
Problem with Log In Authentication


Biff


Hi All,

 

I have just set up a ready made league script - WebLeague 2 - and for some reason the log in for the admin section keeps redirecting me to the login failed page. The log in details are correct and there are no spaces either side. The details are also in the MySQL database.

 

I guess this script must work as other people have used it so I thought it might be something to do with my hosting environment? The script is hosted on a Windows server running PHP 4.4.7 and MySQL 5.0.45 - I have also tried it in PHP 5 with no luck. I have checked all the variables and everything appears to be fine. Here is the code:

 

<?
session_start();
$page = "login";
require('./../variables.php');
require('./../variablesdb.php');
require('./../top.php');
?>
<p class="header">Admin section.</p>
<?
$sql="SELECT * FROM $admintable WHERE name = '$_POST[username]' AND password = '$_POST[password]'";
$result=mysql_query($sql,$db);
$number = mysql_num_rows($result);
if ($number == "1") {
session_register("password");
session_register("username");
}
if($_SESSION[username]){
?>
<p class='text'>You are logged in as <b><? echo "$_SESSION[username]" ?></b>.</p>
<?
}
else {
if($_POST[submit]) {
?>
<p class='text'>Login failed.</p> 
<?
}
?>
<form method="post">
<table border="0" cellpadding="0">
<tr>
<td><p class='text'>Name:</p></td>
<td><input type="text" name="username" size="20" style="background-color: <?echo"$color5" ?>; border: 1 solid <?echo"$color1" ?>" class="text"></td>
</tr>
<tr>
<td><p class='text'>Password:</p></td>
<td><input type="password" name="password" size="20" style="background-color: <?echo"$color5" ?>; border: 1 solid <?echo"$color1" ?>" class="text"></td>
</tr>
<tr>
<td><input type="submit" value="Log in." name="submit" style="background-color: <?echo"$color5" ?>; border: 1 solid <?echo"$color1" ?>" class="text"></td>
</tr>
</table>
</form>
<?
}
?>
<?
require('./../bottom.php');
?>

 

If anyone can shed any light on why this is happening I would be really grateful.

 

 


Another thing you should do is escape user input.  Don't trust anything a user puts in a text field.

 

You are allowing $_POST variables in your sql

 

I would use mysql_real_escape_string on your $_POST variables and then use the clean variables in the sql

 

w3schools has a function you can use to clean user input below

 

function check_input($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!is_numeric($value))
    {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

Many thanks for your prompt replies. The single period seems to work fine, as soon as another is added the script can't find the includes. The whole app only uses "<?" and everything else works fine.

 

The script is posting the login details to itself - the index.php page. I've tried changing it to <form action="index.php" method="post"> but still get the login failed page. I also tried using <?php echo $_POST["username"]; ?> to see if it is posting the variables and it is.

 

I just can't figure out why it isn't working?

I think it's something to do with creating the session. Can someone proficient in PHP have a look at that part of the code as I am a complete noob when it comes to PHP. Maybe it is something to do with sessions on Windows servers and the code needing to be altered slightly to be compatible?

I'm not sure what you mean? I'm guessing this script works for other people as it is something I downloaded. The thing is it was written a few years ago and the site where it came from is now down. I'm guessing that the reason it doesn't work is to do with the code being a bit old or me hosting it on a Windows server. Something simple like you suggest may do the trick, but I'm not sure how to assign the variables to other variables as I am a complete novice with PHP.

One other thing is I think '$_POST[username]' does exist as if I do <?php echo $_POST["username"]; ?> on the login failed page it shows the username. I think the problem is getting it from the database and creating the session, something here:

 

<?php
$sql="SELECT * FROM $admintable WHERE name = '$_POST[username]' AND password = '$_POST[password]'";
$result=mysql_query($sql,$db);
$number = mysql_num_rows($result);
if ($number == "1") {
session_register("password");
session_register("username");
}
if($_SESSION[username]){
?>
<p class='text'>You are logged in as <b><?php echo "$_SESSION[username]" ?></b>.</p>
<?php
}
else {
if($_POST[submit]) {
?>

 

 

1: $_POST[username] does not equal $_POST["username"]. Notice your use of quotes in the second one.

 

2:

$username = $_POST['username'];
$password = $_POST['password'];
$sql="SELECT * FROM $admintable WHERE name = '$username' AND password = '$password'";

 

3: http://www.w3schools.com/php/default.asp

Thanks Haku, adding the following has done the trick. God knows why it wasn't in the original code? Would this have ever worked in the past without it?

 

$username = $_POST['username'];

$password = $_POST['password'];

 

Thanks a lot for your help.  :)

 

I take it the code that Adrock posted earlier is some sort of security to stop people posting anything dodgy in the form, how do I implement it?

 

function check_input($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!is_numeric($value))
    {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

Most scripts out there on the net are written by people who think they know how to program, but often suck. They also often have huge security holes in them. That's why I pointed you at those tutorials. It's a good place to start at the least. It's better to learn to code than to use other people's code, as you will often run into problems like this. And besides, can you really call yourself a coder/programmer if you are using someone else's code? And what happens when problems creep up in that code - you won't know how to fix them.
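
The login check discussed in this thread, rewritten as an added example (not code from any poster or from WebLeague): it binds the submitted values through a prepared statement instead of escaping them into the SQL string, and checks the password with password_verify() instead of comparing a plaintext column. The in-memory SQLite database, the admins table, the check_login() name and the sample account are assumptions made so the example runs offline; check_login() itself works unchanged with a PDO connection to MySQL.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with the SQLite
// driver (in-memory, so it runs offline), a constructed `admins` table, and
// passwords stored with password_hash() rather than in plaintext.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admins (name TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO admins (name, password_hash) VALUES (?, ?)');
$insert->execute(["o'brien", password_hash('s3cret-Example', PASSWORD_DEFAULT)]); // constructed account

/**
 * Returns the admin name on success, null on failure.
 * The SQL text is fixed and the user input is only ever bound as a
 * parameter, so quotes in it cannot change the structure of the query.
 */
function check_login(PDO $db, $username, $password): ?string
{
    if (!is_string($username) || !is_string($password)) {
        return null; // form fields can arrive as arrays; treat that as a failed login
    }
    $stmt = $db->prepare('SELECT name, password_hash FROM admins WHERE name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['name'];
}

// Constructed sample submissions, standing in for $_POST.
$requests = [
    ['username' => "o'brien", 'password' => 's3cret-Example'], // apostrophe is plain data
    ['username' => "o'brien", 'password' => 'wrong'],
    ['username' => 'nobody',  'password' => 's3cret-Example'],
    ['username' => ['x'],     'password' => 'y'],
];
foreach ($requests as $post) {
    $name = check_login($db, $post['username'] ?? null, $post['password'] ?? null);
    // On a real login page, success is where session_regenerate_id(true)
    // and $_SESSION['username'] = $name belong (session_register() is gone since PHP 5.4).
    echo $name === null ? "Login failed.\n" : 'Logged in as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ".\n";
}
```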

Archived

This topic is now archived and is closed to further replies.
