Jump to content

Recommended Posts

Hi All

See the code give given below. I was fighting with this code since last 5 hours to know why isset() is eveluating the condition as false if value is posted exactly what it shall POST.

If I uncomment the line no. - 4,5,6,7,8 and put rest of the code from line no. 10 to 28 I can see the POSTED value .

Can Anyone help in this by any guidance or suggestion. I will be thankful.

<?php
   include 'dbconnection.php';
   include 'functions.php';
   //sec_session_start();
 //  $email = $_POST['logemail'];
 //  $password = $_POST['p'];
   // echo $password;
   // echo $email;
 // Our custom secure way of starting a php session.

   if(isset($_POST['logemail'], $_POST['p'])) {
   $email = $_POST['logemail'];
   $password = $_POST['p']; // The hashed password.
   if(login($email, $password, $mysqli) === true) {
	  // Login success
	  //$url = 'mwq';
    //echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL='.$url.'">';
 echo $password;
 echo $email;

   } else {
	  // Login failed
	  header('Location: login.php?error=1');
   }
   } else {
   // The correct POST variables were not sent to this page.
   echo 'Invalid Request Data Not POSTED';
   }

Your code does 2 redirects (both incorrectly). POST generally doesn't follow redirects.

 

How are you sure POST is being set and yet it's not being set? How can you view it if it's not there? Your problem description doesn't make sense.

 

Do a print_r($_POST); at the top of your page, that will show you what's in $_POST.

Dear Maniac Dan.

First of all thank you for considering my problem.

I have 2 forms on my index.php here it is

<FORM ID="Login" ACTION="login.php" METHOD="POST">
<h1>welcome to the login page</h1>
please input the login details to create an account here<br />
<table border="2">
<tr>
<td>email :</td><td><input id="logemail" name="logemail" type="text" size"30"></input></td>
</tr>
<tr>
<td>password :</td><td><input id="logpass1" name="logpass1" type="password" size"20"></input></td>
</tr>
</table>
<input type="button" value="Login" onclick="formhash2(this.form,this.form.logpass1);">
</FORM>
<FORM ID="Register" ACTION="register.php" METHOD="POST">
<h1>welcome to the registration page</h1>
please input the registration details to create an account here<br />
<table border="2">
<tr>
<td>email :</td><td><input name="regemail" type="text" size"30"></input></td>
</tr>
<tr>
<td>password :</td><td><input id="regpass1" name="regpass1" type="password" size"20"></input></td>
</tr>
</table>
<input type="button" value="Register" onclick="formhash1(this.form,this.form.regpass1);">
</FORM>

1. As you can see in the code Second form also have same code with minor changes like the name of function in onclick() when this is working perfectly Why not 1st form is working.

2. But interesting part of the code is if I remove the comment from these

// $email = $_POST['logemail'];

// $password = $_POST['p'];

// echo $password;

// echo $email;

 

and rest of the code I commented then I get waht I expect from POST.

Now can you explain this...

           $password = $_POST['p']; // The hashed password.

Your code contains no input named "p". Even if it did, the password would not be hashed.

 

I'm still not sure how you think randomly commenting half the script proves POST is working. Ignore the fact that you have two separate and unrelated pages. Fix ONE first.

Please check this code for formhash2() and formhash1() -

// Javascript Document csnip
function formhash2(form,password) {
 // Create a new element input, this will be out hashed password field.
  alert(form.id + " " + password.value);
  var p = document.createElement("input");
   // Add the new element to our form.

  p.name = "p";
  p.type = "hidden"
  p.value = hex_sha512(password.value);
  // Make sure the plaintext password doesn't get sent.
  password.value = "";
  // Finally submit the form.
  form.appendChild(p);
  form.submit();
}
function formhash1(form,password) {
alert(form.id + " " + password.value);
 // Create a new element input, this will be out hashed password field.
 var pl = document.createElement("input");
 // Add the new element to our form.

  pl.name = "pl";
  pl.type = "hidden"
  pl.value = hex_sha512(password.value);
  // Make sure the plaintext password doesn't get sent.
  password.value = "";
  // Finally submit the form.
  form.appendChild(pl);
  form.submit();
}

1. As you can see in the code Second form also have same code with minor changes like the name of function in onclick() when this is working perfectly Why not 1st form is working.

 

Based upon your last post you have two functions: formhash1() and formhash2(). The first function is dynamically creating a field with the name "p1" whereas the second function is dynamically creating a field with the name "p". If those two functions are used for forms 1 and 2 respectively then that explains why form 1 does not have a POST value for "p".

 

But, this is a terrible implementation. You should not be doing any hashing on the client side.

If I delete the entire code from isset to the bottom and leave only this part in login.php file -

 
<?php
include 'dbconnection.php';
include 'functions.php';
sec_session_start();
echo var_dump($_POST);
print_r($_REQUEST);
?>

See the output

array(3) { ["logemail"]=> string(6) "ankush" ["logpass1"]=> string(0) "" ["p"]=> string(128) "704d3e76a26e1c6e99e8ca31237eb400cf2cb38b9712f22ee49ec4831bd974a37ef68fd3a8ee265b9a90cb2c07006c114db59fccd93cc0a36458f9d3f04773ea" } Array ( [logemail] => ankush [logpass1] => [p] => 704d3e76a26e1c6e99e8ca31237eb400cf2cb38b9712f22ee49ec4831bd974a37ef68fd3a8ee265b9a90cb2c07006c114db59fccd93cc0a36458f9d3f04773ea )

@Psycho

Thank you very much for this great information, unnecessarly I was banging my head on these code.

Can you please tell me from where I can get good security tutorial for php for the same purpose.

So, I can do same job in PHP

Regards

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.