  1. #1
    Just Joined!
    Join Date
    Jul 2009
    Posts
    9

    php mysql help please login script


    Completely new to this, hopefully I at least understand what I'm doing if not the coding. Any help is appreciated.

    I am trying to build a login script for a website.

    Assets:
    -1 DB located in godaddy
    DB has 1 table: zen_members
    with 4 fields: ID, login, password, site
    it has only 1 entry thus far (verified with phpmyadmin)
    -config [dot] php in [dot slash] js [slash] with DB parameters

    I have the page Login [dot] hteeml in my webroot which calls
    login-exec [dot] php located in [dot slash] js [slash] which depending on the result triages the client. The problem is that right now, if there is a blank input it works as expected and goes back to Login [dot] html, but in all other cases (bad password/user) goes to the catchall index [dot] html instead of where it's supposed to.

    Login [dot] html
    Code:
    <form id="loginform" action=" [dot slash] js [slash] login-exec [dot] php" method="post" accept-charset="UTF-8">
        <table cellpadding="5" cellspacing="1" width="100%" border="0" style="border:1px solid; border-collapse: collapse; border-image: initial; margin-top: auto; margin-right: auto; margin-bottom: auto; margin-left: auto;">
            <tbody>
                <tr>
                    <td align="center">
                    <fieldset >
                    <legend>If you have lost your password, send email.                </legend>
                    <legend>
                    <label for="login" >UserName*:</label>
                    <input type="text" class="login" name="login" id="login"  maxlength="50" /><br />
                    <label for="password" >Password*:</label>
                    <input type="password" class="password" name="password" id="password" maxlength="50" /><br />
                    <input type='submit' name='Submit' value='Login' />
                    </legend>
                    </fieldset>
                    </td>
                </tr>
            </tbody>
        </table>
    </form>
    [dot slash] js [slash] login-exec [dot] php
    PHP Code:
    <?php
        //Start session
        session_start();

        //Include database connection details
        require_once(' [dot slash] config [dot] php');

        //Array to store validation errors
        $errmsg_arr = array();

        //Validation error flag
        $errflag = false;

        //Connect to mysql server
        $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
        if(!$link) {
            die('Failed to connect to server: ' . mysql_error());
        }

        //Select database
        $db = mysql_select_db(DB_DATABASE);
        if(!$db) {
            die("Unable to select database");
        }

        //Function to sanitize values received from the form. Prevents SQL injection
        function clean($str) {
            $str = [atsign]trim($str);
            if(get_magic_quotes_gpc()) {
                $str = stripslashes($str);
            }
            return mysql_real_escape_string($str);
        }

        //Sanitize the POST values
        $login = clean($_POST['login']);
        $password = clean($_POST['password']);

        //Input Validations
        if($login == '') {
            $errmsg_arr[] = 'Login ID missing';
            $errflag = true;
        }
        if($password == '') {
            $errmsg_arr[] = 'Password missing';
            $errflag = true;
        }

        //If there are input validations, redirect back to the login form
        if($errflag) {
            $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
            session_write_close();
            header("location:  [dot dot slash] /Login [dot] html");
            exit();
        }

        //Create query
        $qry="SELECT * FROM zen_customers WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
        $result=mysql_query($qry);

        //Check whether the query was successful or not
        if($result) {
            if(mysql_num_rows($result) == 1) {
                //Login Successful
                session_regenerate_id();
                $member = mysql_fetch_assoc($result);
                $_SESSION['SESS_MEMBER_ID'] = $member['login'];
                session_write_close();
                header("location:  [dot dot slash] Products [dot] html");
                exit();
            }else {
                //Login failed
                header("location:  [dot dot slash] Login [dot] html");
                exit();
            }
        }else {
            header("location:  [dot dot slash] index [dot] html");
        }
    ?>
    [dot slash] js [slash] config [dot] php
    PHP Code:
    <?php
        define('DB_HOST', 'can1234567891011 [dot] db [dot] 1213141 [dot] hostedresource [dot] com');
        define('DB_USER', '1234567891011');
        define('DB_PASSWORD', 'Abcd123');
        define('DB_DATABASE', 'can1234567891011');
    ?>
    Sorry about the [dot] and [slashes] apparently I can't post certain things here yet.

    Thanks in advance.

  2. #2
    Penguin of trust elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,636
    It sounds like it is dropping into the last else, which indicates that your query is failing. Try outputting it and running it directly in the DB.

    Code:
    $qry="SELECT * FROM zen_customers WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
    echo $qry;
    By the way, did you mean to use the raw post data in that query?
    mellofellow likes this.
    "I used to be with it, then they changed what it was.
    Now what was it isn't it, and what is it is weird and scary to me.
    It'll happen to you too."

    Grandpa Simpson



    The Fifth Continent

  3. #3
    Just Joined!
    Join Date
    Jul 2009
    Posts
    9
    Thanks Elija, for your swift response, very appreciated.

    I had tried debugging it and indeed it falls into the final else.
    Here is the echo output, regardless of good or bad password:

    Code:
    SELECT * FROM zen_customers WHERE login='Nicholas' AND passwd='f23233e3dead8f53253dc78dd05ddcec'
    Warning: Cannot modify header information - headers already sent by (output started at /home/content/92/9475592/html/js/login-exec.php:59) in /home/content/92/9475592/html/js/login-exec.php on line 79
    The page is completely blank with just that as output at the top. In the case of a bad password, the MD5 is different but same idea. The blank login continues to redirect back to the login.

    The passwords are stored as plain text in the DB.

    I'm not sure what you meant by raw data. Basically I want to compare entries in the DB to login vars and if in the DB triage the user to their own webpage (stored in DB also). I'll google around for the raw data bit.

    -Thanks again.

  5. #4
    Penguin of trust elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,636
    In your code you clean the password to make it safe but then use the $_POST array directly in the SQL (you md5 it but still...). Using posted or getted data directly is what I mean by raw data.

    You say The passwords are stored as plain text in the DB so do you need the MD5?

    If you don't have access to the server logs to look for errors then you can add the following after the require statement to show any errors. Note that if this is a public server you shouldn't leave this code in place!

    Code:
    ini_set('display_errors', 1);
    error_reporting(E_ALL);
    mellofellow likes this.
    "I used to be with it, then they changed what it was.
    Now what was it isn't it, and what is it is weird and scary to me.
    It'll happen to you too."

    Grandpa Simpson



    The Fifth Continent

  6. #5
    Just Joined!
    Join Date
    Jul 2009
    Posts
    9
    Thanks again!

    I will try to de-MD5 things and see if that helps. I tried the code you suggested but it gives me the same output as the above error message on the blank page. I can't access the server logs.

  7. #6
    Just Joined!
    Join Date
    Jul 2009
    Posts
    9
    Ok some progress!

    I took out MD5 (I think) and got as error (good/bad login):

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/content/92/9475592/html/js/login-exec.php on line 69

    Line 69 falls in the middle of the login success if area, which suggests it's at least getting through the script.
    This seems like a formatting error so I'm gonna see about debugging it.

  8. #7
    Just Joined!
    Join Date
    Jul 2009
    Posts
    9
    Never mind!

    Solved it! I mean you did! It was the MD5.

    Thanks a TON! Very, very appreciated.

  9. #8
    Penguin of trust elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,636
    /\ Excellent /\

    Don't forget to remove the ini_set and display_errors and to replace the $_POST['password'] with $password in your $sql string.
    mellofellow likes this.
    "I used to be with it, then they changed what it was.
    Now what was it isn't it, and what is it is weird and scary to me.
    It'll happen to you too."

    Grandpa Simpson



    The Fifth Continent
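
The two issues raised in posts #2, #4 and #8 (form input reaching the SQL string directly, and the MD5 versus plain-text mismatch) can both be avoided with a parameterized query and password_hash()/password_verify(). This is an added example, not code from any poster in the thread; it assumes PDO with an in-memory SQLite database in place of the hosted MySQL server, a constructed sample row, and the hypothetical function names make_demo_db() and check_login().

```php
<?php
// Added example: hardened credential check for the zen_members table
// (ID, login, password, site) described in post #1.
// Assumptions: PDO with in-memory SQLite stands in for the hosted MySQL
// server; the 'password' column holds password_hash() output.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE zen_members (
        ID INTEGER PRIMARY KEY, login TEXT UNIQUE, password TEXT, site TEXT)');
    // Constructed sample row; the hash is salted, so it differs on every run.
    $ins = $db->prepare(
        'INSERT INTO zen_members (login, password, site) VALUES (?, ?, ?)');
    $ins->execute(['Nicholas',
        password_hash('constructed-sample-pw', PASSWORD_DEFAULT),
        'Products.html']);
    return $db;
}

// Returns the member's site on success, null on any failure.
function check_login(PDO $db, string $login, string $password): ?string {
    // Placeholders keep user input out of the SQL text entirely, so there is
    // no escaping step to forget (as happened with $_POST['password'] above).
    $stmt = $db->prepare(
        'SELECT password, site FROM zen_members WHERE login = ?');
    $stmt->execute([trim($login)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify in PHP, not in the WHERE clause: the stored value is a salted
    // hash, so it cannot be matched by string equality in SQL.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same result for unknown user and wrong password
    }
    return $row['site'];
}

// Constructed inputs: correct password, wrong password, login with a quote.
$db = make_demo_db();
var_dump(check_login($db, 'Nicholas', 'constructed-sample-pw'));
var_dump(check_login($db, 'Nicholas', 'wrong'));
var_dump(check_login($db, "O'Brien", 'anything'));
```

In login-exec.php a non-null result would feed the existing session_regenerate_id() and header() redirect code. Rows that currently hold plain-text passwords would need to be re-hashed once with password_hash() before this check can succeed.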
