Whats wrong with these user login form/user login script

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
black85
Forum Newbie
Posts: 16
Joined: Mon Jun 26, 2006 1:36 pm

Whats wrong with these user login form/user login script

Post by black85 »

Hi people,
I'm trying to give users mechanism or means to prove their authenticity using a 2 field form and am supposed to get the following login result:

Congratulations, John Doe, you are authorized!

Authorized Users' Menu:

. secret page



But unfortunately, the above message is not displayed in the browser.

auth_users table
-----------------
create table auth_users
(
id int not null primary key auto_increment,
f_name varchar(50),
l_name varchar(50),
email varchar(150),
username varchar(25),
password varchar(75)
);

insert into auth_users values (null, 'john', 'doe', 'john@doe.com', 'jdoe', password('doepass'));

listing15.7.php - user login form
-------------------------------

Code: Select all

<html>
<head>
<title>Listing 15.7 User Login Form</title>
</head>
<body>
<H1>Login Form</H1>
<FORM METHOD="POST" ACTION="listing15.8.php">
<P><STRONG>Username/STRONG><BR>
<INPUT TYPE="text" NAME="username"></p>
<P><STRONG>Password/STRONG><BR>
<INPUT TYPE="password" NAME="password"></p>
<P><INPUT TYPE="SUBMIT" NAME="submit" VALUE="Login"></P>
</FORM>
</body>
</html>
listing15.8.php - user login script
--------------------------------

Code: Select all

<?php
//check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: listing15.7.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("localhost", "root", "olu1bal")
or die(mysql_error());
mysql_select_db("testDB",$conn) or die(mysql_error());

//create and issue the query
$sql = "select f_name, l_name from auth_users where username = '$_POST[username]' AND password = password('$_POST[password]')";
$result = mysql_query($sql,$conn) or die(mysql_error());

//get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
//if authorized, get the values of f_name l_name
$f_name = mysql_result($result, 0, 'f_name');
$l_name = mysql_result($result, 0, 'l_name');

//set authorization cookie
setcookie("auth", "1", 0, "/", "yourdomain.com", 0);

//prepare message for printing, and user menu
$msg = "<P>$f_name $l_name is authorized!</p>";
$msg .= "<P>Authorized Users' Menu:";
$msg .= "<ul><li><a href=\"listing15.8.php\">secret page</a></ul>";
} else {
//redirect back to login form if not authorized
header("Location: listing15.7.php");
exit;
}
?>
<HTML>
<HEAD>
<TITLE>Listing 15.8 User Login </TITLE>
</HEAD>
<BODY>
<? print "$msg"; ?>
</BODY>
</HTML>
listing15.9.php - checking for auth cookie
----------------------------------------

Code: Select all

<?php
if ($_COOKIE[auth] == "1") {
$msg = "<p>You are an authorized user.</p>";
} else {
//redirect back to login form if not authorized
header("Location: listing15.7.php");
exit;
}
?>
<html>
<head>
<title>Listing 15.8 Accessing a restricted page </title>
</head>
<body>
<?php print "$msg"; ?>
</body>
</html>
Last edited by black85 on Tue Jul 11, 2006 1:36 pm, edited 1 time in total.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Is there a PHP equivalent function for the MySQL password() function? I don't think there is. This may be causing you problems. The MySQL password() hashes a string. If there is no way to match that string in PHP you will never be able to validate the authenticity of the users supplied pasword.

You may want to look into the PHP functions md5() or sha1(). Better yet, look into the code snippets forum and search for Feyd's sha256 code. It is a sweet thing.

PS Please use the appropriate bbcode tags when posting code or PHP. They are the little buttons above the posting textarea when you post. Highlight the text that needs to be wrapped, then click the Code button or PHP button. Thanks.
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

I agree with everything Everah said, except the comments about using password(). The reference to password() is within an unescaped SQL statement, therefore referencing MySQL's PASSWORD() function. But he is right about NOT using MySQL's PASSWORD() but instead using SHA1() or SHA256(), whatever is easiest for you. Both MySQL and PHP have built-in SHA1() hash functions, whereas you can find many PHP implementations of better hash functions, such as feyd's SHA256 that was mentioned, or many of the PHP mhash functions. Several of these are also available in JavaScript.

I'm curious as to why you're using a cookie rather than a session to store user credentials. A cookie is relatively simple to fake or steal, whereas session data is not.

As far as your actual problem is concerned:

Check to see if you haven't accidentally inserted a double record with the same username / password, and the test for ( mysql_num_rows($result) == 1 ) fails for this reason.

The line that displays the $msg variable uses short tags, does your PHP config allow this? Try using the regular style opening PHP tag that you've used in the rest of your script.
Post Reply