Jump to content

Recommended Posts

Hi, i wrote a login form with some validation - problem is it is skipping the first part of the validation where it checks if the form had any data entered in the first place...

 


$sub = $_POST["submit"];
$username = $_POST["username"];
$password = sha1($_POST["password"]);

if($sub){
if(!$username && !$password){
$err .= "You tried to login without providing the informtion required.";
}else{
if(!$username){
$err .= "Please enter a username.";
}else{
if(!$password){
$err .= "Please enter a password.";
}else{
$getLogin = select("*", "users", "username = '$username'");
$get = mysql_fetch_assoc($getLogin);

if($get["username"] != $username){
$err .= "The username didn't match the database.";
}else{
if($get["password"] != $password){
$err .= "The password didn't match the database.";
}else{
session_start();
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
$_SESSION["user_level"] = $get["user_level"];

header("Location: main.php");
}
}
}
}
}

echo '<div class="error">ERROR: '.$err.'</div>';
}

 

can anyone see why?

 

(it goes straight to checking the username field rather then checking the entire form)

Link to comment
https://forums.phpfreaks.com/topic/269396-login-validation-is-skipping-a-check/
Share on other sites

You aren't checking whether the form had any data entered. You're checking whether $sub evaluates to FALSE, then whether $username and $password evaluate to FALSE. At least one of them does not evaluate to FALSE.

The problem lies in the third line. sha1 () always produces a salt, even for an empty string ('da39a3ee5e6b4b0d3255bfef95601890afd80709', btw).

 

That said, you really should check for isset () directly on the $_POST values. By assigning them to variables before you check whether they're set or not, will always produce a notice about undefined indices if nothing has been posted. There is really no need to assign them to individual variables either, unless you've modified (or after validating) them. And then only to give a clear divide on what's the unmodified user-inputted data, and what's "safe" to use in the script.

 

You definitely should salt and hash the password as well, storing plain-text passwords is really bad. Not only because you will then be able to see your users' passwords, which they're almost certainly using for other sites as well, but also because anyone who gains access to your database (by legit means or not) can do the same.

I'm sure you've seen me post the link to this article about secure login systems before, and I still strongly recommend following its guidelines.

 

PS: You also should have a die () after any header ('Location: ....'); calls, to prevent the PHP parser from executing any remaining code in the script.

You should NOT tell the user that the username or password do not match. Doing that gives a malicious user information that they can use to exploit the system. If you are not going to track invalid login attempts against usernames then you can simply do a query usign both the username AND the password. If there is no match then prevent login. You would only do a SELECT using just the username THEN compare the password if you want to keep track of invalid logins.

 

Also, do NOT store the password in session data. There is no (good) reason to do so. There are several other problems as wll: not using a salt, not escaping the username, etc.

 

Here is a much more logical flow:

 

Edit: removed code since OP is not appreciative of help given

Edited by Psycho

Christian is right, it generates a value whether theres a post input or not, also - just writing if($variable) does check whether there is a value or not. Its just easier than writing if(isset($variable))

 

Just because somethign works and is easier does not mean it is the correct way. There are plenty of un-strict behavior that is changes in later versions of PHP. Best to use proper coding now than to have a lot of code break with newer versions of PHP.

The way I work is this:

 

Write the code in the easiest way for me,

 

If it works, leave it alone.

If it does NOT work, change it.

And you've been doing this how long?

 

There's a difference between code that just barely works, and code that is built correctly from the ground up. When you have professionals giving you advice on how to do things the right way, and you choose to ignore it, you look like a child.

BTW - Your re-written code would return an error since the $get variable for $get["user_level"] doesnt exist without $get = mysql_fetch_assoc($getLogin);

 

OK, I rewrote your code in about 5 minutes in a much more logical and sound format. I don't have your database or other files needed to even test the code. So, I missed changing one single variable name. You sure put me in my place.

 

If you are not interested in learning good standard coding practices, that's your perogative. I'll just remember not to provide any help to you in the future.

Edited by Psycho

As I said, if my code doesn't work (which it didn't otherwise I wouldn't of posted this topic in the first place) then I change it. So I changed it to something that does work (which is your re-written code with the mysql_fetch_assoc() line where its needed). and it works fine now.

 

No need to get in a huff about it.

 

I'm interested in learning code otherwise I wouldn't have a job as a web developer. I just don't see why I should change something that works.

Edited by White_Lily

I just don't see why I should change something that works.

 

And therein lies the problem. You've been given reasons you should make changes, but instead of doing some research or testing on your own, you just hand wave sound advice away because you seem to think the mere fact that something "works" means it's the right way to do it. That's what they thought about the Hindenburg, too.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.