Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 9 of 9

Thread: login problems

  1. #1
    Regular Coder
    Join Date
    Mar 2005
    Posts
    735
    Thanks
    4
    Thanked 1 Time in 1 Post

    login problems

    I ran into some problems in the login.
    The index page shows this:
    PHP Code:
    <form action="login/login.php" method="post"
      <
    label for="login-username" style="float: left; margin: 0px 0px 0px 5px;">Username:</label><br /> 
      <
    input type="text" name="username" id="login-username" value="" style="float: left; margin: 0px 0px 0px 5px; border: 1px solid #7A1010; color: #7A1010;" />
      <
    label for="login-password" style="float: left; margin: 0px 0px 0px 5px;" >Password:</label><br /> 
      <
    input type="password" name="password" id="login-password" value="" style="float: left; margin: 0px 0px 0px 5px; border: 1px solid #7A1010; color: #7A1010;" /><br /> 
      <
    br />
      <
    label for="login-remember" style="float: left; margin: 0px 0px 0px 5px;">Remember me?</label>
      <
    input type="checkbox" name="remember" id="login-remember" style="float: left; margin: 5px 0px 0px 5px;" /><br />
      <
    input type="submit" value="Login" style="float: left; margin: 0px 0px 0px 5px; background-color: #7A1010; color: #EAE8C8;" />
    </
    form
    The form leads to here:
    PHP Code:
    <?php
    // Database connection file
    require_once("includefiles/dbconnection.php");
    $un=isset($_POST['username']) ? $_POST['username'] : "";
    $pw=isset($_POST['password']) ? $_POST['password'] : "";
    echo 
    "Hellooooooo!!!!!!!!!!!!".$un." ".$pw;
    // Form submitted?
    if($_SERVER['REQUEST_METHOD'] == "POST"){
        
    $errors = array();
        
    // Validate form
        
    foreach($_POST as $key => $value){
            if(empty(
    $value)){
                
    $errors[$key] = $key " was empty";
            }
        }
        
    // If no errors, continue
        
    if(count($errors) == 0){
            
    $sql sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')"$un$pwextract(mysql_fetch_assoc(mysql_query($sql)));
            
    //echo $sql;
            // If this is not set, there was an error
            
    if(!isset($success)){
                
    $errors[] = "that username and password combination are incorrect";
            }else{
                
    // Remember me?
                
    if(isset($_POST['remember'])){
                    
    setcookie("login"$_POST['username'] . ":" $successtime() + (3600 24 30)); // store for 30 days
                
    }
                
    // Log the user in
                
    $_SESSION['login'] = true;
                
    $_SESSION['username'] = $_POST['username'];
                
    $_SESSION['group'] = $success;
                
    $_SESSION['just_logged_in'] = true// to display a message
                // Redirect back to the main page
                
    $redirect true;
                unset(
    $errors);
            }
        }
    }else{
        
    // The form was not submitted, so they shouldn't be here
        
    $redirect true;
    }
    // Redirect if needed
    if(isset($redirect)){
        
    header("Location: " $baseURL);
        exit;
    }
    include(
    "login-form.php");
    ?>
    But this page shows blank.
    Compare bible texts (and other tools):
    TheWheelofGod

  • #2
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,472
    Thanks
    8
    Thanked 1,085 Times in 1,076 Posts
    First of all, any script that uses SESSION, but start like this:

    <?php
    session_start();

    Your blank page indicates you have a PHP script error, but your error
    reporting is turned off, so it won't tell you what is wrong.

    I would change the top part of your script to this ....

    <?php
    session_start();
    error_reporting(E_ALL);





    .

  • #3
    Regular Coder
    Join Date
    Mar 2005
    Posts
    735
    Thanks
    4
    Thanked 1 Time in 1 Post
    Quote Originally Posted by mlseim View Post
    First of all, any script that uses SESSION, but start like this:

    <?php
    session_start();

    Your blank page indicates you have a PHP script error, but your error
    reporting is turned off, so it won't tell you what is wrong.

    I would change the top part of your script to this ....

