some kind of log in error

ekosoftco
Forum Contributor
Posts: 108
Joined: Fri Aug 04, 2006 8:21 pm

Post by ekosoftco »

ok, this is weird, because it works on one page and not on another, maybe there's something wrong.
i have this login script

Code:

<?php
ob_start();
require('config.php');
echo "<center>";
//Write the login form out
echo "<form method=post action=login.php?action=check><table><tr><td><font size=2>Username:</font></td><td><input type=text name=username></td></tr><tr><td><font size=2>Password:</font></td><td><input type=password name=password></td></tr><tr><td></td><td><input type=submit value=Login></td></tr></table></form>";
//check the input
if($_GET['action'] == 'check')
{
//find the user
$result = mysql_query("SELECT * FROM user WHERE username='{$_POST['username']}'") or die(mysql_error()); 
$row = mysql_fetch_array( $result ); //set $row to result
   if($row['username'] == "")
   {
      echo error();
   }
   else
   {
      //$enc = md5($_POST['Pword']);
      $enc = $_POST['password'];
      if($row['password'] == $enc)
	  {
          $_SESSION['username'] = $_POST['username'];
          $_SESSION['lp'] = 'pl'; 
		  $_SESSION['password'] = $enc;
          $_SESSION['id'] = $row['id'];
		  echo "<center><font color=CCCCCC><b>Welcome " . $_SESSION['username'] . " ID# " . $_SESSION['id'] . " Password " . $_SESSION['password'] . "!</b></font>";
	  header( "Location: staff.php" );
          exit;
	  }
	  else
	  {
	     echo error();
	  }
   }
}
function error()
{
echo "<b>The username/password is incorrect</b>";
}
?>

but when it gets to the header it doesn't go. it shows up all the sessions, i wanted to make sure the query was good, and it is, it correctly shows all the sessions up, but won't go to the header, anyone see why?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

1. Enable error reporting, and you'll see what's the problem yourself
2. You can't have header() after echo-ing something
3. echo error(), where error() itself echoes is a bit of a nonsense
4. Awkward: if($row['username'] == "") -- you ask the database if the user entered an empty string in the form?

0. (most important) SQL injection in $_POST['username']
ekosoftco
Forum Contributor
Posts: 108
Joined: Fri Aug 04, 2006 8:21 pm

Post by ekosoftco »

i don't have access to my php.ini so i put one in the folder i'm using with
ini_set("display_errors", "on");
error_reporting(E_ALL);
output_buffering = 4096;

doesn't report anything.
the other parts are old code, the error works fine, i'm not worried about that right this moment. like i said, it works completely fine on another page, but not on this one for some reason.
took out the echo before the header and it still does the same exact thing.
what do you mean by "SQL injection in $_POST['username']"?
i honestly have no clue. :/
ekosoftco
Forum Contributor
Posts: 108
Joined: Fri Aug 04, 2006 8:21 pm

Post by ekosoftco »

never mind, i got it.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Oops, sorry, you have an ob_start() I didn't see (it is soo hidden, on the top of the box and everything ;))

Do read on SQL injection, your login system can be bypassed as it is now. Check mysql_real_escape_string().
ekosoftco
Forum Contributor
Posts: 108
Joined: Fri Aug 04, 2006 8:21 pm

Post by ekosoftco »

so after reading up on sql injection, it looks like my problem is if people see how i coded the stuff, they could put a username in that could affect my databases or site, pretty severely. correct?
if so, i was reading, and it looks like this is a safer way to do it

Code:

$query_result = mysql_query
  (
        "select * from users where name = '"
    .
        mysql_real_escape_string($user_name)
    .
        "'"
   );

is that true?
and whoever replies, please, if you wouldn't mind, give a little explanation of all this too, so i can make sure i understand. appreciate it. :)
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Yes, your code is correct now (provided that $user_name = $_POST['username'])
"it looks like my problem is if people see how i coded the stuff, they could put a username in that could affect my databases or site, pretty severely. correct?"
Even if they can't see your exact code, with some attempts they can discover what's going on in your query and manipulate it. The topic is quite advanced and long to explain and it is somewhat against the rules of this board. There are a few good whitepapers on sql injection and blind sql injection, google will assist you in finding them if you're still interested. From a coder's point of view, mysql_real_escape_string() is mostly enough.
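
Added example, not part of the thread or either poster's code: the same username lookup written with a PDO prepared statement instead of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7), with the password stored as a password_hash() digest rather than plaintext. The in-memory SQLite database, the sample account and the function names demo_db and check_login are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data: an in-memory SQLite database stands in for the
// thread's MySQL "user" table so the script runs offline.
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $ins = $pdo->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    // Store a password_hash() digest, not the plaintext the original script compares.
    $ins->execute(["o'neil", password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the user's id on success, null on any failure. Unknown user and
// wrong password take the same path, so the caller shows one generic message.
function check_login(PDO $pdo, string $username, string $password): ?int
{
    // The placeholder keeps $username out of the SQL text entirely: a quote
    // in the value is data, so there is no escaping step to forget.
    $stmt = $pdo->prepare('SELECT id, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

$pdo = demo_db();
var_dump(check_login($pdo, "o'neil", 'correct horse')); // valid account, name contains a quote
var_dump(check_login($pdo, "o'neil", 'wrong'));         // right user, wrong password
var_dump(check_login($pdo, "x'y", 'correct horse'));    // unknown user, quote bound as data
```

In the login page itself, call check_login() before any output, store only the returned id in the session, and send the Location header before echoing anything.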
ekosoftco
Forum Contributor
Posts: 108
Joined: Fri Aug 04, 2006 8:21 pm

Post by ekosoftco »

ok, cool. i read a bit on it on google already, so i think i understand, and i know a fix, and understand it, so that's even better. :)
thanks a bundle for making my newer site safer!
:D