PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.

All times are UTC - 5 hours




Post subject: What have we done wrong?
PostPosted: Sat Dec 09, 2017 1:58 pm
Forum Newbie
Joined: Sat Dec 09, 2017 1:54 pm
Posts: 4
Hi,
We have a website with a members section. There is, therefore, a login page which should get the person's details from our PHP database.
I recently paid a 'programmer' to make some changes and to update the site.
It works most of the time. BUT when I add a new member directly to the database I often find they can't log in.
The only solution I have found is to keep re-adding them until by some magic it works. I then delete the ones that did not work.
Naturally, this is not how it should be done.
The 'programmer' who we paid has now vanished.
The website is for a charity (non-profit) and we do not have any more money to pay someone else, so can some kind expert please look at the code on the login page and hopefully tell me what is wrong so I can fix it?
That would be such a blessing.

Here is what we have at the moment

Code:
<?php
session_start();
// include MySQL functions
include('../includes/dbinfo.php');
include('../includes/functions.php');

function preventinjection2( $value )
{
    if ($value == "") {
        $value = "";
    }
    else {
        if( get_magic_quotes_gpc() )
        {
            $value = stripslashes( $value );
        }

        // The original checked for "mysql_real_string_escape" (a typo), so this
        // branch never ran and every value fell through to addslashes().
        if (function_exists("mysql_real_escape_string")) {
            $value = mysql_real_escape_string( $value );
        }
        else {
            $value = addslashes($value);
        }
    }

    return $value;
}

// isset() avoids an "undefined index" notice when the page is opened without a POST
$txtusername = preventinjection2(isset($_POST['txtusername']) ? $_POST['txtusername'] : '');
$txtpassword = preventinjection2(isset($_POST['txtpassword']) ? $_POST['txtpassword'] : '');
// If both username & password input check against database for match
if (!empty($txtusername) and !empty($txtpassword))
{
    $query = "SELECT Name, Password, Email, Paid FROM users WHERE Email = '$txtusername' AND Password = '$txtpassword'";

    $users = mysql_query($query) or die("your Select statement failed!");
    $useracct = mysql_fetch_array($users);

    // If match then set username & password to session variables
    // and then redirect user...
    if($useracct)
    {
        // Get user information
        $sql = "SELECT * FROM users WHERE Email = '$txtusername' AND Password = '$txtpassword'";

        $sql_result = mysql_query($sql , $conn) or die ("Couldn't execute query.");
        $paid = ""; // initialised so the check below never reads an undefined variable
        while ($row = mysql_fetch_array($sql_result))
        {
            $paid = $row['Paid'];
        }
        if ($paid == "Yes") {
            $_SESSION['username2'] =$txtusername;
            $_SESSION['password2'] =$txtpassword;
            header("Location: index.php");
            exit; // stop here so the form below is not rendered after the redirect
        }
        else {
            echo "Your account has not yet been activated, please contact us for details";
        }
    }
}

// If the above redirect fails the HTML and PHP below is output
// displaying the HTML form and any input values.
include ("../styles/$style");
include ("../includes/visual.php");
?>

<html>
<head>

<title><?php title(); ?> </title>
<!-- Meta tags, description, keywords -->


<!-- CSS Stylesheet -->
<?php stylesheet(); ?>

<!-- Link styles, colours, text decoration etc. -->
<?php styles(); ?>

</head>
<!-- Whole page background colour as set in site settings -->
<body bgcolor="<?php echo $Page; ?>">
<div id="container">
<div id="maincontent">

<!-- Company name banner, with colours from site settings -->
<div id="navbanner" style="background-color:<?php echo $Header;?>; color:<?php echo $Headertext;?>">

<h3><?php echo $Name2; ?></h3>
</div>
<!-- Logo banner -->
<div id="navbanner1" style="background-color:<?php echo $Logo2; ?>"><img src="/<?php logo(); ?>" alt="<?php echo $Name2; ?>"></div>
<!-- Code to display top menu -->
<?php topmenu(); ?>
<!-- Menu box with colour from site settings -->
<div id="navside1" style="background-color:<?php echo $Menu;?>; border:Solid <?php echo $Menuborderpx; echo $Menubc; ?>">

<!-- Code to display actual menu -->
<?php menu(); ?>
</div>

<!-- Main content box with colours from site settings -->
<div class="content" style="background-color:<?php echo $Body; ?>; color:<?php echo $Bodytext; ?>; border:Solid <?php echo $Bodyborderpx; echo $Bodybc; ?>">
<form name="loginform" method="post" action="login.php">

<table id="main">
<tr class="evenrow">
<td colspan="2">
<h4>Login for <strong>Sitters </strong> only.</h4><br />

<strong>Home Owners </strong>you need to email us your new dates and we will add it for you.<br /><br />
</td>
</tr>
<tr class="oddrow">
<td colspan="2">
<h2>
<?php
// full "<?php" tags: short "<?" tags only work when short_open_tag is enabled
if (empty($txtusername) and empty($txtpassword))
{ print "Please input your email and password below:"; }

if (empty($txtusername) and !empty($txtpassword))
{ print "Login error - Please input your email address below:"; }
if (!empty($txtusername) and empty($txtpassword))
{ print "Login error - Please input your password below:"; }
if (!empty($txtusername) and !empty($txtpassword))
{ print "Login error - Your email and/or password have not been recognised!<br>Please try again."; }
?>
</h2>
</td>
</tr>
<tr class="evenrow">
<td>Email Address:</td>
<td>
<!-- attribute value is quoted and HTML-escaped; the original echoed it raw and unquoted -->
<input type="text" width="150" name="txtusername" class="textfield"
<?php if (!empty($txtusername)) { echo 'value="' . htmlspecialchars($txtusername) . '"'; } ?> >
</td>
</tr>
<tr class="oddrow">
<td>Password:</td>
<td>
<input type="password" width="150" name="txtpassword" class="textfield" <?php if (!empty($txtpassword)) { echo 'value="' . htmlspecialchars($txtpassword) . '"'; } ?>>
</td>
</tr>
<tr>
<td colspan="2"><center><input name="cmdSubmit" id="cmdSubmit" type="submit" class="btn" value="Submit"> </center> </td>
</tr>

</table>
</form>
<p> <strong>If you have lost your password please use the Contact form to let us know and we will send you a reminder</strong></p><br /><br />
<a href="https://www.christian-housesitters.com"><img src="return.jpg" alt="Return to Home Page" /></a>
<br/><br /><br />
</div>



</div>

</div>
<div id="copy">
<!-- Code to display footer, required -->
<?php footer(); ?>
</div>
</body>

</html>


PostPosted: Sat Dec 09, 2017 3:01 pm
Spammer :|
Joined: Wed Oct 15, 2008 2:35 am
Posts: 6602
Location: WA, USA
There's actually quite a lot wrong with it...

When the login fails, which error message does the user get? How are users added to the database? What's the code for that?


PostPosted: Sun Dec 10, 2017 4:03 am
Forum Newbie
Joined: Sat Dec 09, 2017 1:54 pm
Posts: 4
Hi,

Thank you for your reply. I appreciate you taking the time.

Users are added to the database by me going into phpMyAdmin and adding their details manually.
The error message is
Login for Sitters only.
Home Owners you need to email us your new dates and we will add it for you.

Sorry to hear that there is a lot wrong with it. I was afraid that might be the case. Is there any simple way I can change that code to make it better? As I mentioned it is for a charity (non-profit) and there are simply no funds at the moment to hire another professional. All the income has gone to a Children's home in Kenya to provide for the 58 children there.

Again many thanks for taking the time to look and to reply.


PostPosted: Sun Dec 10, 2017 10:54 am
Spammer :|
Joined: Wed Oct 15, 2008 2:35 am
Posts: 6602
Location: WA, USA
RAYGDW wrote:
Login for Sitters only.
Home Owners you need to email us your new dates and we will add it for you.

That's not an error message - that's what it always says. For everyone trying to log in. The error would be the "Your account has not yet been activated" or one of the "Login error..." or maybe, hopefully not, something else.

Anything else you can figure out about how or when it doesn't work would be great. It's probably not something random causing this, which means there is a particular reason it doesn't work. No doubt something to do with the user information. So you need to think about what's different between the users you add that don't work and the ones you add that do work. Something about the password? Email address? Any unusual characters involved, like accents or symbols?

As for the code, there are some ways to improve it but it depends on how the rest of the system works. What I mean is, I could propose (or more likely just write) some changes but I can't really know how it will impact the rest of the site. For example, right now all the passwords are stored as-is in the database. That's a Very Bad Thing. Unfortunately you have to add users manually which limits the options available to basically one where you still enter passwords literally when you create users but the login page is capable of "fixing" the data to be safer. Problem is I don't know if those passwords are used on other pages, so simply fixing it on the login page wouldn't be enough - and could even break the rest of the site. (It also means forgetting a password is a matter of you sending them a new one - not telling them what it was originally, which would be impossible to know but is, in fact, a good thing.)


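The "fixing the data to be safer" idea from the reply above, written out as an added example (it is not code from the original poster's site or from the replier). It keeps the same users table columns (Email, Password, Paid) and the same manual way of adding members with a literal password, but looks the user up with a prepared statement by email only, checks the password in PHP with password_verify(), and rewrites a still-plaintext Password value as a password_hash() result the first time that member logs in successfully. Inputs and the stored value are trimmed before comparison, since hand-entered rows can pick up stray whitespace. The PDO connection values are placeholders, and the table/column names are assumed from the posted code.

```php
<?php
// Added example, not the original site's code. Assumes a MySQL table `users`
// with columns Email, Password and Paid as in the posted login page.
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',  // placeholder
    'PLACEHOLDER_USER',                                             // placeholder
    'PLACEHOLDER_PASSWORD',                                         // placeholder
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// True when $stored already is a password_hash() result, false for a legacy
// plaintext value (password_get_info() reports 'unknown' for anything else).
function isHashed(string $stored): bool
{
    return password_get_info($stored)['algoName'] !== 'unknown';
}

// Replace whatever is in the Password column with a proper hash.
function storeHash(PDO $pdo, string $email, string $password): void
{
    $upd = $pdo->prepare('UPDATE users SET Password = ? WHERE Email = ?');
    $upd->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
}

// Returns one of: 'missing', 'bad_credentials', 'not_activated', 'ok'.
function attemptLogin(PDO $pdo, string $email, string $password): string
{
    // Hand-entered rows and form input may carry stray whitespace.
    $email    = trim($email);
    $password = trim($password);
    if ($email === '' || $password === '') {
        return 'missing';
    }

    // Look up by email only; the password never goes into the SQL text.
    $stmt = $pdo->prepare('SELECT Name, Password, Paid FROM users WHERE Email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'bad_credentials';
    }

    $stored = trim((string) $row['Password']);
    if (isHashed($stored)) {
        $ok = password_verify($password, $stored);
        // Keep the hash current if PHP's default algorithm/cost has moved on.
        if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            storeHash($pdo, $email, $password);
        }
    } else {
        // Legacy plaintext row: constant-time compare, then upgrade in place
        // so the literal password is no longer kept in the database.
        $ok = hash_equals($stored, $password);
        if ($ok) {
            storeHash($pdo, $email, $password);
        }
    }
    if (!$ok) {
        return 'bad_credentials';
    }
    if ($row['Paid'] !== 'Yes') {
        return 'not_activated';
    }

    // New session id on login; store who the user is, never their password.
    session_regenerate_id(true);
    $_SESSION['username2'] = $email;
    $_SESSION['name']      = $row['Name'];
    return 'ok';
}

$result = attemptLogin($pdo, $_POST['txtusername'] ?? '', $_POST['txtpassword'] ?? '');
switch ($result) {
    case 'ok':
        header('Location: index.php');
        exit; // nothing below must run once the redirect is sent
    case 'not_activated':
        $message = 'Your account has not yet been activated, please contact us for details';
        break;
    case 'missing':
        $message = 'Please input your email and password below:';
        break;
    default:
        $message = 'Login error - Your email and/or password have not been recognised! Please try again.';
}
// Render the form here; echo htmlspecialchars($message) and leave the
// password field empty rather than re-filling it from the request.
```

Two things to check before putting something like this live, both following from the caveats in the reply: the Password column has to be wide enough for a hash (password_hash() output is 60 characters today, and a VARCHAR(255) leaves room for future algorithms), and any other page that reads the plaintext password or the old `$_SESSION['password2']` value will stop working once the hashes start appearing, so those pages need to be found first. Once passwords are hashed, a forgotten password can only be handled by setting a new one for the member, not by looking the old one up.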
PostPosted: Sun Dec 10, 2017 12:30 pm
Forum Newbie
Joined: Sat Dec 09, 2017 1:54 pm
Posts: 4
Once again heartfelt thanks for taking the time to try and help.

I decided to create a new (fake) member so that I could post a screenshot of the error message. Sod's law it worked perfectly. No error. I tried 3 times with different fake email and passwords and they all worked.

I have no idea why when it has been giving me so many problems recently.

Each user only has 1 password and they are identified by their email and their password. When they forget it they email me, I look it up and tell them. Be lovely if it was automatic, but I can manage as we only get about 1 or 2 forgotten passwords a week, so not really a big burden.

I would love to upgrade everything so that we have a better safer and more efficient system and when we get some money I will really have to do that but until then I am just having to patch and keep things running.

From a security point of view, we do not hold any bank or financial details. All we have is their name, email, chosen password and a short profile telling a little about themselves, their interests etc.

With your permission, may I post again when the next new member fails? I can then post a screenshot of the fail message.

Ray


PostPosted: Sun Dec 10, 2017 2:52 pm
Spammer :|
Joined: Wed Oct 15, 2008 2:35 am
Posts: 6602
Location: WA, USA
Of course.


PostPosted: Sun Dec 10, 2017 3:03 pm
Forum Newbie
Joined: Sat Dec 09, 2017 1:54 pm
Posts: 4
Thank you

