Login-Redirect no longer working in PHP 5.3

[dorkus99]

Hello All
I would appreciate any help anyone could give me in solving this issue.
I have been using this Login-Redirect script from mpdolan, and it was working perfectly fine.  However, my web host has recently just upgraded from php 5.2 to php 5.3 (php 5.3.18 to be exact) and now the redirect function no longer properly works. Unfortunately, the guy who made the script is not responding to any requests for help and has since removed any links to download the script from his site. If you would like the zip file with all the required files I would be happy to upload it to a dropbox or something.
 
Just note, i'm pretty much a noob here.  I know just a little bit about this stuff, but not a lot.  I've tried everything I can think of to find the problem, but with no reasonable luck.  I'll go through what I tried below.
 
Here are parts of the script, let me know if you need more...
 
The html login page references the following php file
 
redirect.php

<?

//prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter();

session_start();

//clear session variables
session_unset();


//require the functions file
require ("config.php");
require ("functions.php");

//check to see if cookies are already set, remember me
if ((!$lr_user) || (!$lr_pass))
{

$username = $_POST[username];
$password = $_POST[password];

}else{

$username = $lr_user;
$password = $lr_pass;

}

//if username or password is blank, send to errorlogin.html
if ((!$username) || (!$password))
{

    header("Location:$base_dir/errorlogin.html");
    exit;
}

//sets cookies to remember this computer if the user asks to
if ($_POST[remember] == "Yes")
{
setcookie("lr_user", $username, $duration, "/", $domain);
setcookie("lr_pass", $password, $duration, "/", $domain);
}

if ($_POST[activate] == "Yes")
{
        //make the connection to the database
        $connection = @mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
        $db = @mysql_select_db($db_name,$connection)or die(mysql_error());
                
        //build and issue the query
        $sql ="UPDATE $table_name SET verified = '1' WHERE username = '$_POST[username]'";
        $result = @mysql_query($sql,$connection) or die(mysql_error());
}

//sets session variables
sess_vars($base_dir, $server, $dbusername, $dbpassword, $db_name, $table_name, $username, $password);

//check to see if the user has to change their password
if ($_SESSION[pchange] == "1")
{
    $_SESSION[redirect] = "$base_dir/pass_change.html";
}

//check to see if the user has activated the account
if ($_SESSION[verified] == "0")
{
    $_SESSION[redirect] = "$base_dir/not_activated.html";
}

//make the connection to the database
$connection = @mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
$db = @mysql_select_db($db_name,$connection)or die(mysql_error());
        
//build and issue the query
$sql ="SELECT * FROM banned";
$result = @mysql_query($sql,$connection) or die(mysql_error());

while ($sql = mysql_fetch_object($result))
    {
    $banned = $sql -> no_access;
    if ($username == $banned || $REMOTE_ADDR == $banned)
        {
            include ('banned.html');
            exit;
        }
    }

$last_log = last_login();

//updates table with last log as now
$sql = "UPDATE $table_name SET last_login = '$last_log' WHERE username = '$_SESSION[user_name]'";
$result = @mysql_query($sql,$connection) or die(mysql_error());

if (($_SESSION[redirect] != "$base_dir/errorlogin.html") && ($log_login == "1"))
{
    include('loglogin.php');
}

//redirects the user    
header("Location:$_SESSION[redirect]");

?>

<head><title>Redirect</title></head>

in the redirect file, the following two files are required

note: I have replaced any personal info with ***** (5 asterisk)

 

 

config.php

<?php

//set up the names of the database and table
$db_name ="*****_UsersLogin";
$table_name ="authorize";

//connect to the server and select the database
$server = "localhost";
$dbusername = "*****";
$dbpassword = "*****";

//domain information
$domain = ".*****.ca";

//Change to "0" to turn off the login log
$log_login = "1";

//base_dir is the location of the files, ie http://www.yourdomain/login
$base_dir = "http://www.*****.ca/Client";

//length of time the cookie is good for - 7 is the days and 24 is the hours
//if you would like the time to be short, say 1 hour, change to 60*60*1
$duration = time()+(60*60*24*30);

//the site administrator\'s email address
$adminemail = "*****@gmail.com";

//sets the time to EST
$zone=3600*-5;

//do you want the verify the new user through email if the user registers themselves?
//yes = "0" :  no = "1"
$verify = "0";

//default redirect, this is the URL that all self-registered users will be redirected to
$default_url = "http://www.*****.ca";

//minimum and maximum password lengths
$min_pass = 4;
$max_pass = 20;


$num_groups = 0+2;
$group_array = array("Users","Administrators");

?>

functions.php

<?php

//function to get the date
function last_login()
{
    $date = gmdate("Y-m-d");
    return $date;
}

//function that sets the session variable
function sess_vars($base_dir, $server, $dbusername, $dbpassword, $db_name, $table_name, $user, $pass)
{


    //make connection to dbase
    $connection = @mysql_connect($server, $dbusername, $dbpassword)
                or die(mysql_error());
                
    $db = @mysql_select_db($db_name,$connection)
                or die(mysql_error());
                
    $sql = "SELECT * FROM $table_name WHERE username = '$user' and password = password('$pass')";

    $result = @mysql_query($sql, $connection) or die(mysql_error());


    //get the number of rows in the result set
    $num = mysql_num_rows($result);

    //set session variables if there is a match
    if ($num != 0)
    {
        while ($sql = mysql_fetch_object($result))
        {
            $_SESSION[first_name]     = $sql -> firstname;
            $_SESSION[last_name]     = $sql -> lastname;
            $_SESSION[user_name]     = $sql -> username;       
            $_SESSION[password]     = $sql -> password;
            $_SESSION[group1]         = $sql -> group1;
            $_SESSION[group2]         = $sql -> group2;
            $_SESSION[group3]         = $sql -> group3;
            $_SESSION[pchange]        = $sql -> pchange;  
            $_SESSION[email]         = $sql -> email;
            $_SESSION[redirect]        = $sql -> redirect;
            $_SESSION[verified]        = $sql -> verified;
            $_SESSION[last_login]    = $sql -> last_login;
        }
    }else{
        $_SESSION[redirect] = "$base_dir/errorlogin.html";
    }
}

//functions that will determine if access is allowed
function allow_access($group)
{
    if ($_SESSION[group1] == "$group" || $_SESSION[group2] == "$group" || $_SESSION[group3] == "$group" ||
        $_SESSION[group1] == "Administrators" || $_SESSION[group2] == "Administrators" || $_SESSION[group3] == "Administrators" ||
        $_SESSION[user_name] == "$group")
        {
            $allowed = "yes";
        }else{
            $allowed = "no";
        }
    return $allowed;
}

//function to check the length of the requested password
function password_check($min_pass, $max_pass, $pass)
{

    $valid = "yes";
    if ($min_pass > strlen($pass) || $max_pass < strlen($pass))
    {
        $valid = "no";
    }

    return $valid;
}

?>

For the redirected link to be secure and only someone who has logged in with the proper credentials can see it, I am required to put the following php code on the redirected page

<?php

//prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter();
session_start();

//this should the the absolute path to the config.php file
//(ie /home/website/yourdomain/login/config.php or
//the location in relationship to the page being protected - ie ../login/config.php )
require('/home/*****/public_html/Client/config.php');

//this should the the absolute path to the functions.php file - see the instrcutions for config.php above
require('/home/*****/public_html/Client/functions.php');

//this is group name or username of the group or person that you wish to allow access to
// - please be advise that the Administrators Groups has access to all pages.
if (allow_access(Users) != "yes")
{                       

//this should the the absolute path to the no_access.html file - see above                                     
include ('/home/*****/public_html/Client/no_access.html');
exit;
}
?>

So.. before the update to php 5.3 this code worked flawlessly.  Clients would login with their username and password on my site, and it would redirect them to the php page with their content that included the code above.  Now after the update what happens is, even after using a correct username/password combination the no_access.html (see below) page is displayed instead, but the link displayed in the browser IS the correct redirected link!

