"><BR>
<input type="submit">
</form>

 

And here's the code for the upload.php which I believe there is a conflict with:

 

<?php
/**
* Styx::Upload - Handles file uploads
*
* @package Styx
* @subpackage Utility
*
* @license MIT-style License
* @author Christoph Pojer <[email protected]>
*/

class Upload {

/**
 * Moves the uploaded file to the specified location. It throws a UploadException
 * if anything goes wrong except for if the upload does not exist. This can be checked with {@link Upload::exists()}
 *
 * @param string $file
 * @param string $to
 * @param array $options
 * @return bool|string Path to moved file or false if the specified upload does not exist
 */
public static function move($file, $to, $options = array()){
	if(!self::exists($file)) return false;

	$options = array_merge(array(
		'name' => null,
		'extension' => null,
		'size' => null,
		'chmod' => 0777,
		'overwrite' => false,
		'mimes' => array(),
	), $options);

	$file = $_FILES[$file];

	if($options['size'] && $file['size']>$options['size'])
		throw new UploadException('size');

	$pathinfo = pathinfo($file['name']);
	if($options['extension']) $pathinfo['extension'] = $options['extension'];
	if(!$pathinfo['extension'])
		throw new UploadException('extension');

	if(count($options['mimes'])){
		$mime = self::mime($file['tmp_name'], array(
			'default' => $file['type'],
			'extension' => $pathinfo['extension'],
		));

		if(!$mime || !in_array($mime, $options['mimes']))
			throw new UploadException('extension');
	}

	$file['ext'] = strtolower($pathinfo['extension']);
	$file['base'] = basename($pathinfo['basename'], '.'.$pathinfo['extension']);

	$real = realpath($to);
	if(!$real) throw new UploadException('path');
	if(is_dir($real)) $to = $real.'/'.($options['name'] ? $options['name'] : $file['base']).'.'.$file['ext'];

	if(!$options['overwrite'] && file_exists($to))
		throw new UploadException('exists');

	if(!move_uploaded_file($file['tmp_name'], $to))
		throw new UploadException(strtolower($file['error']<=2 ? 'size' : ($file['error']==3 ? 'partial' : 'nofile')));

	chmod($to, $options['chmod']);

	return realpath($to);
}

/**
 * Returns whether the Upload exists or not
 *
 * @param string $file
 * @return bool
 */
public static function exists($file){
	return !(empty($_FILES[$file]['name']) || empty($_FILES[$file]['size']));
}

/**
 * Returns (if possible) the mimetype of the given file
 *
 * @param string $file
 * @param array $options
 */
public static function mime($file, $options = array()){
	$file = realpath($file);
	$options = array_merge(array(
		'default' => null,
		'extension' => strtolower(pathinfo($file, PATHINFO_EXTENSION)),
	), $options);

	$mime = null;
	$ini = error_reporting(0);
	if (function_exists('finfo_open') && $f = finfo_open(FILEINFO_MIME, getenv('MAGIC'))){
		$mime = finfo_file($f, $file);
		finfo_close($f);
	}
	error_reporting($ini);

	if(!$mime && in_array($options['extension'], array('gif', 'jpg', 'jpeg', 'png'))){
		$image = getimagesize($file);
		if(!empty($image['mime']))
			$mime = $image['mime'];
	}

	if(!$mime && $options['default']) $mime = $options['default'];

	if((!$mime || $mime=='application/octet-stream') && $options['extension']){
		static $mimes;
		if(!$mimes) $mimes = parse_ini_file(pathinfo(__FILE__, PATHINFO_DIRNAME).'/MimeTypes.ini');

		if(!empty($mimes[$options['extension']])) return $mimes[$options['extension']];
	}

	return $mime;
}

}

class UploadException extends Exception {}

 

 

Just to say that I now have a new upload script that does not conflict with the php login I posted above, but with Pikachu2000 suggesting that the script is outdated and "generally rather poor", I would be grateful for any advice in either updating it, or looking elsewhere for a better php login script.

 

thanks

 

nick
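
A hardened take on the log.php posted above, covering the points raised in the reply (short open tags, session_register()/session_is_registered(), SQL injection, and the `cause` value echoed from the URL). This is an added example, not code from the thread or the tutorial; the `password_hash` column and the assumption that it holds password_hash() output are not from the original.

```php
<?php
// log.php - added example, not the tutorial's or the poster's code.
// Assumes the USERS table has a `login` column (as in the post) and a
// `password_hash` column (assumption) holding the output of password_hash().
// Connection values are the same placeholders the original post uses.

function check_login(PDO $db, $login, $pwd): bool
{
    if (!is_string($login) || !is_string($pwd)) {
        return false;                        // e.g. user[]=x arrives as an array
    }
    // Bound parameter: the login name is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM USERS WHERE login = ?');
    $stmt->execute([$login]);
    $hash = $stmt->fetchColumn();            // false when no such user
    // password_verify() checks against a salted hash, not a plaintext column.
    return is_string($hash) && password_verify($pwd, $hash);
}

session_name('MyLogin');
session_start();

if (($_GET['action'] ?? '') === 'login') {
    $db = new PDO(
        'mysql:host=localhost;dbname=DATABASENAME;charset=utf8mb4',
        'user', 'password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]
    );
    if (check_login($db, $_POST['user'] ?? null, $_POST['pwd'] ?? null)) {
        session_regenerate_id(true);         // fresh session ID after login
        $_SESSION['name'] = $_POST['user'];  // replaces session_register()
        header('Location: yourpage.php');
    } else {
        // One fixed failure flag; login.php prints its own static text
        // instead of echoing a "cause" value taken from the URL.
        header('Location: login.php?login=failed');
    }
    exit;
}

// Replaces session_is_registered(); exit stops the protected page from
// rendering after the redirect header is sent.
if (empty($_SESSION['name'])) {
    header('Location: login.php');
    exit;
}
```

If login.php still needs to display a value from the query string, pass it through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') before printing.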

Archived

This topic is now archived and is closed to further replies.
