[RESOLVED] Login via MySQL denies access

lewiss

The login script below appears to connect successfully with the database, but produces the "Access Denied: Are you really you?" message, even though I have put the user details in the relevant table.

I would really appreciate suggestions about where this is going wrong. (None of the site pages have coding that restricts access yet. Could this be the problem?)

<?php

include ('../config.php');
/* get the incoming ID and password hash */
$user = $_POST["yourusername"];
$pass = sha1($_POST["youruserpass"]);

/* establish a connection with the database */
$server = mysql_connect("$dBaseServer", "$dBaseUser",
          "$dBasePass");
if (!$server) die(mysql_error());
mysql_select_db("$dBaseName");

/* SQL statement to query the database */
$query = "SELECT * FROM tablename WHERE username = '$user' AND userpass = '$pass'";

/* query the database */
$result = mysql_query($query);

/* Allow access if a matching record was found, else deny access. */
if (mysql_fetch_row($result))
  echo "Access Granted: Welcome, $user!";
else
  echo "Access Denied: Are you really you?";

mysql_close($server);  

?>

paulnaj

Just a guess ...

$query = "SELECT * FROM tablename WHERE username = '$user' AND userpass = '$pass'";

Is tablename really the name of the table?

lewiss

tablename is "webadmin" and that is what I put in the code above. I was trying to avoid names that might have other meanings in php or mySQL.

paulnaj

Ok,

Try just echo-ing out the $query to the browser before trying to execute it - just to check the format looks correct.

If you have access to phpMyAdmin use it to test the string.

Paul.

lewiss

Interesting result! The source code looks like:

$query = "SELECT * FROM webadmin WHERE username = '$user' AND userpass = '$pass'";

but the echo reads;

SELECT * FROM webadmin WHERE username = '' AND userpass = 'da39a3ee5e6b4b0d3255bfef95601890afd80709'

The password echos out, but not the username. I'm not sure what to make of it!

Lewis

paulnaj

Aha,

Well at least we've found where the problem lies. Now we have to find what's happened to the $_POST variable.

I assume a form is being used to post the vars to this script, so first check that the HTML input tag has the correct attributes - it should look something like ...

<input type="text" name="yourusername" value="" />

Make sure it lives inside the form and that the form is correctly formatted etc.

It's going to be a typo somewhere, I guess.

lewiss

The username field did not include

value=""

I amended this but access still denied. Form code is as follows (I know I'll have to validate fields before going "live").

<form action="incs/authentuser.php" method="post" name="login_attempt" enctype="text/plain" id="login_attempt">
    <table border="0" width="100%" bgcolor="#FFFFCC" summary="login form">
      <tr valign="top">
        <td width="120">
          <b>Username:</b><br /><br /><br />
        </td>

    <td><input type="text" name="yourusername" size="20" value="" maxlength="40" tabindex="1" id="yourusername" /></td>
  </tr>

  <tr valign="top">
    <td>
      <b>User Password<br /><br /><br /></b>
    </td>

    <td><input type="password" name="youruserpass" size="20" value="" maxlength="20" tabindex="2" id="youruserpass"></td>
  </tr>

  <tr valign="top">
    <td><input type="reset" name="reset" value="Clear Form" id="reset" tabindex="3" /></td>

    <td><input type="submit" name="submit" value="Login" id="submit" tabindex="4" /></td>
  </tr>
</table>
  </form>

I've rechecked the database to make sure that the username is the same, and using the same case.

Lewis

paulnaj

Is there anything else going on - like javascript checking (I know you mentioned validation already), because the form looks OK to me.

Try creating a new PHP page form_vars.php say.

In it just dump the $POST variable ...

echo '<pre>'; var_dump($_POST); echo '</pre>';

Then (just for now) change the action in the form to action="form_vars.php" and see if the variables are posted correctly.

If they are we have to assume that code elsewhere is having an effect.

Paul.

lewiss

The "form" and the "authentuser.php" are both "includes" in the same second level directory. "login.php" in the root directory includes the "form".

I removed a javascript menu from the page header of "login.php", but still get the following output from the "form_vars.php" page.

array(0) {
}

paulnaj

Hmm,

Now we're losing the password too. That makes me think that originally the password wasn't getting passed either.

Another (desperate) guess - get rid of the enctype attribute in the form - I never use it myself (except for file uploading forms), so not 100% about it.

bradgrafelman

paulnaj;10920345 wrote:
That makes me think that originally the password wasn't getting passed either.

Nope; da39a3ee5e6b4b0d3255bfef95601890afd80709 is the sha1 hash of an empty string (NULL).

I would also echo paulnaj's suggestion, however; get rid of the enctype on the form tag (why is it there in the first place?).

Also note that your code is vulnerable to SQL injection attacks. User-supplied data should never be placed directly into a SQL query string. Instead, you must first sanitize it with a function such as [man]mysql_real_escape_string/man.

lewiss

Many thanks to you paulnaj for your patience and persistance. Thanks too, to bradgrafelman.

You were both right! The form encryption type seems to be the culprit. I removed this and "hey presto!" successful login!

I don't fully understand the rationale for this, but no doubt this will become clear as I learn more.

bradgrafelman, thanks for your warning about cleansing user input. I will do this before making the site active to others.

I'm learning one step at a time, but I've read and bookmarked a bunch of sites about security. One of my favourites is http://www.sitepoint.com/article/php-security-blunders/