Php Login And Redirect - Need Help Please

[dlc3172]

Hello -

 

First off, I just want to note that I'm not a programmer whatsoever. Also, I'm hoping I posted this question in the right place.

 

I found a pretty nice PHP script that I've installed. It lets users register for accounts, and then when they login, it redirects them to whatever page I've indicated for their account via an admin system. The script can be found here: http://www.mpdolan.com/#downloads - but I think this is a defunct site. Nobody has responded to my emails there.

 

Anyway, I've been able to set everything up and it all works very nicely, but now I'm having a problem. There is a "forgot your password" function, but I can't get it to send the email to the users who request their login. Would anyone mind looking at the following code? This seems to be the file, emailpass.php, that sends the email. Do you see anything that may be causing the email not to be sent?

 

I'm hoping someone can help me. I've spent some time installing the script and getting it to work the way I want, but I can't really use this on my site if there's no way for users to request their passwords.

 

THANKS!!! Here's the emailpass.php file:

 

 

 

<?

//prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter();

session_start();

//require the config file
require ("config.php");

//make the connection to the database
$connection = @mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
$db = @mysql_select_db($db_name,$connection)or die(mysql_error());

//build and issue the query
$sql ="SELECT * FROM $table_name WHERE email = '$_POST[email]'";
$result = @mysql_query($sql,$connection) or die(mysql_error());

//get the number of rows in the result set
$num = mysql_num_rows($result);

//If match was found, get username and email from database
if ($num != 0)
{
while ($sql = mysql_fetch_object($result))
{
$email = $sql -> email;
$uname = $sql -> username;
}

//Update database with new password
$newpass = rand(10000000,99999999);
$chng = "UPDATE $table_name SET
password = password('$newpass'), pchange = '1'
WHERE email = '$email'";

$result2 = @mysql_query($chng,$connection) or die(mysql_error());

//create message to user
$msg = "<p>Your username & temporary password has been emailed to you.</p>";
$msg .= "<p>You must change this password immediately after your next login.</p>";
$msg .= "<p></p>";
$msg .= "<p><a href=\"login.html\">Login</a></p>";

//create mail message
$mailheaders = "From: www$domain\n";
$mailheaders .= "Your username is $uname.\n";
$mailheaders .= "Your password is $newpass.\n";
$mailheaders .= "http://url.com/login.html";
}
else
{

//If no email was found in the database send a notification to the admin
$email = $adminemail;
$msg = "<p>Your email address could not be located</p>";
$msg .="<p>The Website Administrator has been emailed, you should contacted by them shortly.</p>";

$mailheaders = "From: www$domain\n";
$mailheaders .= "A user with the email address of $_POST[email] has requested a username and password reminder.\n";
$mailheaders .= "$_POST[email] could not be located in the database.\n";
}

//Email the request
$to = "$email";
$subject = "Your Username & Password for www$domain";

mail($to, $subject, $mailheaders, "From: No Reply <$adminemail>\n");

?>
<HTML>
<HEAD>
<TITLE>Username and Password Request</TITLE>
</HEAD>
<BODY>

<? echo "$msg"; ?>

</BODY>
</HTML>

[MDCode]

The site where you got this off of does not provide secure code at all you will want to look that up. I used this exact script when I just started off and learned how awful it was first-hand. You should've gotten an emailpass.html file to go with it. You need to go there first for the form, if they entered an email that exists in the database it will work.

[Christian F.]

I strongly recommend that you read this article about secure login systems. Drop the code you downloaded from that other site, and KILL IT WITH FIRE!

 

Ehem.. Yeah, as noted by SocialCloud: That code is not secure by one iota, and as such should never, ever, be used. The article I linked you to will give you a proper, and secure, login system. Plus all the information you'll need on both how to use it, and how to write one for your own should you want to.

[dlc3172]

Thanks for the feedback, but I think we're getting a little off topic here. First, as I noted in my post, I'm not a programmer. I won't be able to write my own script. Second, I'm not too concerned with how secure the script is because I'm not storing any personal information in the user accounts. Third, as for finding another script that IS secure, I specifically need a user login script that redirects the user to their own account page; that's why I decided to use this particular script.

 

In response to SocialCloud: Yes, I have the emailpass.html and emailpass.php files installed. Everything looks like it should be working, but emails never get delivered. I included the emailpass.php code because that's the file that send the email. I was hoping somebody might notice something that looked wrong and could be preventing the email from being delivered.

[MDCode]

Second, I'm not too concerned with how secure the script is because I'm not storing any personal information in the user accounts.

 

Do you know how many people use the same information for other places on the internet?

 

If I recall, the script stores the passwords with the mysql password() function, in which people keep databases for. That along with the disregard of security, the script will give a hacker all the information they need for multiple websites.

Edited December 6, 2012 by SocialCloud

[dlc3172]

ok, you've convinced me. I won't use this script, which I guess makes my original question moot now. But, seriously, why does't the original programmer take the script down if it's dangerous? People with no programming knowledge like me would have no clue that it's not secure.

 

All that being said, can anyone recommend a SECURE php/mysql script that will register/login a user and also redirect them to whatever page I want upon login?

[Christian F.]

Because some people just don't care, and others have simply forgot about it and moved on. Others doesn't know any better, but that's not really an excuse if you ask me; If you're going to write a tutorial, you're responsible for making at least an attempt to research how to write secure code.

Others, well... Let's just say that Einstein's quote about infinity can be applied.

