Problem with login page



okeddy
11-16-2010, 02:29 PM
A lot of people seem to be using this piece of code in their login page, when I use it it outputs " method="POST" on the page
and the url after filling in the form is

http://127.0.0.1/<?username=username&password=pass


if I change the quotes around the question mark after echo to single quotes then the " method="POST" is not in the output.
and the url after filling in the form is

http://127.0.0.1/%3C?=$PHP_SELF?%3E%3C?if%28$QUERY_STRING%29{echo%27?%27%20.$QUERY_STRING;}?%3E



<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo'"?". $QUERY_STRING;}?>" method="POST">


Is this code correct and why is there a < after the IP ??

Lost, can anyone help?

poyzn
11-16-2010, 03:50 PM
Maybe your short PHP tags are off. Post the result here if you try this:


<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?><?php if($QUERY_STRING) { echo "?" . $QUERY_STRING; } ?>" method="POST">

okeddy
11-16-2010, 04:32 PM
By changing this <?if($QUERY_STRING)

to this <?php if($QUERY_STRING)

it no longer outputs " method="POST"

So thanks for your input on that.

But getting http:// undefined variable query string
after login

poyzn
11-16-2010, 04:43 PM
First of all, generate your page and open the page source with your browser, find the form and post the whole form-tag here.

Also make output with


print_r($_REQUEST);

and post it here

okeddy
11-16-2010, 04:58 PM
I hope this is what you meant

?>
<form action="<?=$PHP_SELF?><br />
<b>Notice</b>: Undefined variable: QUERY_STRING in <b>C:\Program Files\EasyPHP-5.3.3\www\login.php</b> on line <b>14</b><br />
" method="POST">
<p align="center">Members only. Please login to access this document.</p>
<table align="center" border="0">
<tr>
<th>

Username:
</th>
<th>
<input type="text" name="username">
</th>
</tr>
<tr>
<th>
Password:
</th>
<th>

<input type="password" name="password">
</th>
</tr>
<tr>
<th colspan="2" align="right">
<input type="submit" value="Login">
</form>
</th>
</tr>
</table>
</body>

</html>
<?
exit();
}



May as well show you what I am working with


<?
session_start(); // start session.
?>
<!-- header tags, edit to match your own, or include template header file. -->
<html>
<head>
<title>Login</title>
<head>
<body>
<?
if(!isset($username) | !isset($password)) {
// escape from php mode.
?>
<form action="<?=$PHP_SELF?><?php if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>" method="POST">
<p align="center">Members only. Please login to access this document.</p>
<table align="center" border="0">
<tr>
<th>
Username:
</th>
<th>
<input type="text" name="username">
</th>
</tr>
<tr>
<th>
Password:
</th>
<th>
<input type="password" name="password">
</th>
</tr>
<tr>
<th colspan="2" align="right">
<input type="submit" value="Login">
</form>
</th>
</tr>
</table>
</body>
</html>
<?
exit();
}

// If all is well so far.

session_register("username");
session_register("password"); // register username and password as session variables.

// Here you would check the supplied username and password against your database to see if they exist.
// For example, a MySQL Query, your method may differ.

mysql_connect("localhost","root","");
mysql_select_db("a2149809_MV") or die("Unable to select database");

$sql = mysql_query("SELECT `password` FROM `login` WHERE `username` = '$username'");
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);

if($numrows != "0" & $password == $fetch_em["password"]) {
$valid_user = 1;
}
else {
$valid_user = 0;
}

// If the username exists and pass is correct, don't pop up the login code again.
// If info can't be found or verified....

if (!($valid_user))
{
session_unset(); // Unset session variables.
session_destroy(); // End Session we created earlier.
// escape from php mode.
?>
<form action="<?=$PHP_SELF?><?php if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>" method="POST">
<p align="center">Incorrect login information, please try again. You must login to access this document.</p>
<table align="center" border="0">
<tr>
<th>
Username:
</th>
<th>
<input type="text" name="username">
</th>
</tr>
<tr>
<th>
Password:
</th>
<th>
<input type="password" name="password">
</th>
</tr>
<tr>
<th colspan="2" align="right">
<input type="submit" value="Login">
</form>
</th>
</tr>
</table>
</body>
</html>
<?
exit();
}
?>

poyzn
11-16-2010, 05:12 PM
Your variables $PHP_SELF and $QUERY_STRING are not defined. I suggest you make your opening form tag exactly like this and try.


<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?><?php if($_SERVER['QUERY_STRING']) { echo "?" . htmlspecialchars($_SERVER['QUERY_STRING']); } ?>" method="POST">


After that, post only this part from the page source:


<form action="<?=$PHP_SELF?><br />
<b>Notice</b>: Undefined variable: QUERY_STRING in <b>C:\Program Files\EasyPHP-5.3.3\www\login.php</b> on line <b>14</b><br />
" method="POST">

okeddy
11-16-2010, 05:18 PM
That worked I stayed on login.php

<form action="/login.php" method="POST">

poyzn
11-16-2010, 05:38 PM
Actually you don't even need the QUERY_STRING part if you pass data with a GET query.
Make it

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="get">

and you'll get /login.php?username=username&password=password after submitting the form

okeddy
11-16-2010, 05:57 PM
http://127.0.0.1/login.php?username=username&password=pass

Yes, that worked. I'm a little confused with this login script: if I have a page I want users to log in to, what would I do? Would I make that the target page instead of login.php or [self]?
I have a table with the user and pass fields, but this script allows any user and pass so I must be doing something wrong there.

poyzn
11-16-2010, 06:14 PM
It's very simple. You may have a separate login page, for example login.php, where you check usernames and passwords. If the username and password match, you may redirect the user into his account, to another page, account.php. But on every page in the account you should check if the user is authorized. If not, then redirect him back to login.php.
Redirect with


header("Location: /login.php");

okeddy
11-16-2010, 06:47 PM
not sure what to put in place of ($_SERVER['PHP_SELF'])

login:

<?
session_start(); // start session.
?>
<!-- header tags, edit to match your own, or include template header file. -->
<html>
<head>
<title>Login</title>
<head>
<body>

<?
$process = "loginprocess.php";
?>

<form action="<?php echo htmlspecialchars($process); ?>" method="get">
<p align="center">Members only. Please login to access this document.</p>
<table align="center" border="0">
<tr>
<th>
Username:
</th>
<th>
<input type="text" name="username">
</th>
</tr>
<tr>
<th>
Password:
</th>
<th>
<input type="password" name="password">
</th>
</tr>
<tr>
<th colspan="2" align="right">
<input type="submit" value="Login">
</form>
</th>
</tr>
</table>
</body>
</html>


loginprocess:

<?php

// Initialize session
session_start();


// Retrieve username and password from database according to user's input
mysql_connect("localhost","root","");
mysql_select_db("a2149809_MV") or die("Unable to select database");

$sql = mysql_query("SELECT `password` FROM `login` WHERE `username` = '$username'");

// Check username and password match
if (mysql_num_rows($login) == 1) {
// Set username session variable
$_SESSION['username'] = $_POST['username'];
// Jump to secured page
header('Location: indexfull2.php');
}
else {
// Jump to login page
header('Location: login.php');
}

?>

okeddy
11-16-2010, 07:38 PM
removed


<?
$process = "loginprocess.php";
?>

changed form to


<form action="loginprocess.php" method="get">

does work but brings me back to login.php checked by changing to some other page so user/pass not being verified.

poyzn
11-16-2010, 07:48 PM
Firstly, try this login process in loginprocess.php:


if(true) {
header('Location: /indexfull2.php');
} else {
header('Location: /login.php');
}

If it works then you have to check your interactions with the DB.

Secondly, your form method is GET now, where do you get $_POST['username']; from?

okeddy
11-16-2010, 08:26 PM
OK it works now with that thanks poyzn :thumbsup:

Would this be secure enough?


<?php
session_start();
?>
<html>
<head>
<title>Login</title>
<head>
<body>

<form action="loginprocess.php" method="get">
<p align="center">Members only. Please login to access this document.</p>
<table align="center" border="0">
<tr>
<th>
Username:
</th>
<th>
<input type="text" name="username">
</th>
</tr>
<tr>
<th>
Password:
</th>
<th>
<input type="password" name="password">
</th>
</tr>
<tr>
<th colspan="2" align="right">
<input type="submit" value="Login">
</form>
</th>
</tr>
</table>
</body>
</html>


<?php

session_start();

mysql_connect("localhost","root","");
mysql_select_db("a2149809_MV") or die("Unable to select database");

$sql = mysql_query("SELECT `password` FROM `login` WHERE `username` = '$username'");

if(true) {
header('Location: /indexfull2.php');
} else {
header('Location: /login.php');
}

?>

okeddy
11-16-2010, 08:29 PM
Hold that result I'm allowed in with any user/pass, cleared cookies.

okeddy
11-16-2010, 08:30 PM
I've replaced the wrong thing in loginprocess.php

okeddy
11-16-2010, 10:07 PM
Anyone tell me where I'm going wrong here, the login sends this:

http://127.0.0.1/loginprocess.php?username=username&password=password

process page-


<?php

session_start();

$var = @$_GET['username'] ;
$username = ($var);

$var = @$_GET['password'] ;
$password = ($var);

mysql_connect("localhost","root","");
mysql_select_db("a2149809_MV") or die("Unable to select database");

$mysql_query = ("SELECT `password` FROM `login` WHERE `username` = '$username'");

if (mysql_num_rows($mysql_query) == 1) {

header('Location: /indexfull2.php');
}

else {
header('Location: /login.php');
}
?>

There is a table called login with 3 fields id, username & password
I am returned to the login page

okeddy
11-17-2010, 12:07 AM
Probably crude code but it works


<?php

session_start();

$var = @$_GET['username'] ;
$username = ($var);

$var = @$_GET['password'] ;
$password = ($var);

mysql_connect("localhost","root","");
mysql_select_db("a2149809_MV") or die("Unable to select database");

$query = ("SELECT * FROM `login` WHERE `username` = '$username' AND `password` = '$password'");
$result = mysql_query($query);

if(mysql_num_rows($result) == 1){

header('Location: /indexfull2.php');
} else {
header('Location: /login.php');
}
?>

MattF
11-17-2010, 12:18 AM
For starters, stop doing this:



$var = @$_GET['username'] ;
$username = ($var);

$var = @$_GET['password'] ;
$password = ($var);


and do things properly. Error suppression is very rarely needed and shouldn't be used unless absolutely necessary, which it most definitely is not above.

At the absolute minimum the above should be, (apply to the password field too):



$var = (isset($_GET['username']) ? $_GET['username'] : false);


That's not even going down the route of validation, sanitisation, input escaping before querying the DB etc. Also, which 'tard suggested you send the password via GET? That's like putting a massive neon sign up declaring that you want a good rodgering.

okeddy
11-17-2010, 01:26 AM
Matt, and that will still work with this

http://127.0.0.1/loginprocess.php?username=username&password=password

changed the code to this but no joy


<?php

session_start();

$var = (isset($_GET['username']) ? $_GET['username'] : false);

$var = (isset($_GET['password']) ? $_GET['password'] : false);

mysql_connect("localhost","root","");
mysql_select_db("a2149809_MV") or die("Unable to select database");

$query = ("SELECT * FROM `login` WHERE `username` = '$username' AND `password` = '$password'");
$result = mysql_query($query);

if(mysql_num_rows($result) == 1){

header('Location: /indexfull2.php');
} else {
header('Location: /login.php');
}
?>

MattF
11-17-2010, 01:34 AM
What's not happening? Add error notification to your query, btw.



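$query = "SELECT * FROM login WHERE username='$username' AND password='$password'";
// Error notification goes on the mysql_query() call, not on the string assignment.
$result = mysql_query($query) or exit(mysql_error());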


Also, change this:



if(mysql_num_rows($result) == 1){


to:



if(mysql_num_rows($result)){


Plus, use POST, *not* GET, and validate, sanitise and escape your input.

okeddy
11-17-2010, 01:46 AM
I'm coming back to the login.php

this is the login page

<?php
session_start();
?>
<html>
<head>
<title>Login</title>
<head>
<body>

<form action="loginprocess.php" method="post">
<p align="center">Members only. Please login to access this document.</p>
<table align="center" border="0">
<tr>
<th>
Username:
</th>
<th>
<input type="text" name="username">
</th>
</tr>
<tr>
<th>
Password:
</th>
<th>
<input type="password" name="password">
</th>
</tr>
<tr>
<th colspan="2" align="right">
<input type="submit" value="Login">
</form>
</th>
</tr>
</table>
</body>
</html>

MattF
11-17-2010, 02:04 AM
You're using POST in your form, not GET. Change the vars accordingly. (You had also set them both as $var).



$username = (isset($_POST['username']) ? $_POST['username'] : false);
$password = (isset($_POST['password']) ? $_POST['password'] : false);

okeddy
11-17-2010, 11:10 PM
login


<?php
$username = (isset($_POST['username']) ? $_POST['username'] : false);
$password = (isset($_POST['password']) ? $_POST['password'] : false);
?>
<form action="loginprocess.php" method="post">

process


<?php

session_start();

$var = (isset($_GET['username']) ? $_GET['username'] : false);

$var = (isset($_GET['password']) ? $_GET['password'] : false);

$username = $var['username'];
$password = $var['password'];

mysql_connect("localhost","root","");
mysql_select_db("a2149809_MV") or die("Unable to select database");

$query = ("SELECT * FROM `login` WHERE username='$username' AND password='$password'") or exit(mysql_error());
$result = mysql_query($query);

if(mysql_num_rows($result)){

header('Location: /indexfull2.php');
} else {
header('Location: /login.php');
}
?>

still keep coming back to the login page, have checked by pointing to another page ... table login fields id, username, password

okeddy
11-18-2010, 12:11 AM
Had it mixed up, working now. Thanks for the input Matt :thumbsup:




session_start();

$username = (isset($_POST['username']) ? $_POST['username'] : false);
$password = (isset($_POST['password']) ? $_POST['password'] : false);

mysql_connect("localhost","root","");
mysql_select_db("a2149809_MV") or die("Unable to select database");

$query = ("SELECT * FROM `login` WHERE username='$username' AND password='$password'") or exit(mysql_error());
$result = mysql_query($query);

if(mysql_num_rows($result) == 1){
header('Location: /indexfull2.php');
} else {
header('Location: /login.php');
}

okeddy
11-18-2010, 12:13 AM
Just one more thing, this lets a user access your page, but what is to stop them bookmarking the page?

MattF
11-18-2010, 12:20 AM
Just one more thing, this lets a user access your page, but what is to stop them bookmarking the page?

Nothing can stop them bookmarking the page. However, now that you have switched to using POST instead of GET, there's no way they can find a cached copy of the login URI with parameters hence they'll need to log in before they can access user only content.

Btw, you really should be doing a minimum of hashing at least on the password. Salt and hash would be better, rather than storing an unencrypted, clear text password.

okeddy
11-18-2010, 12:29 AM
Sorry but I don't understand that, if you bookmark the page you have just accessed you wouldn't need to log in again.

MattF
11-18-2010, 12:33 AM
Sorry but I don't understand that, if you bookmark the page you have just accessed you wouldn't need to log in again.

Bookmark the page, close your browser and try accessing the bookmarked page when you start the browser back up. If you can still access the logged in user only page, your access restrictions are nonexistent.

okeddy
11-18-2010, 12:39 AM
I can access it, so effectively all my login is doing is transferring the user to another page; I may as well have given the user the URL. So I'm missing something. 'Access restrictions', I'll have to look that up.

MattF
11-18-2010, 12:45 AM
This block:



if(mysql_num_rows($result) == 1){
header('Location: /indexfull2.php');
} else {
header('Location: /login.php');
}


Change to:



if (mysql_num_rows($result))
{
$_SESSION['authorised'] = true;
header('Location: /indexfull2.php');
}
else
{
header('Location: /login.php');
}


Then, on every page where you want only logged in users to access the content:



<?php

session_start();

if (!isset($_SESSION['authorised']))
{
exit('Not logged in.');
}

okeddy
11-18-2010, 01:07 AM
Worked a treat Matt, thanks you have been a great help on this project ..

MattF
11-18-2010, 02:29 AM
You're welcome. Now that you have the basics in place, you might want to start expanding the scope and also clamping down on security. Not that I'm one to harp on, :D but sanitise, validate and either prepare or escape DB queries and their input.
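
The hardening MattF's replies call for (POST only, a prepared query, a salted hash in place of the clear-text password), put together as an added example that is not code from the thread. It assumes PHP 5.5 or later for password_hash(), assumes the `password` column stores password_hash() output, and uses the hypothetical helper names check_login() and handle_login(); the command-line part runs on constructed data in an in-memory SQLite database standing in for MySQL.

```php
<?php
// Added example, not code from the thread. Assumes the `password` column of
// the `login` table holds password_hash() output instead of clear text.

// Look the user up with a prepared statement, then verify the salted hash.
function check_login(PDO $db, $username, $password)
{
    if (!is_string($username) || !is_string($password) || $username === '') {
        return false;                       // missing or array-valued input
    }
    $stmt = $db->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->execute([$username]);            // bound, never interpolated into SQL
    $hash = $stmt->fetchColumn();           // false when no such user exists
    return $hash !== false && password_verify($password, $hash);
}

// Body of loginprocess.php: accept POST only, issue a fresh session id on
// success, and exit after the redirect so nothing below it runs.
function handle_login(PDO $db)
{
    session_start();
    $username = isset($_POST['username']) ? $_POST['username'] : null;
    $password = isset($_POST['password']) ? $_POST['password'] : null;
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && check_login($db, $username, $password)) {
        session_regenerate_id(true);        // defeats session fixation
        $_SESSION['authorised'] = true;     // flag checked on protected pages
        header('Location: /indexfull2.php');
    } else {
        header('Location: /login.php');
    }
    exit;
}

// Command-line demonstration with constructed data (needs pdo_sqlite).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $db->prepare('INSERT INTO login (username, password) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

    var_dump(check_login($db, 'alice', 'correct horse'));   // valid credentials
    var_dump(check_login($db, 'alice', 'wrong'));            // bad password
    var_dump(check_login($db, "x' OR '1'='1", 'anything'));  // quotes stay data
}
```

In loginprocess.php itself, open a PDO handle to the MySQL database with a dedicated low-privilege account and call handle_login($db); the protected pages keep the `$_SESSION['authorised']` check shown earlier in the thread.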


