Welcome to WebmasterWorld Guest from 18.206.194.83

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

Problems with my log-in script

Code within!

     
9:57 am on Aug 23, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 15, 2004
posts:192
votes: 0


Hi all,

I've been learning php for a while now and thought I was making progress until I hit a dead-end.

I'm trying to create a system so that the user signs in with their username/password and then has a set of options they can take from a menu.

The problem I have is that after they have signed in and see their menu, as soon as they take an option from the menu...they're sent back to the login screen.

It's almost as if the $logged_in variable is being lost?

I hope it's ok to post my code (I stripped it down as much as I can). If anyone can help, it would be really appreciated as I've spent ages trying to figure out the problem.

index.php
---------


<?php
// If "logged in" has been set...
if (isset($_POST['logged_in']))
{
$logged_in = $_POST['logged_in'];
if ($logged_in === 0)
{
require 'login.php';
}
else
{
require 'redirect.php';
}
}

// If "logged in" has NOT been set
else
{
if (isset($_POST['submit']))
{
require "db_connect.php";
$query = "select * from users where username='$_POST[userid]' and password='$_POST[pass]' ";
$result = mysql_query($query, $db_conn);
$row = mysql_fetch_assoc($result);

if (mysql_num_rows($result) >0)
{
$logged_in = 1;
$_SESSION['valid_user'] = $userid;
require 'redirect.php';
}
else
{
$logged_in = 0; require 'login.php';}
}
else
{
require 'login.php';
}
}
?>

login.php
---------


Please enter your username and password...
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post" enctype="multipart/form-data">
<input name="userid" type="text"><br>
<input name="pass" value="" type="password"><br>
<input name="submit" value="Login" type="submit">
<?php
if (isset($_POST['submit']))
{
if ($logged_in === 0)
{
echo "<br>Invalid username/password";
}
}
?>
</form>

redirect.php
------------


<?php
if (isset($page))
{
if ($page=="") {include("menu.php"); };
if ($page=="secret_link") {include("secret_page.php"); };
}
else
{
include("menu.php");
}
?>

menu.php
--------


You are logged in!
<br>
<a href="?page=secret_link">First secret link</a>

secret_page.php
---------------


<h1>Secret Page</h1>
11:26 am on Aug 23, 2005 (gmt 0)

New User

joined:Feb 2, 2005
posts:24
votes: 0


You should understand that the variables are not saved between the scripts.

For exmple you have script.php that sets $logged_in to "true" after some correct user input. Now next time the script is being runned the variable $logged_in is gone. So you cannot play this way.

In order to save variable between script executins you should try using sessions, cookies or something like that.

More info in the manual [session_start(), setcookie()]

11:37 am on Aug 23, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 2, 2004
posts:56
votes: 0



// If "logged in" has been set...
if (isset($_POST['logged_in']))
{
$logged_in = $_POST['logged_in'];
if ($logged_in === 0)
{
require 'login.php';
}
else
{
require 'redirect.php';
}
}

What will trigger this?
How will $_POST['logged_in'] be set?
I see no references to it in the code.

eg. that chunk will never run


$query = "select * from users where username='$_POST[userid]' and password='$_POST[pass]' ";

This is very insecure, as it may lead to SQL Injection
ref.: [no.php.net...]


if (mysql_num_rows($result) >0) {
$logged_in = 1;
$_SESSION['valid_user'] = $userid;
require 'redirect.php';
}
else {
$logged_in = 0; require 'login.php';}
}
else {
require 'login.php';
}

okay, what do we have here?
You set the variable logged_in to 1, but why?
It does not affect anything.

The session valid_user gets set to user_id, ok..


redirect.php
------------

<?php
if (isset($page)) {
if ($page=="") {
include("menu.php");
}
if ($page=="secret_link") {
include("secret_page.php");
}
}
else {
include("menu.php");
}
?>

Again, this is very insecure.
Anyone can "fiddle" with those variables.

I would recommend another approach to the system.
1: check for auth (check session for user_id maybe?)
2: if not authed, show login and use exit();

eg:


if (!$_SESSION['user_id']) {
showLogin();
exit();
}

or, you might simply use something as easy as:

<?php

function auth_user() {
$realm = mt_rand( 1, 1000000000 );
header('WWW-Authenticate: Basic realm="Realm ID='.$realm.']"');
header('HTTP/1.0 401 Unauthorized');
die("Unauthorized access forbidden!");
}

if (!isset($_SERVER['PHP_AUTH_USER'])) {
auth_user();
} else if (!isset($_SERVER['PHP_AUTH_PW'])) {
auth_user();
} else if ($_SERVER['PHP_AUTH_USER']!= $auser ¦¦ $_SERVER['PHP_AUTH_PW']!= $apass) {
auth_user();
} else if (isset($_GET['action']) && $_GET['action'] == "logout") {
auth_user();
}

// Normal Page Code Here
?>

you can require that login system on the very top of the pages you wish to secure.

you will have to modify it, so it queries the db.
but, look into the php.net/mysql_real_escape_string, as I posted url to above.. it's very important!

11:47 am on Aug 23, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 2, 2004
posts:56
votes: 0


btw. I forgot pointing one thing out to you..

Look in the login file:


if ($page=="") {include("menu.php"); };
if ($page=="secret_link") {include("secret_page.php"); };
}

the ; should only be at the end of an function, not after the } bracket.

good luck!

9:21 am on Aug 24, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 15, 2004
posts:192
votes: 0


Many thanks for the replies, with your help I managed to get it working. I now also have a better understanding of sessions and...functions! \o/

I'm now trying to implement the security changes you mentioned but I'm having problems with selecting records from the database.

Here the (updated) code I'm using at the moment...


function check_database()
{

require "db_connect.php";
$query = sprintf("SELECT * FROM users WHERE username=%s AND password=%s",
mysql_real_escape_string($_POST['var_userid']),
mysql_real_escape_string($_POST['var_pass']));
$result = mysql_query($query) or die (mysql_error());

if (mysql_num_rows($result) > 0)
{
$_SESSION['logged_in'] = 'Y';
redirect();
}
else
{
$_SESSION['logged_in'] = 'N';
display_login();
echo "INVALID USERNAME/PASSWORD";
}
}

For testing, my username is 'test' and password is 'wow'. For some reason, when this code executes I get the following error:

Unknown column 'test' in 'where clause'

Any ideas? Am I doing something stupid?!

10:02 am on Aug 24, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 15, 2004
posts:192
votes: 0


Fixed it...


$query = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'",
mysql_real_escape_string($_POST['var_userid']),
mysql_real_escape_string($_POST['var_pass']));

(I had no ' around the %s)

doh!

 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members