Page 2 of 2

Posted: Thu Dec 29, 2005 11:46 am
by nawhaley

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0.1 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE>User Login</TITLE>
   <SCRIPT type="text/javascript" src="md5.js">

   function password()
    {
     hashedpassword ="";
     
    if(document.getElementById('password').value =="")
      {
       alert("Please enter your password.");
       document.write('<?UserLogin();?>');
      }
    else 
      {
       hashedpassword = hex_md5(document.getElementById('password').value);
       hasheedpassword = hashedpassword+'<? echo $_SESSION['challange']?>';
      }
     if(hashedpassword ==<? echo $_SESSION['password']?>)
       {
        window.location('http://localhost/MainMenu.php');
       }
     else
       {
        alert("Your username or password was incorrect please try again.");
        document.write('<?UserLogin();?>');
       }
    }
    </SCRIPT>
</HEAD>
<BODY>
<?
session_start();
include 'maintfunctions.php';
if($_POST['username']=="")
  {
   ?>
  
  <SCRIPT LANGUAGE ="javascript" TYPE ="text/javascript">
    alert("Sorry the Username is incorrect please try again.");
           document.write('<? UserLogin(); ?>');
  </SCRIPT>
   <?
  }
else
 {
 
$username = $_POST['username'];
$link = odbc_connect("ImmagetechQuiz","Trainee","tra1ning");
$passwordquery = "SELECT Password FROM tblStudents WHERE Username ='$username'";
$presult = odbc_exec($link,$passwordquery);


if(odbc_fetch_row($presult))
  {
  
  $_SESSION['password'] = md5(odbc_result($presult,"Password")+$_SESSION['challange']);
  
   
  
  }

else
  {
   ?>
    <SCRIPT LANGUAGE = "javascript" TYPE ="text/javascript">
     alert("Username does not exist in Database please try again.");
     document.write('<?UserLogin();?>');
    </SCRIPT>
   <?
  }

}
?>
</BODY>
</HTML>
above is my freshly validated code per your weblink.

to answer the above questions I'm doing a random number generation that can go anywhere from 1 to 10000 as a challange value of sorts thats then sent to be hashed along with the actual password then compared to the one on the server who does the hash in the same manner. I see what your saying about storing the number in a database so its not used again I had not thought of that previously I guess I thought the chances of getting the same seed out of 10000 possible numbers was so low it wouldnt realistically matter. As far as SSL is conserned how is that commonly enabled and isnt that something that you have to pay so much for validation certificates to have functioning?

Posted: Thu Dec 29, 2005 1:47 pm
by nawhaley
ok question now that I reconfigured my file and got it validated by W3C it no longer works as a PHP file but it does work as an HTML file. The issue is it completely ignores my PHP in the file entirely so....whats going on with it now?

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0.1 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE>User Login</TITLE>
   <SCRIPT type="text/javascript" src="md5.js">

   function password()
    {
     hashedpassword ="";
     
    if(document.getElementById('password').value =="")
      {
       alert("Please enter your password.");
       document.write('<?UserLogin();?>');
      }
    else 
      {
       hashedpassword = hex_md5(document.getElementById('password').value);
       hasheedpassword = hashedpassword+'<? echo $_SESSION['challange']?>';
      }
     if(hashedpassword ==<? echo $_SESSION['password']?>)
       {
        window.location('http://localhost/MainMenu.php');
       }
     else
       {
        alert("Your username or password was incorrect please try again.");
        document.write('<?UserLogin();?>');
       }
    }
    </SCRIPT>
</HEAD>
<BODY>
<?php
session_start();
include 'maintfunctions.php';
$_SESSION['challange'] = md5(rand(1,10000));
UserLogin();
verifylogin();
?>
</BODY>
</HTML>

Posted: Thu Dec 29, 2005 8:25 pm
by Roja

Code: Select all

<?php
session_start();
include 'maintfunctions.php';
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0.1 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE>User Login</TITLE>
   <SCRIPT type="text/javascript" src="md5.js">

   function password()
    {
     hashedpassword ="";
     
    if(document.getElementById('password').value =="")
      {
       alert("Please enter your password.");
       document.write('<?UserLogin();?>');
      }
    else
      {
       hashedpassword = hex_md5(document.getElementById('password').value);
       hasheedpassword = hashedpassword+'<? echo $_SESSION['challange']?>';
      }
     if(hashedpassword ==<? echo $_SESSION['password']?>)
       {
        window.location('http://localhost/MainMenu.php');
       }
     else
       {
        alert("Your username or password was incorrect please try again.");
        document.write('<?UserLogin();?>');
       }
    }
    </SCRIPT>
</HEAD>
<BODY>
<?php
$_SESSION['challange'] = md5(rand(1,10000));
UserLogin();
verifylogin();
?>
</BODY>
</HTML>
Try it that way. Session start needed to be first, and you should start the file as a php file, THEN drop out to do html output.

