willc Posted March 13, 2008 Share Posted March 13, 2008 Hello, I am trying to create simple log in script using sessions. The browser is not cooperating so I'm clearly doing something wrong. I keep getting kicked back to the log-in page. Thanks for your help! Will Here is my code for the main login page: <? session_start(); if ($_SESSION['access'] == true) { header("location:URL to members only page"); } ?> HTML for log-in form.... <form name="form1" method="post" action="checklogin2.php"> Here is the code for the checking of the log-in (checklogin2.php): <?php session_start(); $host=xxxxx"; $username="xxxxx"; $password="xxxxx"; $db_name="xxxxx"; $tbl_name="xxxxx"; mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $myusername=strtoupper($_POST['myusername']); $mypassword=$_POST['mypassword']; $sql="SELECT * FROM $tbl_name WHERE UPPER(lastname) LIKE '%$myusername%' and membernum='$mypassword'"; $count=mysql_num_rows($result); if($count==1){ $_SESSION['access'] == true; header("Location: url to members only page"); } else { echo "Wrong Username or Password"; } ?> Finally, here is the code for the members only page: <?php session_start(); if ($_SESSION['access'] !== true) { header("location:back to main login page"); } ?> HTML of members only page Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted March 13, 2008 Share Posted March 13, 2008 "The browser is not cooperating" what do you mean???????????? Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted March 13, 2008 Share Posted March 13, 2008 the problem is probably this: $_SESSION['access'] == true; Quote Link to comment Share on other sites More sharing options...
willc Posted March 13, 2008 Author Share Posted March 13, 2008 Sorry yes, the browser keeps kicking me back to the log-in page so there is something going on with $_Session. But I'm unsure of how to fix it. Any ideas? Quote Link to comment Share on other sites More sharing options...
discomatt Posted March 13, 2008 Share Posted March 13, 2008 Echo your query and post please.. Also, do not rely on session data alone. Session data is normally stored in cookies, and the end user can modify those as he/she pleases. Also also.... the LIKE '%$myusername%' is not the best way of a secondary verification. Imagine 2 people use the same password? Unless you're using hashing with a random salt, (it doesn't seem like it) you can wind up with multiple results returned, which would cause your num_rows==1 to return false. Also, you scripts are wide open to injection. I could enter this into the 'mypassword' field: somestring' OR 1=1 LIMIT '1 So your query would be like this: SELECT * FROM `table` WHERE `something`='something' AND `password`='somestring' OR 1=1 LIMIT '1' This would always return 1 row, and thus the attacker has logged in. check out mysql_real_escape_string() Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted March 13, 2008 Share Posted March 13, 2008 the problem is probably this: $_SESSION['access'] == true; by which I mean you attempt to assign the value of true to $_SESSION['access'], but instead you use the comparison operator. should be: $_SESSION['access'] = true; Quote Link to comment Share on other sites More sharing options...
willc Posted March 13, 2008 Author Share Posted March 13, 2008 Echo your query and post please.. I'm such a noob and am afraid I don't know how to do that. Also, do not rely on session data alone. Session data is normally stored in cookies, and the end user can modify those as he/she pleases. What do you recommend? Any links to tutorials that you know are good? Again, I'm pretty new at this and really don't know the best way to make this secure. Also also.... the LIKE '%$myusername%' is not the best way of a secondary verification. Imagine 2 people use the same password? Unless you're using hashing with a random salt, (it doesn't seem like it) you can wind up with multiple results returned, which would cause your num_rows==1 to return false. I'm just trying to get the username to match what's in the database. Also, you scripts are wide open to injection. I could enter this into the 'mypassword' field: somestring' OR 1=1 LIMIT '1 So your query would be like this: SELECT * FROM `table` WHERE `something`='something' AND `password`='somestring' OR 1=1 LIMIT '1' This would always return 1 row, and thus the attacker has logged in. check out mysql_real_escape_string() I will check that out. Thanks and sorry for the questions. Quote Link to comment Share on other sites More sharing options...
willc Posted March 13, 2008 Author Share Posted March 13, 2008 the problem is probably this: $_SESSION['access'] == true; by which I mean you attempt to assign the value of true to $_SESSION['access'], but instead you use the comparison operator. should be: $_SESSION['access'] = true; Thank you, I will try that. Actually, shouldn't I assign true using "==" if the username and password are correct? And then I use "=" on the other pages? Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted March 13, 2008 Share Posted March 13, 2008 == is never assignment. it is always comparison. = is an assignment. $a = "hello world"; if ($a == "hello world") { echo $a; } else { echo "$a is not hello world."; } output: hello world your use of !== true is correct. it appears it's just the assignment that is wrong. Quote Link to comment Share on other sites More sharing options...
willc Posted March 13, 2008 Author Share Posted March 13, 2008 Blue, Thank you, that worked! Any suggestions on how I can tighten up the security and other issues re: discomatt's points above? Much obliged. Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted March 13, 2008 Share Posted March 13, 2008 Well, first, session data is not typically stored in cookies. it is always stored on the server. only the session identifier is stored in a cookie, passed within the url if cookies are turned off. I rely on sessions for everything. the only danger may be if someone has access to /tmp or wherever the session data is kept. if that's a problem stealing sessions is the last of your worries. the second point, check out mysql_real_escape_string() is a good idea. you should look into using that function on all user-entered data. Quote Link to comment Share on other sites More sharing options...
willc Posted March 13, 2008 Author Share Posted March 13, 2008 Thank you my friend. I will look into that. Really appreciate the help. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.