• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 316
  • Last Modified:

urgent joomla 1.0.5 SQL query code . . .

Hi experts, I just fantastico-installed joomla 1.0.5, and everything works great, but I am modifying a few lines of PHP and need some help.  

I am working with the mod_login module found at [http://joomla.org.in/doc/modules/mod_login.php.source.html]
text only version at :[http://joomla.org.in/doc/modules/mod_login.php.source.txt]

As you can see by that file, it is simple SQL authentication.  The index.php file calls it and then the mod_login module searches the database for credentials and displays appropriate HTML based on results.  What I am trying to do is automatically log a user in just based on an external link.  The link will call the joomla index.php file, and the mod_login module will determine if [based on the variables passed in the link], the user will be logged in or simply presented with an option to register.  

Currently, if you just call the index.php? file, it presents the user with the option to login or register [found at line 73].  I want to be able to have the user authenticated automatically via the link that comes from an OUTSIDE SITE, for example, if a partner website has a link to our site like, http://www.educationforliberty.com/altapps/index.php?username=registered_user_username&passwd=example&autologin=yes

I know that others will be able to see username/password combinations, but all it means for us in this situation is that we control the access that is granted based on inbound external links.

I am looking for a solution that will fall right around line 73 and search the SQL database for credentials, and redirect the window if the proper credentials are given.  If they are not given, then the user is presented with the default login/register form found after line 73.

I have attempted to do this  at line 73 with

_____________________________

// autologin if a user
if ( $autologin == yes) {

$location     = 'http://www.educationforliberty.com/altapps/index.php?option=com_content&task=view&id=12&Itemid=27&data=final_destination_for_authenticated_link';

print "<script language=\"javascript\">\n";
print "document.location.href=\"$location\"\n";
print "</script>";

}

else {
//load default html to offer registration for user
// open else statement found in original

      ?>

_____________________________


but there is no authentication aspect in SQL


0
mattpiercey
Asked:
mattpiercey
  • 12
  • 7
  • 3
1 Solution
 
mattpierceyAuthor Commented:
why is there no discussion? Am I missing something?
0
 
Richard QuadlingSenior Software DeveloperCommented:
Try this as a Debug. I want to see what comes out. Adding the debug is NOT a fix.

Instead of ...

if ( $autologin == yes) {

Try ...

if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes') === 0) {
 print_r($_GET); // Show the entire GET array. Hopefully all the data is here.
0
 
mattpierceyAuthor Commented:
calling this page in your browser:
http://www.educationforliberty.com/altapps/index.php?

produces the default login box.[GOOD]

calling this page in your browser:
http://www.educationforliberty.com/altapps/index.php?username=registered_user_username&passwd=example&autologin=yes


with your code:

____________________
// autologin if a user
if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes') === 0) {
 print_r($_GET); // Show the entire GET array. Hopefully all the data is here.

____________________

This error is produced:

Parse error: syntax error, unexpected '{' in /educationforliberty/altapps/modules/mod_login.php on line 74



                                                                                                                     V
But, with this code - I put a parentheses after the yes in ($_GET['autologin'], 'yes')),
                                                                                                                     ^
____________________
} else {
// Login output
// ie HTML when not logged in and trying to login

      ?>

      <?php
// autologin if a user
if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes')) === 0) {
 print_r($_GET); // Show the entire GET array. Hopefully all the data is here.


}

else {
//load default html to offer registration for user
// open else statement found in original

      ?>
      <form action="<?php echo sefRelToAbs( 'index.php' ); ?>" method="post" name="login" >
____________________




The script outputs

Login Form
Array ( [username] => registered_user_username [passwd] => example [autologin] => yes )




I removed the window location redirection because we need to actually log the user in.


Thank you for your support in this question.  Many other Joomla websites have had HUNDREDS of programmers attempt to solve this problem, so whoever solves it will get major eprops.
0
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

 
Richard QuadlingSenior Software DeveloperCommented:
<?php
if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes') === 0))
      {
      print_r($_GET); // Show the entire GET array. Hopefully all the data is here.
      exit;
      }
?>

And this shows the correct data.

OK.

Can you tell me what is the handler for the login form and what the login form looks like?

0
 
mattpierceyAuthor Commented:
Sure, the handler for the login form is found at [http://joomla.org.in/doc/modules/mod_login.php.source.html]
text only version at :[http://joomla.org.in/doc/modules/mod_login.php.source.txt]

The Login form is live and can be found at [http://www.educationforliberty.com/altapps/index.php]
The index.php file calls the handler [mod_login.php] and then the mod_login module searches the database for credentials and displays appropriate HTML based on results.


0
 
Richard QuadlingSenior Software DeveloperCommented:
Ok. This is sort of guess work.

As you are using $_GET for the username and ___PASSWORD___ (very very bad idea - but we'll go with it), you shouldn't be too worried about the $_POST array.

So populate it with the values you get from a normal login form.

<?php
$_POST = array
 (
 'username' => $_GET['username'],
 'password' => $_GET['password'],
 'remember' => 'yes',
 'option' => 'login',
 'submit' => _BUTTON_LOGIN, // I assume this is a constant defined in your code somewhere.
 );
?>

So. This is like having filled in the data by the form and submitted.

Now all you need to do is call the login module as index.php does.

I assume it looks for $_POST['option'] and makes the appropriate call from there.

