Trouble with login script

[WAMFT1]

Hi There

 

I am trying to create a login screen within a framed site that when you log in it takes you to a new page for the portal. When I enter the login credentials the frame I am working in goes blank and does not take me to the portal. Can someone please help me out with the coding I have. 

 

The coding itself has 2 parts... 1) login and 2) if already logged in gives you a button to open to portal.

<?		if(isset($_POST['submit'])){
			//protect the posted value then store them to variables
			$Username = protect($_POST['Username']);
			$Password = protect(sha1($_POST['Password']));
 
			//Check if the username or password boxes were not filled in
			if(!$Username || !$Password){
				//if not display an error message
				echo "<center>Please enter your <b>Username</b> and <b>Password</b>!</center>";
			}else{
				//if the were continue checking
 
				//select all rows from the table where the username matches the one entered by the user
				$res = mysql_query("SELECT * FROM `eusers` WHERE `Username` = '".$Username."'");
				$num = mysql_num_rows($res);
 
				//check if there was not a match
				if($num == 0){
					//if not display an error message
					echo "<center>The <b>Username</b> or <b>Password</b> you supplied is incorrect!</center>";
				}else{
					//if there was a match continue checking
 
					//select all rows where the username and password match the ones submitted by the user
					$res = mysql_query("SELECT * FROM `eusers` WHERE `Username` = '".$Username."' AND `Password` = '".$Password."'");
					$num = mysql_num_rows($res);
 
					//check if there was not a match
					if($num == 0){
						//if not display error message
						echo "<center>The <b>Username</b> or <b>Password</b> you supplied is incorrect!</center>";
					}else{
						//if there was continue checking
 
						//split all fields fom the correct row into an associative array
						$row = mysql_fetch_assoc($res);
 
						//check to see if the user has not activated their account yet
						if($row['Active'] != 1){
							//if not display error message
							echo "<center>Your login has been <b>deactivated</b>, Please contact Website Administrator for assistance.</center>";
						}else{
							//if they have log them in
 
							//set the login session storing there id - we use this to see if they are logged in or not
							$_SESSION['uid'] = $row['id'];
							//show message
							echo "<center>You have successfully logged in!</center>";
 
							//update the online field to 50 seconds into the future
							$time = date('U')+50;
							mysql_query("UPDATE `eusers` SET `Online` = '".$time."' WHERE `id` = '".$_SESSION['uid']."'");
 
							//redirect them to the usersonline page
							echo"<a target=\'_blank\" href='portal/index2.php'></a>";?>

<?php		if(isset($_POST['submit2'])){
							//update the online field to 50 seconds into the future
							$time = date('U')+50;
							mysql_query("UPDATE `eusers` SET `Online` = '".$time."' WHERE `id` = '".$_SESSION['uid']."'");
 
							//redirect them to the usersonline page
							echo"<script type='text/javascript' language='Javascript'>window.open('portal/index2.php');</script>";}}}}}}?>

<?php
 include "portal/edb.php";
		//if the login session does not exist therefore meaning the user is not logged in
		if(strcmp($_SESSION['uid'],"") == 0){
			//display and error message
		echo "<form name='main.php' method='post' action=''>
         <table bgcolor='#FFFFFF' width='320' border='0' align='center' cellpadding='0' cellspacing='0'>
          <tr> <td ><table border='0' align='center' cellpadding='2' cellspacing='0' class='page-border'>
           <tr><td colspan='2' class='text_heading_center'>Portal</td>
          </tr>
             <tr> <td width='100' class='text_standard_right'>Username:</td>
              <td width='150' class='text_standard_right'><input name='Username' type='text' class='text_standard_left' /></td>
             </tr>
            <tr> <td class='text_standard_right'>Password:</td>
               <td class='text_standard_right'><input name='Password' type='password' class='text_standard_left' /></td>
             </tr>
             <tr> <td height='29' colspan='2' align='right'><input type='submit' name='submit' value='Login' /></td>
           </tr>
		   </table>";
		  }else{			
		  $time = date('U')+50;
			$update = mysql_query("UPDATE `eusers` SET `Online` = '".$time."' WHERE `id` = '".$_SESSION['uid']."'");
			$id =$_REQUEST['id'];
			$result=mysql_query("SELECT * FROM `eusers` WHERE id='".$_SESSION['uid']."'");
		  print"<form name='main.php' method='post' action=''>";
		  print"<br/>";
		  print"You are already logged into the Portal";
		  print"<br/>";
		  print"Click here to return the the Portal";
 		  print"<br/>";
		  print"<input name='submit2' type='button' value='Return to Portal' />";
		  print"</form>";
}?>

[benanamen]

The coding you have is obsolete and will not work at all in the latest version of Php. You need to us PDO or Mysqli.

 

Besides that, your flow is a mess. Why are you checking the login info twice?

Edited October 8, 2015 by benanamen

[seandisanti]

Benanamen beat me to it. I would say to go with pdo http://php.net/pdo https://www.youtube.com/watch?v=dF8hoPj-1bc is a good quick video to help explain it. Once that's done, you should attack your issue in the opposite order. #2 first, and then #1. It will be easiest to code your login bypass if you're able to assume that the user is already logged in, and once that's done and you begin working on the login, you'll know when it's working because it'll send you through via the passthrough  you will already know works.

[QuickOldCar]

I agree with the others, nothing you have there is current or secure.

Time to rewrite this script, a lot of users would be mad if they knew what they were signing into.

 

Look into password_hash and password_verify.

 

Not sure what your protect function does, always escape input for your queries.

Use mysqli_real_escape_string with mysqli or pdo and prepared statements