nickharambee Posted March 3, 2011

Hi, I am a PHP newbie, who has a page that relies on some PHP scripts, and to which I am trying to add a login page written in PHP. I took the example from here: http://www.howtodothings.com/computers-internet/how-to-make-a-login-system-for-your-website

Basically it consists of adding:

```php
<? require("log.php"); ?>
```

to the top of any page I want to protect, a log.php file which performs the actions of the form, linking to a MySQL database, and a login.php file which contains the form.

I have the login working fine, but it breaks one of the PHP scripts on the page that is protected. It is an upload script, called Weaverbox, based on FancyUpload. The uploads, which are handled by a file called upload.php, aren't happening. The progress shows that they are being uploaded, but nothing is uploaded, and there is no success message. As soon as I remove the code from the top of the page requiring log.php all works fine again.

I think I may have to add some rules/extensions to resolve this conflict, but I don't know how to go about this. Would someone be able to help me get it sorted?

Thanks

Nick

Pikachu2000 Posted March 3, 2011

On cursory review, the code in that tutorial appears to be outdated. Short <? open tags, session_register() and session_is_registered() are all deprecated. The code also does nothing to guard against SQL injection or XSS attack, and appears to be generally rather poor. Nonetheless, if you want help figuring out the problem, post the relevant code and form within . . . tags.

nickharambee Posted March 3, 2011

Thanks. Like I said, I'm a PHP newbie. Basically I'm just looking for a customised login page. Could you recommend a more secure script/method?

Pikachu2000 Posted March 3, 2011

That code could be rewritten and updated if you want to stick with it, or if you already have a database table with member info in it, it *shouldn't* be a terribly big deal to write something that will work with it.

nickharambee Posted March 4, 2011

OK, here's the code for the log.php

```php
<?
session_name("MyLogin");
session_start();

if($_GET['action'] == "login") {
    $conn = mysql_connect("localhost","user","password"); // your MySQL connection data
    $db = mysql_select_db("DATABASENAME"); //put your database name in here
    $name = $_POST['user'];
    $q_user = mysql_query("SELECT * FROM USERS WHERE login='$name'");

    if(mysql_num_rows($q_user) == 1) {
        $query = mysql_query("SELECT * FROM USERS WHERE login='$name'");
        $data = mysql_fetch_array($query);
        if($_POST['pwd'] == $data['password']) {
            session_register("name");
            header("Location: yourpage.php"); // success page. put the URL you want
            exit;
        } else {
            header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
            exit;
        }
    } else {
        header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
        exit;
    }
}

// if the session is not registered
if(session_is_registered("name") == false) {
    header("Location: login.php");
}
?>
```

And here's the code for the login.php:

```php
<?
session_name("MyLogin");
session_start();
session_destroy();

if($_GET['login'] == "failed") {
    print $_GET['cause'];
}
?>
<form name="login_form" method="post" action="log.php?action=login">
Login: <input type="text" name="user"><BR>
Password: <input type="password" name="pwd"><BR>
<input type="submit">
</form>
```

And here's the code for the upload.php which I believe there is a conflict with:

```php
<?php
/**
 * Styx::Upload - Handles file uploads
 *
 * @package Styx
 * @subpackage Utility
 *
 * @license MIT-style License
 * @author Christoph Pojer <christoph.pojer@gmail.com>
 */

class Upload {

    /**
     * Moves the uploaded file to the specified location. It throws a UploadException
     * if anything goes wrong except for if the upload does not exist. This can be checked with {@link Upload::exists()}
     *
     * @param string $file
     * @param string $to
     * @param array $options
     * @return bool|string Path to moved file or false if the specified upload does not exist
     */
    public static function move($file, $to, $options = null){
        if(!self::exists($file)) return false;

        $options = array_merge(array(
            'name' => null,
            'extension' => null,
            'size' => null,
            'chmod' => 0777,
            'overwrite' => false,
            'mimes' => array(),
        ), $options);

        $file = $_FILES[$file];

        if($options['size'] && $file['size']>$options['size'])
            throw new UploadException('size');

        $pathinfo = pathinfo($file['name']);
        if($options['extension']) $pathinfo['extension'] = $options['extension'];
        if(!$pathinfo['extension'])
            throw new UploadException('extension');

        if(count($options['mimes'])){
            $mime = self::mime($file['tmp_name'], array(
                'default' => $file['type'],
                'extension' => $pathinfo['extension'],
            ));

            if(!$mime || !in_array($mime, $options['mimes']))
                throw new UploadException('extension');
        }

        $file['ext'] = strtolower($pathinfo['extension']);
        $file['base'] = basename($pathinfo['basename'], '.'.$pathinfo['extension']);

        $real = realpath($to);
        if(!$real) throw new UploadException('path');
        if(is_dir($real)) $to = $real.'/'.($options['name'] ? $options['name'] : $file['base']).'.'.$file['ext'];

        if(!$options['overwrite'] && file_exists($to))
            throw new UploadException('exists');

        if(!move_uploaded_file($file['tmp_name'], $to))
            throw new UploadException(strtolower($_FILES[$file]['error']<=2 ? 'size' : ($_FILES[$file]['error']==3 ? 'partial' : 'nofile')));

        chmod($to, $options['chmod']);

        return realpath($to);
    }

    /**
     * Returns whether the Upload exists or not
     *
     * @param string $file
     * @return bool
     */
    public function exists($file){
        return !(empty($_FILES[$file]['name']) || empty($_FILES[$file]['size']));
    }

    /**
     * Returns (if possible) the mimetype of the given file
     *
     * @param string $file
     * @param array $options
     */
    public function mime($file, $options = array()){
        $file = realpath($file);
        $options = array_merge(array(
            'default' => null,
            'extension' => strtolower(pathinfo($file, PATHINFO_EXTENSION)),
        ), $options);

        $mime = null;
        $ini = error_reporting(0);
        if (function_exists('finfo_open') && $f = finfo_open(FILEINFO_MIME, getenv('MAGIC'))){
            $mime = finfo_file($f, $file);
            finfo_close($f);
        }
        error_reporting($ini);

        if(!$mime && in_array($options['extension'], array('gif', 'jpg', 'jpeg', 'png'))){
            $image = getimagesize($file);
            if(!empty($image['mime']))
                $mime = $image['mime'];
        }

        if(!$mime && $options['default']) $mime = $options['default'];

        if((!$mime || $mime=='application/octet-stream') && $options['extension']){
            static $mimes;
            if(!$mimes) $mimes = parse_ini_file(pathinfo(__FILE__, PATHINFO_DIRNAME).'/MimeTypes.ini');

            if(!empty($mimes[$options['extension']]))
                return $mimes[$options['extension']];
        }

        return $mime;
    }

}

class UploadException extends Exception {}
```

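A rewrite of the posted log.php that addresses the points raised earlier in the thread (short open tags, session_register(), session_is_registered(), SQL built from `$_POST`) and the plaintext password comparison visible in the post. This is an added example, not code from the thread or the linked tutorial. It assumes PHP 7.1 or later, PDO with the MySQL driver, and a hypothetical `password_hash` column filled with `password_hash($plain, PASSWORD_DEFAULT)`; `find_user` and `post_string` are names chosen here.

```php
<?php
// Added example, not the tutorial's code. Assumed schema: USERS(login,
// password_hash), where password_hash holds password_hash() output.
declare(strict_types=1);

session_name('MyLogin');
session_start();

function find_user(PDO $pdo, string $login): ?array
{
    // Bound parameter: $login is sent as data and never spliced into the SQL.
    $stmt = $pdo->prepare('SELECT login, password_hash FROM USERS WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function post_string(string $key): string
{
    // Reject array-valued fields such as user[]=x instead of casting them.
    return is_string($_POST[$key] ?? null) ? $_POST[$key] : '';
}

if (($_GET['action'] ?? '') === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=DATABASENAME;charset=utf8mb4',
        'user',      // placeholder credentials, as in the original post
        'password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
    $user = find_user($pdo, post_string('user'));
    // password_verify() checks against a salted hash, not a stored plaintext.
    if ($user === null || !password_verify(post_string('pwd'), $user['password_hash'])) {
        // Generic failure: nothing user-supplied is echoed, no hint whether the name exists.
        header('Location: login.php?login=failed');
        exit;
    }

    session_regenerate_id(true);          // fresh session ID at login (fixation)
    $_SESSION['name'] = $user['login'];   // replaces session_register()
    header('Location: yourpage.php');
    exit;
}

// Gate for protected pages; replaces session_is_registered().
if (empty($_SESSION['name'])) {
    header('Location: login.php');
    exit; // the posted version has no exit here, so the page keeps executing
}
```

With the generic redirect, login.php can print a fixed failure message instead of `$_GET['cause']`; any request value that is echoed into the page should pass through `htmlspecialchars()` first.
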
nickharambee Posted March 6, 2011

Just to say that I now have a new upload script that does not conflict with the PHP login I posted above, but with Pikachu2000 suggesting that the script is outdated and "generally rather poor", I would be grateful for any advice in either updating it, or looking elsewhere for a better PHP login script.

Thanks

Nick

Pikachu2000 Posted March 6, 2011

Can you post the new code please?

nickharambee Posted March 6, 2011

The login code is the same as the code above, i.e. log.php and login.php

Pikachu2000 Posted March 6, 2011

Oh, OK. I misread what you were saying there. I'll have a look at it for you.