i created a login around everything and it should be working fine
but it seems that the javascript isnt running and sending the right values to my login script...
here are each of my programs.
when i run my login, it works fine but it doesnt use the javascript... why is it skipping my javascript?
index.php - my template file
Code: Select all
<?php
session_start();
session_register('auth');
session_register('logname');
session_register('loghost');
session_register('access');
session_register('pageviews');
session_register('challenge');
define("x",null);
include('batch_action.php');
require_once('sha256.inc.php');
$challenge = SHA256::hash(uniqid(mt_rand,true));
setChallenge($challenge);
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Home</title>
<!--
Include a javascript implementation of the SHA256 algorithim
Download from: http://www.mad-teaparty.com/Chrstph/sha256.html
-->
<script language="javascript" src="sha256.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript">
<!--
function doChallengeResponse() {
str = document.login_form.eusername.value.toLowerCase() + ":" +
sha256_digest(document.login_form.epassword.value) + ":" +
document.login_form.echallenge.value;
document.login_form.epassword.value = "";
document.login_form.echallenge.value = "";
document.login_form.response.value = sha256_digest(str);
return false;
}
// -->
</script><?php
session_start();
session_register('auth');
session_register('logname');
session_register('loghost');
session_register('access');
session_register('pageviews');
session_register('challenge');
define("x",null);
include('batch_action.php');
require_once('sha256.inc.php');
$challenge = SHA256::hash(uniqid(mt_rand,true));
setChallenge($challenge);
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Home</title>
<!--
Include a javascript implementation of the SHA256 algorithim
Download from: http://www.mad-teaparty.com/Chrstph/sha256.html
-->
<script language="javascript" src="sha256.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript">
<!--
function doChallengeResponse() {
str = document.login_form.eusername.value.toLowerCase() + ":" +
sha256_digest(document.login_form.epassword.value) + ":" +
document.login_form.echallenge.value;
document.login_form.epassword.value = "";
document.login_form.echallenge.value = "";
document.login_form.response.value = sha256_digest(str);
return false;
}
// -->
</script>
//// just tables and stufff, my template for the site
//login area of the table.
<th height="23" colspan="2" scope="col">
<?php
if($auth != "yes"){
$pageviews=0;
include('login.php');
}
elseif($auth == "yes"){
if($pageviews<1){
//sets up the session variables.
}else{
echo "Welcome $logname!";
}
$pageviews++;
}
?></th>
</tr>
<tr>
<th width="684" height="41" colspan="2" align="left" valign="top" scope="col">
<?php
//displays the contents of a main page... home.php for example.
?></th>Code: Select all
<?php
if(!defined("x")){
die("Hacking attempt...");
}
//set forwarding array and database info
function setChallenge($challenge){
mysql_connect(localhost,"username","pass");
@mysql_select_db("database") or die("Unable to connect to database");
$query="DELETE FROM challenge_record WHERE
sess_id='".session_id()."' OR
timestamp < ". time();
$result=mysql_query($query);
if(!$result){queryError($query);}
mysql_close();
mysql_connect(localhost,"username","pass");
@mysql_select_db("database") or die("Unable to connect to database");
$query2="INSERT INTO challenge_record (sess_id, challenge, timestamp)
VALUES ('".session_id()."','".$challenge."',".(time()+360).")";
$result2=mysql_query($query2);
if(!$result2){queryError($query2);}
mysql_close();
}
function selectPageInfo($pagename, $location, $i){
//displays the actual page (I.E home.php)
}
function queryError($query){
echo "Unable to process query<br>";
$message = 'Invalid query: ' . mysql_error() . "\n";
$message .= 'Whole query: ' . $query;
die($message);
}
function loginForm(){
$message="<form action='index.php?action=login' method='post' name='login_form' id='login_form onSubmit='doChallengeResponse()'>
Username:<input name='eusername' id='eusername' size='16' type='text'>
Password:<input name='epassword' id='epassword' size='16' type='password'>
<input name='submit' id='submit' type='submit' value='Login'>
<input name='echallenge' id='echallenge' type='hidden' value='$challenge'>
<input name='response' id='response' type='hidden' value=''>
</form>";
echo $message;
}
?>Code: Select all
if(!defined("x")){
die("Hacking attempt...");
}
switch($action){
case "login":
if(isset($_POST['response']) && !empty($_POST['response']) &&
(!ctype_alnum($_POST['eusername']) || !ctype_alnum($_POST['response']))){
die("Bad Input: response or username are not alphanumeric!");}
if(isset($_POST['epassword']) && !empty($_POST['epassword']) &&
(!ctype_alnum($_POST['eusername']) || !ctype_alnum($_POST['epassword']))){
die("Bad Input: Password or username are not alphanumeric!");}
mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die("Unable to connect to database");
$result = mysql_query("SELECT challenge FROM challenge_record WHERE sess_id='".session_id()."' AND timestamp > ". time())
or die("Invalid query: " . mysql_error());
if(mysql_num_rows($result)==0){
//unset($action);
$message="Your login has timedout.<br>";
echo $message;
loginForm();
break;
//echo "<META HTTP-EQUIV='refresh' CONTENT='0; URL=index.php'>";
}
$cArray = mysql_fetch_assoc($result);
$result = mysql_query("SELECT loginName, password FROM godschildren WHERE loginName='".$_POST['eusername']."'")
or die("Invalid query: ".mysql_error());
if(mysql_num_rows($result)==0){
$message="Your login is incorrect.<br>";
echo $message;
loginForm();
}
$user = mysql_fetch_assoc($result);
$response_string = strtolower($user['loginName']).':'.$user['password'].':'.$c_array['challenge'];
$expected_response = SHA256::hash($response_string);
if($_POST['response'] == $expected_response){
$auth="yes";
$logname=$_POST['eusername'];
echo "<META HTTP-EQUIV='refresh' CONTENT='0; URL=index.php'>";
}elseif(isset($_POST['epassword']) && !empty($_POST['epassword'])){
if(SHA256::hash($_POST['epassword']) == $user['password']){
$auth="yes";
$logname=$_POST['eusername'];
echo "<META HTTP-EQUIV='refresh' CONTENT='0; URL=index.php'>";
}else{
$message="Your password is incorrect.<br>";
echo $message."<br>Recieved: ".$_POST['response']."<br>Expected: ".$expected_response."<br>Password: ".
$_POST['epassword'];
loginForm();
}
}else{
$message="Your response is incorrect.<br>";
echo $message."<br>Recieved: ".$_POST['response']."<br>Expected: ".$expected_response."<br>Password: ".
$_POST['epassword'];
loginForm();
}
mysql_close();