Posted: Fri Dec 30, 2005 8:23 am
by nawhaley
*nod* I suspected that. I have a lot of odd errors cropping up now in my code. I don't know how much you guys know about javascript but here goes.

Page sourcecode

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0.1 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE> TESTING</TITLE>
<SCRIPT LANGUAGE ="javascript" >
function <span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span>()
{
hashedpassword ="";
     
    if(document.getElementById('password').value =="")
      {
       document.write("Password value is blank");
       alert("Please enter your password.");
       <P ALIGN ="center"><IMG SRC ="ITIlogo1.jpg"></P><FORM METHOD ="POST" ACTION ="userlogintest.php" NAME ="loginform"><P ALIGN ="CENTER"><B><U> User Login</U><BR><BR>UserName:<INPUT TYPE ="text" NAME = "username" SIZE = 15><BR>Password:&nbsp&nbsp<INPUT TYPE ="password" NAME = "password" SIZE =15><BR><BR><INPUT TYPE ="submit" NAME = "submit" VALUE ="Login" onClick ="<span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span>()"></B></P></FORM> 
      }
    else 
      {
       hashedpassword = hex_md5(document.getElementById('password').value);
       hasheedpassword = hashedpassword+'e0e6518d2cac6a5b1fa6b05498a5e7be';
      }
     if(hashedpassword ==cfcd208495d565ef66e7dff9f98764da)
       {
        window.location('http://localhost/MainMenu.php');
       }
     else
       {
        alert("Your username or password was incorrect please try again.");
        
       }
}


</SCRIPT>
</HEAD>
<BODY>
<P ALIGN ="center"><IMG SRC ="ITIlogo1.jpg"></P><FORM METHOD ="POST" ACTION ="userlogintest.php" NAME ="loginform"><P ALIGN ="CENTER"><B><U> User Login</U><BR><BR>UserName:<INPUT TYPE ="text" NAME =" username" SIZE = 15><BR>Password:&nbsp&nbsp<INPUT TYPE ="password" NAME =" password" SIZE =15><BR><BR><INPUT TYPE ="submit" NAME =" submit" VALUE ="Login" onClick ="<span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span>()"></B></P></FORM></BODY>
</HTML>
and its giving me the following errors

Code: Select all

Error: <span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span> is not defined

along with a syntax error about my HTML thats popping up in my javascript. I had it do that on a failed condition to rewrite the orginal login after alerting the user to the entry error. The interesting thing about the funciton not being defined is its defined correctly as a function and called on an onclick action on the login button yet its saying its not defined at all. It use to only do this if I put the following starting script line in.

Code: Select all

<SCRIPT LANGUAGE ="Javascript" TYPE ="text/javascript" SRC ="md5.js>
now it wont define the function either way I've never had this happen with a javascript function before I have no idea whats causing it.

Posted: Fri Dec 30, 2005 9:03 am
by Roja
Lets start with this cleaned up version:

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0.1 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>TESTING</title>
<script type="text/javascript">
function smurf()
{
    hashedpassword ="";
     
    if (document.getElementById('password').value=="")
    {
        document.write("Password value is blank");
        alert("Please enter your password.");
    }
    else
    {
        hashedpassword = hex_md5(document.getElementById('password').value);
        hasheedpassword = hashedpassword+'e0e6518d2cac6a5b1fa6b05498a5e7be';
    }
    if (hashedpassword=="cfcd208495d565ef66e7dff9f98764da")
    {
        window.location('http://localhost/MainMenu.php');
    }
    else
    {
        alert("Your username or password was incorrect please try again.");
    }
}
</script>
</head>
<body>
    <p align="center"><img src="ITIlogo1.jpg"></p>
    <form method="POST" action="userlogintest.php" name="loginform">
    <p align="center">
        <b>
            <u> User Login</u><br><br>
            UserName:<input type="text" name=" username" size="15"><br>
            Password:&nbsp;&nbsp;<input type="password" id="password" name="password" size="15"><br><br>
            <input type="submit" name=" submit" value="Login" onClick="smurf()">
        </b>
    </p>
    </form>
</body>
</html>

Posted: Fri Dec 30, 2005 10:31 am
by nawhaley
Roja, I'm sorry man but theres no way to clean the code up anymore than what I posted. Whats happening is where that jumped mess of html is being printed is where I've broken into PhP to print the form let me show you what I'm talking about.

