Authentication

JoshUK

hey i'm new here 🙂

I wrote this script today, and it works with checking the password and everything, but how do i get it to go to another webpage when the password is right?

<form name="form1" method="post" action="<?php $_SERVER['PHP_SELF']; ?>?action=login">
Username:<input type="text" name="u"><br>
Password:<input type="text" name="p"><br>
<input type="submit" name="Submit" value="Submit">
</form>
<?php
$server = "localhost";
$username = "root";
$password = "";
$datebase = "login";
$a = 0;

$db = mysql_connect($server, $username, $password);

mysql_select_db($datebase, $db);

$result = mysql_query("SELECT * FROM users WHERE username='$u'",$db) or die(mysql_error());



while ( $r = mysql_fetch_array( $result ) ) {
$uu = $r['username'];
$pp = $r['password'];

}

if (isset($action) && $action == 'login') {

if ($uu == $u && $pp == $p){
	echo "Right!";
	$a ++;
}else
	echo "Wrong!";
	$a == 0;

}
print $a;
?>

makingphpwork

In your PHP code you can do

?>
<META HTTP-EQUIV="Refresh" CONTENT="1; URL=http://www.abc.com">
<?
//The CONTENT number is the number of  seconds to pause before jumping to another web site or page.

Roger_Ramjet

1) you should be processing the user input with mysql real escape string to prevent a hacker from using an sql injection attack to byspass your login check. Read the manual to understand what I mean.

2) even whan you've done that, you should also check that the query for the user only returns exactly 1 record - the usual attack will return more than 1 record.

3) you can use an include to output the page you want

if ($uu == $u && $pp == $p){
    include ('whatever.php');
    exit;
}else
    echo 'Your user name or password is incorrect. Click <a href="' . $_SERVER['PHP_SELFf'] . '">here</a> to try again.';
}

4) or redirect with a header

if ($uu == $u && $pp == $p){
    echo 'header("location:http//:www.yourdomain.com/whatever.php")';
    exit;
}else
    echo 'header("location:http//:www.yourdomain.com/login.php")';
}

header only works if you've not sent anything to the client before it.

JoshUK

makingphpwork wrote:

In your PHP code you can do

?>
<META HTTP-EQUIV="Refresh" CONTENT="1; URL=http://www.abc.com">
<?
//The CONTENT number is the number of  seconds to pause before jumping to another web site or page.

Not really sure where i would put that?

Roger Ramjet wrote:
1) you should be processing the user input with mysql real escape string to prevent a hacker from using an sql injection attack to byspass your login check. Read the manual to understand what I mean.

2) even whan you've done that, you should also check that the query for the user only returns exactly 1 record - the usual attack will return more than 1 record.

3) you can use an include to output the page you want
if ($uu == $u && $pp == $p){
    include ('whatever.php');
    exit;
}else
    echo 'Your user name or password is incorrect. Click <a href="' . $_SERVER['PHP_SELFf'] . '">here</a> to try again.';
} 
4) or redirect with a header
if ($uu == $u && $pp == $p){
    echo 'header("location:http//:www.yourdomain.com/whatever.php")';
    exit;
}else
    echo 'header("location:http//:www.yourdomain.com/login.php")';
} 
header only works if you've not sent anything to the client before it.

is there anyway i can make include open it like a link, instead of just displaying it, as this makes the links bad

i couldn't get header to work 🙁
🙂

i tried to put in escape strings, not sure i did it right

here:

<form name="form1" method="post" action="<?php $_SERVER['PHP_SELF']; ?>?action=login">
Username:<input type="text" name="u"><br>
Password:<input type="text" name="p"><br>
<input type="submit" name="Submit" value="Submit">
</form>
<?php
$server = "localhost";
$username = "root";
$password = "";
$datebase = "login";
$a = 0;

$db = mysql_connect($server, $username, $password);

$username = mysql_escape_string($_POST['username']);
$password = mysql_escape_string($_POST['password']);

mysql_select_db($datebase, $db);

$result = mysql_query("SELECT * FROM users WHERE username='$u'",$db) or die(mysql_error());

while ( $r = mysql_fetch_array( $result ) ) {
$uu = $r['username'];
$pp = $r['password'];

