extremely simple log-in script

nemode
Forum Newbie
Posts: 12
Joined: Sat Nov 01, 2003 11:20 am

extremely simple log-in script

Post by nemode »

this is my extremely simple log-in script:

Code:

<?php

$filename = 'txt/'.$username.'.txt';

$file = fopen( $filename, "r" );
explode("~", $file);
if($pass == $file[1])
echo('<META HTTP-EQUIV="Refresh" CONTENT="1;URL=index.php?p=logged">');
else
echo('<META HTTP-EQUIV="Refresh" CONTENT="1;URL=index.php?p=failed">');

?>

there is a text file for every user. it contains something like this:

pass~hello

it doesn't work... anyone have any ideas?
RTT
Forum Commoner
Posts: 38
Joined: Thu Jul 17, 2003 10:22 am
Location: Wolverhampton, UK

Post by RTT »

Even if it did work, navigating straight to index.php?p=logged would completely circumnavigate your login system :)
nemode
Forum Newbie
Posts: 12
Joined: Sat Nov 01, 2003 11:20 am

Post by nemode »

huh?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

that's probably right ;)

But to answer your first question:
in your code $file is a file descriptor but explode takes a string as parameter.
Take a look at http://php.net/fgets

Also note that explode() returns the exploded array

Code:

<?php
$myString = 'a b c d e';
$arr = explode(' ', $myString);
?>

and now for the index.php?p=(logged/failed) thing:
What does index.php do? Simply test whether p is set to "logged" or "failed". Nothing keeps a client from sending this string "manually".
You need to keep track of client/connection in order to confirm it's still the same, validly logged in.
Take a look at http://php.net/session and maybe http://forums.devshed.com/archive/5/2001/8/3/20718 (just googled)
Last edited by volka on Sat Nov 01, 2003 4:14 pm, edited 1 time in total.
RTT
Forum Commoner
Posts: 38
Joined: Thu Jul 17, 2003 10:22 am
Location: Wolverhampton, UK

Post by RTT »

Check out the fread() and fgets() functions; $file at the moment doesn't hold the content of your text files.

But as I just said, I have a feeling that if someone loaded 'index.php?p=logged' then they would skip straight around your login system, thus making your login system very insecure. Try it ;)
nemode
Forum Newbie
Posts: 12
Joined: Sat Nov 01, 2003 11:20 am

Post by nemode »

yeh i know all about the index.php?p=failed thing. u see i'm learning php and i was trying out things to see how it could be done. it's not for real, just a test
RTT
Forum Commoner
Posts: 38
Joined: Thu Jul 17, 2003 10:22 am
Location: Wolverhampton, UK

Post by RTT »

nemode wrote: yeh i know all about the index.php?p=failed thing. u see i'm learning php and i was trying out things to see how it could be done. it's not for real, just a test

Yeah, that's fine as long as you knew about the 'exploit' :)
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

you might wanna try sessions, it's just as simple, except it's secure :P
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Yeah, set a session or cookie instead of passing a simple variable via GET method.

PHP manual: setcookie
Google search: php sessions
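
The approach the replies point to (read the file with fgets(), use the array that explode() returns, and track the login in a session rather than in ?p=logged), as an added example that is not part of any post in this thread. The helper name check_login, the form field names and the session key 'user' are assumptions; the txt/<username>.txt layout with pass~hello is the one from the first post.

```php
<?php
// Added example: gate the page on a server-side session instead of ?p=logged.
// Assumes the first post's layout: txt/<username>.txt holding one line "pass~hello".
session_start();

// Hypothetical helper: true if $pass matches the value stored for $username.
function check_login(string $username, string $pass): bool
{
    // Allow-list the name so it can only select a file inside txt/.
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $username)) {
        return false;
    }
    $fh = @fopen('txt/' . $username . '.txt', 'r');
    if ($fh === false) {
        return false; // unknown user
    }
    $line = fgets($fh); // fopen() returns a handle; fgets() reads the text
    fclose($fh);
    if ($line === false) {
        return false; // empty file
    }
    $parts = explode('~', rtrim($line, "\r\n"), 2); // use the returned array
    // Plaintext compare only because the thread's file format stores plaintext;
    // a real store would hold password_hash() output checked with password_verify().
    return isset($parts[1]) && hash_equals($parts[1], $pass);
}

$u = $_POST['username'] ?? null;
$p = $_POST['pass'] ?? null;
if (is_string($u) && is_string($p) && check_login($u, $p)) {
    session_regenerate_id(true); // fresh session id once authenticated
    $_SESSION['user'] = $u;
}

// Decide from server-side session state, never from a client-supplied p= value.
if (isset($_SESSION['user'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
    echo '<form method="post">'
       . '<input name="username"> <input name="pass" type="password">'
       . '<button>Log in</button></form>';
}
```

Requesting the page with any query string, including ?p=logged, still shows the form until a POST with matching credentials has populated the session.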