web intersect forum new_topic.php $session issue! PLZ HELP

jfleck25

I am working on the "new_topic.php part of web intersect forum. However It is not showing that I am logged in (Which I am!) What am I doing wrong?

Here is new_topic.php so far

<?php
session_start();
include_once "../connect_to_mysql.php"; // Connect to the database
// Check to see if the user is logged in with session variables
if (!isset($_SESSION['userpass']) || $_SESSION['userpass'] == "") {
	echo "Please log in... (give them links or send them to msgToUser.php with this message)";
	exit();
} else {
	// Assume they are a member because they have a password session variable set
	// Check the database to be sure that their ID, password, and email session variables all match in the database
	$u_id = mysql_real_escape_string($_SESSION['id']);
	$u_name = mysql_real_escape_string($_SESSION['username']);
	$u_email = mysql_real_escape_string($_SESSION['useremail']);
	$u_pass = mysql_real_escape_string($_SESSION['userpass']);
	$sql = mysql_query("SELECT * FROM myMembers WHERE id='$u_id' AND username='$u_name' AND email='$u_email' AND password='$u_pass'");
    $numRows = mysql_num_rows($sql);
    if ($numRows < 1) {
	    echo "ERROR: You do not exist in the system.";
	    exit();
    }
}]

Here is login.php

<?php
include_once("php_includes/check_login_status.php");
if($user_ok == true){
	header("location: user.php?u=".$_SESSION["username"]);
    exit();
}
?><?php
if(isset($_POST["e"])){
		include_once("db_conx.php");
		$e = mysqli_real_escape_string($db_conx, $_POST['e']);
	$p = md5($_POST['p']);
	   $ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));
		if($e == "" || $p == ""){
		echo "login_failed";
        exit();
	} else {
		$sql = "SELECT id, username, password FROM users WHERE email='$e' AND activated='1' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
        $row = mysqli_fetch_row($query);
		$db_id = $row[0];
		$db_username = $row[1];
        $db_pass_str = $row[2];
		if($p != $db_pass_str){
			echo "login_failed";
            exit();
		} else {
			$_SESSION['userid'] = $db_id;
			$_SESSION['username'] = $db_username;
			$_SESSION['password'] = $db_pass_str;
					// Create session var for their email
					$useremail = $row["email"];
					$_SESSION['useremail'] = $useremail;
					// Create session var for their password
					$userpass = $row["password"];
					$_SESSION['userpass'] = $userpass;
			setcookie("id", $db_id, strtotime( '+30 days' ), "/", "", "", TRUE);
			setcookie("user", $db_username, strtotime( '+30 days' ), "/", "", "", TRUE);
    		setcookie("pass", $db_pass_str, strtotime( '+30 days' ), "/", "", "", TRUE); 
			$sql = "UPDATE users SET ip='$ip', lastlogin=now() WHERE username='$db_username' LIMIT 1";
            $query = mysqli_query($db_conx, $sql);
			echo $db_username;
		    exit();
		}
	}
	exit();
}
?>

NogDog

I don't see a session_start() in the login.php file.

jfleck25

yes, because I php_include it into my index.php where the session start is

pbismad

Do you have php's error_reporting set to E_ALL and display_errors set to ON (preferably in the php.ini on your development system), so that php will help you by reporting and displaying all the errors it detects? You will save a ton of time.

Next, this code is all over the place, using both mysql and mysqli statements, two different database tables, cryptic single-character variable names, all kinds of extra variables and unused variables/cookies, an error message that doesn't match what the logic is doing, and several more...

Starting with your login code, get the code to do the following basic tasks, and verify that the code works, before adding any other features to the code -

1) Start the session.

2) If the current visitor is already logged in, prevent the processing of the login form data. You would also not display the login form is the visitor is already logged in.

3) Detect that a form was submitted before referencing the form data.

4) Validate the submitted data before using it and output descriptive validation error messages when you re-display the form. Your current code is validating the hash of the password, which will never be an empty string, so someone could have submitted an empty password and your code won't tell them and it will use the hash of an empty string to try and log the user in.