I would need to see index.php.
0
 
mattpierceyAuthor Commented:
The source for the index.php is found at [http://joomla.org.in/doc/index.php.source.html]

with this code:


_________________
// Login output
// ie HTML when not logged in and trying to login

      ?>



      <?php
// autologin if a user
if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes')) === 0) {

$_POST = array
 (
 'username' => $_GET['username'],
 'password' => $_GET['password'],
 'remember' => 'yes',
 'option' => 'login',
 'submit' => _BUTTON_LOGIN, // This is a constant defined in the code.
 );

}

else {
//load default html to offer registration for user
// open else statement found in original
_________________

It looks like it is trying to log the user in, but does not do any authentication, and does not actually log a person in.

Click on this link:
[http://www.educationforliberty.com/altapps/index.php?username=registered_user_username&passwd=example&autologin=yes]

and you will see what I mean.  The login form completely dissapears in HTML.

0
 
mattpierceyAuthor Commented:
Normally if a user attempts to log in with incorrect credentials an alert pops up.
And if a user is correctly logged in, an alert does pop up that says, "you have sucessfully logged in."

This tells me that we are not authenticating.
0
 
Richard QuadlingSenior Software DeveloperCommented:
We haven't got that far yet.

What I'm wanting to make sure is that the data I fill in in a form is the same as I am going to send programatically.

In your index.php, just before line 53 ...

if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes')) === 0)
      {
      $_POST = array
            (
            'username' => $_GET['username'],
            'password' => $_GET['password'],
            'remember' => 'yes',
            'option' => 'login',
            'submit' => _BUTTON_LOGIN, // This is a constant defined in the code.
            );
      $_GET['option'] = 'login';
      }



0
 
mattpierceyAuthor Commented:
What I'm wanting to make sure is that the data I fill in in a form is the same as I am going to send programatically.

Good, we are on the same track, that is exactly what I am trying to do:]

I placed the above code into the index.php file just before line 53, and left that code in the mod_login.php file.
0
 
mattpierceyAuthor Commented:
I have attempted to do this with the javascript onLoad submit form function, but for some reason, the page needs to be manually refreshed before the automatic login is complete.  It VERY slow and bulky - and not the completely automatic solution I was looking for.
0
 
RoonaanCommented:
Note that this is quite a dirry solution

Personally I would just drop this whole code at the very top of the index.php:

if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes')) === 0 && !empty($_GET['username']) && !empty($_GET['password'])) {
     $_POST = $_REQUEST = $_GET = array
          (
          'username' => $_GET['username'],
          'password' => $_GET['password'],
          'remember' => 'yes',
          'option' => 'login',
          'submit' => _BUTTON_LOGIN, // This is a constant defined in the code.
          );
    $_SERVER['REQUEST_METHOD'] = 'POST';
 }

-r-
0
 
mattpierceyAuthor Commented:
I placed the above code into the index.php file at the very top, removed it from line 53, and left RQuadling's code in the mod_login.php file.

It looks like it is trying to log the user in, but does not do any authentication, and does not actually log a person in.

Click on this link:
[http://www.educationforliberty.com/altapps/index.php?username=registered_user_username&passwd=example&autologin=yes]

and you will see what I mean.  The login form completely dissapears in HTML.Normally if a user attempts to log in with incorrect credentials an alert pops up. And if a user is correctly logged in, an alert does pop up that says, "you have sucessfully logged in."

This tells me that we are not authenticating.
0
 
RoonaanCommented:
The user login is handled somewhere else, as the alertboxes are not inside the code you reference.

As mentioned, I'm no yoomla specialist, and other than browsing through includes/yoomla.php there is little I can do.

-r-
0
 
mattpierceyAuthor Commented:
The user login altertboxes are handled on the index.php page.  The authentication displays a defined message [aka constant].

see:
http://joomla.org.in/doc/_constants/_LOGIN_SUCCESS.html

so to answer your question, the login is handled on the index.php page and the original SQL lookup is found near the top of the mod_login.php page.


0
 
RoonaanCommented:
It seems that the login function looks for passwd rather than password variable.

Try using:

if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes')) === 0 && !empty($_GET['username']) && !empty($_GET['password'])) {
     $_POST = $_REQUEST = $_GET = array
          (
          'username' => $_GET['username'],
          'passwd' => $_GET['password'],
          'remember' => 'yes',
          'option' => 'login',
          'submit' => _BUTTON_LOGIN, // This is a constant defined in the code.
          );
    $_SERVER['REQUEST_METHOD'] = 'POST';
 }

-r-
0
 
Richard QuadlingSenior Software DeveloperCommented:
ARGH!!!
0
 
mattpierceyAuthor Commented:
It seems to have authenticated, but now it is redirecting. Hold on while I check a few server settings. . .
0
 
mattpierceyAuthor Commented:
That worked RQuadling! Thank you SO much - you are amazing.  I wish I could give you more points.  I spent a week and a half trying to get this to work and you did it!
0
 
Richard QuadlingSenior Software DeveloperCommented:
Actually, you didn't give me ANY points!

0
 
mattpierceyAuthor Commented:
i just sent you an email at spam_free_life acct about some free ice cream. . .
0
 
Richard QuadlingSenior Software DeveloperCommented:
Ah. Whilst I have a spam_free_life Yahoo ID, I don't actually have a Yahoo email account. my EE id here @GMail.com

(Always like free stuff - free tvs, free money, free cars, etc).
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 12
  • 7
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now