PHP Myinvoice Script...

Posted: Fri Sep 29, 2006 1:13 pm
by djreddog
Hello,

I am not the best at PHP yet... But I have done a bunch of things, yet this one is driving me crazy. I am wondering if anyone can help me with this. I am looking for a simple invoice script and I found one. I tried to email the owner but I think they packed up shop.

I am using this script called myinvoice. I try to set it up (thinking it is basic, which it seems). I changed some fields that I know would conform to my site (meaning file paths etc.) and tried to log into it and I am unable to... It just goes in this loop. Every time I use the login it will just loop back to the login page.

Any help would be great. I have battled this for about 2 weeks now and I have rebuilt it and used the original many times.

Please help me, this is my last outlet.

Thanks
Derek

Posted: Fri Sep 29, 2006 2:47 pm
by Burrito
it's really tough to say without seeing any code what the problem could be. Given that you didn't write it, you'll need to check the license and ensure that you can share it.

if you can, show us some code so we can help you.

Posted: Fri Sep 29, 2006 2:52 pm
by djreddog
Burrito | Please use code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


It is a free script so I can post the code...


The index.htm is

Code:

<html>
<head>
<title>My Invoice - log in</title>
<link rel="stylesheet" href="inc/style.css" type="text/css">
<script language="">
<!--
function cursor(){document.login.name.focus();}
// -->
</script>
</head>

<body bgcolor="#FFFFFF" text="#000000" onLoad=cursor()>
<img src="inc/title.gif" width="308" height="82">
<blockquote>
  <p><b>please login</b></p>

<table border="0" cellspacing="0" cellpadding="2">
  <form action="login.php" method="post" name=login>
    <tr>
      <td>Username</td>
      <td>
        <input type="Text" name="name" size="15">
      </td>
    </tr>
    <tr>
      <td height="6">Password</td>
      <td height="6">
        <input type="password" name="password" size="15">
      </td>
    </tr>
    <tr>
      <td colspan="2">
        <input type="Submit" name="submit" value="Enter">
      </td>
    </tr>
  </form>
</table>
</blockquote>
</body>
</html>

This is the login.php code...

Code:

<?
include("inc/config.php");
$connection = mysql_connect($hostname, $user, $pass) or die ("Unable to connect!");
$query = "SELECT * FROM clients WHERE name = '$name' AND password = PASSWORD('$password')";
$result = mysql_db_query($database, $query, $connection);
if (mysql_num_rows($result) == 1)
	{
	session_start();

	session_register("client_id");
	session_register("client_name");
	session_register("client_email");
	session_register("client_ref");
	session_register("client_title");
	list($clientid, $name, $pass, $email, $ref, $title) = mysql_fetch_row($result);
	$client_id = $clientid;
	$client_name = $name;
	$client_email = $email;
	$client_ref = $ref;
	$client_title = $title;
	
	header("Location: menu.php");
	mysql_free_result ($result);	

	mysql_close($connection);
	}
else

	{
	mysql_free_result ($result);	
	mysql_close($connection);

	header("Location: index.htm");
	exit;
	}
?>

I have a username and password to login but it is not working... plus I am using MySQL and PHP...

Thanks for the help and any help you can tell me is great.

Derek





Posted: Fri Sep 29, 2006 3:00 pm
by Burrito
try echoing your query to make sure it's selecting what you think it should be.

also change your include() to require() to make sure that the inc/config.php file is really being found and included.

Posted: Fri Sep 29, 2006 3:02 pm
by miro_igov
The username and/or password is wrong so the query returns 0 rows, or maybe there are multiple records with the same username and password so the query returns > 1 rows.

Or you have disabled register_globals and you should change to

Code:

$query = "SELECT * FROM clients WHERE name = '{$_POST['name']}' AND password = PASSWORD('{$_POST['password']}')";

Posted: Fri Sep 29, 2006 3:33 pm
by djreddog
I tried them and that did not work either. I have the username and password of admin/admin and it will not let me login...

I tried those things you posted and no go, any other ideas?

Thanks Derek

Posted: Fri Sep 29, 2006 3:36 pm
by Burrito
how is the password saved on the database?

in other words, how did you create the password?

Posted: Fri Sep 29, 2006 3:49 pm
by twigletmac
The code looks a little old - mysql_db_query(), for example, has been deprecated for a number of years and session_register() is useless with register_globals off. So - if the code was written for MySQL 3.23 and you are using MySQL 4.x or 5.x then MySQL's PASSWORD() function is returning a different hash than it used to (it's longer for one) and thus an old table definition (based on the expectation of a shorter value) would be truncating the password when it's initially entered so it can't match the result from the function when you try and login.

What all of this means is that you probably need to keep looking for a script (written for PHP 4.2 or up and MySQL 4.1 or up) or give this one a fairly hefty rewrite to bring it up to date.

Mac
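
The length mismatch described in the post above, as an added example that is not code from this thread or from myinvoice: it computes the MySQL 4.1+ PASSWORD() format in PHP and classifies a stored value by its shape. The 16-character column width and a server that silently truncates over-long values (non-strict SQL mode) are assumptions about the old schema.

```php
<?php
// Added illustration, not myinvoice code.
// MySQL 4.1+ PASSWORD(): '*' followed by the upper-case hex of
// SHA1(SHA1(plain)), 41 characters in total. Before 4.1 the function
// returned 16 lower-case hex characters.
function mysql41_password(string $plain): string
{
    return '*' . strtoupper(sha1(sha1($plain, true)));
}

// Classify a value read from the password column by its shape.
function classify_stored_hash(string $stored): string
{
    if (preg_match('/^\*[0-9A-F]{40}$/', $stored)) {
        return '4.1+ hash, intact';
    }
    if (preg_match('/^\*[0-9A-F]{0,39}$/', $stored)) {
        return '4.1+ hash, truncated by a narrow column';
    }
    if (preg_match('/^[0-9a-f]{16}$/', $stored)) {
        return 'pre-4.1 hash';
    }
    return 'not a PASSWORD() hash (plain text or another scheme)';
}

// Assumption: the old table keeps the password in a 16-character column and
// the server is not in strict mode, so longer values are cut off on INSERT.
$full   = mysql41_password('admin');  // what PASSWORD('admin') yields at login
$stored = substr($full, 0, 16);       // what the narrow column kept

// The third value is a password imported as plain text (constructed sample).
foreach ([$full, $stored, 'admin'] as $value) {
    printf("%-42s %s\n", $value, classify_stored_hash($value));
}

// login.php's WHERE clause compares the stored value with the full hash.
var_dump($stored === $full);
```

Running the classifier against the value actually held in the clients table tells the three cases discussed in the thread apart: an intact hash, a truncated one, or a plain-text import.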

Posted: Fri Sep 29, 2006 3:51 pm
by djreddog
I have imported it in there myself with PHPAdmin.

I am calling the row that I want to use to login with.

Posted: Fri Sep 29, 2006 3:54 pm
by Burrito
with phpMyAdmin did you run it through the password() function?

just to narrow down the problem, I would insert it as plain text, then remove the password() function from your select statement. If that lets you through then you know where the issue lies. You can then deal with your password however you want, I'd recommend using sha256 and scrapping the mysql password() function altogether.

Posted: Fri Sep 29, 2006 3:55 pm
by djreddog
If these things are no longer used, what has replaced them? If all I need to do is go through the script and edit them I will do that. It might be easier to just edit the script and use it that way.

Any thoughts?

Posted: Fri Sep 29, 2006 3:56 pm
by djreddog
What is sha256? Sorry I am a newbie still....

Posted: Fri Sep 29, 2006 3:57 pm
by Luke
Script looks pretty crappy to me... it requires register_globals to be on to even work... and it is asking for sql injection.
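
The two problems named in the post above (dependence on register_globals and a query built by interpolating request input), shown fixed in an added example that is not part of myinvoice or of any post in this thread. It assumes PHP 7 or later with PDO and the pdo_sqlite driver; the in-memory SQLite table, the column names id, email, ref and title, and the function names are stand-ins chosen for the example.

```php
<?php
// Added example, not myinvoice code. An in-memory SQLite table stands in for
// the MySQL `clients` table; id, email, ref and title are assumed column names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT UNIQUE,
    password TEXT, email TEXT, ref TEXT, title TEXT)');

// Constructed sample row. password_hash() output is 60 characters or more, so
// the real column must be wide enough (e.g. VARCHAR(255)) to hold all of it.
$pdo->prepare('INSERT INTO clients (name, password, email, ref, title)
    VALUES (?, ?, ?, ?, ?)')->execute(['admin',
    password_hash('admin', PASSWORD_DEFAULT), 'admin@example.com', 'R1', 'Mr']);

function authenticate(PDO $pdo, string $name, string $password): ?array
{
    // The name is bound to a placeholder and sent as data, so quote
    // characters in it cannot alter the structure of the query.
    $stmt = $pdo->prepare('SELECT id, name, password, email, ref, title
        FROM clients WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The hash is checked in PHP instead of with MySQL's PASSWORD().
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Returns the page to redirect to. Input comes from the array passed in
// ($_POST in login.php), never from register_globals variables.
function handle_login(PDO $pdo, array $post): string
{
    $name = is_string($post['name'] ?? null) ? $post['name'] : '';
    $pass = is_string($post['password'] ?? null) ? $post['password'] : '';
    $client = authenticate($pdo, $name, $pass);
    if ($client === null) {
        return 'index.htm';
    }
    session_start();
    session_regenerate_id(true);      // fresh session id after login
    $_SESSION['client'] = $client;    // $_SESSION replaces session_register()
    return 'menu.php';
}

// In login.php: header('Location: ' . handle_login($pdo, $_POST)); exit;
// Offline check with constructed input, including a name containing a quote.
var_dump(authenticate($pdo, 'admin', 'admin') !== null);
var_dump(authenticate($pdo, "ad'min", 'admin') !== null);
```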

Posted: Fri Sep 29, 2006 4:00 pm
by djreddog
I shut off the register_globals. What would I replace the code with? I looked on php.net and they have it there, meaning they're still showing the code I have working... I was kind of thrown for a loop.

Posted: Fri Sep 29, 2006 4:10 pm
by Luke
I wouldn't even use it... how large is the script?