0
ubye's Avatar, Join Date: Feb 2007
Newbie Member
I need more explanation about that code. Please help me.
0
pradeep's Avatar, Join Date: Apr 2005
Team Leader
The code snippet provided is quite self-explanatory. What exactly are you failing to understand?
0
qaladien's Avatar, Join Date: Mar 2007
Newbie Member
I am attempting to modify your script to work on my server as a session / user manager authenticator. Logically I can follow the program flow, but I am running into 2 issues which I hope you are able to assist me with. Any help would be appreciated.

1.) Inside "function confirmUser" I have added the following text to connect to my database and get the information I want to verify (tested this portion alone in a test.php file and I get success when echoing "SUCCESS" on return true)


<----- BEGIN CODE SNIPPET

Code:
//Connecting, selecting database
$link = mysql_connect('X.X.X.X','USER','PWORD') or die('Could not connect: ' . mysql_error());
mysql_select_db('DBASE') or die('Could not select database');

//DO QUERY
$query = 'SELECT username,password FROM users WHERE username='.$username;
$result = mysql_query($query);
$data = mysql_fetch_assoc($result);
$md5pass = md5($password);

//VALIDATE LOGON
    if($username == $data[username] && $md5pass == $data[password]) 
		return true;
    else 
		return false;
}

^----- END CODE SNIPPET


2. Inside login.php, the section as below is not passing errors when username/pword are blank


<------ BEGIN CODE SNIPPET
Code:
case "login": 
    $username = isset($_POST["username"])?$_POST["username"]:""; 
    $password = isset($_POST["password"])?$_POST["password"]:""; 

    if ($username=="" or $password=="" ) 
    { 
        echo "<h1>Username or password is blank</h1>"; 
        clearsessionscookies(); 
        header("location: login.php?returnurl=$returnurl"); 
    }
^----- END CODE SNIPPET


The page index.php correctly passes me to login.php, I enter a username and password, and get returned to the login UName PWord boxes with no error output. Thanks for any assistance and nice elegant code that was easy to follow barring this issue.



Qaladien
caca like this
0
pradeep's Avatar, Join Date: Apr 2005
Team Leader
Try writing

Code: PHP
//DO QUERY
$query = 'SELECT username,password FROM users WHERE username='.$username;

As

Code: PHP
//DO QUERY
$query = sprintf('SELECT username,password FROM users WHERE username="%s" AND password=MD5("%s")',$username,$password);
$r = mysql_query($query);
if(mysql_num_rows($r)>0)
{
  //Success
}
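The query in this exchange builds SQL by inserting `$username` and `$password` directly into the string and compares an MD5 digest. The block below is an added example, not code from the thread or the original article: it shows the same `confirmUser()` check using a bound parameter and PHP's `password_hash()`/`password_verify()` in place of MD5. It assumes PDO with an in-memory SQLite database standing in for the MySQL server (the `mysql_*` functions used above were removed in PHP 7), and the `users` row, the `DUMMY_HASH` constant and the test inputs are constructed for illustration.

```php
<?php
// Added example: confirmUser() with a bound parameter and password_verify().
// Assumptions: PDO + in-memory SQLite stands in for the thread's MySQL server;
// the users table contents and the test inputs are constructed sample data.

// Hash verified when the user does not exist, so both paths do similar work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function confirmUser(PDO $db, string $username, string $password): bool
{
    // Blank fields are rejected before touching the database.
    if ($username === '' || $password === '') {
        return false;
    }
    // The username is bound as data, so quote characters cannot alter the SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    if ($hash === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // Salted, slow hash comparison instead of comparing MD5 digests.
    return password_verify($password, $hash);
}

// Constructed test database with one user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$cases = [
    ['alice', 'correct horse'],    // valid credentials
    ['alice', 'wrong'],            // wrong password
    ['" OR "1"="1', 'anything'],   // quotes stay inside the bound value
    ['', ''],                      // blank fields
];
foreach ($cases as [$u, $p]) {
    $verdict = confirmUser($db, $u, $p) ? 'accepted' : 'rejected';
    printf("%-16s => %s\n", var_export($u, true), $verdict);
}
```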
0
qaladien's Avatar, Join Date: Mar 2007
Newbie Member
The password is stored in the database as MD5, not in raw form, so I can drop the MD5 you have in the variable, right?
0
pradeep's Avatar, Join Date: Apr 2005
Team Leader
yeah right!
0
asgard2005's Avatar, Join Date: Mar 2007
Newbie Member
Hi, am I right in seeing that login.php calls confirmUser() with a plaintext password, but if a cookie is present and it's called from the checkloggedin() function, the password is sent to confirmuser() in MD5 format?
0
shabbir's Avatar, Join Date: Jul 2004
Go4Expert Founder
Quote:
Originally Posted by asgard2005
Hi, am I right in seeing that login.php calls confirmUser() with a plaintext password, but if a cookie is present and it's called from the checkloggedin() function, the password is sent to confirmuser() in MD5 format?
The point you are making is correct. You need to have a new flag in confirmUser where you know if it's plain or encrypted to fix the issue. Very nice point, I must say. I guess if I get time I will definitely update the article.
0
asgard2005's Avatar, Join Date: Mar 2007
Newbie Member
Quote:
Originally Posted by shabbir
The point you are making is correct. You need to have a new flag in confirmUser where you know if it's plain or encrypted to fix the issue. Very nice point, I must say. I guess if I get time I will definitely update the article.

In login.php just change it to:
if(confirmuser($username,md5($password)))


works since the session and cookie stored password is MD5 always.
0
shabbir's Avatar, Join Date: Jul 2004
Go4Expert Founder
I have rectified the error.