PHP Server Side Scripting Forum

    
User login process
Gilead
msg:4393522
6:36 pm on Dec 2, 2011 (gmt 0)

I'm doing my login processing script.

There are three possibilities with several things in between, but for the life of me, I can't make it work all together.

1. Check admin table: if found delete any previous attempts, add session vars, and put in the time and date of login, then send them right into the admin screen.

1a. If in admin table, but wrong password, add to attempts and send back to login again or if number of attempts >9 send them to the ban page.

2. If not in admin table, check user table: if found, add session vars and send right into user screen.

3. Not in either, potential hacker: check if attempt session var exists; if not, create it. Now equals 1. Send them back to login screen.

3a. If var exists add one to it and see if it's >9. If so send to ban page otherwise, back to login.

I have tried if elseif else, but apparently you have to have else be the last option and it gets stuck parsing. I'm not sure I can do a case/switch here. Anyone know the best way to do this? I have to get this completed.

Thanks!

 

Gilead
msg:4393589
9:33 pm on Dec 2, 2011 (gmt 0)

I tried to make a switch case: still not working
session_start();

include('dbconfig.php');
$user_table  = "users";
$admin_table = "authorize";

// username and password sent from form
$myusername = mysql_real_escape_string(addcslashes($_POST['username'], "%_"));
$mypassword = mysql_real_escape_string(addcslashes($_POST['password'], "%_"));

// The switch below needs $usertype set first. Classify the attempt: admin with
// the right password, admin with the wrong password, member, or nobody we know.
$usertype = 'unknown';
$chk = mysql_query("SELECT 1 FROM $admin_table WHERE username='$myusername' and password='$mypassword'") or die(mysql_error());
if (mysql_num_rows($chk) == 1) {
    $usertype = 'admin';
} else {
    $chk = mysql_query("SELECT 1 FROM $admin_table WHERE username='$myusername'") or die(mysql_error());
    if (mysql_num_rows($chk) == 1) {
        $usertype = 'adminwrongpass';
    } else {
        $chk = mysql_query("SELECT 1 FROM $user_table WHERE member_login='$myusername' and member_password='$mypassword'") or die(mysql_error());
        if (mysql_num_rows($chk) == 1) {
            $usertype = 'member';
        }
    }
}

switch ($usertype) {

    case 'admin':   // case labels must be quoted strings, not bare words
        $sql = "SELECT * FROM $admin_table WHERE username='$myusername' and password='$mypassword'";
        $result = mysql_query($sql) or die("Cannot find your login credentials " . mysql_error());
        $row = mysql_fetch_array($result);
        $admcount = mysql_num_rows($result);
        // If result matched $myusername and $mypassword, table row must be 1 row
        if ($admcount == 1) {
            // Register $myusername, $mypassword and redirect
            $_SESSION['username']   = $row['username'];
            $_SESSION['useraccess'] = $row['access_level'];
            // Delete attempts from admins
            $q = "UPDATE $admin_table SET attempts = 0 WHERE username = '$myusername'";
            $delattempts = mysql_query($q) or die(mysql_error());
            // Log date and time (H = 24-hour clock; h without am/pm would be ambiguous)
            $sql = "UPDATE $admin_table SET last_login = '" . date("Y-m-d H:i:s") . "' WHERE username = '$myusername'";
            $logdate = mysql_query($sql) or die(mysql_error());
            // Send to Admin index page; exit so nothing runs after the redirect
            header("Location: /admin/index.php");
            exit;
        }
        break;   // every break needs a semicolon

    case 'member':
        // If they are not found in the Admin table check the Member table
        $sql = "SELECT * FROM $user_table WHERE member_login='$myusername' and member_password='$mypassword'";
        $result = mysql_query($sql) or die(mysql_error());
        $row = mysql_fetch_array($result);
        // mysql_num_rows counts the matching rows
        $mcount = mysql_num_rows($result);
        if ($mcount == 1) {
            // Register $myusername, $mypassword and redirect
            $_SESSION['login']      = $row['member_login'];
            $_SESSION['id']         = $row['contactid'];
            $_SESSION['useraccess'] = 'User';
            header("Location: members/index.php");
            exit;
        }
        break;

    case 'adminwrongpass':
        $sql = "SELECT attempts FROM $admin_table WHERE username='$myusername'";
        $ip = $_SERVER['REMOTE_ADDR'];
        echo 'Your IP Address has been logged! ';
        echo $ip;
        $result = mysql_query($sql) or die(mysql_error());
        // if found how many attempts do they have?
        $row = mysql_fetch_array($result);
        $addattempt = "UPDATE $admin_table SET attempts = attempts + 1 WHERE username = '$myusername'";
        mysql_query($addattempt) or die(mysql_error());
        $attempts = $row['attempts'] + 1;   // count includes the attempt just recorded
        echo '<br />';
        echo $attempts;
        echo '&nbsp; attempts';
        // if they have more than 9 send them to the banned page
        if ($attempts > 9) {
            echo '<meta http-equiv="refresh" content="2;url=banned.html">';
        } else {
            // send them back to the login page
            echo '<meta http-equiv="refresh" content="2;url=index.php">';
        }
        break;

    default:
        echo "Wrong Username or Password";
        echo '<br />';
        $ip = $_SERVER['REMOTE_ADDR'];
        echo 'Your IP Address has been logged!&nbsp;';
        echo $ip;
        if (isset($_SESSION['attempts'])) {
            $_SESSION['attempts'] = $_SESSION['attempts'] + 1;
            // check if session attempts are more than 9. If so send to ban page otherwise back to login.
            if ($_SESSION['attempts'] > 9) {
                echo '<meta http-equiv="refresh" content="2;url=banned.html">';
            } else {
                echo '<meta http-equiv="refresh" content="2;url=index.php">';
            }
        } else {
            // first failed attempt in this session
            $_SESSION['attempts'] = 1;
            echo '<meta http-equiv="refresh" content="2;url=index.php">';
        }
        break;
}
echo $usertype;
Am I even in the ballpark?

eelixduppy
msg:4393611
10:42 pm on Dec 2, 2011 (gmt 0)

Here is my quick on-the-fly attempt at refactoring your code to look and work a little better for you. It is probably not all there but this should get you started:


require_once('dbconfig.php');

// use constants instead of variables, ideally should be defined in config file
define("USER_TABLE", "users");
define("ADMIN_TABLE", "authorize");
define("DOMAIN", "www.example.com");

// don't forget to start the session
session_start();

// escape the username/password only ONCE
$myusername = mysql_real_escape_string($_POST['username']);
$mypassword = mysql_real_escape_string($_POST['password']);

// first you would want to know if they attempted 10 times
if (isset($_SESSION['attempts']) && $_SESSION['attempts'] >= 10) {
    header(sprintf("Location: https://%s/banned.html", DOMAIN));
    exit;
}

// then we need to see if they logged in successfully
$q = sprintf("SELECT * FROM `%s` WHERE `member_login` = '%s' AND `member_password` = '%s'", USER_TABLE, $myusername, $mypassword);
$result = mysql_query($q) or die(mysql_error());

// if user is in table (with password)
if (mysql_num_rows($result) == 1) {
    $row = mysql_fetch_assoc($result);
    $_SESSION['username']   = $row['member_login'];
    $_SESSION['useraccess'] = $row['access_level'];

    // a successful login clears the failure record kept for this username
    $q = sprintf("DELETE FROM `%s` WHERE `username` = '%s'", ADMIN_TABLE, $myusername);
    mysql_query($q);

    header(sprintf("Location: https://%s/members/index.php", DOMAIN));
    exit;
} else {
    // wrong credentials; the username value has to be quoted inside the SQL string
    $q = sprintf("INSERT INTO `%s` (attempts, last_login, username) VALUES (0, NOW(), '%s') ON DUPLICATE KEY UPDATE `attempts` = `attempts`+1", ADMIN_TABLE, $myusername);
    mysql_query($q) or die(mysql_error());
    if (!isset($_SESSION['attempts'])) {   // closing parenthesis required here
        $_SESSION['attempts'] = 0;
    }
    $_SESSION['attempts']++;
    // it would be worth thinking about using the IP address as the identifier here
    // for the person making the login attempts, because currently they could brute force picking different usernames
    // each time and not be detected
}
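
As an added example that is not code from either poster, here is the same flow written the way a current PHP login handler would do it: prepared statements, hashed passwords, and a failure count kept per username and per client IP, so the username-rotation gap eelixduppy points out is covered. The table and column names (a users table with role and password_hash columns, a login_attempts table) and a dbconfig.php that creates $pdo are assumptions.

```php
<?php
// Added example, not code from either poster: the thread's login flow with PDO prepared
// statements, password_hash() hashes, and a failure counter keyed by username AND client IP.
// Assumed: dbconfig.php creates $pdo; tables users(role, password_hash) and login_attempts.
session_start();
require_once 'dbconfig.php';
const MAX_ATTEMPTS   = 10;      // the thread's "more than 9 attempts" rule
const WINDOW_SECONDS = 900;     // only failures in the last 15 minutes count

function failedAttempts(PDO $pdo, string $key): int {
    $since = date('Y-m-d H:i:s', time() - WINDOW_SECONDS);
    $st = $pdo->prepare('SELECT COUNT(*) FROM login_attempts WHERE attempt_key = ? AND attempted_at > ?');
    $st->execute([$key, $since]);
    return (int) $st->fetchColumn();
}

function recordFailure(PDO $pdo, string ...$keys): void {
    $st = $pdo->prepare('INSERT INTO login_attempts (attempt_key, attempted_at) VALUES (?, NOW())');
    foreach ($keys as $key) { $st->execute([$key]); }
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');
$ip       = $_SERVER['REMOTE_ADDR'];

// Check both counters, so cycling through usernames from one address does not evade the limit
if (failedAttempts($pdo, "user:$username") >= MAX_ATTEMPTS || failedAttempts($pdo, "ip:$ip") >= MAX_ATTEMPTS) {
    header('Location: /banned.html');
    exit;
}

// One users table; the role column is the access-control identifier that picks the landing page
$st = $pdo->prepare('SELECT id, username, password_hash, role FROM users WHERE username = ?');
$st->execute([$username]);
$row = $st->fetch(PDO::FETCH_ASSOC);
if ($row !== false && password_verify($password, $row['password_hash'])) {
    session_regenerate_id(true);    // fresh session id once the user is authenticated
    $_SESSION['username']   = $row['username'];
    $_SESSION['useraccess'] = $row['role'];
    $pdo->prepare('UPDATE users SET last_login = NOW() WHERE id = ?')->execute([$row['id']]);
    header('Location: ' . ($row['role'] === 'admin' ? '/admin/index.php' : '/members/index.php'));
    exit;
}

recordFailure($pdo, "user:$username", "ip:$ip");
// Same response whether the username is unknown or the password was wrong
header('Location: /index.php?error=login');
exit;
```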

Gilead
msg:4394439
4:20 pm on Dec 5, 2011 (gmt 0)

Thank you so much!
What is the %s?

It spat up an error: unexpected T_variable on line 41.

We are checking for members; what about admins? Where do I check for them? Start another block of code?

eelixduppy
msg:4394752
2:16 pm on Dec 6, 2011 (gmt 0)

The %s is a placeholder for where a string is going to be inserted. Look at the documentation for sprintf [php.net] for more information regarding this.

>> line 41
There is probably something missing (e.g. quote, parenthesis, etc). Look at line 41 and then backtrack up the code to find it (I can't see it at a quick glance).

>>what about admins?
Typically there would be some sort of access control identifier in the users table that references a different table of privileges for your site. That way you would be able to have many different user types, all with potentially different access. What I gave you was a quick hint at how it may be accomplished, but obviously you are going to have to code it further to suit your needs.

Gilead
msg:4394771
3:01 pm on Dec 6, 2011 (gmt 0)

Thanks!
