Solved

urgent joomla 1.0.5 SQL query code . . .

Posted on 2006-06-21
Last Modified: 2013-12-12
Hi experts, I just fantastico-installed joomla 1.0.5, and everything works great, but I am modifying a few lines of PHP and need some help.  

I am working with the mod_login module found at [http://joomla.org.in/doc/modules/mod_login.php.source.html]
text only version at :[http://joomla.org.in/doc/modules/mod_login.php.source.txt]

As you can see by that file, it is simple SQL authentication.  The index.php file calls it and then the mod_login module searches the database for credentials and displays appropriate HTML based on results.  What I am trying to do is automatically log a user in just based on an external link.  The link will call the joomla index.php file, and the mod_login module will determine if [based on the variables passed in the link], the user will be logged in or simply presented with an option to register.  

Currently, if you just call the index.php? file, it presents the user with the option to login or register [found at line 73].  I want to be able to have the user authenticated automatically via the link that comes from an OUTSIDE SITE, for example, if a partner website has a link to our site like, http://www.educationforliberty.com/altapps/index.php?username=registered_user_username&passwd=example&autologin=yes

I know that others will be able to see username/password combinations, but all it means for us in this situation is that we control the access that is granted based on inbound external links.

I am looking for a solution that will fall right around line 73 and search the SQL database for credentials, and redirect the window if the proper credentials are given.  If they are not given, then the user is presented with the default login/register form found after line 73.

I have attempted to do this  at line 73 with

_____________________________

// autologin if a user
if ( $autologin == yes) {

$location     = 'http://www.educationforliberty.com/altapps/index.php?option=com_content&task=view&id=12&Itemid=27&data=final_destination_for_authenticated_link';

print "<script language=\"javascript\">\n";
print "document.location.href=\"$location\"\n";
print "</script>";

}

else {
//load default html to offer registration for user
// open else statement found in original

      ?>

_____________________________


but there is no authentication aspect in SQL


0
Comment
Question by:mattpiercey
22 Comments
 

Author Comment

by:mattpiercey
ID: 16956818
why is there no discussion? Am I missing something?
0
 
LVL 40

Expert Comment

by:RQuadling
ID: 16958401
Try this as a Debug. I want to see what comes out. Adding the debug is NOT a fix.

Instead of ...

if ( $autologin == yes) {

Try ...

if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes') === 0) {
 print_r($_GET); // Show the entire GET array. Hopefully all the data is here.
0
 

Author Comment

by:mattpiercey
ID: 16960115
calling this page in your browser:
http://www.educationforliberty.com/altapps/index.php?

produces the default login box.[GOOD]

calling this page in your browser:
http://www.educationforliberty.com/altapps/index.php?username=registered_user_username&passwd=example&autologin=yes


with your code:

____________________
// autologin if a user
if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes') === 0) {
 print_r($_GET); // Show the entire GET array. Hopefully all the data is here.

____________________

This error is produced:

Parse error: syntax error, unexpected '{' in /educationforliberty/altapps/modules/mod_login.php on line 74



But, with this code - I put a parenthesis after the yes in ($_GET['autologin'], 'yes')),
____________________
} else {
// Login output
// ie HTML when not logged in and trying to login

      ?>

      <?php
// autologin if a user
if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes')) === 0) {
 print_r($_GET); // Show the entire GET array. Hopefully all the data is here.


}

else {
//load default html to offer registration for user
// open else statement found in original

      ?>
      <form action="<?php echo sefRelToAbs( 'index.php' ); ?>" method="post" name="login" >
____________________




The script outputs

Login Form
Array ( [username] => registered_user_username [passwd] => example [autologin] => yes )




I removed the window location redirection because we need to actually log the user in.


Thank you for your support in this question.  Many other Joomla websites have had HUNDREDS of programmers attempt to solve this problem, so whoever solves it will get major eprops.
0
 
LVL 40

Expert Comment

by:RQuadling
ID: 16960221
<?php
if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes') === 0))
      {
      print_r($_GET); // Show the entire GET array. Hopefully all the data is here.
      exit;
      }
?>

And this shows the correct data.

OK.

Can you tell me what is the handler for the login form and what the login form looks like?

0
 

Author Comment

by:mattpiercey
ID: 16960260
Sure, the handler for the login form is found at [http://joomla.org.in/doc/modules/mod_login.php.source.html]
text only version at :[http://joomla.org.in/doc/modules/mod_login.php.source.txt]

The Login form is live and can be found at [http://www.educationforliberty.com/altapps/index.php]
The index.php file calls the handler [mod_login.php] and then the mod_login module searches the database for credentials and displays appropriate HTML based on results.


0
 
LVL 40

Expert Comment

by:RQuadling
ID: 16960301
Ok. This is sort of guess work.

As you are using $_GET for the username and ___PASSWORD___ (very very bad idea - but we'll go with it), you shouldn't be too worried about the $_POST array.

So populate it with the values you get from a normal login form.

<?php
$_POST = array
 (
 'username' => $_GET['username'],
 'password' => $_GET['password'],
 'remember' => 'yes',
 'option' => 'login',
 'submit' => _BUTTON_LOGIN, // I assume this is a constant defined in your code somewhere.
 );
?>

So. This is like having filled in the data by the form and submitted.

Now all you need to do is call the login module as index.php does.

I assume it looks for $_POST['option'] and makes the appropriate call from there.

I would need to see index.php.
0
 

Author Comment

by:mattpiercey
ID: 16960489
The source for the index.php is found at [http://joomla.org.in/doc/index.php.source.html]

with this code:


_________________
// Login output
// ie HTML when not logged in and trying to login

      ?>



      <?php
// autologin if a user
if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes')) === 0) {

$_POST = array
 (
 'username' => $_GET['username'],
 'password' => $_GET['password'],
 'remember' => 'yes',
 'option' => 'login',
 'submit' => _BUTTON_LOGIN, // This is a constant defined in the code.
 );

}

else {
//load default html to offer registration for user
// open else statement found in original
_________________

It looks like it is trying to log the user in, but does not do any authentication, and does not actually log a person in.

Click on this link:
[http://www.educationforliberty.com/altapps/index.php?username=registered_user_username&passwd=example&autologin=yes]

and you will see what I mean.  The login form completely disappears in HTML.

0
 

Author Comment

by:mattpiercey
ID: 16960524
Normally if a user attempts to log in with incorrect credentials an alert pops up.
And if a user is correctly logged in, an alert does pop up that says, "you have successfully logged in."

This tells me that we are not authenticating.
0
 
LVL 40

Expert Comment

by:RQuadling
ID: 16960577
We haven't got that far yet.

What I'm wanting to make sure is that the data I fill in in a form is the same as I am going to send programmatically.

In your index.php, just before line 53 ...

if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes')) === 0)
      {
      $_POST = array
            (
            'username' => $_GET['username'],
            'password' => $_GET['password'],
            'remember' => 'yes',
            'option' => 'login',
            'submit' => _BUTTON_LOGIN, // This is a constant defined in the code.
            );
      $_GET['option'] = 'login';
      }



0
 

Author Comment

by:mattpiercey
ID: 16960656
What I'm wanting to make sure is that the data I fill in in a form is the same as I am going to send programmatically.

Good, we are on the same track, that is exactly what I am trying to do:]

I placed the above code into the index.php file just before line 53, and left that code in the mod_login.php file.
0
 

Author Comment

by:mattpiercey
ID: 16960869
I have attempted to do this with the javascript onLoad submit form function, but for some reason, the page needs to be manually refreshed before the automatic login is complete.  It is VERY slow and bulky - and not the completely automatic solution I was looking for.
0

 
LVL 49

Expert Comment

by:Roonaan
ID: 16961392
Note that this is quite a dirty solution.

Personally I would just drop this whole code at the very top of the index.php:

if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes')) === 0 && !empty($_GET['username']) && !empty($_GET['password'])) {
     $_POST = $_REQUEST = $_GET = array
          (
          'username' => $_GET['username'],
          'password' => $_GET['password'],
          'remember' => 'yes',
          'option' => 'login',
          'submit' => _BUTTON_LOGIN, // This is a constant defined in the code.
          );
    $_SERVER['REQUEST_METHOD'] = 'POST';
 }

-r-
0
 

Author Comment

by:mattpiercey
ID: 16962308
I placed the above code into the index.php file at the very top, removed it from line 53, and left RQuadling's code in the mod_login.php file.

It looks like it is trying to log the user in, but does not do any authentication, and does not actually log a person in.

Click on this link:
[http://www.educationforliberty.com/altapps/index.php?username=registered_user_username&passwd=example&autologin=yes]

and you will see what I mean.  The login form completely disappears in HTML. Normally if a user attempts to log in with incorrect credentials an alert pops up. And if a user is correctly logged in, an alert does pop up that says, "you have successfully logged in."

This tells me that we are not authenticating.
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 16962566
The user login is handled somewhere else, as the alertboxes are not inside the code you reference.

As mentioned, I'm no Joomla specialist, and other than browsing through includes/joomla.php there is little I can do.

-r-
0
 

Author Comment

by:mattpiercey
ID: 16963575
The user login alert boxes are handled on the index.php page.  The authentication displays a defined message [aka constant].

see:
http://joomla.org.in/doc/_constants/_LOGIN_SUCCESS.html

so to answer your question, the login is handled on the index.php page and the original SQL lookup is found near the top of the mod_login.php page.


0
 
LVL 49

Accepted Solution

by:
Roonaan earned 500 total points
ID: 16964132
It seems that the login function looks for passwd rather than password variable.

Try using:

if (isset($_GET['autologin']) && (strcasecmp($_GET['autologin'], 'yes')) === 0 && !empty($_GET['username']) && !empty($_GET['password'])) {
     $_POST = $_REQUEST = $_GET = array
          (
          'username' => $_GET['username'],
          'passwd' => $_GET['password'],
          'remember' => 'yes',
          'option' => 'login',
          'submit' => _BUTTON_LOGIN, // This is a constant defined in the code.
          );
    $_SERVER['REQUEST_METHOD'] = 'POST';
 }

-r-
0
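The thread's working link still carries the account password in the query string, which RQuadling flags above as a very bad idea. The sketch below shows the same partner-link workflow with a signed, expiring link in place of the password. It is an added example, not code from the thread or from Joomla; the shared secret, the `exp` and `sig` parameter names and both function names are assumptions.

```php
<?php
// Added illustration, not Joomla code. The secret, the parameter names and
// the function names are assumptions made for this example.
const LINK_SECRET = 'replace-with-random-secret-shared-with-partner'; // placeholder
const LINK_TTL    = 300; // seconds a generated link stays valid

// Partner side: build the query string for one user. No password is sent.
function make_autologin_query(string $username, int $now): string
{
    $exp = $now + LINK_TTL;
    $sig = hash_hmac('sha256', $username . "\n" . $exp, LINK_SECRET);
    return http_build_query(['autologin' => 'yes', 'username' => $username,
                             'exp' => $exp, 'sig' => $sig]);
}

// Site side: return the username if the link is authentic and unexpired,
// otherwise null so the caller falls back to the normal login form.
function verify_autologin_query(array $get, int $now): ?string
{
    foreach (['username', 'exp', 'sig'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return null; // missing field, or an array smuggled in via key[]=
        }
    }
    if (!ctype_digit($get['exp']) || (int) $get['exp'] < $now) {
        return null; // malformed or expired timestamp
    }
    $expected = hash_hmac('sha256', $get['username'] . "\n" . $get['exp'], LINK_SECRET);
    // hash_equals compares in constant time, so the check leaks no timing hint
    return hash_equals($expected, $get['sig']) ? $get['username'] : null;
}

// Constructed demonstration with a fixed clock so the run is repeatable.
$now = 1150900000;
parse_str(make_autologin_query('registered_user_username', $now), $good);
$tampered = $good;
$tampered['username'] = 'someone_else'; // username changed after signing

var_dump(verify_autologin_query($good, $now + 60));     // untouched link, within TTL
var_dump(verify_autologin_query($tampered, $now + 60)); // altered link
var_dump(verify_autologin_query($good, $now + 600));    // same link after expiry
```

A link verified this way can still be replayed until it expires; a single-use nonce stored server-side would be needed to close that window. Establishing the session for the returned username is left to the application's own login routine.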
 
LVL 40

Expert Comment

by:RQuadling
ID: 16966835
ARGH!!!
0
 

Author Comment

by:mattpiercey
ID: 16968886
It seems to have authenticated, but now it is redirecting. Hold on while I check a few server settings. . .
0
 

Author Comment

by:mattpiercey
ID: 16969357
That worked RQuadling! Thank you SO much - you are amazing.  I wish I could give you more points.  I spent a week and a half trying to get this to work and you did it!
0
 
LVL 40

Expert Comment

by:RQuadling
ID: 16969399
Actually, you didn't give me ANY points!

0
 

Author Comment

by:mattpiercey
ID: 16969457
I just sent you an email at spam_free_life acct about some free ice cream. . .
0
 
LVL 40

Expert Comment

by:RQuadling
ID: 16969563
Ah. Whilst I have a spam_free_life Yahoo ID, I don't actually have a Yahoo email account. My EE id here @GMail.com

(Always like free stuff - free tvs, free money, free cars, etc).
0
