vishalonne Posted October 2, 2012

Hi All

See the code given below. I have been fighting with this code for the last 5 hours to know why isset() is evaluating the condition as false if the value is posted exactly as it should be POSTed. If I uncomment line no. 4,5,6,7,8 and put rest of the code from line no. 10 to 28 I can see the POSTED value. Can anyone help in this by any guidance or suggestion. I will be thankful.

    <?php
    include 'dbconnection.php';
    include 'functions.php';
    //sec_session_start();
    // $email = $_POST['logemail'];
    // $password = $_POST['p'];
    // echo $password;
    // echo $email;
    // Our custom secure way of starting a php session.
    if(isset($_POST['logemail'], $_POST['p'])) {
        $email = $_POST['logemail'];
        $password = $_POST['p']; // The hashed password.
        if(login($email, $password, $mysqli) === true) {
            // Login success
            //$url = 'mwq';
            //echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL='.$url.'">';
            echo $password;
            echo $email;
        } else {
            // Login failed
            header('Location: login.php?error=1');
        }
    } else {
        // The correct POST variables were not sent to this page.
        echo 'Invalid Request Data Not POSTED';
    }

ManiacDan Posted October 2, 2012

Your code does 2 redirects (both incorrectly). POST generally doesn't follow redirects.

How are you sure POST is being set and yet it's not being set? How can you view it if it's not there? Your problem description doesn't make sense.

Do a print_r($_POST); at the top of your page, that will show you what's in $_POST.

vishalonne Posted October 2, 2012

Dear Maniac Dan. First of all thank you for considering my problem. I have 2 forms on my index.php, here it is:

    <FORM ID="Login" ACTION="login.php" METHOD="POST">
      <h1>welcome to the login page</h1>
      please input the login details to create an account here<br />
      <table border="2">
        <tr>
          <td>email :</td><td><input id="logemail" name="logemail" type="text" size="30"></input></td>
        </tr>
        <tr>
          <td>password :</td><td><input id="logpass1" name="logpass1" type="password" size="20"></input></td>
        </tr>
      </table>
      <input type="button" value="Login" onclick="formhash2(this.form,this.form.logpass1);">
    </FORM>

    <FORM ID="Register" ACTION="register.php" METHOD="POST">
      <h1>welcome to the registration page</h1>
      please input the registration details to create an account here<br />
      <table border="2">
        <tr>
          <td>email :</td><td><input name="regemail" type="text" size="30"></input></td>
        </tr>
        <tr>
          <td>password :</td><td><input id="regpass1" name="regpass1" type="password" size="20"></input></td>
        </tr>
      </table>
      <input type="button" value="Register" onclick="formhash1(this.form,this.form.regpass1);">
    </FORM>

1. As you can see in the code, the second form also has the same code with minor changes like the name of the function in onclick(). When this is working perfectly, why is the 1st form not working?

2. But the interesting part of the code is that if I remove the comment from these

    // $email = $_POST['logemail'];
    // $password = $_POST['p'];
    // echo $password;
    // echo $email;

and comment out the rest of the code, then I get what I expect from POST.

Now can you explain this...

ManiacDan Posted October 2, 2012

    $password = $_POST['p']; // The hashed password.

Your code contains no input named "p". Even if it did, the password would not be hashed.

I'm still not sure how you think randomly commenting half the script proves POST is working.

Ignore the fact that you have two separate and unrelated pages. Fix ONE first.

vishalonne Posted October 2, 2012

Please check this code for formhash2() and formhash1() -

    // Javascript Document csnip
    function formhash2(form,password) {
        // Create a new element input, this will be our hashed password field.
        alert(form.id + " " + password.value);
        var p = document.createElement("input");
        // Add the new element to our form.
        p.name = "p";
        p.type = "hidden";
        p.value = hex_sha512(password.value);
        // Make sure the plaintext password doesn't get sent.
        password.value = "";
        // Finally submit the form.
        form.appendChild(p);
        form.submit();
    }

    function formhash1(form,password) {
        alert(form.id + " " + password.value);
        // Create a new element input, this will be our hashed password field.
        var pl = document.createElement("input");
        // Add the new element to our form.
        pl.name = "pl";
        pl.type = "hidden";
        pl.value = hex_sha512(password.value);
        // Make sure the plaintext password doesn't get sent.
        password.value = "";
        // Finally submit the form.
        form.appendChild(pl);
        form.submit();
    }

Pikachu2000 Posted October 2, 2012

Why are you hashing data on the client side?

vishalonne Posted October 2, 2012

Actually I got this code from http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

Psycho Posted October 2, 2012

1. As you can see in the code Second form also have same code with minor changes like the name of function in onclick() when this is working perfectly Why not 1st form is working.

Based upon your last post you have two functions: formhash1() and formhash2(). The first function is dynamically creating a field with the name "p1" whereas the second function is dynamically creating a field with the name "p". If those two functions are used for forms 1 and 2 respectively then that explains why form 1 does not have a POST value for "p".

But, this is a terrible implementation. You should not be doing any hashing on the client side.

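
The two points in the reply above (a handler expecting a field name the form never sends, and hashing that belongs on the server), as an added example that is not code from the thread or from the wikiHow tutorial: the handler names the missing POST fields instead of printing a generic message, and verifies the password with PHP's password_hash()/password_verify(). The user store, the example.test address and the function names are constructed for illustration, and the form is assumed to submit logpass1 directly over HTTPS with no formhash2() step.

```php
<?php
// Added example, not the thread's code. Assumes the form posts logemail and
// logpass1 over HTTPS with a plain submit button (no formhash2(), no "p" field).

// Constructed user store standing in for the database lookup.
function demo_users(): array
{
    return ['ankush@example.test' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

// Names of required fields absent from the request, so a mismatch between the
// form and the handler is reported by name.
function missing_fields(array $post, array $required): array
{
    return array_values(array_diff($required, array_keys($post)));
}

function handle_login(array $post, array $users): array
{
    $missing = missing_fields($post, ['logemail', 'logpass1']);
    if ($missing) {
        return ['ok' => false, 'reason' => 'missing field(s): ' . implode(', ', $missing)];
    }
    $email = $post['logemail'];
    $password = $post['logpass1'];
    if (!is_string($email) || !is_string($password)) {
        return ['ok' => false, 'reason' => 'malformed input'];
    }
    // Unknown accounts are checked against a throwaway hash so that both paths
    // cost one password_verify() call.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $known = array_key_exists($email, $users);
    $valid = password_verify($password, $known ? $users[$email] : $dummy);
    if (!($known && $valid)) {
        return ['ok' => false, 'reason' => 'invalid email or password'];
    }
    return ['ok' => true, 'reason' => 'authenticated'];
}

$users = demo_users();
// Request shaped like the thread's dump: logpass1 blanked, a hash sent as "p".
print_r(handle_login(['logemail' => 'ankush@example.test', 'logpass1' => '', 'p' => str_repeat('0', 128)], $users));
// Request carrying a field name the handler does not expect.
print_r(handle_login(['logemail' => 'ankush@example.test', 'pl' => 'x'], $users));
// Password sent as typed over TLS and verified server-side.
print_r(handle_login(['logemail' => 'ankush@example.test', 'logpass1' => 'correct horse'], $users));
```

The field-level reason is meant for the developer's log while debugging; the response shown to the user should stay generic.
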
vishalonne Posted October 2, 2012

If I delete the entire code from isset to the bottom and leave only this part in login.php file -

    <?php
    include 'dbconnection.php';
    include 'functions.php';
    sec_session_start();
    echo var_dump($_POST);
    print_r($_REQUEST);
    ?>

See the output

    array(3) { ["logemail"]=> string(6) "ankush" ["logpass1"]=> string(0) "" ["p"]=> string(128) "704d3e76a26e1c6e99e8ca31237eb400cf2cb38b9712f22ee49ec4831bd974a37ef68fd3a8ee265b9a90cb2c07006c114db59fccd93cc0a36458f9d3f04773ea" }
    Array ( [logemail] => ankush [logpass1] => [p] => 704d3e76a26e1c6e99e8ca31237eb400cf2cb38b9712f22ee49ec4831bd974a37ef68fd3a8ee265b9a90cb2c07006c114db59fccd93cc0a36458f9d3f04773ea )

vishalonne Posted October 2, 2012

@Psycho Thank you very much for this great information, unnecessarily I was banging my head on this code. Can you please tell me from where I can get a good security tutorial for PHP for the same purpose. So, I can do the same job in PHP.

Regards

vishalonne Posted October 2, 2012

Here in PHP Freaks I saw in one thread you suggested to use a library for this purpose, like Ion auth is simple and secure. Can you suggest more libraries which can give strong security features.

Christian F. Posted October 3, 2012

I can recommend this article about secure login systems. It contains a lot of valuable information, and a PHP class to handle most of the login for you.