Massive security issues!


hoponhiggo


The section of code you just changed, for registering, doesn't originally have a $password variable in it. Did you add a $password variable? (The one that is in your code is inside the login logic and doesn't exist when the registering code executes.)

 

You also have the logic that defines the GetSQLValueString() function in your code THREE times. Delete the second two occurrences.


Look forward to you reposting in 5 mins then!! lol  :P

 

Wait no more haha

 

changed my login code to:

 

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

$salt="Any random gobbldy-gook";
$password=md5( md5($salt.$password));
$sql="SELECT uid FROM users WHERE username='$username' AND password='$password'";

if (isset($_POST['Username'])) {
  $loginUsername=$username;
  $password=$password;
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "index.php";
  $MM_redirectLoginFailed = "loginsignup.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_pwnedbookv4, $pwnedbookv4);
  
   $LoginRS__query=sprintf("SELECT username, password, uid FROM users WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $pwnedbookv4) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
  if(isset($_POST['checkcookie'])){
	  setcookie("cookname",
	  $loginUsername, time()+60*60*24*100, "/");
	  setcookie("cookpass", $password,
	  time()+60*60*24*100, "/");
  }
     $loginStrGroup = "";
     $pullID = mysql_fetch_assoc($LoginRS);
     $usrID = $pullID['uid'];
    
if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;
    $_SESSION['MM_userid'] = $usrID;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

 

but as you can guess, no joy!

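The post above keeps the user logged in by writing the password hash itself into a cookie ("cookpass") for 100 days, which turns a leaked or sniffed cookie into a reusable credential. The following is an added example, not code from the thread, showing the usual alternative: an opaque random token in the cookie, with only a SHA-256 of the token kept server-side, bound to an expiry and discarded after one use. It runs stand-alone against an in-memory SQLite database; the table name, cookie name and 30-day lifetime are assumptions.

```php
<?php
// Added example (not from the thread): a "remember me" cookie that never
// carries the password or its hash. The browser gets a random opaque token,
// the server stores only hash('sha256', token), so a dumped database does
// not yield usable cookies. In-memory SQLite keeps it self-contained;
// table name, cookie name and lifetime are assumptions.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;   // shorter than the 100 days in the post: long-lived tokens widen the theft window

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (
                 selector   TEXT PRIMARY KEY,
                 token_hash TEXT NOT NULL,
                 uid        INTEGER NOT NULL,
                 expires    INTEGER NOT NULL)');
    return $db;
}

// Issue a token after a successful password login. The cookie value is
// "selector:validator": the selector is the lookup key, the validator is the
// secret, and only the validator's hash is stored.
function issueRememberToken(PDO $db, int $uid): string {
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_DAYS * 86400;
    $db->prepare('INSERT INTO remember_tokens (selector, token_hash, uid, expires)
                  VALUES (:s, :h, :u, :e)')
       ->execute([':s' => $selector, ':h' => hash('sha256', $validator),
                  ':u' => $uid, ':e' => $expires]);
    $cookieValue = $selector . ':' . $validator;
    // HttpOnly keeps the cookie away from page script, Secure keeps it off
    // plain HTTP, SameSite=Lax blocks most cross-site use of it.
    if (PHP_SAPI !== 'cli') {
        setcookie(REMEMBER_COOKIE, $cookieValue, [
            'expires'  => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
    return $cookieValue;
}

// Redeem a token on a later visit: look up by selector, compare the hash in
// constant time, reject expired rows, and delete the row so a stolen copy is
// good for at most one use (the caller then issues a fresh token).
function redeemRememberToken(PDO $db, string $cookieValue): ?int {
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT token_hash, uid, expires FROM remember_tokens WHERE selector = :s');
    $stmt->execute([':s' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    $db->prepare('DELETE FROM remember_tokens WHERE selector = :s')->execute([':s' => $selector]);
    return (int) $row['uid'];
}

// Stand-alone demonstration with a constructed user id.
$db     = openDb();
$cookie = issueRememberToken($db, 42);
var_dump(redeemRememberToken($db, $cookie));        // valid on first use
var_dump(redeemRememberToken($db, $cookie));        // rejected: row was consumed
var_dump(redeemRememberToken($db, 'bogus:bogus'));  // rejected: unknown selector
```

The first redeem returns the user id, the second and third return null. The point of the selector/validator split is that the database lookup is done on a value that is not itself the secret, so the `hash_equals` comparison, not the SQL `WHERE`, decides authentication.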

Ok

 

Somewhere along the line, you have to change $_POST['password'] into $password.

 

If we refer back to the code in previous posts, this line has got distorted. What you actually are trying to do is take $_POST['password'], hash it and salt it, and then call it $password to be used when interacting with your DB.

 

change

$salt="Any random gobbldy-gook";
$password=md5( md5($salt.$password));

 

to

$salt="Any random gobbldy-gook";
$password=md5( md5($salt.$_POST['password']));


This needs to be the same wherever you refer to $password or $_POST['password']

 


ok, my code is now

 

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
$salt="Any random gobbldy-gook";
$password=md5( md5($salt.$_POST['password']));

if (isset($_POST['Username'])) {
  $loginUsername=$_POST['Username'];
  $password=$_Post['Password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "index.php";
  $MM_redirectLoginFailed = "loginsignup.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_pwnedbookv4, $pwnedbookv4);
  
   $LoginRS__query=sprintf("SELECT username, password, uid FROM users WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $pwnedbookv4) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
  if(isset($_POST['checkcookie'])){
	  setcookie("cookname",
	  $loginUsername, time()+60*60*24*100, "/");
	  setcookie("cookpass", $password,
	  time()+60*60*24*100, "/");
  }
     $loginStrGroup = "";
     $pullID = mysql_fetch_assoc($LoginRS);
     $usrID = $pullID['uid'];
    
if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;
    $_SESSION['MM_userid'] = $usrID;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

 

Still not working. Do you think it's the fact that, even before I started changing any code, a $password variable ($password=$password=$_Post['Password'];) already existed?

 

Is the $password in

$password=md5( md5($salt.$_POST['password']));

overriding the $password in

$password=$password=$_Post['Password'];

?


Whichever appears later in the code will override the others.

 

Your process should be something like

if (isset($_POST['password'])){
.
.
.
.
.
.
$password=md5( md5($salt.$_POST['password']));
.
.
.
.
.
.
.
either INSERT or SELECT with DB using $password
.
.
.
.
.
.
.
<form method="post" >
<input type="password" name="password">

You shouldn't need to define it any more times than this really.

 

Your user will input in either a reg form or login form

This is then returned to the script as $_POST['password']

This will then be hashed and salted to $password

Which is then either written to DB or used as part of a SELECT statement to get existing user details.

 

Have a scan through your code and see if it fits to this, if you've got other complications in there (except the bit to prevent numeric SQL injection) you may want to remove them.

 

Hope this makes sense

 

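The flow Nodral describes above (form value arrives as $_POST['password'], it is hashed once, and that single hashed value is used for either the INSERT or the SELECT) is the right shape. The following is an added example, not code from the thread or from Dreamweaver, that carries the same flow out with the tools a practitioner would reach for today: password_hash()/password_verify() in place of md5(md5($salt . $pw)) with a fixed salt string, and PDO prepared statements in place of GetSQLValueString() and sprintf()-built SQL. It runs stand-alone against an in-memory SQLite database; the users table keeps the thread's uid/username/password columns, and the sample credentials are constructed.

```php
<?php
// Added example (not from the thread): register -> hash -> INSERT and
// login -> fetch -> verify, using password_hash()/password_verify() and
// PDO bound parameters. In-memory SQLite so it runs stand-alone; the
// users table follows the thread's columns, everything else is assumed.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid      INTEGER PRIMARY KEY AUTOINCREMENT,
                                   username TEXT UNIQUE NOT NULL,
                                   password TEXT NOT NULL)');
    return $db;
}

// Registration. The plaintext is hashed once, right before the INSERT.
// password_hash() draws a random per-user salt and stores it inside the
// returned string, so there is no shared $salt = "..." literal: a salt that
// is the same for every user lets one cracking run cover the whole table.
function registerUser(PDO $db, string $username, string $password): int {
    if ($username === '' || $password === '') {
        throw new InvalidArgumentException('username and password are required');
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
    return (int) $db->lastInsertId();
}

// Login. Fetch by username only and verify the hash in PHP. The hash is not
// a lookup key, and with bound parameters the quoting problem that
// GetSQLValueString() was escaping around does not arise at all.
function loginUser(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT uid, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Spend a comparable amount of time on an unknown username so the
        // response time does not reveal which usernames exist.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return null;
    }
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // Re-hash on login when the default algorithm or cost has moved on, so
    // old hashes are upgraded without a forced password reset.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password = :p WHERE uid = :id')
           ->execute([':p' => password_hash($password, PASSWORD_DEFAULT),
                      ':id' => $row['uid']]);
    }
    return (int) $row['uid'];
}

// Stand-alone demonstration with constructed credentials.
$db  = openDb();
$uid = registerUser($db, 'alice', 'correct horse battery staple');
var_dump(loginUser($db, 'alice', 'correct horse battery staple') === $uid); // right password
var_dump(loginUser($db, 'alice', 'wrong password'));                         // wrong password
var_dump(loginUser($db, "alice' OR '1'='1", 'anything'));                   // injection attempt
```

Only the first call succeeds; the injection string is just an unknown username once it is bound as a parameter rather than spliced into the query text. Note also that the login path never stores the hash in a cookie and never compares it in the WHERE clause, which is the other thing the thread's sprintf() query does.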

I have tried to go through the whole login/signup code and remove what I can.

 

I am left with

 

<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}


if (isset($_POST['Username'])) {
  $loginUsername=$_POST['Username'];
  $password=$_POST['Password'];
  $salt="anything here";
$password=md5( md5($salt.$_POST['Password']));
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "index.php";
  $MM_redirectLoginFailed = "loginsignup.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_pwnedbookv4, $pwnedbookv4);
  
   $LoginRS__query=sprintf("SELECT username, password, uid FROM users WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $pwnedbookv4) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {

     $loginStrGroup = "";
     $pullID = mysql_fetch_assoc($LoginRS);
     $usrID = $pullID['uid'];
    
if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;
    $_SESSION['MM_userid'] = $usrID;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if(isset($_POST['username'])){
if($_POST['username'] == ""){
//username empty
die("You must enter a username");
}
} else {
//username not set
} 



if(isset($_POST['password'])){
if($_POST['password'] == ""){
//username empty
die("You must enter a password");
}
} else {
//password not set
} 

$salt="anything here";
$password=md5( md5($salt.$password));

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO users (username, password, email, fname, sname) VALUES (%s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['username'], "text"),
                       GetSQLValueString($password, "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['fname'], "text"),
                       GetSQLValueString($_POST['sname'], "text"));
				   


  mysql_select_db($database_pwnedbookv4, $pwnedbookv4);
  $Result1 = mysql_query($insertSQL, $pwnedbookv4) or die(mysql_error());

  $insertGoTo = "loginsignup.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}

//send mail
$to = $_POST['email'];
$subject = "Welcome to ...";
$message = "
<html>
<head>
  <title>Welcome to ...</title>
</head>
<body>
<p>Welcome to ...</p>
<p>Thank you for registering</p>
<p>Hoponhiggo (admin)</p>
</body>
</html>
";


// To send HTML mail, the Content-type header must be set
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'From: pwnedbookv4@hoponhiggo.co.uk' . "\r\n";

// preg_match() needs the string to test as its second argument; without it this line is a fatal error.
// Validate the recipient address before handing it to mail().
if (!preg_match('/^([0-9a-zA-Z]([-\.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$/i', $to)) {
  die("You must enter a valid email address");
}


mail($to,$subject,$message,$headers);
?>

 

Using Dreamweaver, it says I have two log-in actions as server behaviours.

 

Whenever I try to amend:

if (isset($_POST['Username'])) {
  $loginUsername=$_POST['Username'];
  $password=$_POST['Password'];
  $salt="anything here";
$password=md5( md5($salt.$_POST['Password']));

 

both of these server behaviours disappear. A lot of this code has been automatically created by Dreamweaver, so I'm not too sure what can stay and what can go to try and make this work.


Here's a time-saving tip: you need to have error_reporting set to E_ALL (or even better, -1) and display_errors set to ON in your master php.ini so that PHP will report and display all the errors it detects. Restart your web server to get any changes made to your master php.ini to take effect, and confirm that those two settings got changed in case the php.ini that you changed is not the one that PHP is using.


Finally sorted this now. I have posted the code for reference:

 

$salt="asifiwouldtellyou";
$userpass=$_POST['Password'];
$md5pass = md5($salt . $userpass);

if (isset($_POST['Username'])) {
  $loginUsername=$_POST['Username'];
  $password=$md5pass;
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "index.php";
  $MM_redirectLoginFailed = "loginsignup.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_pwnedbookv4, $pwnedbookv4);
  
   $LoginRS__query=sprintf("SELECT username, password, uid FROM users WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"))

 

Nodral, PFMaBiSmAd and Muddy_Funster: Thank you all very much for your contributions - especially Nodral. Top Guy!

 
