Page 1 of 1

login security not working

Posted: Fri Jul 11, 2008 3:41 pm
by rnintulsa
Hello, I am new to PHP and don't really know programming except for xhtml and css.
I am having a problem and so I will explain as best I can.
If the code is messed up it is because I really don't know what
I am doing.

There is a client entrance page with a list of the company names.

I set up a mysql schema for each company with individual names,
and different usernames and passwords for each company person to log in as.
This is the table:

Code: Select all

 
create table users (
  id int not null auto_increment,
  username varchar( 50 ) not null,
  password varchar( 100 ) not null,
  authority varchar( 10 ) not null default 'user', 
  primary key(id)
)
 

When they click on their company name they are taken to their login page
which has the form and logs them in, and will not let them log in unless they enter
the correct name and pw for that db. ( they can't log in to anyone elses company)
This is the php for one of the login pages:

Code: Select all

 
<?php
    session_start( );
    
    // if username and password are set and not empty then proceed with the rest of the process
    if( isset( $_POST[ 'username' ] ) && isset( $_POST[ 'password' ] ) && $_POST[ 'username' ] != '' && $_POST[ 'password' ] != '' )
    {
        $username = $_POST['username'];
        $password = $_POST['password']; 
        
        @ $db = new mysqli( 'localhost', 'root', 'rn2846', 'kdesBarrister' );
        if( mysqli_connect_errno( ) )
        {
            echo"Connection to the database failed. Please try again later." ;          
            exit;
        }
        
        //checks for username and password in db table.
        $results = $db->query( "select * from users where username='" . $username . "' and password = '" . $password . "'" );
        
        //greater than zero     
        if( $results->num_rows > 0 )
        {
            $_SESSION['username'] = $username;  
            //redirect
             header('Location:barrister.php');
        }
        else
        {
            echo 'You must be registered before you may log in.';
        }
    }
?>
body:

Code: Select all

 
<?php
                            include( 'sessions.php' );
                            show_statement( );
 
                            if (isset($_SESSION['username'])) 
                            { 
                                echo '<br />';
                                echo 'You are now logged in '.$_SESSION['username'].'';     
                                echo '<br /><br />';
                            }
                            else
                            {
                                echo 'You are not logged in.<br />';
                            }
                        ?>
                        
                        <form action="login_barrister.php" method="post">
                            <p>
                                Name:               
                                    <input type="text" name="username"/>
                            </p>
                            <p>
                                Password:               
                                    <input type="password" name="password"/>
                            </p>
                            <p>
                                <input type="submit" value="Log In"/>
                            </p>
 
 
                    </form>
When they log in they go to a page with company files on it.
Here is the php on that page:

Code: Select all

 
<?php session_start( ); ?>
 
<?php
                        if (isset($_SESSION['username'])) 
                        { 
                        echo '<p>You are logged in as '.$_SESSION['username'].'</p>'; 
                        } 
                        else 
                        { 
                        echo '<p>You are not logged in.</p>'; 
                        echo '<p>Only logged in members may visit these pages.</p>'; 
                        echo '<p><a href="clients.htm">Return to Client Entrance</a><br /><br /></p>';
                        } 
                        
                        ?>
This is the sessions file:

Code: Select all

 
<?php
 
    function set_statement( $statement )
    {
        $_SESSION[ 'show_statement' ] = $statement;
    }
 
    function show_statement( )
    {
        if( isset( $_SESSION[ 'show_statement' ] ) && $_SESSION[ 'show_statement' ] != '' )
        {
            echo '<p id="statement">' . $_SESSION[ 'show_statement' ] . '</p>';
            
            unset( $_SESSION[ 'show_statement' ] );
        }
    }
?>
The problem is when they log in and have not yet logged out, and they go
back to the main page with the list of companies. They can click onto
another company and it says they are logged in as _____, and lets them
go into the other companies files!!!!

What do I need to do? This is really the extent of my php understanding, ( and I don't undertstand it very well at that ) so to do things differently would
require a lot of explaining?

I so much appreciate any advice.

Renee

Re: login security not working

Posted: Fri Jul 11, 2008 4:04 pm
by Mordred
1. Read what SQL injection is

Code: Select all

 
        $username = $_POST['username'];
        $password = $_POST['password'];
should be

Code: Select all

       $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string($_POST['password']);
2. Your current problem is that you check only if the user is logged in, not to which company he belongs, or has rights to see, or whatever. Unless you add this information to the users table and you check it in the login script and in the pages' scripts, there won't be a magical elf that would do it for you. Actually, even if you do what I said, there would still be no magical elf, but that's life :)

Re: login security not working

Posted: Fri Jul 11, 2008 6:45 pm
by rnintulsa
Oh, I appreciate you.

So, If I understand right, I need to add by copy and paste, these 2 lines into my
mysql Query Browser and execute into each companies db:

Code: Select all

 
 $username = mysql_real_escape_string($_POST['username']);
 $password = mysql_real_escape_string($_POST['password']);
 
Then what do I add to the login script and to the pages script?
The same thing where I currently have:

Code: Select all

 
$username = $_POST['username'];
$password = $_POST['password']; 
 
Thank you, and I do believe in fairies.

Renee

Re: login security not working

Posted: Sat Jul 12, 2008 7:01 am
by rnintulsa
Ok, I replaced those 2 lines in the beginning of the login script.
As I reread what you said I am wondering if I don't have to put
them in the Query Browser and execute. What did you mean by put it
in the users table?

Anyhow now I am getting these errors:

Code: Select all

 
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user '_mdnsresponder'@'localhost' (using password: NO) in /Users/reneenelson/Sites/Pezson Web/kdesigns/New_kdesign/login_orion.php on line 7
 
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /Users/reneenelson/Sites/Pezson Web/kdesigns/New_kdesign/login_orion.php on line 7
 
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user '_mdnsresponder'@'localhost' (using password: NO) in /Users/reneenelson/Sites/Pezson Web/kdesigns/New_kdesign/login_orion.php on line 8
 
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /Users/reneenelson/Sites/Pezson Web/kdesigns/New_kdesign/login_orion.php on line 8
You must be registered before you may log in.
Thank you for your help.

Renee

Re: login security not working

Posted: Sat Jul 12, 2008 9:14 am
by jayshields
MAke sure you've established a connection to your database before you execute mysql_real_escape_string(). Look in the manual in future.