PHP Beginner: More on Security - 2
Last updated: 8/13/2002; 9:35:50 AM

The FuzzyBlog!

Marketing 101. Consulting 101. PHP Consulting. Random geeky stuff. I Blog Therefore I Am.

PHP Beginner: More on Security - 2

Note – some of this is redundant with my other expansion on security.  Some of it is probably not.  I thought it might help some folks out.  Hence the post.

Wow, I didn't mean to put you to that much work. Thanks a lot!  It works! Thank you so much :)

----- Original Message -----

From: J. Scott Johnson

To: XXX

Sent: Sunday, July 21, 2002 6:08 AM

Subject: RE: Handling Users and Passwords

Hi there,

I just hit the same problem myself and I think it's missing the header command to redirect you to another location, i.e. after the cookies have been set and the user is authenticated, add this line:

  header("Location: control.php");

where "control.php" is the URL you want to go to.

If that's not it, then I'd check if the $num_rows returned by the database query is 1.  If not, it may be that there isn't a fall-thru on the last clause of the if test.

NOTE: I just rewrote it from scratch since it was easier than going to www.phpbeginner.com, which desperately needs a "view entire article" feature.

Here's the full code I just rewrote:

 

<?php
// //////////////////////////////////////////////////////
// Mock login page -- takes your login -- and sets
//   the cookies the rest of the site relies on:
//   ck_username
//   ck_password
//   ck_emailaddress
//   ck_userid
//   ck_initials
// /////////////////////////////////////////////////////

  include "../z/zcommon.php";   // defines $dbhost, $dbuser, $dbpassword, $db, $sysadminemail

  // The login form submits with method="get"; read the two fields explicitly
  // instead of relying on register_globals to create them.
  $loginusername = isset($_GET["loginusername"]) ? $_GET["loginusername"] : "";
  $loginpassword = isset($_GET["loginpassword"]) ? $_GET["loginpassword"] : "";

  $link = mysql_connect("$dbhost", "$dbuser", "$dbpassword")
    or die("Could not connect");

  //select the database
  mysql_select_db("$db")
    or die("Could not select database");
  //print "|$loginusername|";die();
  // user_id is selected too so that $userid is defined for the cookie below.
  // NOTE: $loginusername goes into the SQL string as typed, without any escaping.
  $query = "SELECT user_id, username, password, initials, emailaddress FROM fo_useremailaccounts where username='$loginusername' order by user_id limit 1";

  $result = mysql_query($query)
    or die ('<H1 align=center><font color=red>Bad Database Request</font></H1> in :<BR>'
    . __FILE__.' line '. __LINE__
    .'<BR><br /><b>The query used was:</b><BR><BR> '.$query
    .'<BR><br /><b>MySQL says</b><BR><BR> '.mysql_error()
    .'<BR><BR>Email administrator for help at ' . $sysadminemail );

  $num_rows = mysql_num_rows($result);
  //login succeeds only if exactly 1 user matches the username
  if ($num_rows == 1) {
    $row = mysql_fetch_array($result);
    $userid = $row["user_id"];
    $password = $row["password"];
    $username = $row["username"];
    $emailaddress = $row["emailaddress"];
    $initials = $row["initials"];
    //print "in if";die();
    if ($loginpassword == $password) {
    // success!!! They have access

      setcookie("ck_username",$username);
      setcookie("ck_password",$password);
      setcookie("ck_emailaddress",$emailaddress);
      setcookie("ck_userid",$userid);
      setcookie("ck_initials",$initials);

      header("Location: http://www.fuzzygroup.net/fuzzyoffice/control_pagebody.htm");
      //print "doh!";
      exit;   // stop here so nothing after the redirect is executed or sent

    }
    else {
      print "Invalid login.  Access denied.";
    }
  }
  else {
    print "user not found in database";
  }
?>

Login form (with wildly different text than you need, of course)

<HTML>
<HEAD>
<TITLE>
FuzzyGroup :: FuzzyOffice :: Login
</TITLE>
</HEAD>
<BODY>
<center>
<table width=750>
<tr>
<td>

Welcome to the FuzzyOffice Login page.  This grants you access to the currently available FuzzyOffice modules including Tasks, Calendar, etc (oh and it also looks better than this very simple, very plain, very white page).  From this page you can either Login (if you have an existing account) or Register (if you need an account).
<H1>Login</H1>
Use the form below if you are already a FuzzyOffice user.
<form name=login action="mlogin.php" method="get">
<input type="hidden" name="action" value="login">
        Username:
        <input name="loginusername" type="text" size="10"><BR>
        Password:
        <input name="loginpassword" type="password" size="10"><BR>
        <INPUT TYPE=SUBMIT VALUE="Log In">
        </form>
<h1>Registration / Sign Up</h1>
Use this form to sign up as a new user of FuzzyOffice.
<form name=registration action="signup.php" method="get">
                Username:
                <input name="signupusername" type="text" size="10"><BR>
                Password:
                <input name="signuppassword" type="password" size="10"><BR>
                Verify your password:
                <input name="signuppasswordverify" type="password" size="10"><BR>
                Email Address:
                <input name="emailaddress" type="text" size="10"><BR>
                <INPUT TYPE=SUBMIT VALUE="Sign Up">
        </form>
</td>
</tr>
</table>
</center>
</BODY>
</HTML>

Hope this helps.

Scott
-----Original Message-----
From: Christopher Jeffrey [mailto:cjj@XXX]
Sent: Friday, July 19, 2002 7:57 PM
To: scott@phpbeginner.com
Subject: Handling Users and Passwords

Hello,
I read your "Handling Users and Passwords" tutorial, and it worked fine until I tried to login.  When I login all I see is a blank page, I'm pretty sure the problem is the login form.  If you could help me out I'd appreciate it.
Thanks,
Christopher Jeffrey
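The login flow from Scott's reply, rewritten here as an added example (not code from the original post or from phpbeginner.com) with a bound query parameter, a hashed password comparison, and a server-side session in place of the username/password cookies. It assumes PHP 7.1+ with the pdo_sqlite extension; the table, the single user and the test credentials are all constructed inline.

```php
<?php
// Added example (not from the original post): the same login flow with the weak points
// of the 2002 version addressed. Assumes PHP 7.1+ with pdo_sqlite; table and user are constructed.
declare(strict_types=1);
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE fo_useremailaccounts (user_id INTEGER PRIMARY KEY,
    username TEXT UNIQUE, password_hash TEXT, emailaddress TEXT, initials TEXT)');
// Constructed sample user: only a salted hash of the password is stored, never the password.
$pdo->prepare('INSERT INTO fo_useremailaccounts (username, password_hash, emailaddress, initials)
    VALUES (?, ?, ?, ?)')
    ->execute(['scott', password_hash('correct horse', PASSWORD_DEFAULT), 'scott@example.invalid', 'JSJ']);

// Returns the user's row (minus the hash) on success, null on failure. Unknown user and
// wrong password fail identically, so the reply does not reveal which usernames exist.
function authenticate(PDO $pdo, string $loginusername, string $loginpassword): ?array
{
    // Bound parameter instead of interpolating $loginusername into the SQL string.
    $stmt = $pdo->prepare('SELECT user_id, username, password_hash, emailaddress, initials
        FROM fo_useremailaccounts WHERE username = ? LIMIT 1');
    $stmt->execute([$loginusername]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($loginpassword, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Web flow: fields arrive by POST (the original form used GET, which puts the password into
// the URL and server logs); the identity lives in a server-side session rather than in cookies
// carrying username and password; exit after header() so nothing below runs after the redirect.
if (PHP_SAPI !== 'cli') {
    $user = authenticate($pdo, $_POST['loginusername'] ?? '', $_POST['loginpassword'] ?? '');
    if ($user === null) {
        http_response_code(401);
        exit('Invalid login.  Access denied.');
    }
    session_start();
    session_regenerate_id(true);          // new session id once authenticated
    $_SESSION['user_id'] = $user['user_id'];
    header('Location: control.php');      // target page named in the original reply
    exit;
}

// Command-line check of the three outcomes (constructed credentials).
foreach ([['scott', 'correct horse'], ['scott', 'wrong password'], ['nobody', 'correct horse']] as [$u, $p]) {
    printf("%-7s / %-14s -> %s\n", $u, $p, authenticate($pdo, $u, $p) ? 'accepted' : 'denied');
}
```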

Copyright 2002 © The FuzzyStuff