Jump to content

Issue with Login


DillimoreSO

Recommended Posts

Whats the issue with this?

<?php
//
include('config.php');

$link = mysql_connect($mysql_host, $mysql_user, $mysql_pass);
if (!$link) {
    die('System could not connect to MySQL. Please view the MySQL Error below:<br />' . mysql_error());
}
else
{
mysql_select_db($mysql_db);
}

// login code
session_start();

if($_GET['do'] == "error")
{
die("Hacking attempt detected. If you received this message in error, contact an Administrator. Administration notified.");
}
if($_GET['do'] == "guest")
{
$form_name = "Guest";
$form_pass = "imaguestaccount";
$hash_pass = md5($form_pass.$saltpass);
$check = mysql_query("SELECT * FROM logins WHERE username = '" . $form_name . "' AND password = '" . $hash_pass . "' LIMIT 1") or die(mysql_error());
$valid = mysql_num_rows($check);

    if(!empty($form_name) && !empty($form_pass)){
        if($valid > 0){
            $row = mysql_fetch_assoc($check);

            $_SESSION['acp'] = true;
            $_SESSION['hkusername'] = $row['username'];
            $_SESSION['hkpassword'] = $hash_pass;

            $my_id = $row['databaseid'];
            
// First of Andrew's IP Checker Thingy
            mysql_query("UPDATE logins SET ip = '".$ip."' WHERE databaseid = '$my_id' LIMIT 1") or die(mysql_error());
    $valid = mysql_num_rows($check);

                
            header("Location: index.php");
        } else {
            $message = ">> Invalid username or password";
        }
    } else {
        $message = ">> Please fill in all fields.";
    }

}
if($_GET['do'] == "logout")
{
session_unset();
session_destroy();
}
 else {}


if(session_is_registered(acp))
{
    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
    {
      $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
    {
      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
      $ip=$_SERVER['REMOTE_ADDR'];
    }

header("Location: index.php");
exit;
}



if($_GET['do'] == "submit")
{
    $form_name = $_POST['username'];
        $form_name = strip_tags($form_name, "'");
        $form_name = strip_tags($form_name, '"');
        $form_name = strip_tags($form_name, ";");

    $form_pass = $_POST['password'];
    $form_pass = strip_tags($form_pass, "'");
    $form_pass = strip_tags($form_pass, '"');
    $form_pass = strip_tags($form_pass, ";");

    $hash_pass = md5($form_pass.$saltpass);
     $check = mysql_query("SELECT * FROM logins WHERE username = '" . $form_name . "' AND password = '" . $hash_pass . "' LIMIT 1") or die(mysql_error());
    $valid = mysql_num_rows($check);

    if(!empty($form_name) && !empty($form_pass))
    {
        if($valid > 0)
        {
            $my_id = $row['databaseid'];
            $row = mysql_fetch_assoc($check);
            $_SESSION['acp'] = true;
            $_SESSION['hkusername'] = $row['username'];
            $_SESSION['hkpassword'] = $hash_pass;
            mysql_query("UPDATE logins SET ip = '$ip' WHERE databaseid = '$my_id' LIMIT 1") or die(mysql_error());
            $valid = mysql_num_rows($check);
            header("Location: index.php");
        }
        else
        {
            $message = ">> Invalid username or password";
        }
    }
    else
    {
        $message = ">> You didn't fill in all the fields.";
    }

} else {}





if($_GET['do'] == "logout")
{
    $message = "";
}
?>
<html>
<head>
<style type="text/css">
a { text-decoration:none }
button {
  color: #00FF00;
  border: 1px solid #00FF00;
  background: #000000;
  font-weight: bold;
}
</style>





<title>SA:DPS - Log In</title>
<embed src="thedangerzone.wav" hidden="true" autostart="true" loop="true">
</head>
<body bgcolor="black" text="00FF00" alink="00FF00" link="00FF00" vlink="00FF00">
<font face="Lucida Console">
<?php if(!empty($message))
{
    echo $message;
    echo "<br /><br /><br />";
}
?>
<br /><br /><p align=center>
<br /><br /><font color="#FFFFFF"><a href=''>CHANGELOG</a><br /></font>
<br /><br />
<form action="login.php?do=submit" method="POST" align=center>
USERNAME:   <input type="text" name="username" maxlength="20"><br />
PASSWORD:   <input type="password" name="password" maxlength="20"><br /> <br />
  <button type="submit" value="Submit">PROCEED</button>
</form>
<br /><br /><br /><br /><br /><br /><br /></font></p>
    <font face="Lucida Console" size="2">
    >
    </font>
Link to comment
https://forums.phpfreaks.com/topic/286594-issue-with-login/
Share on other sites

    $form_name = $_POST['username'];
        $form_name = strip_tags($form_name, "'");
        $form_name = strip_tags($form_name, '"');
        $form_name = strip_tags($form_name, ";");

    $form_pass = $_POST['password'];
    $form_pass = strip_tags($form_pass, "'");
    $form_pass = strip_tags($form_pass, '"');
    $form_pass = strip_tags($form_pass, ";");

This is code is very insecure, you should use mysql_real_escape_string instead (or better yet convert your code over to use PDO or mysqli and use prepared statements) to protect against sql injection. 

if(session_is_registered(acp))

session_is_registered is a deprecated function and should not be used. Instead use

if(isset($_SESSION['acp']))
Link to comment
https://forums.phpfreaks.com/topic/286594-issue-with-login/#findComment-1471030
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.