User auth and ID questions

[vedran]

Guys, I'm really getting angry with this stupid login box. Could you help me??
Problems are:
1) Whatever I input into form fields, It'll log in no matter does username or password exist in DB.
2) Once logged in, I can't log out. Why can't the session be destroyed?
Also I'd appreciate if you could point to any other flawes in the script. Tnx

index.php

PHP Code:

<?php
error_reporting(E_ALL | E_STRICT);
ini_set('display_errors', True);

session_start();
?>

<html>
<head>
    <title>My login</title>
</head>
<body>
    <div></div>
    <?php if (isset($_SESSION['username'])) { ?>
    You are now logged in <br />
    <a href="logout.php">Logout</a>
    <?php } else { ?>
    <form action="login.php" method="post">
        username: <input name="username" type="text" />
        password: <input name="password" type="password" />
        <input type="submit" />
    </form>
    <?php } ?>
    <!-- Output Error -->
    <?php if (in_array('error',$_SESSION)) echo $_SESSION['error']; unset($_SESSION['error']); ?>
</body>
</html>

login.php

PHP Code:

<?php
session_start();

$db_host = 'localhost';
$db_user = 'omeragic_rebus';
$db_pass = '******************';
$db_db = 'omeragic_rebus';



if (isset($_POST['username']))
{
    // MySQL Connection
    $db_link = mysql_connect($db_host, $db_user, $db_pass)
        or die('MySQL Connection Error:'.mysql_error());
    mysql_select_db($db_db)
        or die('MySQL Error: Cannot select table');
    
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    
    // MySQL Query
    $result = mysql_query("SELECT * FROM rebus_users 
        WHERE username = '$username' AND password = md5('$password') ");
        
    if(!$result) {
        $_SESSION['error'] = '<span style="color: red">Login Failed</span>';
    } else {
        // Mysql fetch row results
        $row = mysql_fetch_assoc($result);
        
        $_SESSION['userid'] = $row['id'];
        $_SESSION['username'] = $username;
        $_SESSION['error'] = 'Login successful<br> Welcome, '.$username;
    }
    mysql_close($db_link);
}

header('Location: ./')
?>

logout.php

PHP Code:

<?php
session_start();

if (isset($_GET['logout']))
{
    $_SESSION = array();
    if ($_COOKIE[session_name()])
    {
        setcookie(session_name(), '', time()-42000, '/');
    }
    session_destroy();
    header('Location: ./');
} else {
echo 'Session could not be destroy';
}
?>

[morefood2001]

Look at your login.php file, particularly the mysql query. I'm not sure if this is it, but I never call php functions inside queries. I doubt this is it, but it could be the problem. Also try explicitly defining * in the query to return only row_id since you only require that value.

As for logging out, I don't think you want $_SESSION = array(); in your code, I've never used that and don't know why its there.

If you are still having problems, I will attempt to run it and look more closely at it.

[vedran]

Quote:

Originally Posted by morefood2001

Look at your login.php file, particularly the mysql query. I'm not sure if this is it, but I never call php functions inside queries. I doubt this is it, but it could be the problem. Also try explicitly defining * in the query to return only row_id since you only require that value.

As for logging out, I don't think you want $_SESSION = array(); in your code, I've never used that and don't know why its there.

If you are still having problems, I will attempt to run it and look more closely at it.

I've tried removing $_SESSION, but somehow scr*wed it even more...
What do you mean by php functions inside queries? Do u mean md5 hash?

I'd really appreceate if you could run it, and really sorry for noobish questions and problems

Also the DB is

Code:

CREATE TABLE `omeragic_rebus`.`rebus_users` (
`id` MEDIUMINT( 8 ) UNSIGNED NOT NULL ,
`username` VARCHAR( 255 ) NOT NULL ,
`password` VARCHAR( 40 ) NOT NULL ,
`email` VARCHAR( 100 ) NOT NULL ,
`group_id` MEDIUMINT( 8 ) UNSIGNED NOT NULL
)

[morefood2001]

The reason why your login doesn't work is because you are never submitting a variable by the name of login for $_GET to actually get. Removing that line worked fine. If you want to keep this, perhaps add ?logout=true to the end of logout.php.

The reason why your login doesn't work is because there is ALWAYS a result unless the database doesn't exist. Therefore you needed an additional if/else clause inside the main else. I also changed the md5 to be up in the real escape.