Page source

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0.1 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE> TESTING</TITLE>
<SCRIPT LANGUAGE ="javascript" >
function password()
{
hashedpassword ="";
     
    if(document.getElementById('password').value =="")
      {
       document.write("Password value is blank");
       alert("Please enter your password.");
       <P ALIGN ="center"><IMG SRC ="ITIlogo1.jpg"></P><FORM METHOD ="POST" ACTION ="userlogintest.php" NAME ="loginform"><P ALIGN ="CENTER"><B><U>User Login</U><BR><BR>UserName:<INPUT TYPE ="text" NAME = "username" SIZE = 15><BR>Password:&nbsp&nbsp<INPUT TYPE ="password" NAME = "password" SIZE =15><BR><BR><INPUT TYPE ="submit" NAME = "submit" VALUE ="Login" onClick ="<span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span>()"></B></P></FORM> 
      }
    else 
      {
       hashedpassword = hex_md5(document.getElementById('password').value);
       hasheedpassword = hashedpassword+'e0e6518d2cac6a5b1fa6b05498a5e7be';
      }
     if(hashedpassword ==cfcd208495d565ef66e7dff9f98764da)
       {
        window.location('http://localhost/MainMenu.php');
       }
     else
       {
        alert("Your username or password was incorrect please try again.");
        
       }
}


</SCRIPT>
</HEAD>
<BODY>
<P ALIGN ="center"><IMG SRC ="ITIlogo1.jpg"></P><FORM METHOD ="POST" ACTION ="userlogintest.php" NAME ="loginform"><P ALIGN ="CENTER"><B><U>User Login</U><BR><BR>UserName:<INPUT TYPE ="text" NAME =" username" SIZE = 15><BR>Password:&nbsp&nbsp<INPUT TYPE ="password" NAME =" password" SIZE =15><BR><BR><INPUT TYPE ="submit" NAME =" submit" VALUE ="Login" onClick ="<span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span>()"></B></P></FORM></BODY>
</HTML>
thats from doing a view source on the page ok. Here is the actual php page

php page

Code: Select all

<?PHP 
session_start();
include 'maintfunctions.php';
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0.1 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE> TESTING</TITLE>
<SCRIPT LANGUAGE ="javascript" >
function password()
{
hashedpassword ="";
     
    if(document.getElementById('password').value =="")
      {
       document.write("Password value is blank");
       alert("Please enter your password.");
      <?php
        UserLogin();
       ?>
 
      }
    else 
      {
       hashedpassword = hex_md5(document.getElementById('password').value);
       hasheedpassword = hashedpassword+'<? echo $_SESSION['challange']?>';
      }
     if(hashedpassword ==<? echo $_SESSION['password']?>)
       {
        window.location('http://localhost/MainMenu.php');
       }
     else
       {
        alert("Your username or password was incorrect please try again.");
        
       }
}


</SCRIPT>
</HEAD>
<BODY>
<?
UserLogin();
?>
</BODY>
</HTML>
this portion here

Code: Select all

<?php
        UserLogin();
       ?>
is whats causing the mess. It a function I wrote to print the form via PhP because I may need to reprint it multiple times and I didnt want to do inline HTML everytime. So I had PhP output it using print() functions. I don't know any way to make it look clean when it does that I tried adding breaks etc to try to line thigs up nicer but it ignores pretty much everything. Does it necessarily "have" to look that way for you to take a stab at whats causing the error? Because honstly I'm doing my best to clean this up to make it easier for you to read but its just not working and its taking an aweful lot of development time.

Posted: Fri Dec 30, 2005 10:38 am
by Roja
nawhaley wrote:Roja, I'm sorry man but theres no way to clean the code up anymore than what I posted. Whats happening is where that jumped mess of html is being printed is where I've broken into PhP to print the form let me show you what I'm talking about.
The problem is that in that mess is several errors, which I fixed. :)
nawhaley wrote:Does it necessarily "have" to look that way for you to take a stab at whats causing the error? Because honstly I'm doing my best to clean this up to make it easier for you to read but its just not working and its taking an aweful lot of development time.
Clean code makes it easier to spot the errors. I spotted several in your code once I cleaned it up, and simplified it. Thats what I posted - the cleaned, simplified, and fixed version of your code.

