Page 1 of 3

session handling code

Posted: Sat Oct 08, 2005 7:18 pm
by camhabib
I'm trying to create a secure part of a website using cookies. I have created a login page which brings up an html page. At the top of that html page, and ever page that I want secure, there is a link to run this script like

Code: Select all

<?php
include "login.php";
?>
The only problem is that even if you use the wrong username and password the page still comes up as normal. I want to make it so that only people that I manually add through the phpmyadmin can access and view pages with that include statement on it. Any suggestions?

"login.php":

Code: Select all

<?php

session_start();

if (! isset($_session['name'])) {
if (isset ($_post['username']))
{

$username = $_post['username'];
$password = $_post['password'];

$username="abc";
$password="abc";
$database="mysql";
mysql_pconnect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");

$query = "SELECT FROM user_handle.user WHERE username='$username' AND password='$password'";
$result = mysql_query($query);

if (mysql_numrows($result) == 1)
{
echo "Sorry but you are not authorized to view this page";
}
}
else {
include "admin.html";
}
}
else {
}
?>

Posted: Sat Oct 08, 2005 7:22 pm
by Charles256
ermm..wouldn't the number of results equaling one be a good thing????

Posted: Sat Oct 08, 2005 7:26 pm
by camhabib
Yes, I believe your right on that one, it should be a "!=", however, when I type in the right password using that code it should give me that echo, but it doesn't. I definitely think I'm missing something in that script.

Posted: Sat Oct 08, 2005 7:35 pm
by redmonkey

Code: Select all

$username = $_post['username'];
$password = $_post['password'];

Code: Select all

$username="abc";
$password="abc";
Seems you end up checking to see if anyone is using the database username and password.

Posted: Sat Oct 08, 2005 7:38 pm
by Charles256
no it shouldn't.unless you got someone in the database with username abs and password abc it should go to the else:-D because whatever is written into username and pass from the post is over written by your assignment to abc abc.

Posted: Sat Oct 08, 2005 7:43 pm
by camhabib
Wow, looks like I forgot to change the two variables to something different. here is the updated script, which still will not block anyone out:

Code: Select all

<?php

session_start();

if (! isset($_session['name'])) {
if (isset ($_post['username']))
{

$person = $_post['username'];
$pwd = $_post['password'];

$username="abc";
$password="abc";
$database="mysql";
mysql_pconnect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");

$query = "SELECT FROM user_handle.user WHERE username='$person' AND password='$pwd'";
$result = mysql_query($query);

if (mysql_numrows($result) != 1)
{
echo "Sorry but you are not authorized to view this page";
}
}
else {
include "admin.html";
}
}
else {
}
?>

Posted: Sat Oct 08, 2005 7:47 pm
by mickd

Code: Select all

"SELECT FROM user_handle.user WHERE username='$person' AND password='$pwd'";
should be

Code: Select all

"SELECT user_handle FROM user WHERE username='$person' AND password='$pwd'";
or something like that

Posted: Sat Oct 08, 2005 7:49 pm
by Charles256
change ..

Code: Select all

if (mysql_numrows($result) != 1)
{
echo "Sorry but you are not authorized to view this page";
}
}
else {
include "admin.html";
}
to..

Code: Select all

if (mysql_num_rows($result) == 1)
{
include ("admin.html");
}
else
{
echo ("Sorry but you are not authorize to view this page.");
}
you had a typo on mysql_num_rows :-D
edit: and what the guy above me said.

ONE LAST EDIT: $_post DOES NOT EQUAL $_POST. :-D

Posted: Sat Oct 08, 2005 7:57 pm
by camhabib
Alright, so, this is the code as it stands now:

Code: Select all

<?php

session_start();

if (! isset($_SESSION['name'])) {
if (isset ($_POST['username']))
{

$person = $_POST['username'];
$pwd = $_POST['password'];

$username="abc";
$password="abc";
$database="mysql";
mysql_pconnect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");

$query = "SELECT name FROM user_handle.user WHERE username='$person' AND password='$pwd'";
$result = mysql_query($query);

if (mysql_num_rows($result) == 1) 
{ 
include ("admin.html"); 
} 
else 
{ 
echo ("Sorry but you are not authorize to view this page."); 
} 
}
?>
The link to this code on the html page is

Code: Select all

<?php 
require("login.php");
?>
The login screen comes up but now no matter what you type in, the correct password or username, it comes up with a blank screen.

Posted: Sat Oct 08, 2005 7:57 pm
by Charles256
read the last edit on my above post..try changing that first..

Posted: Sat Oct 08, 2005 8:00 pm
by camhabib
Changed it and still nothing. How do I know if its actually creating a cookie or not? I also set the SID myself and didn't let the computer set it. As it stands the password is "test" username is "test" and the SID is "test".

Posted: Sat Oct 08, 2005 8:00 pm
by Charles256
another error..holy hell man....we gotta get you a beginning PHP book:-D I'm just copying my connect and select DB code..compaer to yours..

Code: Select all

$dbhost= 'localhost';
$dbuser= 'user';
$dbpass= 'pass';

$conn= mysql_connect($dbhost,$dbuser,$dbpass) or die ('Error connecting to the database.');

$dbname='database';
mysql_select_db($dbname);
see the errors in yours?

Posted: Sat Oct 08, 2005 8:02 pm
by camhabib
Shoot, sad thing is I already went through the beginners book. Still doesn't want to work though, that white screen is killing me.

Posted: Sat Oct 08, 2005 8:05 pm
by mickd
i think your missing a closing } for the first or second if statement.

Posted: Sat Oct 08, 2005 8:09 pm
by camhabib
mickd wrote:i think your missing a closing } for the first or second if statement.
Yep, once again another error. Code in its current revision:

Code: Select all

<?php

session_start();

if (! isset($_SESSION['name'])) {
if (isset ($_POST['username']))
{

$person = $_POST['username'];
$pwd = $_POST['password'];

$username="abc";
$password="abc";
$database="mysql";
mysql_connect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");

$query = "SELECT name FROM user_handle.user WHERE username='$person' AND password='$pwd'";
$result = mysql_query($query);

if (mysql_num_rows($result) == 1) 
{ 
include ("admin.html"); 
} 
} else 
{ 
echo ("Sorry but you are not authorize to view this page."); 
} 
}

?>
White screen is no more but now it just displays the "Sorry but you are not authorize to view this page." no matter correct or incorrect password.