
Trouble with login script


WAMFT1


Hi There

 

I am trying to create a login screen within a framed site that when you log in it takes you to a new page for the portal. When I enter the login credentials the frame I am working in goes blank and does not take me to the portal. Can someone please help me out with the coding I have. 

 

The coding itself has 2 parts... 1) login and 2) if already logged in gives you a button to open to portal.

<?		if(isset($_POST['submit'])){
			//protect the posted value then store them to variables
			$Username = protect($_POST['Username']);
			$Password = protect(sha1($_POST['Password']));
 
			//Check if the username or password boxes were not filled in
			if(!$Username || !$Password){
				//if not display an error message
				echo "<center>Please enter your <b>Username</b> and <b>Password</b>!</center>";
			}else{
				//if the were continue checking
 
				//select all rows from the table where the username matches the one entered by the user
				$res = mysql_query("SELECT * FROM `eusers` WHERE `Username` = '".$Username."'");
				$num = mysql_num_rows($res);
 
				//check if there was not a match
				if($num == 0){
					//if not display an error message
					echo "<center>The <b>Username</b> or <b>Password</b> you supplied is incorrect!</center>";
				}else{
					//if there was a match continue checking
 
					//select all rows where the username and password match the ones submitted by the user
					$res = mysql_query("SELECT * FROM `eusers` WHERE `Username` = '".$Username."' AND `Password` = '".$Password."'");
					$num = mysql_num_rows($res);
 
					//check if there was not a match
					if($num == 0){
						//if not display error message
						echo "<center>The <b>Username</b> or <b>Password</b> you supplied is incorrect!</center>";
					}else{
						//if there was continue checking
 
						//split all fields fom the correct row into an associative array
						$row = mysql_fetch_assoc($res);
 
						//check to see if the user has not activated their account yet
						if($row['Active'] != 1){
							//if not display error message
							echo "<center>Your login has been <b>deactivated</b>, Please contact Website Administrator for assistance.</center>";
						}else{
							//if they have log them in
 
							//set the login session storing there id - we use this to see if they are logged in or not
							$_SESSION['uid'] = $row['id'];
							//show message
							echo "<center>You have successfully logged in!</center>";
 
							//update the online field to 50 seconds into the future
							$time = date('U')+50;
							mysql_query("UPDATE `eusers` SET `Online` = '".$time."' WHERE `id` = '".$_SESSION['uid']."'");
 
							//redirect them to the usersonline page
							echo"<a target=\'_blank\" href='portal/index2.php'></a>";?>

<?php		if(isset($_POST['submit2'])){
							//update the online field to 50 seconds into the future
							$time = date('U')+50;
							mysql_query("UPDATE `eusers` SET `Online` = '".$time."' WHERE `id` = '".$_SESSION['uid']."'");
 
							//redirect them to the usersonline page
							echo"<script type='text/javascript' language='Javascript'>window.open('portal/index2.php');</script>";}}}}}}?>
<?php
 include "portal/edb.php";
		//if the login session does not exist therefore meaning the user is not logged in
		if(strcmp($_SESSION['uid'],"") == 0){
			//display and error message
		echo "<form name='main.php' method='post' action=''>
         <table bgcolor='#FFFFFF' width='320' border='0' align='center' cellpadding='0' cellspacing='0'>
          <tr> <td ><table border='0' align='center' cellpadding='2' cellspacing='0' class='page-border'>
           <tr><td colspan='2' class='text_heading_center'>Portal</td>
          </tr>
             <tr> <td width='100' class='text_standard_right'>Username:</td>
              <td width='150' class='text_standard_right'><input name='Username' type='text' class='text_standard_left' /></td>
             </tr>
            <tr> <td class='text_standard_right'>Password:</td>
               <td class='text_standard_right'><input name='Password' type='password' class='text_standard_left' /></td>
             </tr>
             <tr> <td height='29' colspan='2' align='right'><input type='submit' name='submit' value='Login' /></td>
           </tr>
		   </table>";
		  }else{			
		  $time = date('U')+50;
			$update = mysql_query("UPDATE `eusers` SET `Online` = '".$time."' WHERE `id` = '".$_SESSION['uid']."'");
			$id =$_REQUEST['id'];
			$result=mysql_query("SELECT * FROM `eusers` WHERE id='".$_SESSION['uid']."'");
		  print"<form name='main.php' method='post' action=''>";
		  print"<br/>";
		  print"You are already logged into the Portal";
		  print"<br/>";
		  print"Click here to return the the Portal";
 		  print"<br/>";
		  print"<input name='submit2' type='button' value='Return to Portal' />";
		  print"</form>";
}?>

Benanamen beat me to it. I would say to go with PDO (http://php.net/pdo); https://www.youtube.com/watch?v=dF8hoPj-1bc is a good quick video to help explain it. Once that's done, you should attack your issue in the opposite order. #2 first, and then #1. It will be easiest to code your login bypass if you're able to assume that the user is already logged in, and once that's done and you begin working on the login, you'll know when it's working because it'll send you through via the passthrough you will already know works.


I agree with the others, nothing you have there is current or secure.

Time to rewrite this script, a lot of users would be mad if they knew what they were signing into.

 

Look into password_hash and password_verify.

 

Not sure what your protect function does; always escape input for your queries.

Use mysqli_real_escape_string with mysqli or PDO and prepared statements.

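The replies above point to PDO prepared statements and password_hash / password_verify. The following is an added example, not code from any poster in this thread: it reuses the `eusers` table and its `Username`, `Password`, `Active` and `id` columns from the posted script, while `attempt_login()`, the in-memory SQLite database and the sample rows are assumptions made so it runs on its own.

```php
<?php
declare(strict_types=1);

// Added example. Table and column names follow the posted script;
// attempt_login() and the demo rows below are hypothetical.
function attempt_login(PDO $pdo, string $username, string $password): ?int
{
    // The placeholder keeps user input out of the SQL text, so the query
    // does not depend on an escaping helper such as protect().
    $stmt = $pdo->prepare(
        'SELECT id, Password, Active FROM eusers WHERE Username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so the
    // unknown-user and wrong-password paths do comparable work.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy', PASSWORD_DEFAULT);
    $hash = $row ? $row['Password'] : $dummy;

    if (!password_verify($password, $hash) || !$row) {
        return null;    // one result for bad username or bad password
    }
    if ((int) $row['Active'] !== 1) {
        return null;    // deactivated account
    }
    return (int) $row['id'];
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE eusers (id INTEGER PRIMARY KEY,
            Username TEXT UNIQUE, Password TEXT, Active INTEGER)');
$add = $pdo->prepare(
    'INSERT INTO eusers (Username, Password, Active) VALUES (?, ?, ?)'
);
$add->execute(['alice',  password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$add->execute(['bob',    password_hash('hunter2', PASSWORD_DEFAULT), 0]);
$add->execute(["o'neil", password_hash('s3cret', PASSWORD_DEFAULT), 1]);

var_dump(attempt_login($pdo, 'alice', 'correct horse')); // valid credentials
var_dump(attempt_login($pdo, 'alice', 'wrong'));         // wrong password
var_dump(attempt_login($pdo, 'nobody', 'x'));            // unknown user
var_dump(attempt_login($pdo, 'bob', 'hunter2'));         // inactive account
var_dump(attempt_login($pdo, "o'neil", 's3cret'));       // quote is plain data
```

In a web request the caller would call `session_regenerate_id(true)` and then store the returned id in `$_SESSION['uid']`. Existing `sha1()` values in the `Password` column will not pass `password_verify()`, so those accounts need a password reset or a rehash at next login.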
