session handling code
Posted: Sat Oct 08, 2005 7:18 pm
by camhabib
I'm trying to create a secure part of a website using cookies. I have created a login page which brings up an html page. At the top of that html page, and every page that I want secure, there is a link to run this script like
The only problem is that even if you use the wrong username and password the page still comes up as normal. I want to make it so that only people that I manually add through the phpmyadmin can access and view pages with that include statement on it. Any suggestions?
"login.php":
Code:
<?php
session_start();
if (! isset($_session['name'])) {
if (isset ($_post['username']))
{
$username = $_post['username'];
$password = $_post['password'];
$username="abc";
$password="abc";
$database="mysql";
mysql_pconnect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");
$query = "SELECT FROM user_handle.user WHERE username='$username' AND password='$password'";
$result = mysql_query($query);
if (mysql_numrows($result) == 1)
{
echo "Sorry but you are not authorized to view this page";
}
}
else {
include "admin.html";
}
}
else {
}
?>
Posted: Sat Oct 08, 2005 7:22 pm
by Charles256
ermm..wouldn't the number of results equaling one be a good thing????
Posted: Sat Oct 08, 2005 7:26 pm
by camhabib
Yes, I believe you're right on that one, it should be a "!=", however, when I type in the right password using that code it should give me that echo, but it doesn't. I definitely think I'm missing something in that script.
Posted: Sat Oct 08, 2005 7:35 pm
by redmonkey
Code:
$username = $_post['username'];
$password = $_post['password'];
Seems you end up checking to see if anyone is using the database username and password.
Posted: Sat Oct 08, 2005 7:38 pm
by Charles256
no it shouldn't. unless you got someone in the database with username abs and password abc it should go to the else :-D because whatever is written into username and pass from the post is overwritten by your assignment to abc abc.
Posted: Sat Oct 08, 2005 7:43 pm
by camhabib
Wow, looks like I forgot to change the two variables to something different. Here is the updated script, which still will not block anyone out:
Code:
<?php
session_start();
if (! isset($_session['name'])) {
if (isset ($_post['username']))
{
$person = $_post['username'];
$pwd = $_post['password'];
$username="abc";
$password="abc";
$database="mysql";
mysql_pconnect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");
$query = "SELECT FROM user_handle.user WHERE username='$person' AND password='$pwd'";
$result = mysql_query($query);
if (mysql_numrows($result) != 1)
{
echo "Sorry but you are not authorized to view this page";
}
}
else {
include "admin.html";
}
}
else {
}
?>
Posted: Sat Oct 08, 2005 7:47 pm
by mickd
Code:
"SELECT FROM user_handle.user WHERE username='$person' AND password='$pwd'";
should be
Code:
"SELECT user_handle FROM user WHERE username='$person' AND password='$pwd'";
or something like that
Posted: Sat Oct 08, 2005 7:49 pm
by Charles256
change ..
Code:
if (mysql_numrows($result) != 1)
{
echo "Sorry but you are not authorized to view this page";
}
}
else {
include "admin.html";
}
to..
Code:
if (mysql_num_rows($result) == 1)
{
include ("admin.html");
}
else
{
echo ("Sorry but you are not authorize to view this page.");
}
you had a typo on mysql_num_rows

edit: and what the guy above me said.
ONE LAST EDIT: $_post DOES NOT EQUAL $_POST.

Posted: Sat Oct 08, 2005 7:57 pm
by camhabib
Alright, so, this is the code as it stands now:
Code:
<?php
session_start();
if (! isset($_SESSION['name'])) {
if (isset ($_POST['username']))
{
$person = $_POST['username'];
$pwd = $_POST['password'];
$username="abc";
$password="abc";
$database="mysql";
mysql_pconnect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");
$query = "SELECT name FROM user_handle.user WHERE username='$person' AND password='$pwd'";
$result = mysql_query($query);
if (mysql_num_rows($result) == 1)
{
include ("admin.html");
}
else
{
echo ("Sorry but you are not authorize to view this page.");
}
}
?>
The link to this code on the html page is
The login screen comes up but now no matter what you type in, the correct password or username, it comes up with a blank screen.
Posted: Sat Oct 08, 2005 7:57 pm
by Charles256
read the last edit on my above post..try changing that first..
Posted: Sat Oct 08, 2005 8:00 pm
by camhabib
Changed it and still nothing. How do I know if it's actually creating a cookie or not? I also set the SID myself and didn't let the computer set it. As it stands the password is "test" username is "test" and the SID is "test".
Posted: Sat Oct 08, 2005 8:00 pm
by Charles256
another error..holy hell man....we gotta get you a beginning PHP book :-D I'm just copying my connect and select DB code..compare to yours..
Code:
$dbhost= 'localhost';
$dbuser= 'user';
$dbpass= 'pass';
$conn= mysql_connect($dbhost,$dbuser,$dbpass) or die ('Error connecting to the database.');
$dbname='database';
mysql_select_db($dbname);
see the errors in yours?
Posted: Sat Oct 08, 2005 8:02 pm
by camhabib
Shoot, sad thing is I already went through the beginners book. Still doesn't want to work though, that white screen is killing me.
Posted: Sat Oct 08, 2005 8:05 pm
by mickd
I think you're missing a closing } for the first or second if statement.
Posted: Sat Oct 08, 2005 8:09 pm
by camhabib
mickd wrote: I think you're missing a closing } for the first or second if statement.
Yep, once again another error. Code in its current revision:
Code:
<?php
session_start();
if (! isset($_SESSION['name'])) {
if (isset ($_POST['username']))
{
$person = $_POST['username'];
$pwd = $_POST['password'];
$username="abc";
$password="abc";
$database="mysql";
mysql_connect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");
$query = "SELECT name FROM user_handle.user WHERE username='$person' AND password='$pwd'";
$result = mysql_query($query);
if (mysql_num_rows($result) == 1)
{
include ("admin.html");
}
} else
{
echo ("Sorry but you are not authorize to view this page.");
}
}
?>
White screen is no more but now it just displays the "Sorry but you are not authorize to view this page." no matter correct or incorrect password.
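Editor's added example, not code from any poster in this thread: every revision of login.php above builds its query by interpolating $_POST values into the SQL string, compares a plaintext password, and never sets $_SESSION['name'], so the session check at the top can never pass. The sketch below shows the same login flow with a bound parameter, a hashed password and the session flag set on success. Assumptions: PDO with the SQLite driver stands in for the MySQL server, the table is called user with the username, password and name columns used in the thread, and the sample account is constructed.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with the SQLite
// driver stands in for the MySQL server, and the `user` table stores a
// password_hash() value in `password` instead of the plaintext the thread uses.

function authenticate(PDO $pdo, string $person, string $pwd): ?string
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT name, password FROM user WHERE username = ?');
    $stmt->execute([$person]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() recomputes the salted hash and compares in constant time.
    if ($row === false || !password_verify($pwd, $row['password'])) {
        return null;
    }
    return $row['name'];
}

function login(PDO $pdo, array $post): bool
{
    if (!isset($post['username'], $post['password'])) {
        return false;
    }
    $name = authenticate($pdo, (string) $post['username'], (string) $post['password']);
    if ($name === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh session id once the user is logged in
    }
    $_SESSION['name'] = $name;         // the flag the protected pages check
    return true;
}

// Constructed sample data so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT, name TEXT)');
$pdo->prepare('INSERT INTO user VALUES (?, ?, ?)')
    ->execute(['test', password_hash('test', PASSWORD_DEFAULT), 'Test User']);

session_start();
var_dump(login($pdo, ['username' => 'test', 'password' => 'test']));
var_dump(login($pdo, ['username' => 'test', 'password' => 'wrong']));
var_dump(login($pdo, ['username' => "o'brien", 'password' => 'x']));
```

A protected page then calls session_start() and refuses to render unless $_SESSION['name'] is set; the username containing a quote is handled as ordinary data because it is bound rather than concatenated.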