    <?php
    session_start();
    error_reporting(E_ALL);
    .
    Should be
    PHP Code:
          $sql sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')"
                       
    mysql_real_escape_string($_POST['username']), $_POST['password']);
          
    extract(mysql_fetch_assoc(mysql_query($sql)));
          echo 
    $sql
    Compare bible texts (and other tools):
    TheWheelofGod

  • #4
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,472
    Thanks
    8
    Thanked 1,085 Times in 1,076 Posts
    What does your last post mean?
    That you found the problem, or you are asking about it?

  • #5
    Regular Coder
    Join Date
    Mar 2005
    Posts
    735
    Thanks
    4
    Thanked 1 Time in 1 Post
    Quote Originally Posted by mlseim View Post
    What does your last post mean?
    That you found the problem, or you are asking about it?
    It doesn't solve the problem but the original code was:
    PHP Code:
          $sql sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')"
                       
    mysql_real_escape_string($_POST['username']), $_POST['password']);
          
    extract(mysql_fetch_assoc(mysql_query($sql)));
          echo 
    $sql
    instead of
    PHP Code:
    $sql sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')"$un$pwextract(mysql_fetch_assoc(mysql_query($sql))); 
    I thought that was the error because it was in a bracket so I removed the ; and skipped a line. But that made it worse. I declared the $un and $pw to the $_POST above as well.
    Last edited by gilgalbiblewhee; 05-26-2011 at 08:02 PM.
    Compare bible texts (and other tools):
    TheWheelofGod

  • #6
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,472
    Thanks
    8
    Thanked 1,085 Times in 1,076 Posts
    I've never seen a query request using sprintf ... that's a new one for me.

    Maybe you can try the query in a way like this:
    http://www.tizag.com/mysqlTutorial/mysqltables.php


    .

  • #7
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,642
    Thanks
    2
    Thanked 405 Times in 397 Posts
    gilgalbiblewhee, turn on error reporting or check the error log so you can see the what is causing the problem. You should also be hashing the password using PHP's md5() instead of passing the raw string to MySQL. You are open to SQL injection with the way you have it now.

    Quote Originally Posted by mlseim View Post
    I've never seen a query request using sprintf ... that's a new one for me.
    sprintf() just formats the string. It's similar to do prepared statements in that you use placeholders and can limit the input to types, but you still have to execute the query.

  • #8
    Regular Coder
    Join Date
    Mar 2005
    Posts
    735
    Thanks
    4
    Thanked 1 Time in 1 Post
    Quote Originally Posted by Inigoesdr View Post
    gilgalbiblewhee, turn on error reporting or check the error log so you can see the what is causing the problem. You should also be hashing the password using PHP's md5() instead of passing the raw string to MySQL. You are open to SQL injection with the way you have it now.



    sprintf() just formats the string. It's similar to do prepared statements in that you use placeholders and can limit the input to types, but you still have to execute the query.
    Ok. Turning on the errors shows the following:
    Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in ...\login.php on line 22

    Warning: extract() expects parameter 1 to be array, null given in ... \login.php on line 22
    Line 22 is:
    PHP Code:
          $sql sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')"
                       
    mysql_real_escape_string($_POST['username']), $_POST['password']);
          
    extract(mysql_fetch_assoc(mysql_query($sql)));//line 22
          
    echo $sql
    ...and the password is md5ed:
    $sql = sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')"
    , mysql_real_escape_string($_POST['username']), $_POST['password']);
    extract(mysql_fetch_assoc(mysql_query($sql)));//line 22
    echo $sql;
    Last edited by gilgalbiblewhee; 05-27-2011 at 01:53 AM.
    Compare bible texts (and other tools):
    TheWheelofGod

  • #9
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,642
    Thanks
    2
    Thanked 405 Times in 397 Posts
    Quote Originally Posted by gilgalbiblewhee View Post
    Ok. Turning on the errors shows the following:
    Your query failed, find out why. What is the value of $sql after the sprintf line?

    Quote Originally Posted by gilgalbiblewhee View Post
    ...and the password is md5ed:
    Yeah, but if you read my message I state that you should do it in PHP instead of MySQL because you are passing the raw string to MySQL to be hashed, which leaves you open to SQL injection.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •