| braces in the wrong places
|
Gilead

msg:4392649 | 8:11 pm on Nov 30, 2011 (gmt 0) | This is my good ol' login page. I must either have too many braces in the wrong places or I'm just getting confused and could use another pair of eyes. Essentially, there are three main options: 1. you are an admin, 2. a user, 3. a hacker. I included documentation to help. If there's a better way to do all this, do let me know. Thanks guys!

<?php
error_reporting(E_ALL);
session_start();
include('config.php');
$user_table="users";
$admin_table="authorize";

// username and password sent from form
$myusername=mysql_real_escape_string((addcslashes($_POST['username'], "%_")));
$mypassword=mysql_real_escape_string((addcslashes($_POST['password'], "%_")));

$sql= "SELECT * FROM $admin_table WHERE username='$myusername' and password='$mypassword'";
$result= mysql_query($sql)or die("Cannot find your login credentials " . mysql_error());
$row = mysql_fetch_array($result);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    // Register $myusername, $mypassword and redirect
    $_SESSION['username']= $row['username'];
    $_SESSION['useraccess']= $row['access_level'];
    // Delete attempts from admins
    $q = "UPDATE $admin_table SET attempts = 0 WHERE username = '$myusername'";
    $delattempts= @mysql_query($q)or die(mysql_error());
    // Log date and time
    $sql = "UPDATE $admin_table SET last_login = '". date("Y-m-d h:i:s"). "' WHERE username = '$myusername'";
    $logdate = mysql_query($sql) or die(mysql_error());
    // Send to Admin index page
    header("location:/admin/index.php");
}
else {
    // If they are not found in the Admin table check the Member table
    $sql="SELECT * FROM $user_table WHERE member_login='$myusername' and member_password='$mypassword'";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    if($count==1){
        // Register $myusername, $mypassword and redirect
        $_SESSION['login']= $row['member_login'];
        $_SESSION['id']= $row['contactid'];
        $_SESSION['useraccess']= 'User';
        header("location:/main/index.php");
    }
}
// If user is not found in either place, it is wrong.
else{
    echo "Wrong Username or Password";
    echo '<br />';
    $ip=$_SERVER['REMOTE_ADDR'];
    echo 'Your IP Address has been logged! ';
    echo $ip;
    // check admins table
    $sql="SELECT attempts FROM $admin_table WHERE username='$myusername'";
    $result=mysql_query($sql);
    $count=mysql_num_rows($result);
    //if found how many attempts do they have?
    if ($count==1){
        $row = mysql_fetch_array($result);
        $attempts=$row['attempts'];
        // if they have more than 9 send them to the banned page
        if ($attempts>9){
            header("location:banned.html");
        }
    }
}
//otherwise update the attempt count
else {
    $addattempt="UPDATE $admin_table SET attempts = attempts +1 WHERE username= '$myusername' ";
    mysql_query($addattempt);
    //send them back to the login page
    header("location:index.php");
}
// If they are not found in the admin table, then check for session variable; if not set, set one and increase it by 1
else{
    (!$_SESSION['attempts']){
        $_SESSION['attempts'];
        $_SESSION['attempts']++;
        //check if session attempts are more than 9. If so send to ban page otherwise back to login.
        if ($_SESSION['attempts']>9){
            header("location:banned.html");
        }
    }
}
else{
    $_SESSION['attempts']++;
    header("location:index.php");
}
?>

It's not parsing out right now: T_Else on 54. Thanks for the help.
|
londrum

msg:4392656 | 8:18 pm on Nov 30, 2011 (gmt 0) | I think you need another closing bracket before this bit:

// If user is not found in either place, it is wrong.
else{
echo "Wrong Username or Password";

It should be...

}
// If user is not found in either place, it is wrong.
else{
echo "Wrong Username or Password";
|
Gilead

msg:4392659 | 8:25 pm on Nov 30, 2011 (gmt 0) | Unfortunately that did not work. :-( So rule of thumb: if statement { code } else { more code} Each section is self contained?
|
londrum

msg:4392661 | 8:29 pm on Nov 30, 2011 (gmt 0) | The easiest way to track it down is to delete everything inside each bracket -- but leave the brackets. Eventually you will find the one that's missing. I think that error can also be caused if you forget to include a semi-colon at the end of a statement, so I would check for those as well.
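One way to mechanise the "delete the bodies, keep the brackets" method described above, as an added example that is not from the thread: a small Python checker that keeps only the if/elseif/else keywords and braces of a PHP file (skipping comments and string literals, so a brace inside a string does not count) and reports where an else does not follow an if block or where a brace is unmatched. It assumes every if/else body is braced, as in the code posted; SAMPLE is a constructed snippet with the same shape as the first post.

```python
import re

# Comments and string literals are matched first so braces inside them are
# skipped; only if/elseif/else and the braces themselves are kept as tokens.
TOKEN_RE = re.compile(
    r"//[^\n]*|#[^\n]*|/\*.*?\*/"          # PHP comments
    r"|'(?:\\.|[^'\\])*'"                  # single-quoted string
    r'|"(?:\\.|[^"\\])*"'                  # double-quoted string
    r"|\belseif\b|\bif\b|\belse\b|[{}]",
    re.DOTALL,
)

def skeleton(src):
    """Return [(token, line)] for the if/elseif/else/{/} tokens of PHP source."""
    return [(m.group(0), src.count("\n", 0, m.start()) + 1)
            for m in TOKEN_RE.finditer(src)
            if m.group(0) in ("if", "elseif", "else", "{", "}")]

def check(src):
    """Walk the skeleton and return (line, problem) pairs; line 0 means end of file.
    Assumes every if/else body is braced, as in the code under discussion."""
    problems, stack, prev, closed = [], [], None, None
    for tok, line in skeleton(src):
        if tok == "{":                     # record what kind of block is opening
            stack.append(prev if prev in ("if", "else") else "other")
        elif tok == "}":
            closed = stack.pop() if stack else None
            if closed is None:
                problems.append((line, "closing brace with no open block"))
        elif tok != "if" and (prev != "}" or closed != "if"):
            problems.append((line, "else does not follow an if block (T_ELSE)"))
        prev = "if" if tok == "elseif" else tok
    if stack:
        problems.append((0, f"{len(stack)} open block(s) never closed"))
    return problems

# Constructed sample with the same shape as the first post: the second "else"
# follows the brace that closed an else block, so PHP reports an unexpected T_ELSE.
SAMPLE = """<?php
if ($count == 1) {
    // admin branch
} else {
    if ($count == 1) {
        // member branch
    }
}
else {
    echo "Wrong Username or Password";  // a { inside a string or comment is ignored
}
"""
```

Running check(SAMPLE) reports the else on line 9; feeding it the full login page gives the same kind of list to work through.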
|
Gilead

msg:4392671 | 8:55 pm on Nov 30, 2011 (gmt 0) | Thanks! That was a big help. I ended up making more if statements. PHP was getting confused as was I.

if($count==1){
    // Register $myusername, $mypassword and redirect
    $_SESSION['username']= $row['username'];
    $_SESSION['useraccess']= $row['access_level'];
    // Delete attempts from admins
    $q = "UPDATE $admin_table SET attempts = 0 WHERE username = '$myusername'";
    $delattempts= @mysql_query($q)or die(mysql_error());
    // Log date and time
    $sql = "UPDATE $admin_table SET last_login = '". date("Y-m-d h:i:s"). "' WHERE username = '$myusername'";
    $logdate = mysql_query($sql) or die(mysql_error());
    // Send to Admin index page
    header("location:index.php");
}
else {
    // If they are not found in the Admin table check the Member table
    $sql="SELECT * FROM $user_table WHERE member_login='$myusername' and member_password='$mypassword'";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    if($count==1){
        // Register $myusername, $mypassword and redirect
        $_SESSION['login']= $row['member_login'];
        $_SESSION['id']= $row['contactid'];
        $_SESSION['useraccess']= 'User';
        header("location:index.php");
    }
}
// If user is not found in either place, it is wrong.
if ($count!=1) {
    echo "Wrong Username or Password";
    echo '<br />';
    $ip=$_SERVER['REMOTE_ADDR'];
    echo 'Your IP Address has been logged! ';
    echo $ip;
    // check admins table
    $sql="SELECT attempts FROM $admin_table WHERE username='$myusername'";
    $result=mysql_query($sql);
    $number=mysql_num_rows($result);
    //if found how many attempts do they have?
    if ($number==1){
        $row = mysql_fetch_array($result);
        $attempts=$row['attempts'];
        // if they have more than 9 send them to the banned page
        if ($attempts>9){
            header("location:banned.html");
        }
        //otherwise update the attempt count
        else {
            $addattempt="UPDATE $admin_table SET attempts = attempts +1 WHERE username= '$myusername' ";
            mysql_query($addattempt);
            //send them back to the login page
            header("location:index.php");
        }
    }
}
// If they are not found in the admin table, then check for session variable; if not set, set one and increase it by 1
if (!$_SESSION['attempts']){
    $_SESSION['attempts'];
    $_SESSION['attempts']++;
}
//check if session attempts are more than 9. If so send to ban page otherwise back to login.
if ($_SESSION['attempts']>9){
    header("location:banned.html");
}
else {
    $_SESSION['attempts']++;
    // header("location:index.php)";
}

Now it's balking at the session variables.