What's also strange is, if you then try to login again since this page has the form to do so, you get a 404 error because it is trying to find the redirect.php file in the redirected link instead of the website.ca/Client/ dir it is actually in.

So, I tried to put a copy of the redirect.php, config.php, functions.php and a few others in the redirected link directory just for kicks, and tried again and it works!  The problem is, the client basically has to login twice.. the first time always fails, but sends them to the redirected link, then when they try again IF I also put those files into their directory then it will work on this second try.

 

So, I am at a loss as to what is going on here, and would appreciate any help on getting this up and running properly again on php 5.3

 

Many thanks!

 

 

no_access.html

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>NO ACCESS ALLOWED</title>
</head>

<body>

<b><font size="6">Access Denied!!!</font></b><p>Please login with proper
credentials:</p>
<FORM METHOD="POST" ACTION="redirect.php">
<P><font face="Verdana" size="2" color="#2852A8"><STRONG>Username:</STRONG><BR>
</font><font color="#2852A8" face="Verdana">
<INPUT TYPE="text" NAME="username" SIZE=25 MAXLENGTH=25></font></p>
<P><font face="Verdana" size="2" color="#2852A8"><STRONG>Password:</STRONG><BR>
</font><font color="#2852A8" face="Verdana">
<INPUT TYPE="password" NAME="password" SIZE=25 MAXLENGTH=25></font></p>
<P><font face="Verdana"><font color="#2852A8">
<input type="checkbox" name="remember" value="Yes"></font><font size="2" color="#2852A8">Remember
me from this computer</font></font></p>
<P><font color="#2852A8">
<INPUT TYPE="submit" NAME="submit" VALUE="Login" style="font-family: Verdana"></font></P>
</FORM>
<p> </p>

</body>

</html>

[Jacques1]

Hi,

 

I'm sorry to tell you, but this code is just awful from top to bottom. It's a walking security vulnerability and pretty much a collection of every mistake you can make in PHP.

 

There's zero protection against SQL injections. Anybody can manipulate your queries and fetch any data they want, including all passwords. Even worse, the script stores the passwords as plaintext. Not only in the database, but also in the session files and a cookie. What – the – f*ck? Seriously, who would do this? Every schoolkid understands that passwords must be protected.

 

I'm sure you could find plenty of other vulnerabilities if you look closer. The code is generally very, very poor with tons of obsolete stuff and bad practices.

 

If you're serious about your server and your users, you must take this down now. I know, this sucks. But getting your server hacked and all passwords stolen sucks even more. And now that your code is public, I wouldn't be surprised if people actively start looking for your website as an easy target.

 

Seriously, take this offline. I'm sure we can help you find a secure alternative.

[dorkus99]

There's zero protection against SQL injections. Anybody can manipulate your queries and fetch any data they want, including all passwords. Even worse, the script stores the passwords as plaintext. Not only in the database, but also in the session files and a cookie. What – the – f*ck? Seriously, who would do this? Every schoolkid understands that passwords must be protected.

 

I'm sure you could find plenty of other vulnerabilities if you look closer. The code is generally very, very poor with tons of obsolete stuff and bad practices.

 

If you're serious about your server and your users, you must take this down now. I know, this sucks. But getting your server hacked and all passwords stolen sucks even more. And now that your code is public, I wouldn't be surprised if people actively start looking for your website as an easy target.

 

Seriously, take this offline. I'm sure we can help you find a secure alternative.

 

Hi Jacques1

 

Thank you for your info.  If there was anything important on my site, i'd be worried.. but really there isent anything of any use to anyone else.  But yes, I agree.. if it is as bad as you say then I would love some input on a better alternative and the few redirects I have, have been taken down.  I need something that will allow a client to login with a username/password which will then redirect them to a page of my choosing that contains their data.  I'd also like the page that is being redirected to only be accessible by someone who has first logged in.   Do you know of any other free code out there that is secure that I could use to do this? I'm a noob so I have no idea how to code any of this myself.  Many thanks again for your help!

[dorkus99]

Sooo.. can anyone help me find an alternative?