So here is my code, customized to fit my live testing database (you will need to change tables back). Also I did not fix the error outputting system, but it doesn't work correctly.

index.php

PHP Code:

<?php
error_reporting(E_ALL | E_STRICT);
ini_set('display_errors', True);

session_start();
?>

<html>
<head>
    <title>My login</title>
</head>
<body>
    <div></div>
    <?php if (isset($_SESSION['username'])) { ?>
    You are now logged in <br />
    <a href="logout.php">Logout</a>
    <?php } else { ?>
    <form action="login.php" method="post">
        username: <input name="username" type="text" />
        password: <input name="password" type="password" />
        <input type="submit" />
    </form>
    <?php } ?>
    <!-- Output Error -->
    <?php if (in_array('error',$_SESSION)) echo $_SESSION['error']; unset($_SESSION['error']); ?>
</body>
</html>

login.php

PHP Code:

<?php
session_start();

$db_host = 'localhost';
$db_user = 'matthous_test';
$db_pass = '*********';
$db_db = 'matthous_test';



if (isset($_POST['username']))
{
    // MySQL Connection
    $db_link = mysql_connect($db_host, $db_user, $db_pass)
        or die('MySQL Connection Error:'.mysql_error());
    mysql_select_db($db_db)
        or die('MySQL Error: Cannot select table');
    
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string(md5($_POST['password']));
    
    // MySQL Query
    $result = mysql_query("SELECT * FROM matthous_users 
        WHERE username = '$username' AND password = '$password' ");
        
    if(!$result) {
        $_SESSION['error'] = '<span style="color: red">Database not found.</span>';
    } else {
        // Mysql fetch row results
        $row = mysql_fetch_assoc($result);
        
        if ($row['username'] == $username){
            $_SESSION['userid'] = $row['id'];
              $_SESSION['username'] = $username;
             $_SESSION['error'] = 'Login successful<br> Welcome, '.$username;
        }else{
            $_SESSION['error'] = '<span style="color: red">Login Failed</span>';
        }
        
    }
    mysql_close($db_link);
}

header('Location: ./')
?>

logout.php

PHP Code:

<?php
session_start();

   $_SESSION = array();
    if ($_COOKIE[session_name()])
    {
        setcookie(session_name(), '', time()-42000, '/');
    }
    session_destroy();
    header('Location: ./');

?>

[John]

Quote:

Originally Posted by morefood2001

Look at your login.php file, particularly the mysql query. I'm not sure if this is it, but I never call php functions inside queries.

The md5 function he is calling inside his query is actually a MySQL not php. However is logic is still skewed. He is calling the mysql_real_escape_string on a password prior to creating the md5 hash. That said, if the password contains special characters, they will be escaped and render the password incorrect. However, by removing that line, the query is vulnerable to an sql injection. I would chage the code to:

PHP Code:

    $username = mysql_real_escape_string($_POST['username']);
    $password = md5($_POST['password']);
    
    // MySQL Query
    $result = mysql_query("SELECT * FROM rebus_users WHERE username = '$username' AND password = '$password' "); 


The extra mysql_real_escape_string in morefood2001's post is redundant since an md5 contains no characters that needs to be escaped. Although it doesn't hurt anything by including it (other than maybe a few clock cycles).

I would like to point out something morefood2001 said. mysql_query doesnt always return a result. According to the php manual if *should* return false if there is an error with the query. In light of that, does your query return an error or an empty result set? I believe it is the latter which is why your method is not the best.


However, two of our members have written tutorials retarding the creation of a login/logoff system. Both are great examples, but I would lean toward the latter as it uses a method more similar to mine (checking if the number of rows returned by mysql_query is one).
Simple Register-Login-Logoff System
Simple Login/Register/Main Script

[morefood2001]

Quote:

Originally Posted by John

The extra mysql_real_escape_string in morefood2001's post is redundant since an md5 contains no characters that needs to be escaped. Although it doesn't hurt anything by including it (other than maybe a few clock cycles).

We discussed that after my post, I wasn't thinking correctly on that point. It is redundant.

Quote:

Originally Posted by John

I would like to point out something morefood2001 said. mysql_query doesnt always return a result. According to the php manual if *should* return false if there is an error with the query. In light of that, does your query return an error or an empty result set? I believe it is the latter which is why your method is not the best.

I worded my thought incorrectly, thanks for catching that.

[orjan]

I have worked a bit with this and have concluded to this part to be loaded on every page, if you want the system to log users off automatically after a certain time.

the session name thing is not necesary, but if there are many homepages within the same domain, it is safer to have it so anyone else within the same domain elaborates with your cookies. it does not take much execution time, and makes the code a little bit more secure.

PHP Code:

    $sessname = 'MyTinyApp';
    $session_length=3600   // one hour, time is in seconds
    session_set_cookie_params($session_length);
    session_name($sessname);
    session_start();

    // Reset the expiration time upon page load. 
    // Without this part, the session will limit to 
    // one hour no matter how much access the user do.
    if (isset($_COOKIE[$sessname])) {
        setcookie($sessname, $_COOKIE[$sessname], time() + $session_length, "/");
    } 


In my version of the system, I always create the session cookie, but I never set any variables in $_SESSION until logged in properly.

hope this part can help aswell.