Status: Solved

Avoid setting cookie for password and username in my script to stop it affecting if statement

Hey, my problem is that I have a login box which is displayed only if the cookie for password and username is not set yet. I plan to make it so that while it is set the box is replaced with some type of user account tools.

That works fine until I attempt a login. The script calls the following...

      setcookie ("USERNAME", $_POST['username'],0,'/');
      setcookie ("PASSWORD", $_POST['password'],0,'/');

This happens no matter what the result of the login is. So if the user fails to enter the correct details the cookies are still set. The login box will then disappear because of the following if statement...

<?php
    if (isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD']))
    {
         //Member only indicators get places here
    }
    else
    {
         include 'signup/login.php';
    }
?>

I'm just wondering on the best way to get around this! I've considered creating another variable which holds the final authorisation status, but I'm breaking it so far or don't get the overall output required.

There are two scripts below. What is the best way to convert them to work for me?

Thanks

--------------------------  auth.php ---------------------
<?php
class auth{
	// CHANGE THESE VALUES TO REFLECT YOUR SERVER'S SETTINGS
	var $HOST = "###";	// Change this to the proper DB HOST
	var $USERNAME = "###";	// Change this to the proper DB USERNAME
	var $PASSWORD = "###";	// Change this to the proper DB USER PASSWORD
	var $DBNAME = "###";	// Change this to the proper DB NAME
 
	// AUTHENTICATE
	function authenticate($username, $password) {
		
		// Check for apostrophe in $username to avoid SQL injection
		if (ereg("'", $username)) 
		{
			return "invalid username";
		}
		
		// Check for apostrophe in $password to avoid SQL injection
		if (ereg("'", $password)) 
		{
			return "invalid password";
		}
		
		$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd=MD5('$password') AND status <> 'inactive'";
 
        $UpdateRecords = "UPDATE authuser SET lastlogin = NOW(), logincount = logincount + 1 WHERE uname='$username'";
		$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
 
		$SelectedDB = mysql_select_db($this->DBNAME);
		$result = mysql_query($query); 
		
		$numrows = mysql_num_rows($result);
		$row = mysql_fetch_array($result);
		
		// CHECK IF THERE ARE RESULTS
		// Logic: If the number of rows of the resulting recordset is 0, that means that no
		// match was found. Meaning, wrong username-password combination.
		if ($numrows == 0) {
			return 0;
		}
        /*
        elseif ($row["level"]==1) {  // ADMIN LOGIN
			$Update = mysql_query($UpdateRecords);
			return 1;
		}
        */
		else {
			$Update = mysql_query($UpdateRecords);
			return $row;
		}
	} // End: function authenticate
 
	// PAGE CHECK
	// This function is the one used for every page that is to be secured. This is not the same one
	// used in the initial login screen
	function page_check($username, $password) {
 
		// Let's comment this out and use the preg_match method 
		// to restrict username and password characters and disallow
		// the semicolon (;) and apostrophe (') characters
		// Anti-SQL Injection..	
		// if (!get_magic_quotes_gpc()) 
		// {
		// 		$username = addslashes($username);
		//		$password = addslashes($password);
		// }
		
		// Check for apostrophe in $username to avoid SQL injection
		if (ereg("'", $username)) 
		{
			return "invalid username";
		}
		
		// Check for apostrophe in $password to avoid SQL injection
		if (ereg("'", $password)) 
		{
			return "invalid password";
		}
 
		$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd=MD5('$password') AND status <> 'inactive'";
 
        $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
		
		$SelectedDB = mysql_select_db($this->DBNAME);
		$result = mysql_query($query); 
		
		$numrows = mysql_num_rows($result);
		$row = mysql_fetch_array($result);
 
		// CHECK IF THERE ARE RESULTS
		// Logic: If the number of rows of the resulting recordset is 0, that means that no
		// match was found. Meaning, wrong username-password combination.
		if ($numrows == 0) {
			return false;
		}
		else {
			return $row;
		}
	} // End: function page_check
	
	// MODIFY USERS
	function modify_user($username, $password, $team, $level, $status) {
		
		// Add slashes to prevent SQL Injection
		// However, we trust that we don't need to do this checking for the admin
		// That's why the code snippet below is commented out
		/*   	
		if (!get_magic_quotes_gpc()) 
		{
			$username = addslashes($username);
			$password = addslashes($password);
			$team = addslashes($team);
			$level = addslashes($level);
			$status = addslashes($status);
		}
		*/
		
        // If $password is blank, make no changes to the current password
        if (trim($password) == '')   // was trim($password == ''), which trimmed a boolean and never matched
        {
            $qUpdate = "UPDATE authuser SET team='$team', level='$level', status='$status' WHERE uname='$username'";
        }
        else
        {
            $qUpdate = "UPDATE authuser SET passwd=MD5('$password'), team='$team', level='$level', status='$status'
					    WHERE uname='$username'";
        }
 
		// Check for apostrophe in $password to avoid SQL injection
		if (ereg("'", $password)) 
		{
			return "invalid password";
		}
 
		if (trim($level)=="") {
			return "blank level";
		}
		elseif (($username=="sa" AND $status=="inactive")) {
			return "sa cannot be inactivated";
		}
		elseif (($username=="admin" AND $status=="inactive")) {
			return "admin cannot be inactivated";
		}
		else {
			$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
			$SelectedDB = mysql_select_db($this->DBNAME);
			$result = mysql_query($qUpdate); 
			return 1;
		}
		
	} // End: function modify_user
	
	// DELETE USERS
	function delete_user($username) {
	
		// Add slashes to prevent SQL Injection
		// However, we trust that we don't need to do this checking for the admin
		// That's why the code snippet below is commented out
		/*   	
		if (!get_magic_quotes_gpc()) 
		{
			$username = addslashes($username);
		}
		*/
		
		$qDelete = "DELETE FROM  authuser WHERE uname='$username'";	
 
		if ($username == "sa") {
			return "User sa cannot be deleted.";
		}
		elseif ($username == "admin") {
			return "User admin cannot be deleted.";
		}
		elseif ($username == "test") {
			return "User test cannot be deleted.";
		}
 
		$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
		
		$SelectedDB = mysql_select_db($this->DBNAME);
		$result = mysql_query($qDelete); 
	
		return mysql_error();
		
	} // End: function delete_user
	
	// ADD USERS
	function add_user($username, $password, $team, $level, $status) {
	
		// Add slashes to prevent SQL Injection
		// However, we trust that we don't need to do this checking for the admin
		// That's why the code snippet below is commented out
		/*   	
		if (!get_magic_quotes_gpc()) 
		{
			$username = addslashes($username);
			$password = addslashes($password);
			$team = addslashes($team);
			$level = addslashes($level);
			$status = addslashes($status);
		}
		*/
		
		$qUserExists = "SELECT * FROM authuser WHERE uname='$username'";
		$qInsertUser = "INSERT INTO authuser(uname, passwd, team, level, status, lastlogin, logincount)
				  			   VALUES ('$username', MD5('$password'), '$team', '$level', '$status', '', 0)";
 
		$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
		
		// Check if all fields are filled up
		if (trim($username) == "") { 
			return "blank username";
		}
		// password check added 09-19-2003
		elseif (trim($password) == "") {
			return "blank password";
		}
		elseif (trim($level) == "") {
			return "blank level";
		}
		
		// Check for apostrophe in $username to avoid SQL injection
		if (ereg("'", $username)) 
		{
			return "invalid username";
		}
 
		// Check for apostrophe in $password to avoid SQL injection
		if (ereg("'", $password)) 
		{
			return "invalid password";
		}
		
		// Check if user exists
		$SelectedDB = mysql_select_db($this->DBNAME);
		$user_exists = mysql_query($qUserExists); 
 
		if (mysql_num_rows($user_exists) > 0) {
			return "username exists";
		}
		else {
			// Add user to DB			
			// OLD CODE - DO NOT REMOVE
			// $result = mysql_db_query($this->DBNAME, $qInsertUser);
	
			// REVISED CODE
			$SelectedDB = mysql_select_db($this->DBNAME);
			$result = mysql_query($qInsertUser); 
			return mysql_affected_rows();
		}
	} // End: function add_user
 
 
	// ADD TEAM
	function add_team($teamname, $teamlead, $status="active") {
		$qGroupExists = "SELECT * FROM authteam WHERE teamname='$teamname'";
		$qInsertGroup = "INSERT INTO authteam(teamname, teamlead, status) 
				  			   VALUES ('$teamname', '$teamlead', '$status')";
		
		$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
		
		// Check if all fields are filled up
		if (trim($teamname) == "") { 
			return "blank team name";
		}
		
		// Check if group exists
		// OLD CODE - DO NOT REMOVE
		// $group_exists = mysql_db_query($this->DBNAME, $qGroupExists);
		
		// REVISED CODE
		$SelectedDB = mysql_select_db($this->DBNAME);
		$group_exists = mysql_query($qGroupExists); 
 
		if (mysql_num_rows($group_exists) > 0) {
			return "group exists";
		}
		else {
			// Add user to DB
			// OLD CODE - DO NOT REMOVE
			// $result = mysql_db_query($this->DBNAME, $qInsertGroup);
 
			// REVISED CODE
			$SelectedDB = mysql_select_db($this->DBNAME);
			$result = mysql_query($qInsertGroup); 
 
			return mysql_affected_rows();
		}
	} // End: function add_team
	
	// MODIFY TEAM
	function modify_team($teamname, $teamlead, $status) {
		$qUpdate = "UPDATE authteam SET teamlead='$teamlead', status='$status'
					WHERE teamname='$teamname'";
		$qUserStatus = "UPDATE authuser SET status='$status' WHERE team='$teamname'";
 
		if ($teamname == "Admin" AND $status=="inactive") {
			return "Admin team cannot be inactivated.";
		}
		elseif ($teamname == "Ungrouped" AND $status=="inactive") {
			return "Ungrouped team cannot be inactivated.";
		}
		else {		
			$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
			
			// UPDATE STATUS IF STATUS OF TEAM IS INACTIVATED
			// OLD CODE - DO NOT REMOVE
			//$userresult = mysql_db_query($this->DBNAME, $qUserStatus);
 
			// REVISED CODE
			$SelectedDB = mysql_select_db($this->DBNAME);
			$userresult = mysql_query($qUserStatus); 
	
			// OLD CODE - DO NOT REMOVE
			// $result = mysql_db_query($this->DBNAME, $qUpdate);
 
			// REVISED CODE
			$result = mysql_query($qUpdate); 
	
			return 1;
		}
		
	} // End: function modify_team
 
	// DELETE TEAM
	function delete_team($teamname) {
		$qDelete = "DELETE FROM authteam WHERE teamname='$teamname'";
		$qUpdateUser = "UPDATE authuser SET team='Ungrouped' WHERE team='$teamname'";	
		
		if ($teamname == "Admin") {
			return "Admin team cannot be deleted.";
		}
		elseif ($teamname == "Ungrouped") {
			return "Ungrouped team cannot be deleted.";
		}
		elseif ($teamname == "Temporary") {
			return "Temporary team cannot be deleted.";
		}
 
		$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
		// OLD CODE - DO NOT REMOVE
		// $result = mysql_db_query($this->DBNAME, $qUpdateUser);
 
		// REVISED CODE
		$SelectedDB = mysql_select_db($this->DBNAME);
		$result = mysql_query($qUpdateUser); 
 
		// OLD CODE - DO NOT REMOVE
		// $result = mysql_db_query($this->DBNAME, $qDelete);
		
		// REVISED CODE
		$result = mysql_query($qDelete); 
 
		return mysql_error();
		
	} // End: function delete_team
 
 
} // End: class auth
?>
 
 
--------------------------  vAuthenticate.php ---------------------
THIS SETS THE COOKIE CAUSING THE PROBLEM AND SENDS USER TO NEW DESTINATION DEPENDING ON RESULTS
-------------------------------------------------------------------
<?php
// Start Code
 
	// Remember the login attempt in cookies (this is the code the question is about)
	// NOTE: This stores the username and password entered by the user in the cookie
	// variables USERNAME and PASSWORD respectively, whether or not the combination is
	// correct. Be sure to authenticate every page that you want to be secured and pass as
	// parameters the variables USERNAME and PASSWORD.
	setcookie ("USERNAME", $_POST['username'],0,'/');
	setcookie ("PASSWORD", $_POST['password'],0,'/');
 
    // Change the path to auth.php and authconfig.php if you moved
    // vAuthenticate.php from its original directory.
  	include_once ("auth.php");
	include_once ("authconfig.php");
 
    $username =  $_POST['username'];
    $password =  $_POST['password'];
 
	$Auth = new auth();
	$detail = $Auth->authenticate($username, $password);
 
	// authenticate() returns 0 for a wrong username/password combination, a string
	// such as "invalid username" when the input fails its apostrophe check, and the
	// user's row (an array) on success. Test for the array explicitly: "$detail==0"
	// is true for those error strings under loose comparison in older PHP and false
	// in PHP 8, so the branch taken would depend on the PHP version.
	if (!is_array($detail))
	{
	?><HEAD>
		<SCRIPT language="JavaScript1.1">
		<!--
			location.replace("<?php echo $failure; ?>");
		//-->
		</SCRIPT>
	  </HEAD>
	<?php
	}
	elseif ($detail['team'] == "Admin") {
	?><HEAD>
		<SCRIPT language="JavaScript1.1">
		<!--
			location.replace("<?php echo $admin; ?>");
		//-->
		</SCRIPT>
	  </HEAD>
	<?php
	}
	else 
	{
	?><HEAD>
		<SCRIPT language="JavaScript1.1">
		<!--
			location.replace("<?php echo $success; ?>");
		//-->
		</SCRIPT>
	  </HEAD>
	<?php
	}
?>


Asked by: Ryan Bayne
2 Solutions
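The behaviour described in the question goes away once nothing about the credentials is stored client-side and a login is recorded only after authenticate() has returned a row. The following is an added example, not code from the original post or from either answer. It assumes PHP 5.4 or later, the auth class posted above (authenticate() returning 0, an error string, or the user's row), and the $failure, $admin and $success redirect URLs that vAuthenticate.php already takes from authconfig.php. The file name sessionauth.php and the helper function names are made up for the example.

```php
<?php
// sessionauth.php (hypothetical): server-side session in place of the
// USERNAME/PASSWORD cookies. Added example, not code from the original post.
// Assumes PHP 5.4+ and the auth class / authconfig.php variables from above.

function start_secure_session() {
	if (session_status() === PHP_SESSION_ACTIVE) {
		return;
	}
	// Accept the session id from the cookie only (never from a URL), keep the
	// cookie out of reach of JavaScript, and mark it Secure when served over HTTPS.
	ini_set('session.use_only_cookies', 1);
	$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
	session_set_cookie_params(0, '/', '', $secure, true);
	session_start();
}

// Called once after authenticate() returned a row. Only the identity and role
// are stored, server-side; the password is never written anywhere client-visible.
function login_user(array $row) {
	session_regenerate_id(true);   // drop any session id fixated before login
	$_SESSION['username']   = $row['uname'];
	$_SESSION['team']       = $row['team'];
	$_SESSION['level']      = $row['level'];
	$_SESSION['login_time'] = time();
}

function logout_user() {
	$_SESSION = array();
	if (ini_get('session.use_cookies')) {
		$p = session_get_cookie_params();
		setcookie(session_name(), '', time() - 86400,
			$p['path'], $p['domain'], $p['secure'], $p['httponly']);
	}
	session_destroy();
}

// What the page's if/else around signup/login.php should test instead of the
// two cookies: the logged-in username, or false.
function current_user() {
	return empty($_SESSION['username']) ? false : $_SESSION['username'];
}

// vAuthenticate.php then reduces to:
//   start_secure_session();
//   include_once 'auth.php'; include_once 'authconfig.php';
//   handle_login(new auth(), $failure, $admin, $success);
function handle_login($Auth, $failure, $admin, $success) {
	$username = isset($_POST['username']) ? $_POST['username'] : '';
	$password = isset($_POST['password']) ? $_POST['password'] : '';
	$detail = $Auth->authenticate($username, $password);

	if (!is_array($detail)) {      // 0 or an "invalid ..." string: not logged in
		logout_user();             // a failed attempt must not keep an earlier session alive
		header('Location: ' . $failure);
		exit;
	}
	login_user($detail);
	header('Location: ' . ($detail['team'] == 'Admin' ? $admin : $success));
	exit;
}

// Replacement for the if/else block in the question, at the top of each page:
//   start_secure_session();
//   if (current_user() !== false) { /* member only indicators */ }
//   else { include 'signup/login.php'; }
```

Because the session cookie is only ever set after a successful authenticate(), a failed login leaves current_user() returning false and the login box stays visible, which is the behaviour the question asks for. The redirects use header() rather than the JavaScript location.replace() in vAuthenticate.php, so they also work with scripting disabled.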
 
hernst42 commented:
move line 374 and 375 after line 399 and line 410 (need to copy)
0
 
Ali Kayahan (Full Stack Developer) commented:
  You should use sessions instead of cookies; it will be much safer...
Let's say $password is the password that the user typed in and $pass is the password that you get from the DB:
<?php
    $query = "select * from users where user_name = '$username'" ;

    if ($password == $pass) {
        session_start();
        $_SESSION['username'] = $username;   // session_register() was removed in PHP 5.4; $_SESSION does the same job
    }
    else
    {
        //show login form...
    }
?>

And you may check whether the user is logged in or not by using the session variable, like:
<?php
session_start();
if (empty($_SESSION['username'])) {
//show login panel..
}
else {
//show admin panel
}
?>
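The answer above is right that the login state belongs in a session, but two things in the posted code are worth fixing alongside it. Comparing `$password == $pass` against a value read from the database means the table holds plaintext passwords, and auth.php's alternative, an unsalted MD5('$password'), is not much better. Second, the apostrophe filter in auth.php is not a substitute for parameterised queries: a backslash in the input escapes the closing quote without containing an apostrophe, and modify_user(), add_team(), modify_team() and delete_team() build their queries with no filtering at all. The following is an added example, not code from the original post or either answer. It assumes PHP 5.6 or later with mysqli, the original authuser table, and that the passwd column is widened to VARCHAR(255) so it can hold a password_hash() string instead of a 32-character MD5 digest; the class name auth_secure and the method is_active() are made up for the example.

```php
<?php
// auth_secure.php (hypothetical): prepared statements and salted password
// hashing in place of the string-built queries and MD5() in auth.php.
// Added example, not code from the original post. Assumes PHP 5.6+, mysqli,
// and authuser.passwd widened to VARCHAR(255).

class auth_secure {
	private $db;
	private $dummy_hash;

	public function __construct($host, $user, $pass, $dbname) {
		mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on SQL errors
		$this->db = new mysqli($host, $user, $pass, $dbname);
		$this->db->set_charset('utf8mb4');
		// Verified against when the user does not exist, so an unknown user
		// and a wrong password cost about the same time to reject.
		$this->dummy_hash = password_hash('not a real password', PASSWORD_DEFAULT);
	}

	// Returns the user's row (without the hash) on success, false otherwise.
	// The username is bound as a parameter: quotes, backslashes or semicolons
	// in it are plain data, so no character filtering is needed or wanted.
	public function authenticate($username, $password) {
		$stmt = $this->db->prepare(
			"SELECT uname, passwd, team, level, status FROM authuser
			  WHERE uname = ? AND status <> 'inactive'");
		$stmt->bind_param('s', $username);
		$stmt->execute();
		$stmt->bind_result($uname, $stored, $team, $level, $status);
		$found = $stmt->fetch();
		$stmt->close();

		if (!$found) {
			password_verify($password, $this->dummy_hash);
			return false;
		}

		if (password_verify($password, $stored)) {
			if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
				$this->set_password($uname, $password);   // cost raised since the hash was made
			}
		} elseif (strlen($stored) === 32 && hash_equals($stored, md5($password))) {
			// Legacy row still holding MySQL's MD5('$password') from the original
			// schema: accept it this once and replace it with a bcrypt hash.
			$this->set_password($uname, $password);
		} else {
			return false;
		}

		$upd = $this->db->prepare(
			"UPDATE authuser SET lastlogin = NOW(), logincount = logincount + 1 WHERE uname = ?");
		$upd->bind_param('s', $uname);
		$upd->execute();
		$upd->close();

		return array('uname' => $uname, 'team' => $team, 'level' => $level, 'status' => $status);
	}

	// Same check as page_check() in the original, minus the re-sent password:
	// with a server-side session a page only needs to know the user still exists
	// and is still active.
	public function is_active($username) {
		$stmt = $this->db->prepare(
			"SELECT 1 FROM authuser WHERE uname = ? AND status <> 'inactive'");
		$stmt->bind_param('s', $username);
		$stmt->execute();
		$stmt->store_result();
		$n = $stmt->num_rows;
		$stmt->close();
		return $n > 0;
	}

	public function set_password($username, $password) {
		$hash = password_hash($password, PASSWORD_DEFAULT);
		$stmt = $this->db->prepare("UPDATE authuser SET passwd = ? WHERE uname = ?");
		$stmt->bind_param('ss', $hash, $username);
		$stmt->execute();
		$stmt->close();
	}
}
```

Combined with a session-based login, the login handler calls authenticate() and stores the returned uname in $_SESSION; secured pages then call is_active($_SESSION['username']) rather than re-sending the password on every request the way page_check() does. The MD5 branch lets existing accounts keep working while each user's row is upgraded to a salted hash on their next successful login.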
