login script working from nothing?
Ok, this is the most confusing script I've ever worked with.
I have no problem getting it to work.....the problem is that I don't know why it's working.....It shouldn't work....
and some of the variables aren't even defined unless I'm using globals I guess
Well anyway let me explain
Here is the link to the full script I've been editing and using if you want to look at it
www.dockterz.com/party/oldlogin.phps
Alright.....
What I understand of this script is
It first checks to see if you are logging out or not..and logs you out
Then it checks to see if you just came from the login form.....and if you did.....check the login information
Then it has the set of form templates to display at specific times.
On the check login part is where I have the problem/confusion
Right here starting at line 20 it says
[PHP Code]
$user_data = mysql_num_rows($result);
if ($user_data != 0) {
setcookie ("user", md5($user_data[user]));
setcookie ("pass", md5($user_data[pass]));
header("Location: $_SERVER[PHP_SELF]");
} else {
$login_error = true; }
It sets a cookie for what it recieves for a num_rows query. And not only that, it pretends that it's an array when it's not.
What I've been trying to do is this.
[PHP Code]
$num = mysql_num_rows($result);
$user_data = mysql_num_rows($result);
if ($num != 0) {
setcookie ("user", md5($user_data[user]));
setcookie ("pass", md5($user_data[pass]));
header("Location: $_SERVER[PHP_SELF]");
} else {
$login_error = true; }
but it doesn't work for some reason
On Line 45 it compares what I typed in the login form to the cookie....but the odd thing is.......It says....if the Cookie....which has a value of nothing equals the value of what they put for username....then let them pass
And it works....WTF?!?!
it doesn't take a genious to know that username != ""
[PHP Code]
} elseif ($_COOKIE[user] == md5($_POST[username]) && $_COOKIE[pass] == md5($_POST[password])) {
Can anyone make heads or tails of this....because I'm lost....
Here's the link below to see this script in action
www.dockterz.com/party/post.php
the username is : user
and the password is : pass
I have no problem getting it to work.....the problem is that I don't know why it's working.....It shouldn't work....
and some of the variables aren't even defined unless I'm using globals I guess
Well anyway let me explain
Here is the link to the full script I've been editing and using if you want to look at it
www.dockterz.com/party/oldlogin.phps
Alright.....
What I understand of this script is
It first checks to see if you are logging out or not..and logs you out
Then it checks to see if you just came from the login form.....and if you did.....check the login information
Then it has the set of form templates to display at specific times.
On the check login part is where I have the problem/confusion
Right here starting at line 20 it says
[PHP Code]
$user_data = mysql_num_rows($result);
if ($user_data != 0) {
setcookie ("user", md5($user_data[user]));
setcookie ("pass", md5($user_data[pass]));
header("Location: $_SERVER[PHP_SELF]");
} else {
$login_error = true; }
It sets a cookie for what it recieves for a num_rows query. And not only that, it pretends that it's an array when it's not.
What I've been trying to do is this.
[PHP Code]
$num = mysql_num_rows($result);
$user_data = mysql_num_rows($result);
if ($num != 0) {
setcookie ("user", md5($user_data[user]));
setcookie ("pass", md5($user_data[pass]));
header("Location: $_SERVER[PHP_SELF]");
} else {
$login_error = true; }
but it doesn't work for some reason
On Line 45 it compares what I typed in the login form to the cookie....but the odd thing is.......It says....if the Cookie....which has a value of nothing equals the value of what they put for username....then let them pass
And it works....WTF?!?!
it doesn't take a genious to know that username != ""
[PHP Code]
} elseif ($_COOKIE[user] == md5($_POST[username]) && $_COOKIE[pass] == md5($_POST[password])) {
Can anyone make heads or tails of this....because I'm lost....
Here's the link below to see this script in action
www.dockterz.com/party/post.php
the username is : user
and the password is : pass
OK I think I see what is going on. As you pointed out, the $user_data = mysql_num_rows($result) is surprising.
If I logged in correctly, then line 22:
setcookie ("user", md5($user_data[user]));
$user_data currently equals 1. "user" is being used as an undeclared constant. So the cookie is md5( 1[someconstant] ). That would never compile, but if you experiment you will find that this is exactly what is going on:
$foo = 1;
print md5( $foo[someconstant] );
The so-called encrypted password on line 23 is of course exactly the same.
But here is the catch, line 24 redirects the page to itself. Go back to the beginning of the code and start again. On line 7, logout == true fails. Lines 12 and 13 reference $_POST -- but we currently have no form submission (because of the redirect). Well guess what, md5($_POST['username']) is equal to md5($user_date[user]) -- both pretty useless, but equal.
