some kind of log in error

Posted: Wed May 16, 2007 2:09 pm
by ekosoftco
OK, this is weird, because it works on one page and not on another; maybe there's something wrong.
I have this login script:

Code:

<?php
ob_start();
require('config.php');
echo "<center>";
//Write the login form out
echo "<form method=post action=login.php?action=check><table><tr><td><font size=2>Username:</font></td><td><input type=text name=username></td></tr><tr><td><font size=2>Password:</font></td><td><input type=password name=password></td></tr><tr><td></td><td><input type=submit value=Login></td></tr></table></form>";
//check the input
if($_GET['action'] == 'check')
{
    //find the user
    $result = mysql_query("SELECT * FROM user WHERE username='{$_POST['username']}'") or die(mysql_error());
    $row = mysql_fetch_array( $result ); //set $row to result
    if($row['username'] == "")
    {
        echo error();
    }
    else
    {
        //$enc = md5($_POST['Pword']);
        $enc = $_POST['password'];
        if($row['password'] == $enc)
        {
            $_SESSION['username'] = $_POST['username'];
            $_SESSION['lp'] = 'pl';
            $_SESSION['password'] = $enc;
            $_SESSION['id'] = $row['id'];
            echo "<center><font color=CCCCCC><b>Welcome " . $_SESSION['username'] . " ID# " . $_SESSION['id'] . " Password " . $_SESSION['password'] . "!</b></font>";
            header( "Location: staff.php" );
            exit;
        }
        else
        {
            echo error();
        }
    }
}
function error()
{
    echo "<b>The username/password is incorrect</b>";
}
?>
But when it gets to the header it doesn't go. It shows all the sessions; I wanted to make sure the query was good, and it is, it correctly shows all the sessions, but it won't go to the header. Anyone see why?

Posted: Wed May 16, 2007 2:23 pm
by Mordred
1. Enable error reporting, and you'll see what the problem is yourself
2. You can't have header() after echo-ing something
3. echo error(), where error() itself echoes, is a bit of nonsense
4. Awkward: if($row['username'] == "") -- you ask the database if the user entered an empty string in the form?

0. (most important) SQL injection in $_POST['username']

Posted: Wed May 16, 2007 2:30 pm
by ekosoftco
I don't have access to my php.ini, so I put one in the folder I'm using with
ini_set("display_errors", "on");
error_reporting(E_ALL);
output_buffering = 4096;

It doesn't report anything.
The other parts are old code; the error works fine, I'm not worried about that right this moment. Like I said, it works completely fine on another page, but not on this one for some reason.
I took out the echo before the header and it still does the same exact thing.
What do you mean by "SQL injection in $_POST['username']"?
I honestly have no clue. :/

Posted: Wed May 16, 2007 2:51 pm
by ekosoftco
Never mind, I got it.

Posted: Wed May 16, 2007 3:23 pm
by Mordred
Oops, sorry, you have an ob_start() I didn't see (it is soo hidden, on the top of the box and everything ;))

Do read on SQL injection, your login system can be bypassed as it is now. Check mysql_real_escape_string().

Posted: Wed May 16, 2007 11:20 pm
by ekosoftco
So after reading up on SQL injection, it looks like my problem is that if people see how I coded the stuff, they could put in a username that could affect my databases or site, pretty severely. Correct?
If so, I was reading, and it looks like this is a safer way to do it:

Code:

$query_result = mysql_query(
    "select * from users where name = '" . mysql_real_escape_string($user_name) . "'"
);
Is that true?
And whoever replies, please, if you wouldn't mind, give a little explanation of all this too, so I can make sure I understand. Appreciate it. :)

Posted: Thu May 17, 2007 3:27 am
by Mordred
Yes, your code is correct now (provided that $user_name = $_POST['username']).
it looks like my problem is that if people see how I coded the stuff, they could put in a username that could affect my databases or site, pretty severely. Correct?
Even if they can't see your exact code, with some attempts they can discover what's going on in your query and manipulate it. The topic is quite advanced and long to explain and it is somewhat against the rules of this board. There are a few good whitepapers on sql injection and blind sql injection, google will assist you in finding them if you're still interested. From a coder's point of view, mysql_real_escape_string() is mostly enough.
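Added example, not code from either poster: the same username lookup written the three ways discussed in this thread (raw string interpolation, escaping, and a prepared statement), run against an in-memory SQLite table through PDO so it is self-contained. The mysql_* extension used above was removed in PHP 7, so PDO::quote() stands in for mysql_real_escape_string(); the table rows and the test input are constructed.

```php
<?php
// Added example (not from the thread). Uses an in-memory SQLite database so
// it runs without a MySQL server; the table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
// One legitimate username contains a single quote.
$db->exec("INSERT INTO user (username, password) VALUES ('alice', 'x'), ('o''brien', 'y')");

// 1. The thread's original pattern: user input pasted straight into the SQL text.
//    A quote in the input closes the string literal, so the rest of the input is
//    parsed as SQL instead of being compared as a username.
function findUserUnsafe(PDO $db, string $username): ?array {
    $sql = "SELECT * FROM user WHERE username='{$username}'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. The fix Mordred pointed at: escape the input so quotes stay inside the literal.
//    PDO::quote() plays the role of mysql_real_escape_string() here and also adds
//    the surrounding quotes. Escaping is only correct if it matches the
//    connection's character set, which is why it needs a live connection.
function findUserEscaped(PDO $db, string $username): ?array {
    $sql = "SELECT * FROM user WHERE username=" . $db->quote($username);
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Prepared statement: the SQL is fixed before any input is seen, so the input
//    is always treated as data, whatever characters it contains.
function findUserPrepared(PDO $db, string $username): ?array {
    $stmt = $db->prepare("SELECT * FROM user WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$input = "o'brien"; // constructed: a valid value that happens to contain a quote
try {
    findUserUnsafe($db, $input);
} catch (PDOException $e) {
    // The raw query is no longer valid SQL once the quote is inside it.
    echo "unsafe query failed on the quote: " . $e->getMessage() . "\n";
}
var_dump(findUserEscaped($db, $input)['username']);
var_dump(findUserPrepared($db, $input)['username']);
```

The first lookup fails with a syntax error because the quote in the input changed the structure of the query; the other two return the o'brien row, which is the point: the input never becomes part of the SQL.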

Posted: Thu May 17, 2007 8:27 am
by ekosoftco
OK, cool. I read a bit on it on Google already, so I think I understand, and I know a fix, and understand it, so that's even better. :)
Thanks a bundle for making my newer site safer!
:D