
Log In Problems to an Admin Page


AndrewJ1313


Hello to everyone! I am new to this site and hope that someone can help me.

 

I have developed a web site for a friend who is the pastor of a church. There are sections of this site that will need to be updated on a regular basis, so I used PHP and MySQL to create a site that he could update using forms in an Admin section. The site is live and everything works great; all of the dynamic content from the database displays properly. The problem I am having is logging in to the Admin section. When I try, I am redirected to the error message I created in case an unauthorized user tries to access a restricted page. If I disable the page restrictions on the admin page, then I can log in just fine, but this is not a long-term option. I have uploaded the same site to another server and replicated the database as a MySQL 4.1 database. The log in function works fine, but on my friend's server, it will not work no matter what I do (the database is MySQL 5). It appears that the log in as far as username and password works fine; it's the levels on the admin page itself that are causing the problems. I am clearly able to connect to the database and retrieve information from it, but I am not able to log in to the Admin section.

 

The server my friend's site is hosted on is 3Essentials and the MySQL 5 database is driven by Plesk, if that helps.

 

Any and all feedback is most appreciated.

 

Thank you,

Andrew

 


We are going to need to see the relevant code.

 

My guess would be that you're using MySQL's PASSWORD() function to encrypt the passwords. MySQL's PASSWORD() function may (as it states in the manual) use a different algorithm between MySQL versions, hence should not be used within client code.

We are going to need to see the relevant code.

 

From the Log In page or the Initial Admin Page?

 

I should have specified too, there are two error messages on my Log In page: one is generated when someone enters the wrong username/password, the other is generated when someone tries to directly access a page with restrictions. When I use my log in information, I receive the latter error which tells me that Log In is working but something in the page restrictions on the Admin Page is incorrect.

From the Log In page or the Initial Admin Page?

 

Whatever is relevant. We don't need pages of code, just the relevant snippets. Can we see the query that validates a username/password combination for login?

 

This is the code from the Log In page. I used the "Log In User" server behavior in Dreamweaver, so I'm not sure how much of this is relevant.

<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['user'])) {
  $loginUsername=$_POST['user'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "type";
  $MM_redirectLoginSuccess = "admin.php";
  $MM_redirectLoginFailed = "loggin.php?error=Log In Failed";
  $MM_redirecttoReferrer = true;
  mysql_select_db($database_conn_jnaz, $conn_jnaz);
  	
  $LoginRS__query=sprintf("SELECT User, Password, type FROM tbl_admin WHERE User='%s' AND Password='%s'",
  get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 
   
  $LoginRS = mysql_query($LoginRS__query, $conn_jnaz) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    
    $loginStrGroup  = mysql_result($LoginRS,0,'type');
    
    //declare two session variables and assign them
    $GLOBALS['MM_Username'] = $loginUsername;
    $GLOBALS['MM_UserGroup'] = $loginStrGroup;	      

    //register the session variables
    session_register("MM_Username");
    session_register("MM_UserGroup");

    if (isset($_SESSION['PrevUrl']) && true) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

 

===============================

This is the code from the Admin page restricting access, again using a built in server behavior from Dreamweaver.

 

<?php
session_start();
$MM_authorizedUsers = "Admin,Worker";
$MM_donotCheckaccess = "false";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session variable is blank. 
  if (!empty($UserName)) { 
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. 
    // Parse the strings into arrays. 
    $arrUsers = Explode(",", $strUsers); 
    $arrGroups = Explode(",", $strGroups); 
    if (in_array($UserName, $arrUsers)) { 
      $isValid = true; 
    } 
    // Or, you may restrict access to only certain users based on their username. 
    if (in_array($UserGroup, $arrGroups)) { 
      $isValid = true; 
    } 
    if (($strUsers == "") && false) { 
      $isValid = true; 
    } 
  } 
  return $isValid; 
}

$MM_restrictGoTo = "loggin.php?error=access denied";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {   
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0) 
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo); 
  exit;
}
?>

Sorry, but Dreamweaver code is an absolute nightmare. I really don't want to even look at that, especially while it's not between [code][/code] tags.

 

Sorry, I didn't realize I could put tags around the code. I corrected it above.

Is there anywhere I can get/learn a log in and validation script I can write myself?

I have been trying to work through this and discovered a few things:

1) I was developing with DW MX2004 and my testing server is using MySQL 4.1 & PHP 4.x

2) The live server uses MySQL 5.x and PHP 5

 

I see that DW MX2004 generates some code in the Log In server behavior that breaks up in PHP5. I made changes to the code such as replacing

  $GLOBALS['MM_Username'] = $loginUsername;
  $GLOBALS['MM_UserGroup'] = $loginStrGroup;

with

  $_SESSION['MM_Username'] = $loginUsername;
  $_SESSION['MM_UserGroup'] = $loginStrGroup;

and others.

Here is the new code I have on my Log In page:

<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['user'])) {
  $loginUsername=$_POST['user'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "type";
  $MM_redirectLoginSuccess = "admin.php";
  $MM_redirectLoginFailed = "login.php?error=Log In Failed";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_conn_jnaz, $conn_jnaz);
  	
  $LoginRS__query=sprintf("SELECT * FROM tbl_admin WHERE `User`=%s AND Password=%s",
  GetSQLValueString($loginUsername, "-1"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $conn_jnaz) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    
    $loginStrGroup  = mysql_result($LoginRS,0,'type');
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

Now when I try to log in, I go to a blank page with the following text, "Unknown column 'username_from_form' in 'where clause' "

 

I also had to adjust some $GLOBALS in the admin page. I cannot find anything in the above code that would cause this error message. Can anyone offer me an idea, or point me in the right direction?

 

Many thanks,

Andrew
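
Added example, not part of the original thread: MySQL reports "Unknown column '...'" when a string value reaches the query without quotes, which is what happens if `GetSQLValueString()` (not shown in the thread; assumed here to be the stock Dreamweaver helper, which adds quotes only for the type "text") is called with "-1" for the user name. The code below avoids manual quoting by using bound parameters and checks a stored hash with `password_verify()` instead of comparing a plain-text password in the WHERE clause. The table and column names come from the posts; the function names, the SQLite in-memory database (requires pdo_sqlite) and the sample accounts are constructed for illustration.

```php
<?php
// Added example, not code from the thread. tbl_admin, User, Password and
// type are the names used in the posts; everything else is hypothetical.
declare(strict_types=1);

// Returns the user's group ("type") on success, null on any failure.
function check_login(PDO $db, string $user, string $password): ?string
{
    // Bound parameter: the driver handles quoting, so the user name can
    // never be parsed as a column name or as SQL.
    $stmt = $db->prepare('SELECT Password, type FROM tbl_admin WHERE User = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash in PHP, not in the WHERE clause.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    return $row['type'];
}

// Same rule as the admin page: the group must be in the allowed list.
function is_authorized(?string $group, array $allowed): bool
{
    return $group !== null && in_array($group, $allowed, true);
}

// Constructed test database and accounts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_admin (User TEXT PRIMARY KEY, Password TEXT, type TEXT)');
$ins = $db->prepare('INSERT INTO tbl_admin VALUES (?, ?, ?)');
$ins->execute(['pastor', password_hash('correct horse', PASSWORD_DEFAULT), 'Admin']);
$ins->execute(["o'brien", password_hash('battery staple', PASSWORD_DEFAULT), 'Guest']);

$group = check_login($db, 'pastor', 'correct horse');
if (is_authorized($group, ['Admin', 'Worker'])) {
    // On the real login page, at this point:
    //   session_start(); session_regenerate_id(true);
    //   $_SESSION['MM_Username'] = $user; $_SESSION['MM_UserGroup'] = $group;
    echo "pastor: access granted ($group)\n";
}

// Wrong password, and a name containing a quote: both handled without error.
var_dump(check_login($db, 'pastor', 'wrong'));
var_dump(is_authorized(check_login($db, "o'brien", 'battery staple'), ['Admin', 'Worker']));
```

Moving an existing plain-text `Password` column to this scheme means re-storing each password with `password_hash()`; the hash needs a column of at least 60 characters, and 255 leaves room for future algorithms.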

Archived

This topic is now archived and is closed to further replies.
