Login

Chris_Evans

Hi I've downloaded the following script from phpfreaks.com:

http://www.phpfreaks.com/tutorials.php?cmd=sourcefile&tut_id=40

It's only 7kb and it's just php files and a mysql file, but I wondered if anyone could download it and test it quickly on their machine? You see it works fine getting the information from the address bar, sending emails, registering users etc but when it comes to the logon, I type the correct username and password and it rejects me. Now I'm not doing anything wrong but either the script is doing something wrong or IIS is doing something wrong.

Any ideas?

Thanks,

Chris

dalecosp

Hey, I don't want to rain on the parade 🙁 , but I think you'd have better luck if you took a look at the code and posted the appropriate sections to the board, rather than asking for someone to download a zip file.

True, it's from a (relatively) known source, but it's not likely to get a good response here, because people seem to want to guide you to becoming a better coder in the first place (rather than just doing the work for you), and in the second place they would rather just see the content here than go to so much trouble...

delfa

session_start();
if (!isset($PHP_AUTH_USER))
{ 
Header("WWW-Authenticate: Basic realm=\"$PROG_NAME\""); 
Header("HTTP/1.0 401 Unauthorized"); 

} 


else{

mysql_select_db($database_obs, $obs);
$query_user = "SELECT * FROM maacdb.users where pass = '$PHP_AUTH_PW' and nome = '$PHP_AUTH_USER'";
$user = mysql_query($query_user, $obs);
$row_user = mysql_fetch_assoc($user);
$totalRows_user = mysql_num_rows($user);
if ($totalRows_user = 1){
if ($row_user['nome'] = 'carlex'){
session_register("administrador");
$nome = 'Leonardo Xerinda';
}else {
$nome = $row_user['nome'];
session_register("adminpequeno");
}
}
}

It doesn´t authenticate my login information!

Chris_Evans

dalecosp - I hadn't thought of that, although please don't get me wrong, I wasn't trying to get you to do the work for me, I was simply trying to find an error, and I wasn't sure whether it would be in the same file, there are many so I've posted them below.... and yes, I would like to be a better coder. 😉

This should be the only one needed:

<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Conver to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
	echo "Please enter ALL of the information! <br />";
	include 'login_form.html';
	exit();
}

// Convert password to md5 hash
$password = md5($password);

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
	while($row = mysql_fetch_array($sql)){
	foreach( $row AS $key => $val ){
		$$key = stripslashes( $val );
	}
		// Register some session variables!
		session_register('username');
		$_SESSION['username'] = $username;
		session_register('userid');
		$_SESSION['userid'] = $userid;

	mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");

	header("Location: login_success.php");
}
} else {
	echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
	Please try again!<br />";
	include 'login_form.html';
}
?>

Now to reexplain what's happening, it simply does not allow me to login which is a bit of a pain, 😃 so unless IIS doesn't support sessions it's a problem with the code, and I've re-read it for the past few hours and found nothing obvious that's wrong with it.

Thanks,

Chris

delfa

Hummmm.......i´m using apache.

I decided to use a peace of your code for my problem. but i´m not very happy because i couldn´t use http authentication method.

🙁

Let´s see you code....

try this, i´ve made some useful changes

<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Conver to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
    echo "Please enter ALL of the information! <br />";
    include 'login_form.html';
    exit();
}
else {
// Convert password to md5 hash
$password = md5($password);

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM DATABASE_NAME.users WHERE username = '$username' AND password = '$password' AND activated = '1'");
$login_check = mysql_num_rows($sql);
//$login_check = @mysql_num_rows($sql); --> use this to silence when everthing works fine
//to print any error from the db
echo mysql_errno() . ": " . mysql_error(). "\n";

if($login_check > 0){
    while($row = mysql_fetch_array($sql)){
    foreach( $row AS $key => $val ){
        $$key = stripslashes( $val );
    }
        // Register some session variables!
        session_register('username');
        $_SESSION['username'] = $username;
        session_register('userid');
        $_SESSION['userid'] = $userid;

    mysql_query("UPDATE DATABASE_NAME.users SET last_login=now() WHERE userid='$userid'");
    echo mysql_errno() . ": " . mysql_error(). "\n";
   // header("Location: login_success.php"); //if everthing it´s working uncomment this redirect
   echo 'Logged in!';
}
} else {
    echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
    Please try again!<br />";
    include 'login_form.html';
}
mysql_free_result($sql);
}
?>

Chris_Evans

Nice coding you have there 🙂, but unfortunately, it still does not work. I've decided that it's definately a problem with either the code or the server, but I don't see how it's either really, since one person has used it (delfa) and it works, yet it doesn't work on mine, yet at the same time, IIS works with other login scripts.

I just get this everytime.

0: You could not be logged in! Either the username and password do not match or you have not validated your membership!
Please try again!

I've even tried changing the database from using enum for activated to text but it still doesn't work. :S

delfa

Try this:

<?
/* Check User Script */
session_start();  // Start Session

// Conver to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
    echo "Please enter ALL of the information! <br />";
    include 'login_form.html';
    exit();
}
else {

if ($password == 'pass' and $username == 'username'){
session_register('session');
}
} else {
    echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
    Please try again!<br />";
    include 'login_form.html';
}
mysql_free_result($sql);
}
if (session_is_registered(session)) echo 'sessions r working!';
?>

Oh.... if forgot....... go to php.ini and change error_reporting to

PHP]
error_reporting = E_ALL;
[[/code]

maybe u can get that error u r looking for!

If it still doesn´t work there must be a problem with php.ini configuration otherwise the problem is with the database query (that part i replaced)

🆒

Chris_Evans

I think it's my php.ini file, and I don't know what to change but I noticed that there are quite a few settings for php.ini about sessions. Any ideas?

delfa

try my file

Chris_Evans

Hmmm 🙁 - it doesn't work either, first it loaded a file, some dll file then I realised that you were missing a colon on it, unless you wanted it, but either way, I don't have that file on my computer... and then I changed the extensions folder to where it was on my machine since it doesn't load correctly otherwise.... actually I don't have a folder called extensions which maybe what contained that dll...

Anyway, once I'd finished getting everything to the correct directory, nothing was different anyway, but I tried running it and I got a cgi security alert? :S So I don't know what happened there. hmm. It's quite a pain, works for everyone else but me.:p

dalecosp

Hmm, well, it's good to see that your request is finally getting some attention.

I'm awfully busy at the moment, but a couple of things come to mind:

A minor point --- You say "I've found nothing wrong" but the original script is using session_register() in combination with $_SESSION['foo']= ... that's unusual, to say the least. On or the other should do the trick.
Since the script is continually performing the "else", it means that your $login_check var is continually being evaluated to a number less than (or in some way not equal to) one. Have your tested your query in the MySQL monitor program to see if such a query actually returns a result? Are you connecting properly to the db? (I assume that's in 'db.php' ??) Is the stored password actually an md5 hash of the password you're inputting? (MySQL uses a different algorithm, doesn't it?) Does your script actually have access rights to the db (I notice there's no else for a "fail to connect" situation...)

HTH, sorry I've not been keeping up with the discourse....

Chris_Evans

Hi there, yes I thought of running it just before I signed off from the internet in MySQL. It works perfectly in there, so that's why I wondered if it was sessions. However, the register.php script creates an md5 hash password before the user can reset it. Would it be that MySQL runs the query picking up the md5 hash but when php runs it, it looks for a different type of password within the hash? I can't see that to be honnest but it was just a thought.

Thanks