5) If there are no validation errors, use the submitted email to query for the user's row in the database table.

6) Detect that the user was found in the table/that there was a row to fetch, before using the data from the sql query. Your code isn't even doing this now, just comparing the passwords.

7) Use php's password_hash() and password_verify() functions for you password hashing, rather than the md5() hash.

8) If the password verifies, store the user id in a session variable to identify who the logged in user is. You would use this session variable to determine if the current user is logged in and to query for any user data when needed. All the other values you are storing in session variables and cookies are either not needed, are not secure, and are just cluttering up the code. KISS (Keep It Simple.)

Note: you should use prepared queries to supply data values to the sql query statement. This will actually simplify the code (there's no need to have escape_string() function calls everywhere) and it makes the code more secure (if the character encoding that php is using for the escape_string() function calls is not the same as your database table's character encoding, sql injection is possible, while if you use true prepared queries, sql injection is not possible.) The php PDO extension is more straight forward and more constant to use than the mysqli extension, especially when using prepared queries. If you can, you should switch to the PDO extension.

Edit: you should also have error handling for all database statements. The easiest way of doing this, without adding logic at each statement, is to use exceptions and let php catch the exception and use the php error_reporting/display_errors/log_errors settings to control what happens with the actual error information.

jfleck25

I appreciate your feedback, this all seems so over my head... Im not sure what to do. I do have the login.php script hidden when user is logged in. it redirects to their profile.

NogDog

jfleck25;11060037 wrote:
I appreciate your feedback, this all seems so over my head... Im not sure what to do. I do have the login.php script hidden when user is logged in. it redirects to their profile.

Not sure if this could be the issue, but I have found in the past that if you do a header() redirect, you may need to ensure that session data is stored first:

session_write_close();
header('Location: /whatever/you/want.php');

As far as error reporting, just add this to the top of each script for now:

<?php
ini_set('display_errors', true); // set to false in produciton
error_reporting(E_ALL);

jfleck25

THANK YOU!!!! HUGE HELP

NogDog;11060043 wrote:
Not sure if this could be the issue, but I have found in the past that if you do a header() redirect, you may need to ensure that session data is stored first:
session_write_close();
header('Location: /whatever/you/want.php');
As far as error reporting, just add this to the top of each script for now:
<?php
ini_set('display_errors', true); // set to false in produciton
error_reporting(E_ALL);

jfleck25

What does the error reporting do? where would it post any issues?

NogDog

jfleck25;11060047 wrote:
What does the error reporting do? where would it post any issues?

It would cause any warnings/errors to be output to the browser (instead of to a log file) via the ini_set() command, and the error_reporting() function is saying to pretty much show every sort of warning. You normally don't want the display_errors turned on in production, since you don't want to spew out application/DB details to the world if something fails. 🙂

jfleck25

Thanks, So i added it to the top of login, and once I try to log in all it throws at me in regards to the error reporting is this, "Forbidden

You don't have permission to access /user.php on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."

 <?php
ini_set('display_errors', true); // set to false in produciton
error_reporting(E_ALL); 
include_once("php_includes/check_login_status.php");
if($user_ok == true){
	header("location: user.php?u=".$_SESSION["username"]);
    exit();
}
?>

NogDog

Hmm...I'd try using a full URI, not a relative one. Also, probably doesn't matter, but technically I believe "Location" should be capitalized. Therefore...

if($user_ok == true) {
    sesstion_write_close();
    header("Location: http://yoursite.com/user.php?u=".urlencode($_SESSION["username"]));
    exit();
}

Naturally, adjust the domain/path to the correct one, and use https instead of http if applicable.

jfleck25

Okay cool thanks, I replace the code. I still want to get this form working. when I log in, and try to post a thread to the forum its coming back as ERROR: You do not exist in thestem.