On line 16, the if() fails -- again because no $POST. Line 30 if() fails, so we're left at line 45. This is true, because all the referenced variables came from md5( $someArray[SomeUnsetIndex]
If you had instead entered the wrong password, the only prevention from logging you in is on line 21, which sets $login_error because the num_rows() was 0.
My advice: start from scratch! Or better yet, use PEAR's Auth stuff, which saves you from reinventing the wheel.
If I logged in correctly, then line 22:
setcookie ("user", md5($user_data[user]));
$user_data currently equals 1. "user" is being used as an undeclared constant. So the cookie is md5( 1[someconstant] ). That would never compile, but if you experiment you will find that this is exactly what is going on:
$foo = 1;
print md5( $foo[someconstant] );
The so-called encrypted password on line 23 is of course exactly the same.
But here is the catch, line 24 redirects the page to itself. Go back to the beginning of the code and start again. On line 7, logout == true fails. Lines 12 and 13 reference $_POST -- but we currently have no form submission (because of the redirect). Well guess what, md5($_POST['username']) is equal to md5($user_date[user]) -- both pretty useless, but equal.
On line 16, the if() fails -- again because no $POST. Line 30 if() fails, so we're left at line 45. This is true, because all the referenced variables came from md5( $someArray[SomeUnsetIndex]
If you had instead entered the wrong password, the only prevention from logging you in is on line 21, which sets $login_error because the num_rows() was 0.
My advice: start from scratch! Or better yet, use PEAR's Auth stuff, which saves you from reinventing the wheel.
ASKER
Wow, great interpretation you gave....must have took some time
But yeah I'm just about to agree. I am going to have to use something else.
I've never been anygood with login scripts.....even simple ones......because they have to do with sessions..and cookies....which I can't really figure out because they're not really there.
This login works great if you just want it to restrict a page...but I'm trying to include user information and such.........and that's not possible with this script.
Do you or anybody have a working login script that you could post? That'd be great.
But yeah I'm just about to agree. I am going to have to use something else.
I've never been anygood with login scripts.....even simple ones......because they have to do with sessions..and cookies....which I can't really figure out because they're not really there.
This login works great if you just want it to restrict a page...but I'm trying to include user information and such.........and that's not possible with this script.
Do you or anybody have a working login script that you could post? That'd be great.
ASKER
Some questions on the script.......I know you didn't write it but some of the key things you pointed out are the things that I couldn't believe were working.......like
"That would never compile, but if you experiment you will find that this is exactly what is going on:
$foo = 1;
print md5( $foo[someconstant] ); "
I've experimented with them here
www.dockterz.com/party/wtf.php
If I md5 an [undeclared constant]=>[value], then basically I'll get a value of nothing and that's what it encrypts to: d41d8cd98f00b204e9800998ec
and it encrypts both the username and the password the same way.
I mean.....this isn't the thing that bothering me.....it's just that later on, when you said
"
Go back to the beginning of the code and start again. On line 7, logout == true fails. Lines 12 and 13 reference $_POST -- but we currently have no form submission (because of the redirect).
----------------------
Well guess what, md5($_POST['username']) is equal to md5($user_date[user]) -- both pretty useless, but equal.
"
Well guess what else I don't get........
One: how come later on when I close the page and open it again it works.....If I close the page..the POST vars should delete themselves like they have on every other project I've done.
and Two: If the POST vars did happen to save the information.....how....whe
Well anyway......I'm gonna have to find a new alternative if I want user info
"That would never compile, but if you experiment you will find that this is exactly what is going on:
$foo = 1;
print md5( $foo[someconstant] ); "
I've experimented with them here
www.dockterz.com/party/wtf.php
If I md5 an [undeclared constant]=>[value], then basically I'll get a value of nothing and that's what it encrypts to: d41d8cd98f00b204e9800998ec
and it encrypts both the username and the password the same way.
I mean.....this isn't the thing that bothering me.....it's just that later on, when you said
"
Go back to the beginning of the code and start again. On line 7, logout == true fails. Lines 12 and 13 reference $_POST -- but we currently have no form submission (because of the redirect).
----------------------
Well guess what, md5($_POST['username']) is equal to md5($user_date[user]) -- both pretty useless, but equal.
"
Well guess what else I don't get........
One: how come later on when I close the page and open it again it works.....If I close the page..the POST vars should delete themselves like they have on every other project I've done.
and Two: If the POST vars did happen to save the information.....how....whe
Well anyway......I'm gonna have to find a new alternative if I want user info
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This is what I've been trying to do....on Line 20
[PHP Code]
$num = mysql_num_rows($result);
$user_data = mysql_fetch_array($result)
if ($num != 0) {
setcookie ("user", md5($user_data[user]));
setcookie ("pass", md5($user_data[pass]));
header("Location: $_SERVER[PHP_SELF]");
} else {
$login_error = true; }