 

As for the secure script you're looking for: You could take the one I linked to above, and add the header ('Location: ....') to the user's page. Where it says "Authentication succeeded". Just remember to use die () afterwards, to ensure that the PHP parser doesn't execute the following code.

 

[MDCode]

I will provide you with a good login/registration script, along with the one suggested above via Private Message tomorrow. You can decide which you want.

Edited December 6, 2012 by SocialCloud

[Christian F.]

Just post it here in this thread, SocialCloud, so that others might benefit from it as well.

[dlc3172]

Thanks SocialCloud, I would appreciate that. As long as it will also redirect the user to their own html page that I can modify manually. That's the critical part of the script that I need. I know there are lots of php login scripts available, but the insecure one has been the only one I've found that will let the admin put in a unique redirect for each user.

 

Christian, I need a ready-to-use script with an installer (or at least easy installation instructions). I'm not a programmer and don't have the knowledge to modify a script.

 

Thanks guys!!!

Edited December 6, 2012 by dlc3172

[MDCode]

As long as it will also redirect the user to their own html page that I can modify manually.

 

will let the admin put in a unique redirect for each user.

 

Err...this might take me a bit longer. I was planning on doing a script for my site somewhat like this anyways. Since it is provided free either way, I don't care if anyone on here uses it.

 

But I will tell you now it will be somewhat basic

Edited December 6, 2012 by SocialCloud

[dlc3172]

ok - in the meantime, I'm going to keep looking around for a login/redirect script that is secure. I think I may have found one that might work for me (lets the admin assign user groups for redirection purposes, and maybe I can give each user their own unique usergroup). I'll see if I can install it and try it out, and I'll let you know how it goes.

[dlc3172]

Hey guys - I found one of the original developers on another forum. I'm going to ask him to reply on this forum. Interested in hearing your thoughts about what he has to say about security of the script.

[PFMaBiSmAd]

If you mean the original script at the start of this thread? I wouldn't bother.

 

I browsed through all the .php files making up that application and none of them are validating/escaping data being put into database queries or the data going into the mail() parameters. At least two of the 'admin' .php files aren't effectively testing if the current visitor is even logged in and allows anyone to add/delete or update user information. The script is also doing things like storing the user's password in plain text in a cookie and is relying on register_globals (turned off by default over 10 years ago and has been completely removed in php5.4) to get cookie values into program variables. There's also an inconstant usage of both short and full opening php tags (and a lot of other inconstant coding in it.) And several more things, I not going to take the time to write up...

 

In short, that application is doing a number of things we are constantly telling noob programmers not to do. It looks like the author probably did this as a school project, got a passing grade on it, thought he had accomplished something useful, and posted it on the Internet.

Edited December 7, 2012 by PFMaBiSmAd

[dlc3172]

I don't think he's going to post here, but here's what he told me:

 

The script hashes all logins via am md5 function, granted MD5 hashes can be reverse engineered, but this would require direct access to the database (and if that happens, you have bigger problems to worry about).

 

As I said above, the script is meant as a foundation to build your site on top of. It is very easy for a user with minimal knowledge of PHP to add some sort of salt to the script to make the passwords even more secure). Even with salted values, if someone gains access to your datacbase, you still have problems

[PFMaBiSmAd]

That statement is actually incorrect. The code is using the mysql password() function. There are two problems with using that function -

 

1) The size of the hash changed between mysql versions, breaking any data that used it,

 

2) -

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead.

[dlc3172]

Here's the forum and thread if you want to reply to him: http://www.webhostingtalk.com/showthread.php?t=1076907

[MDCode]

Going to have to change the "tomorrow" (today) that I said I would post it to possibly tomorrow or monday :-\

 

As you may have figured out...I'm coding it myself from scratch for my site's tutorial on basic login and registration (All user files and installation are done and 100% error, warning, and notice free) and although it's pretty basic, I suck at css and making the admin back-end neat requires css. I'm going to take a break as I've been coding this for 8 hours on and off but I'll work on it some more later.

Edited December 7, 2012 by SocialCloud

[Christian F.]

Apparently the original author doesn't quite know what he's talking about, at the very least he's mixing his terminology quite a lot. He's clearly confused about the function of the hash, that's for sure.

 

In any case, I've gone ahead and changed the files in demo 6 from the link I posted above. To include the functionality that you require. It's just a rough example, mind you, but it should give you a base you can integrate into your own site. It has all of the necessary functions, but you'll probably want to split the different forms up a bit. Add some restrictions to the new user generation, for example.

 

Unfortunately there's too much code to paste here, so I've zipped it up and attached it to this post.

You'll find all of my changes if you search for "CF: ". The only file I've left alone is pwqcheck.php.

 

demo6_cf-mod.tar.gz

Edited December 8, 2012 by Christian F.

[MDCode]

Just post it here in this thread, SocialCloud, so that others might benefit from it as well.

 

Sorry it took so long, but here we go...please take into consideration the following quote before downloading (too many files, so it has to be provided as an attachment) Before complaining or asking question, please refer to README.txt provided in the download

But I will tell you now it will be somewhat basic

 

Basic_Login_Registration_v1.0.zip

[dlc3172]

Thanks, Christian and SocialCloud. I'll check out both these scripts. I appreciated your help!!!!

[dlc3172]

Hey guys,

 

I decided to purchase a login/registration script, because it lets me redirect users to whatever specific page I want. I confirmed with the author that it's compliant with the latest security standards (encryption, salting, etc.).

 

In the meantime, even with this new script I'm having trouble sending email with php (you may remember that this was my original reason for posting! ). I posted a new thread in this forum, if you're interested in checking it out.