}

if (isset($action) && $action == 'login') {

if ($uu == $u && $pp == $p){
	echo "Right!";
	echo 'header("location:http//:192.168.11.5/index.php")'; 
	//include ('../o/index.php');
    exit; 
	$a ++;
}else
	echo "Wrong!";
	$a == 0;

}
print $a;
?>

makingphpwork

You can do something like

If( Username & Password match) {
 ?> 
<META HTTP-EQUIV="Refresh" CONTENT="1; URL=http://www.abc.com"> 
<? 
}
else {
---
--
-
}

Weedpacket

As far as using <meta> refreshes goes:
http://www.w3.org/QA/Tips/reback
The smart fix would be to use header().

    echo "Right!";
    echo 'header("location:http//:192.168.11.5/index.php")';

You don't echo it (and you don't echo or otherwise output anything else, either). You just call it.

header("location:http//:192.168.11.5/index.php");

Roger_Ramjet

Whoops, me echo, me bad!

JoshUK

thanks for all the help 🙂, i got it all working, except for one thing, how can i protect webpages being veiwed before the user has logged in?

and also, is this code secure now? i'm not sure whether i did the escape strings right

<?php
$server = "localhost";
$username = "root";
$password = "";
$datebase = "login";
print '<div class="result">';
print "<a href=\"loginframe.php?action=yes\">Login?</a>";
echo '<script>window.open("main.php","main")</script>';
print '</div';

if (isset($action) && $action == 'yes') {
?>
<form action="<?php $_SERVER['PHP_SELF']; ?>?action=login" method="post"><div class="form">
<label for="name">Username : </label></div>
<input name="u" type="text" class="textfield"  id="u" maxlength="8"  />
<div class="form"><label>Password : </label></div>
<input name="p" type="password" class="textfield" id="p"  maxlength="8" /><br/>
<input name="submit" type="image" src="login.png" id="submit" value="submit" />
</form>

<?php
$url2 = "http://localhost/main.php";
$url = "http://localhost/admin.php";
}

$db = mysql_connect($server, $username, $password);

$username = mysql_escape_string($_POST['u']);
$password = mysql_escape_string($_POST['p']);

mysql_select_db($datebase, $db);

$result = mysql_query("SELECT * FROM users WHERE username='$u'",$db) or die(mysql_error());

while ( $r = mysql_fetch_array( $result ) ) {
$uu = $r['username'];
$pp = $r['password'];
$gg = $r['group'];
}

if (isset($action) && $action == 'login') {

if ($u == ""){
	echo "Please Input Your Details!";
	}else 
		if ($uu == $u && $pp == $p && $gg == 'admin'){
			echo '<div class="result">Logged In As: ' . $uu . '</div>';
			echo '<script>window.open("admin.php","main")</script>';
		}else
			if ($uu == $u && $pp == $p && $gg == 'user'){
				echo '<div class="result">Logged In As: ' . $uu . '</div>';
				echo '<script>window.open("main.php","main")</script>';
			}else
				echo '<div class="result"> Wrong<br>Username/Password!</div>';
}

?>

Roger_Ramjet

No, you did not. Infact, I can't see how this could work at all as it is; where does the var $u that you use in your query string come from???

// use mysql_real_escape_string , the old one is no good
$cleanU = mysql_real_escape_string($_POST['u']);
$cleanP = mysql_real_escape_string($_POST['p']); 

// then use the cleaned user input in your query - that's why we cleaned it
// also, validate username AND password with the query
$login_query = "SELECT * FROM users WHERE username='" . $cleanU . "' AND password='" . $cleanP . "'";

$result = mysql_query($login_query);

// check that only one row was returned, 

if ($mysql_num_rows($result) != 1) {
    echo 'invalid login';
}

JoshUK

it comes from the login field
and it all does work perfectly at the moment, i just need to make it protect pages from being veiwed, which i have no idea how to do.

Roger_Ramjet

The simple way to do all this is to have an access control script that you include at the top of every page that you want to protect. It checks for a valid login and either allows the script it is included into to continue processing, or redirects to the login page when no valid login is found.

Best thing to do to get your head around it all, and to get the code that you need is to read Kevin Yank's article.