Page 1 of 1

Logging in Problems

Posted: Sun Sep 23, 2007 3:36 am
by kkonline
I am using the following code for authentication.
The signup process is fine, the email containing password is also sent.
However with the login details i am not able to sign in and access the page

Code: Select all

<?php // signup.php

include("common.php");
include("db.php");

if (!isset($_POST['submitok'])):
    // Display the user signup form
    ?>
<!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title> New User Registration </title>
  <meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1
</head>
<body>

<h3>New User Registration Form</h3>
<p><font color="orangered" size="+1"><tt><b>*</b></tt></font>
   indicates a required field</p>
<form method="post" action="<?=$_SERVER['PHP_SELF']?>">
<table border="0" cellpadding="0" cellspacing="5">
    <tr>
        <td align="right">
            <p>User ID</p>
        </td>
        <td>
            <input name="newid" type="text" maxlength="100" size="25" />
            <font color="orangered" size="+1"><tt><b>*</b></tt></font>
        </td>
    </tr>
    <tr>
        <td align="right">
            <p>Full Name</p>
        </td>
        <td>
            <input name="newname" type="text" maxlength="100" size="25" />
            <font color="orangered" size="+1"><tt><b>*</b></tt></font>
        </td>
    </tr>
    <tr>
        <td align="right">
            <p>E-Mail Address</p>
        </td>
        <td>
            <input name="newemail" type="text" maxlength="100" size="25" />
            <font color="orangered" size="+1"><tt><b>*</b></tt></font>
        </td>
    </tr>
    <tr valign="top">
        <td align="right">
            <p>Other Notes</p>
        </td>
        <td>
            <textarea wrap="soft" name="newnotes" rows="5" cols="30"></textarea>
        </td>
    </tr>
    <tr>
        <td align="right" colspan="2">
            <hr noshade="noshade" />
            <input type="reset" value="Reset Form" />
            <input type="submit" name="submitok" value="   OK   " />
        </td>
    </tr>
</table>
</form>

</body>
</html>

    <?php
else:
    // Process signup submission
    dbConnect('db');

    if ($_POST['newid']=='' or $_POST['newname']==''
      or $_POST['newemail']=='') {
        error('One or more required fields were left blank.\\n'.
              'Please fill them in and try again.');
    }
    
    // Check for existing user with the new id
    $sql = "SELECT COUNT(*) FROM user WHERE userid = '$_POST[newid]'";
    $result = mysql_query($sql);
    if (!$result) {	
        error('A database error occurred in processing your '.
              'submission.\\nIf this error persists, please '.
              'contact admin');
    }
    if (mysql_result($result,0,0)>0) {
        error('A user already exists with your chosen userid.\\n'.
              'Please try another.');
    }
    
    $newpass = substr(md5(time()),0,6);
    
    $sql = "INSERT INTO user SET
              userid = '$_POST[newid]',
              password = PASSWORD('$newpass'),
              fullname = '$_POST[newname]',
              email = '$_POST[newemail]',
              notes = '$_POST[newnotes]'";
    if (!mysql_query($sql))
        error('A database error occurred in processing your '.
              'submission.\\nIf this error persists, please '.
              'contact admin.\\n' . mysql_error());
              
    // Email the new password to the person.
    $message = "G'Day!

Your personal account for the Project Web Site
has been created! To log in, proceed to the
following address:

    http://mysite.com/

Your personal login ID and password are as
follows:

    userid: $_POST[newid]
    password: $newpass

You aren't stuck with this password! Your can
change it at any time after you have logged in.

If you have any problems, feel free to contact me at
<email@email.com>.

-Name
 http://mysite.com
";

    mail($_POST['newemail'],"Your Password for the Project Website",
         $message, "From:Your Name <admin>");
         
    ?>
    <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
      <title> Registration Complete </title>
      <meta http-equiv="Content-Type"
        content="text/html; charset=iso-8859-1" />
    </head>
    <body>
    <p><strong>User registration successful!</strong></p>
    <p>Your userid and password have been emailed to
       <strong><?=$_POST['newemail']?></strong>, the email address
       you just provided in your registration form. To log in,
       click <a href="index.php">here</a> to return to the login
       page, and enter your new personal userid and password.</p>
    </body>
    </html>
    <?php
endif;
?>
accesscontrol.php

Code: Select all

<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';

session_start();

$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];

if(!isset($uid)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are
     not a registered user, <a href="signup.php">click here</a>
     to sign up for instant access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="uid" size="8" /><br />
    Password: <input type="password" name="pwd" SIZE="8" /><br />
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;

dbConnect("bodheorg_sqldb");
$sql = "SELECT * FROM user WHERE
        userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact admin');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['uid']);
  unset($_SESSION['pwd']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}

$username = mysql_result($result,0,'fullname');
?>

Posted: Sun Sep 23, 2007 4:25 am
by s.dot
Are you getting any errors generated?
What do you see when you try to access the page, and what are you expecting to see?

Posted: Sun Sep 23, 2007 4:40 am
by kkonline
scottayy wrote:Are you getting any errors generated?
What do you see when you try to access the page, and what are you expecting to see?
I am extremely sorry for sending a duplicate content, it wasn't intentional. The connection got disconnected and i wasn't sure it the posting has been processed.

Regarding the topic, i removed the PASSWORD() and it worked correctly, but still don't know why it doesn't work with password() in mysql

Posted: Sun Sep 23, 2007 5:46 am
by s.dot
kkonline wrote:I am extremely sorry for sending a duplicate content, it wasn't intentional. The connection got disconnected and i wasn't sure it the posting has been processed.
It's no problem. ;) Don't take it personally.. just have to keep the boards clean.
kkonline wrote:Regarding the topic, i removed the PASSWORD() and it worked correctly, but still don't know why it doesn't work with password() in mysql
I've never used PASSWORD() in MySQL. Perhaps I should read up on it.
Don't know if this will help you: http://dev.mysql.com/doc/refman/5.1/en/ ... shing.html
But I plan on reading it myself just to get a gist of the function.

Perhaps someone smarter will come along in here. :-P

Posted: Sun Sep 23, 2007 6:25 am
by superdezign
kkonline wrote:Regarding the topic, i removed the PASSWORD() and it worked correctly, but still don't know why it doesn't work with password() in mysql
PASSWORD() is a built-in encryption. If you don't use it to encrypt your passwords when you first create them, then you can't use it to match against afterwards.

Posted: Sun Sep 23, 2007 6:35 am
by s.dot
He is using it to register with.

Code: Select all

$sql = "INSERT INTO user SET 
              userid = '$_POST[newid]', 
              password = PASSWORD('$newpass'), 
              fullname = '$_POST[newname]', 
              email = '$_POST[newemail]', 
              notes = '$_POST[newnotes]'";
Which may be a part of your problem. Your insert syntax is wrong.

Code: Select all

INSERT INTO `table` (`field`, `field2`, `field3`) VALUES('value1', 'value2', 'value3')

Posted: Sun Sep 23, 2007 8:42 am
by feyd
PASSWORD() is not intended for use in your own tables, ever. The underlying algorithm used to encrypt it can and will be changed by MySQL at any time. You cannot rely on it. Use a hash.

Also, ~scottayy, the INSERT syntax is actually correct. It can, in fact, look like an UPDATE query.

Posted: Sun Sep 23, 2007 12:06 pm
by Zoxive
Just for a heads up, your missing a " and closing braket on your signup.php

Code: Select all

  <meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1 

Posted: Mon Sep 24, 2007 3:40 am
by Mordred
SQL injection in both scripts, always escape your variables.

This:

Code: Select all

$sql = "INSERT INTO user SET 
              userid = '$_POST[newid]', 
              password = PASSWORD('$newpass'), 
              fullname = '$_POST[newname]', 
              email = '$_POST[newemail]', 
              notes = '$_POST[newnotes]'";
Should be this:

Code: Select all

$sql = "INSERT INTO user SET 
              userid = '{$_POST['newid']}', 
.....";