login security not working

rnintulsa
Forum Newbie
Posts: 3
Joined: Tue Apr 22, 2008 9:26 am

login security not working

Post by rnintulsa »

Hello, I am new to PHP and don't really know programming except for xhtml and css.
I am having a problem and so I will explain as best I can.
If the code is messed up it is because I really don't know what
I am doing.

There is a client entrance page with a list of the company names.

I set up a mysql schema for each company with individual names,
and different usernames and passwords for each company person to log in as.
This is the table:

```sql
create table users (
  id int not null auto_increment,
  username varchar( 50 ) not null,
  password varchar( 100 ) not null,
  authority varchar( 10 ) not null default 'user',
  primary key(id)
)
```

When they click on their company name they are taken to their login page
which has the form and logs them in, and will not let them log in unless they enter
the correct name and pw for that db. (They can't log in to anyone else's company.)
This is the php for one of the login pages:

```php
<?php
    session_start( );
    
    // if username and password are set and not empty then proceed with the rest of the process
    if( isset( $_POST[ 'username' ] ) && isset( $_POST[ 'password' ] ) && $_POST[ 'username' ] != '' && $_POST[ 'password' ] != '' )
    {
        $username = $_POST['username'];
        $password = $_POST['password']; 
        
        @ $db = new mysqli( 'localhost', 'root', 'rn2846', 'kdesBarrister' );
        if( mysqli_connect_errno( ) )
        {
            echo"Connection to the database failed. Please try again later." ;          
            exit;
        }
        
        //checks for username and password in db table.
        $results = $db->query( "select * from users where username='" . $username . "' and password = '" . $password . "'" );
        
        //greater than zero     
        if( $results->num_rows > 0 )
        {
            $_SESSION['username'] = $username;  
            //redirect
            header('Location:barrister.php');
        }
        else
        {
            echo 'You must be registered before you may log in.';
        }
    }
?>
```
body:

```php
<?php
    include( 'sessions.php' );
    show_statement( );

    if (isset($_SESSION['username'])) 
    { 
        echo '<br />';
        echo 'You are now logged in '.$_SESSION['username'].'';     
        echo '<br /><br />';
    }
    else
    {
        echo 'You are not logged in.<br />';
    }
?>

<form action="login_barrister.php" method="post">
    <p>
        Name:
        <input type="text" name="username"/>
    </p>
    <p>
        Password:
        <input type="password" name="password"/>
    </p>
    <p>
        <input type="submit" value="Log In"/>
    </p>
</form>
```

When they log in they go to a page with company files on it.
Here is the php on that page:

```php
<?php session_start( ); ?>

<?php
    if (isset($_SESSION['username'])) 
    { 
        echo '<p>You are logged in as '.$_SESSION['username'].'</p>'; 
    } 
    else 
    { 
        echo '<p>You are not logged in.</p>'; 
        echo '<p>Only logged in members may visit these pages.</p>'; 
        echo '<p><a href="clients.htm">Return to Client Entrance</a><br /><br /></p>';
    } 
?>
```

This is the sessions file:

```php
<?php

    function set_statement( $statement )
    {
        $_SESSION[ 'show_statement' ] = $statement;
    }

    function show_statement( )
    {
        if( isset( $_SESSION[ 'show_statement' ] ) && $_SESSION[ 'show_statement' ] != '' )
        {
            echo '<p id="statement">' . $_SESSION[ 'show_statement' ] . '</p>';
            
            unset( $_SESSION[ 'show_statement' ] );
        }
    }
?>
```

The problem is when they log in and have not yet logged out, and they go
back to the main page with the list of companies. They can click onto
another company and it says they are logged in as _____, and lets them
go into the other companies' files!!!!

What do I need to do? This is really the extent of my php understanding (and I don't understand it very well at that), so to do things differently would
require a lot of explaining?

I so much appreciate any advice.

Renee
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: login security not working

Post by Mordred »

1. Read what SQL injection is

```php
$username = $_POST['username'];
$password = $_POST['password'];
```

should be

```php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
```

2. Your current problem is that you check only if the user is logged in, not to which company he belongs, or has rights to see, or whatever. Unless you add this information to the users table and you check it in the login script and in the pages' scripts, there won't be a magical elf that would do it for you. Actually, even if you do what I said, there would still be no magical elf, but that's life :)
rnintulsa
Forum Newbie
Posts: 3
Joined: Tue Apr 22, 2008 9:26 am

Re: login security not working

Post by rnintulsa »

Oh, I appreciate you.

So, if I understand right, I need to add by copy and paste these 2 lines into my
mysql Query Browser and execute into each company's db:

```php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
```

Then what do I add to the login script and to the pages script?
The same thing where I currently have:

```php
$username = $_POST['username'];
$password = $_POST['password']; 
```

Thank you, and I do believe in fairies.

Renee
rnintulsa
Forum Newbie
Posts: 3
Joined: Tue Apr 22, 2008 9:26 am

Re: login security not working

Post by rnintulsa »

Ok, I replaced those 2 lines in the beginning of the login script.
As I reread what you said I am wondering if I don't have to put
them in the Query Browser and execute. What did you mean by put it
in the users table?

Anyhow now I am getting these errors:

```
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user '_mdnsresponder'@'localhost' (using password: NO) in /Users/reneenelson/Sites/Pezson Web/kdesigns/New_kdesign/login_orion.php on line 7

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /Users/reneenelson/Sites/Pezson Web/kdesigns/New_kdesign/login_orion.php on line 7

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user '_mdnsresponder'@'localhost' (using password: NO) in /Users/reneenelson/Sites/Pezson Web/kdesigns/New_kdesign/login_orion.php on line 8

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /Users/reneenelson/Sites/Pezson Web/kdesigns/New_kdesign/login_orion.php on line 8
You must be registered before you may log in.
```

Thank you for your help.

Renee
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: login security not working

Post by jayshields »

Make sure you've established a connection to your database before you execute mysql_real_escape_string(). Look in the manual in future.
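
An added example, not part of any post in this thread: it combines the two points raised above, a login query parameterised on the script's own mysqli connection (the warnings come from a mysql_* call that has no mysql_* link to use) and a per-company check on every protected page. The function names and the 'barrister' / 'orion' company keys are hypothetical, and the example assumes the password column holds password_hash() output rather than the value the thread's query compares directly.

```php
<?php
// Added example, not code from the thread. The function names and the
// 'barrister' / 'orion' company keys are hypothetical labels.

// Login step. The query is parameterised on the same mysqli connection that
// runs it, so no mysql_* escaping call (which needs its own link) is involved.
// Assumption: users.password holds password_hash() output.
function login(mysqli $db, string $company, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $ok = $stmt->fetch() === true && password_verify($password, $hash);
    $stmt->close();

    if ($ok) {
        session_regenerate_id(true);      // new session id once authenticated
        $_SESSION['username'] = $username;
        $_SESSION['company']  = $company; // which company this login is for
    }
    return $ok;
}

// Page guard. Being logged in is not enough: the session must carry the
// company that owns the page being requested.
function is_authorised(array $session, string $pageCompany): bool
{
    return isset($session['username'], $session['company'])
        && $session['company'] === $pageCompany;
}

// Constructed sessions: the first is what login() leaves after a Barrister login.
$session = ['username' => 'example_user', 'company' => 'barrister'];
var_dump(is_authorised($session, 'barrister'));
var_dump(is_authorised($session, 'orion'));
var_dump(is_authorised(['username' => 'example_user'], 'barrister'));
```

On each company page, call `is_authorised($_SESSION, ...)` right after `session_start()` and before any output, and when it returns false send the redirect header and `exit` so the rest of the page is never rendered.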