Trying to break my authentication... and its working

TruckStuff

I am trying to break my current authentication system, and it seems to be working. I have it setup to where only authorized users can view this or that page, access rights are granted properly, it handles incorrect passwords properly, etc. The problem I am having is when I enter an invalid user name. I am getting the following error:

Cannot connect to db!
Reason: Access denied for user: 'asdf@x-x-x-x.grandecom.net' (Using password: YES) (1045)

"asdf" is not a valid user, so it should display a message saying so. I don't have any idea where this error message is coming from since it isn't in my code anywhere. I can only assume it is being generated by PHP automatically. Can anyone help me get this working properly? Thanks.

function OpenDB ($user, $pw)
{
 if (!$db = @ mysql_connect ("localhost", "$user", "$pw"))
    { return false; }
    elseif (! mysql_select_db ("db"))
       { return false; }
 return $db;
}

function login ($name, $pw)
{
 if ($db = @ OpenDB ("$name", "$pw"))
    return true;
    else return false;
}

function CheckValidUser ($realm)
{
 if (!isset ($_SESSION["user_name"]) || !isset ($_SESSION["passwd"]))
   {
    if (@ login ($_POST["user_name"], $_POST["passwd"]))
      {
       $_SESSION["valid_user"] = $_POST["user_name"];
       $_SESSION["passwd"] = $_POST["passwd"];
       $_SESSION["access"] = GetLinks ($_SESSION["valid_user"]);
      }
     else
       {
        DisplayHeader ("Login Failed!");
        echo "<p>Attempt to login failed.</p>";
        echo "<p>Please <a href=\"index.php\">try again</a>.</p>";
        DisplayFooter ();
       }
   }
 elseif ($realm != "HOME")
 {
 if (!isset($_SESSION["valid_user"]) || !isset ($_SESSION["passwd"]) && ! login ($_SESSION["valid_user"], $_SESSION ["passwd"]))
    {
     DisplayHeader ("Cannot View Page");
     echo "<p>You must be logged in to view this page.</p>";
     echo "<p><a href=\"index.php\">Click here</a> to login.</p>";
     DisplayFooter ();
     exit;
    }
    else
       {
        if (! isset($_SESSION["access"]["$realm"]))
           {
            DisplayHeader ("Authorization Failed");
            echo "<p>You are not authorized to view this page.</p>";
            DisplayFooter ();
            exit;
           }
       }
 }
 if (! login ($_SESSION["valid_user"], $_SESSION ["passwd"]))
    {
     DisplayHeader ("Authorization Failed");
     echo "<p>You are not authorized to view this page.</p>";
     DisplayFooter ();
     exit;
    }
}

require_once ("load-libs.php");
session_start ();
$realm = "HOME";
CheckValidUser ($realm);

DisplayHeader ("Welcome!");
DisplayHomeBody ();
DisplayFooter ();

devinemke

if the name of your database actually "db"? or did you mean:
mysql_select_db ("$db") instead of
mysql_select_db ("db")

rinjani

The error message comes from MySQL and basically says that the user login to the database is incorrect.

It looks like you are using the same login for your database connection and to get into your system. I may be wrong there.

The way I set up a database and authentication system is:

i. have a database login and connection string in the code

ii access the database and check the user login against the folks who are in the database.

It looks to me from your code that you are making the database connection with the same login as the users you are trying to authenticate. If the login is bad then mysql spits out an error.

HTH

TruckStuff

It looks to me from your code that you are making the database connection with the same login as the users you are trying to authenticate. If the login is bad then mysql spits out an error.

This is correct. I am attempting to build a restricted access system. User name and password are stored on the MySQL end and users are only granted access to the system if the MySQL authentication is successful.

What I am considering is the situation where the user mis-types their username. I would like to spit out a custom error message (as you can see in the code), but it isn't getting that far, even with @ error surpression operator. Problem is that the db is hosted by a company that doesn't give us access to the mysql table for the db (understandably). Thoughts on how to get around this?