...

View Full Version : Help with php login function



RanK2007
03-08-2009, 04:41 PM
Hi,

I actualy got it working now, i will post the code later today when i have access.

I am creating a login script with uses som included script`s one with all the functions and one with global variables. Have some checks before the user get`s logged in and if theese fails it sends the user a customized error code for ex: Internal server error: 0001, please contact administrator(this is working). But now i modifed the code to update a db with the error code and date username... etc this fails. I cant find the error i ran the scripts seperatly and that worked ok. This shoud be pretty secure right??

validate.php
--------------------


<?php
/*
Error ID`s
01= Wrong referer
02= No referer
03= IP address has changed since last login
*/
require("config.inc.php");
require("include/functions.inc");
$con = mysql_connect($DBhost,$DBusername,$DBpassw);
if (!$con)
{
die('Kan ikke koble til mysql: ' . mysql_error());
}
mysql_select_db($db, $con);
/* Get username and password from form */
$username = $_POST['username'];
$password = $_POST['password'];
/* Prevent SQL Injetion */
$username = @stripslashes($username);
$username = @mysql_real_escape_string($username);
$username = @strip_tags($username);
$username = @substr($username, 0, 12);
$password = @stripslashes($password);
$password = @mysql_real_escape_string($password);
$password = @strip_tags($password);
$password = @substr($password, 0, 12);
CheckReferer($username,$DBhost,$DBuser,$DBpassw)
/* SQL Setting */
$sql = 'SELECT username,password,login_count,last_login,this_login,role FROM users,user_roles WHERE username = "' . $username . '" AND password = "'. $password . '" AND user_role = role_id LIMIT 1';
$con = mysql_connect($DBhost,$DBusername,$DBpassw);
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db($db, $con);
$result = mysql_query($sql);
while($row = mysql_fetch_array($result))
{
$DBusername = $row['username'];
$password = $row['password'];
$user_role = $row['role'];
$login_count = $row['login_count'];
$last_login = $row['last_login'];
$this_login = $row['this_login'];
}
if($passw = $password)
{
session_cache_limiter('private');
init_session();
$_SESSION["loggedin"] = true;
$_SESSION['user_role'] = $user_role;
UpdateSession($username,$password,$login_count,$this_login,$last_login);
header('Location: index.php');
//echo "DEBUG: loggedin=" . $_SESSION['loggedin'] . "</br> login=ok</br>user_role=" . $_SESSION['user_role'];
}
else
{
@session_destroy();
echo "Wrong username or password!";
}
mysql_close($con);
?>
</body>
</html>


functions.inc
---------------


<?php
/* Functions.php - Cointains all functions */
/* Functions - CheckReferer Checks if user came from the correct login form. */
function CheckReferer($username,$DBhost,$DBuser,$DBpassw)
{
if(isset($_SERVER['HTTP_REFERER'])){
if($_SERVER['HTTP_REFERER'] != "http://localhost:8888/pita/index.php?go=login"){
/* Log to db and warn user */
$error_code = "0001";
echo "Internal server error ID:" . $error_code . "</br>" . "The error occured: " . date("d/m/y H:i:s");
/* Update DB */
$con = mysql_connect($DBhost,$DBuser,$DBpassw);
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db($db, $con);
$sql = "INSERT INTO failed_login (ip, username, session_id, error_code)
VALUES ('" . $username . "', '" .$$_SERVER['REMOTE_ADDR'] . "', '" . session_id() . "', '" . $error_code . "')";
mysql_query($sql);
mysql_close();
}
}
else{
echo "Internal server error ID: 02";
}

}
function init_session() {
session_start();
if (!isset($_SESSION["visited"])) { create_session(); }
else {
if (!validate_session()) {
session_destroy();
create_session();
}
}
}
function create_session() {
$_SESSION["visited"] = "yes";
$_SESSION["UA"] = $_SERVER["HTTP_USER_AGENT"];
$_SESSION["IP"] = $_SERVER["REMOTE_ADDR"];
$_SESSION["loggedin"] = false;
}
function validate_session() {
if (($_SESSION["UA"] == $_SERVER["HTTP_USER_AGENT"]) and ($_SESSION["IP"] == $_SERVER["REMOTE_ADDR"])) {
return true;
}
else { return false; }
}
function IPcheck($ip,$username,$password,$DBusername,$DBpassw)
{
$con = mysql_connect($DBhost,$DBusername,$DBpassw);
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db($db, $con);
$sql = "SELECT ip FROM users WHERE username='$username' AND password='$password' LIMIT 1";
while($row = mysql_query($sql))
{
$row['ip'] = $ip;
}
if($_SERVER['REMOTE_ADDR'] != $ip)
{
echo "Internal server error ID: 3";
session_destroy();
}

}
/* Updates schemas with new userinfo */
function UpdateSession($username,$password,$login_count,$this_login,$last_login)
{
$login_count++;
$last_login = $this_login;
$this_login = date("Y-m-d H:i:s");
$sql = "UPDATE users SET login_count='$login_count',last_login='$last_login',this_login='$this_login',session='" . session_id() . "',ip='" . $_SERVER['REMOTE_ADDR'] . "' WHERE username='$username' AND password='$password' LIMIT 1";
mysql_query($sql);

}
/* Creates a new exsternal java script usage CreateExternalJavaScript("script") */
function CreateExternalJavaScript($script)
{
echo '<script type="text/javascript" src="' . $script . '">';
}
?>



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum