Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 1 of 1
  1. #1
    New to the CF scene
    Join Date
    Mar 2009
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Help with php login function

    Hi,

    I actualy got it working now, i will post the code later today when i have access.

    I am creating a login script with uses som included script`s one with all the functions and one with global variables. Have some checks before the user get`s logged in and if theese fails it sends the user a customized error code for ex: Internal server error: 0001, please contact administrator(this is working). But now i modifed the code to update a db with the error code and date username... etc this fails. I cant find the error i ran the scripts seperatly and that worked ok. This shoud be pretty secure right??

    validate.php
    --------------------
    PHP Code:
    <?php
    /*
    Error ID`s
    01= Wrong referer
    02= No referer
    03= IP address has changed since last login
    */
    require("config.inc.php");
    require(
    "include/functions.inc");
    $con mysql_connect($DBhost,$DBusername,$DBpassw);
    if (!
    $con)
      {
      die(
    'Kan ikke koble til mysql: ' mysql_error());
      }
    mysql_select_db($db$con);
    /* Get username and password from form */
    $username $_POST['username'];
    $password $_POST['password'];
    /* Prevent SQL Injetion */
    $username = @stripslashes($username);
    $username = @mysql_real_escape_string($username);
    $username = @strip_tags($username);
    $username = @substr($username012); 
    $password = @stripslashes($password); 
    $password = @mysql_real_escape_string($password);
    $password = @strip_tags($password);
    $password = @substr($password012);
    CheckReferer($username,$DBhost,$DBuser,$DBpassw)
    /* SQL Setting */
    $sql 'SELECT username,password,login_count,last_login,this_login,role FROM users,user_roles WHERE username = "' $username '" AND password = "'$password '" AND user_role = role_id LIMIT 1';
    $con mysql_connect($DBhost,$DBusername,$DBpassw);
    if (!
    $con)
      {
      die(
    'Could not connect: ' mysql_error());
      }
    mysql_select_db($db$con);
    $result mysql_query($sql);
    while(
    $row mysql_fetch_array($result))
      {
        
    $DBusername $row['username'];
        
    $password $row['password'];
        
    $user_role $row['role'];
        
    $login_count $row['login_count'];
        
    $last_login $row['last_login'];
        
    $this_login $row['this_login'];
      }
    if(
    $passw $password)
        {
        
    session_cache_limiter('private');
        
    init_session();
        
    $_SESSION["loggedin"] = true;
        
    $_SESSION['user_role'] = $user_role;
        
    UpdateSession($username,$password,$login_count,$this_login,$last_login);
        
    header('Location: index.php');
        
    //echo "DEBUG: loggedin=" . $_SESSION['loggedin'] . "</br> login=ok</br>user_role=" . $_SESSION['user_role']; 
        
    }
        else
        {
        @
    session_destroy();
        echo 
    "Wrong username or password!";        
        }
    mysql_close($con);
    ?>
    </body>
    </html>
    functions.inc
    ---------------
    PHP Code:
    <?php
    /* Functions.php - Cointains all functions */
    /* Functions - CheckReferer Checks if user came from the correct login form. */
    function CheckReferer($username,$DBhost,$DBuser,$DBpassw)
        {
        if(isset(
    $_SERVER['HTTP_REFERER'])){
        if(
    $_SERVER['HTTP_REFERER'] != "http://localhost:8888/pita/index.php?go=login"){
            
    /* Log to db and warn user */
            
    $error_code "0001";
            echo 
    "Internal server error ID:" $error_code "</br>" "The error occured: " date("d/m/y H:i:s");
            
    /* Update DB */
            
    $con mysql_connect($DBhost,$DBuser,$DBpassw);
            if (!
    $con)
              {
              die(
    'Could not connect: ' mysql_error());
              }
            
    mysql_select_db($db$con);
            
    $sql "INSERT INTO failed_login (ip, username, session_id, error_code) 
            VALUES ('" 
    $username "', '" .$$_SERVER['REMOTE_ADDR'] . "', '" session_id() . "', '" $error_code "')";
            
    mysql_query($sql);
            
    mysql_close();
        }

    else{
        echo 
    "Internal server error ID: 02";
    }

        }
    function 
    init_session() {
        
    session_start();
        if (!isset(
    $_SESSION["visited"])) { create_session(); }
        else {
            if (!
    validate_session()) {
                
    session_destroy();
                
    create_session();
            }
        }
    }
    function 
    create_session() {
        
    $_SESSION["visited"] = "yes";
        
    $_SESSION["UA"] = $_SERVER["HTTP_USER_AGENT"];
        
    $_SESSION["IP"] = $_SERVER["REMOTE_ADDR"];
        
    $_SESSION["loggedin"] = false;
    }
    function 
    validate_session() {
        if ((
    $_SESSION["UA"] == $_SERVER["HTTP_USER_AGENT"]) and ($_SESSION["IP"] == $_SERVER["REMOTE_ADDR"])) {
            return 
    true;
        }
        else { return 
    false; }
    }
    function 
    IPcheck($ip,$username,$password,$DBusername,$DBpassw)
        {
        
    $con mysql_connect($DBhost,$DBusername,$DBpassw);
        if (!
    $con)
          {
          die(
    'Could not connect: ' mysql_error());
          }
        
    mysql_select_db($db$con);
        
    $sql "SELECT ip FROM users WHERE username='$username' AND password='$password' LIMIT 1";
        while(
    $row mysql_query($sql))
        {
        
    $row['ip'] = $ip;
        }
        if(
    $_SERVER['REMOTE_ADDR'] != $ip)
        {
        echo 
    "Internal server error ID: 3";
        
    session_destroy();
        }
        
        }
    /* Updates schemas with new userinfo */
    function UpdateSession($username,$password,$login_count,$this_login,$last_login)
        {
        
    $login_count++;
        
    $last_login $this_login;
        
    $this_login date("Y-m-d H:i:s");
        
    $sql "UPDATE users SET login_count='$login_count',last_login='$last_login',this_login='$this_login',session='" session_id() . "',ip='" .     $_SERVER['REMOTE_ADDR'] . "' WHERE username='$username' AND password='$password' LIMIT 1";
        
    mysql_query($sql);
        
        }
    /* Creates a new exsternal java script usage CreateExternalJavaScript("script") */
    function CreateExternalJavaScript($script)
        {
        echo 
    '<script type="text/javascript" src="' $script '">';
        }
    ?>
    Last edited by RanK2007; 03-09-2009 at 04:50 PM. Reason: UPDATE: Got it working


 

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •