
PHP help

Posted: Mon May 05, 2008 10:48 am
by DeFacto
Hello all,

I made a code that checks if the user name and user password match what I have in the database table, then it moves the user name into another file

Code: Select all

 
<?php header("Content-Type: text/html; charset=utf-8");
session_start();
$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
$dbhost = 'localhost';
$dbuser = ' ';
$dbpass = ' ';
$dbname = 'loginai';
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die
('Error connecting to mysql');
mysql_select_db($dbname);
   $userId = mysql_real_escape_string($_POST['txtUserId']);
   $password = mysql_real_escape_string($_POST['txtPassword']);
 
   $sql = "SELECT uname
           FROM vartotojai
           WHERE uname = '$userId'
                 AND upass = '$password'";
 
   $result = mysql_query($sql)
             or die('Query failed. ' . mysql_error());
 
   if (mysql_num_rows($result) == 1) {
echo '<form method="post" action="2.php">';
echo '<input name="user" type="hidden" value="' . $userId . '">';
 
echo '</form>';
   } else {
      $errorMessage = 'Neteisingas vartotojo vardas arba slaptažodis';
   }
  mysql_close($conn);
}
?>
 
But I am missing something, as if the user name and user password match one in the database table it does nothing.

Re: PHP help

Posted: Mon May 05, 2008 1:03 pm
by Apollo
1. Storing actual passwords in a database is a very bad idea. Store and compare a hash instead, for example sha1($password). Works the same, and it's much safer.

2. If you find a user, you only create a form with 1 hidden field. What did you expect to happen? :)
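An added example, not part of the original posts: the thread's login check rewritten so that the table holds only a salted hash from `password_hash()` and the lookup uses a prepared statement. It assumes the `pdo_sqlite` extension, with in-memory SQLite standing in for the MySQL table `vartotojai`; `add_user()`, `check_login()` and the sample account are constructed for illustration.

```php
<?php
// In-memory SQLite stands in for the thread's MySQL table (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE vartotojai (uname TEXT PRIMARY KEY, upass TEXT NOT NULL)');

// Registration side: store only the output of password_hash(),
// which embeds a random per-password salt and the cost parameters.
function add_user(PDO $pdo, string $uname, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO vartotojai (uname, upass) VALUES (?, ?)');
    $stmt->execute([$uname, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: fetch the stored hash by user name, then verify the
// submitted password against it. The password never appears in SQL.
function check_login(PDO $pdo, string $uname, string $password): bool
{
    $stmt = $pdo->prepare('SELECT upass FROM vartotojai WHERE uname = ?');
    $stmt->execute([$uname]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // no such user
    }
    return password_verify($password, $hash);
}

// Constructed sample data.
add_user($pdo, 'jonas', 'constructed-sample-password');
var_dump(check_login($pdo, 'jonas', 'constructed-sample-password'));
var_dump(check_login($pdo, 'jonas', 'wrong-password'));
// Quote characters in the name are bound as data, not parsed as SQL.
var_dump(check_login($pdo, "x' OR '1'='1", 'anything'));
```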

Re: PHP help

Posted: Mon May 05, 2008 1:07 pm
by DeFacto
I expect to move the content of that hidden field into another file, I just cannot figure out how I could do it :)

Re: PHP help

Posted: Tue May 06, 2008 4:35 am
by Apollo
With "move into another file", do you mean
1. write the username to some file on your server?
Or
2. let the browser browse to another script, with the found username as parameter?

For 1, you need something with fopen and fwrite.
For 2, there are different approaches, for example you could use a location header (but in that case don't write html headers or content first). Make sure to add a non-guessable checksum which you verify in the 2nd script, and not just the username. Otherwise someone could directly call the 2nd php with ?username=anything.

Re: PHP help

Posted: Tue May 06, 2008 5:53 am
by DeFacto
I need to post that user in 2.php, so for that reason I made that hidden field

Code: Select all

 
if (mysql_num_rows($result) == 1) {
echo '<form method="post" action="2.php">';
echo '<input name="user" type="hidden" value="' . $userId . '">';
echo '</form>';
 
I've tried to do something like this

Code: Select all

 
if (mysql_num_rows($result) == 1) {
echo '<form method="post" action=" ">';
echo '<input name="user" type="hidden" value="' . $userId . '">';
echo '</form>';
echo ('Location: 2.php');
 
but it's wrong, as the header is already sent.
Apollo wrote: Make sure to add a non-guessable checksum which you verify in the 2nd script, and not just the username. Otherwise someone could directly call the 2nd php with ?username=anything.
Could you give some example or link about it?

Re: PHP help

Posted: Tue May 06, 2008 7:49 am
by Apollo
DeFacto wrote:I need to post that user in 2.php, so for that reason I made that hidden field
In that case you can auto-submit the form with JavaScript:

Code: Select all

if (mysql_num_rows($result) == 1) {
echo "<form name='MyForm' method='post' action='2.php'>"; // note I added a name tag here
echo "<input name='user' type='hidden' value='$userId'>";
echo "</form>";
echo "<script language='JavaScript'> document.MyForm.submit(); </script>";
That last line will submit your form automatically.

DeFacto wrote:could you give some example or link about it?
Here's an example. After the hidden username field, add a checksum field into your form like this:

Code: Select all

define (CRC_SALT,'mP9bZ4aYd6Vk'); // some random string
$crc = sha1($userId.CRC_SALT);
echo "<input name='checksum' type='hidden' value='$crc'>";
Now in the 2nd php, check the crc like this:

Code: Select all

$userId = $_POST['user']; // get variables from form
$crc = $_POST['checksum'];
 
define (CRC_SALT,'mP9bZ4aYd6Vk'); // same as in first php!
if ($crc != sha1($userId.CRC_SALT)) die("Checksum mismatch"); // compare the posted values read above
This way, people can't call your 2.php file with a spoofed username, because then the crc won't match.
The CRC_SALT thing makes it impossible to spoof the crc (without it, people might guess that your crc is just a sha1-hash of the username).
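A variant of the checksum above, as an added example that is not part of the original posts: it uses `hash_hmac()` with a secret key, signs an expiry time together with the username so a captured pair stops verifying after a short window, and compares with `hash_equals()`. `LINK_KEY`, `sign_user()`, `verify_user()` and the `expires` field are hypothetical names, and the key shown is a placeholder.

```php
<?php
// Placeholder key (assumption): generate a real one once, e.g. with
// bin2hex(random_bytes(32)), and keep it outside the web root.
const LINK_KEY = 'replace-with-random-secret';

// First script: build the fields handed to the second script.
function sign_user(string $user, int $ttl = 60, ?int $now = null): array
{
    $expires = ($now ?? time()) + $ttl;
    // expires is digits only, so "|" separates it from the name unambiguously.
    $sig = hash_hmac('sha256', $expires . '|' . $user, LINK_KEY);
    return ['user' => $user, 'expires' => $expires, 'checksum' => $sig];
}

// Second script: pass $_POST (or $_GET) and reject anything that fails.
function verify_user(array $in, ?int $now = null): bool
{
    if (!isset($in['user'], $in['expires'], $in['checksum'])
        || !is_string($in['user']) || !is_string($in['checksum'])
        || !is_scalar($in['expires']) || !ctype_digit((string) $in['expires'])) {
        return false; // missing or malformed field
    }
    if ((int) $in['expires'] < ($now ?? time())) {
        return false; // signature is older than its lifetime
    }
    $expected = hash_hmac('sha256', $in['expires'] . '|' . $in['user'], LINK_KEY);
    return hash_equals($expected, $in['checksum']); // constant-time compare
}

// Constructed demonstration with a fixed clock.
$fields = sign_user('jonas', 60, 1000);
var_dump(verify_user($fields, 1010));      // within the 60 s window

$forged = $fields;
$forged['user'] = 'someone-else';          // name changed, old checksum kept
var_dump(verify_user($forged, 1010));

var_dump(verify_user($fields, 2000));      // replayed after expiry
```

Since the first script already calls `session_start()`, storing the username in `$_SESSION` after a successful login and reading it in 2.php avoids sending it through the browser at all.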

Re: PHP help

Posted: Tue May 06, 2008 7:53 am
by DeFacto
Thanks a lot, Apollo :drunk:
One more thing, is there a possibility to avoid JS?

Re: PHP help

Posted: Tue May 06, 2008 8:49 am
by Apollo
Well, you can also do it with a location header:

Code: Select all

if (mysql_num_rows($result) == 1) {
define ( CRC_SALT, 'mP9bZ4aYd6Vk' ); // some random string
$crc = sha1($userId.CRC_SALT);
header("location: page2.php?username=$userId&checksum=$crc");

and then in 2.php, use $_GET instead of $_POST to obtain the username and checksum data.

This works as long as you don't output any regular html before the location header.

Re: PHP help

Posted: Tue May 06, 2008 10:32 am
by DeFacto
OK, thanks again.

Re: PHP help

Posted: Tue May 06, 2008 11:31 am
by DeFacto
Small notice. I think

Code: Select all

 
define ( CRC_SALT, 'mP9bZ4aYd6Vk' ); 
 
should be

Code: Select all

 
define ( "CRC_SALT", 'mP9bZ4aYd6Vk' ); 
 
Am I right?

Re: PHP help

Posted: Tue May 06, 2008 11:53 am
by Apollo
Correct! Well, it also works without, but it's better with quotes :)

Actually since this situation is so simple, you could drop the define and just use a hardcoded string in place. I just used a define here to distinguish from regular variables.

Re: PHP help

Posted: Tue May 06, 2008 12:07 pm
by DeFacto
Well, it did not work for me without quotes :) I got error "undefined bla bla bla" :)

Re: PHP help

Posted: Tue May 06, 2008 12:14 pm
by Apollo
DeFacto wrote:Well, it did not work for me without quotes :) I got error "undefined bla bla bla" :)
Oh hehe, worked OK here, probably depends on php server settings.
But indeed it's better to use quotes anyway.

Re: PHP help

Posted: Tue May 06, 2008 12:18 pm
by DeFacto
Yeah, as php.net suggests to do that with quotes as well.
Thanks a lot for all, Apollo.