NogDog

You probably need to hash the password. Exactly how will depend on how it was hashed when inserted into the DB. ("I'm not hashing passwords," is not an acceptable answer. 😉 )

 <?php
session_start();
include_once "../connect_to_mysql.php"; // Connect to the database
// Check to see if the user is logged in with session variables
if (!isset($_SESSION['userpass']) || $_SESSION['userpass'] == "") {
    echo "Please log in... (give them links or send them to msgToUser.php with this message)";
    exit();
} else {
    // Assume they are a member because they have a password session variable set
    // Check the database to be sure that their ID, password, and email session variables all match in the database
    $u_id = mysql_real_escape_string($_SESSION['id']);
    $u_name = mysql_real_escape_string($_SESSION['username']);
    $u_email = mysql_real_escape_string($_SESSION['useremail']);
    [COLOR="#B22222"][B]$u_pass = mysql_real_escape_string($_SESSION['userpass']);[/B][/COLOR]
    $sql = mysql_query("SELECT * FROM myMembers WHERE id='$u_id' AND username='$u_name' AND email='$u_email' AND password='$u_pass'");
    $numRows = mysql_num_rows($sql);
    if ($numRows < 1) {
        echo "ERROR: You do not exist in the system.";
        exit();
    }
}

jfleck25

haha It is hashed, how do I find out how?

NogDog

Probably have to look for the code that creates (inserts) a new user (or changes the password on a user account edit?). :bemused: A directory search on "hash" is likely a good start.

jfleck25

Oh that would be the registration form...

This is probebly what you are looking for??

$p_hash = md5 ($p);
			$sql = "INSERT INTO users (username, email, password, firstname, lastname, ip, signup, lastlogin, notescheck)       

		        VALUES('$u','$e','$p_hash','$c','$ip',now(),now(),now())";
		$query = mysqli_query($db_conx, $sql); 
		$uid = mysqli_insert_id($db_conx);
			$sql = "INSERT INTO useroptions (id, username, background) VALUES ('$uid','$u','original')";
		$query = mysqli_query($db_conx, $sql);
			if (!file_exists("user/$u")) {
			mkdir("user/$u", 0755);
		}

jfleck25

Found it! Is this what we are looking for? It was in the registration.php file

 } else {
	   	$p_hash = md5 ($p);
			$sql = "INSERT INTO users (username, email, password, firstname, lastname, ip, signup, lastlogin, notescheck)       

		        VALUES('$u','$e','$p_hash','$c','$ip',now(),now(),now())";
		$query = mysqli_query($db_conx, $sql); 
		$uid = mysqli_insert_id($db_conx);
			$sql = "INSERT INTO useroptions (id, username, background) VALUES ('$uid','$u','original')";
		$query = mysqli_query($db_conx, $sql);
			if (!file_exists("user/$u")) {
			mkdir("user/$u", 0755);
		}

cluelessPHP

Don't use MD5 it's out of date and easy to break now

PHP hashing
http://php.net/manual/en/faq.passwords.php

Also always use prepared statements
http://php.net/manual/en/mysqli.prepare.php

Also when possible use try
http://php.net/manual/en/language.exceptions.php

NogDog

Yep, looks like it's just using md5 with no salt. Better than no hashing, but not much. If this is not yet a live system, I'd definitely recommend migrating to something more up to date and much, much more difficult for crackers to crack. But whatever you end up using is what you'd need both for the initial creation and then any subsequent checks.

Derokorian

Use [man]password_hash[/man]! Its the best 🙂

If the system is live, you can do something like this at the login step to migrate users to password_hash and keep the hash up to date:

$logged_in  = false;
$user = get_user_by_username($username);

if (strpos($user->password, '$') === false) {
    // password is hashed with md5
    if ($user->password == md5($password)) {
        // password is correct, update to new hash
        $logged_in = true;
        $user->password = password_hash($password, PASSWORD_DEFAULT);
        save_user($user);
    }
}
elseif (password_verify($password, $user->password)) {
    // password is correct
    $logged_in = true;
    if (password_needs_rehash($user->password, PASSWORD_DEFAULT)) {
        // Password is hashed with older algorithm, update to current algorithm
        $user->password = password_hash($password, PASSWORD_DEFAULT);
        save_user($user);
    }
}