I'm sorry if your code structure makes it hard to go back through and clean up specific sections of code, but thats why templating is valuable. By seperating presentation from processing, you can fix the output easily. :)

Posted: Fri Dec 30, 2005 11:18 am
by nawhaley
oh......yeah....>_> :oops: I knew that ...honest! Yeah I know clean code is easier to debug just at times PhP and Javascript dont really feel like cooperating with me in making it clean and organized thats kinda what I was driving at no offense intended. I think I found some things on the link you sent me to that tutorial that may work better and be more secure than what I'm doing currently anyway(browsed the tutorial forum to find it). Thanks for being patient and all the help so far.

Posted: Fri Dec 30, 2005 2:52 pm
by nawhaley
uuuuuuggggggggggggghhhhhhhhh!!!!!


Ok...at this point I"m regretting ever touching javascript it keeps telling me that password() is not a function if this isnt how you declare a function then how on earth DO YOU?!

Code: Select all

<?php 
session_start();
include 'maintfunctions.php';
$challange = md5(mt_rand(1,10000));

if($_POST['submit']=="Login")
 {
  verifylogin();
 }
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0.1 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE> TESTING</TITLE>
<SCRIPT LANGUAGE ="javascript" SRC ="md5.js" TYPE="text/javascript"></SCRIPT>
<SCRIPT LANGUAGE ="javascript" TYPE="text/javascript" >
 
function password()
{
alert("entered script");
username =document.loginform.username.value.toLowerCase();
userpassword = hex_md5(document.loginform.password.value + document.loginform.challange.value);
document.loginform.password.value ="";
document.loginform.challange.value ="";
document.loginform.response.value =userpassword;
return false;
}
</SCRIPT>
</HEAD>
<BODY>
<?php
UserLogin();
?>
</BODY>
</HTML>

Posted: Fri Dec 30, 2005 4:29 pm
by Roja
nawhaley wrote: Ok...at this point I"m regretting ever touching javascript it keeps telling me that password() is not a function if this isnt how you declare a function then how on earth DO YOU?!
There really isn't enough here to test.. that is how you define a function.

The rewritten version I posted, of your code, in my last post, used that same style for declaring a function, and it did not generate that error.

If you keep sharing only bits and pieces of the code, and looking at different parts of it, we're going to be here forever.

Put up a link to the complete code, all the includes, and we can work through this. As it is, I've fixed the error for you, and now you are complaining that you are getting the same error, with different code.

How many times do you expect me to debug your code piecemeal? :)

Posted: Fri Dec 30, 2005 6:27 pm
by josh
nawhaley wrote:I see what your saying about storing the number in a database so its not used again I had not thought of that previously I guess I thought the chances of getting the same seed out of 10000 possible numbers was so low it wouldnt realistically matter.
actually the whole point of the random number is to prevent replay attacks (even if you could sniff the packets at login time, you would get only the hash of the password with that random number appended to it, the point is now that random number is *invalid* so the attacker can't use that number, he has to generate a new number, the new number must also have a hash accompanied with it, and the only way to generate that hash to to have the original password. If you allow numbers to be used more then once you have defeated the purpose. Now using this method you still have the chance of that number being generated twice, and when the legit user logs in he will be detected as a replay, that is why instead of generating the number randomly from javascript you generate it randomly from PHP, except PHP will check to make sure it's a fresh number before sending it.

As far as SSL is conserned how is that commonly enabled and isnt that something that you have to pay so much for validation certificates to have functioning?
You can set up your own SSL certificate, which will encrypt the connections for free.. the point of the pay certificates (verisign, thawt, and the likes) is they are reputable, your users will get a prompt when using a free SSL certificate you generated yourself saying the identity of the remote host could not be verified, and will have 3 options

accept certificate this session
accept certificate
do not continue

or something like that. This shouldn't matter though because the connection is still encrypted, however for things like credit cards and stuff it's always better to buy one so your users know it's safe. I had no idea how to set up SSL a week or two ago but I found some good tutorials on google, and it was actually pretty straightfoward, and easier then I thought it would be