Solved

Avoid setting cookie for password and username in my script to stop it affecting if statement

Posted on 2008-06-10
280 Views
Last Modified: 2009-07-29
Hey, my problem is that I have a login box which is displayed only if the cookie for password and username is not set yet. I plan to make it so that while it is set the box is replaced with some type of user account tools.

That works fine until I attempt a login. The script calls the following...

      setcookie ("USERNAME", $_POST['username'],0,'/');
      setcookie ("PASSWORD", $_POST['password'],0,'/');

This happens no matter what the results of the login will be. So if the user fails to enter the correct details the cookies are set. The login box will then disappear because of the following if statement...

<?php
    if (isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD']))
    {
         //Member only indicators get places here
    }
    else
    {
         include 'signup/login.php';
    }
?>

I'm just wondering on the best way to get around this! I've considered creating another variable which holds the final authorisation status but I'm breaking it so far or don't get the overall output required.

There are two scripts below. What is the best way to convert it to work for me?

Thanks
<?php

class auth{

    // CHANGE THESE VALUES TO REFLECT YOUR SERVER'S SETTINGS
    var $HOST = "###";      // Change this to the proper DB HOST
    var $USERNAME = "###";  // Change this to the proper DB USERNAME
    var $PASSWORD = "###";  // Change this to the proper DB USER PASSWORD
    var $DBNAME = "###";    // Change this to the proper DB NAME

    // AUTHENTICATE
    function authenticate($username, $password) {

        // Check for apostrophe in $username to avoid SQL injection
        // NOTE: rejecting a single quote is not a complete SQL injection defence
        // (it does nothing about backslashes, for example); escaping the values
        // or using parameterised queries is the proper fix. The check is kept
        // here as the original code had it.
        if (ereg("'", $username))
        {
            return "invalid username";
        }

        // Check for apostrophe in $password to avoid SQL injection
        if (ereg("'", $password))
        {
            return "invalid password";
        }

        $query = "SELECT * FROM authuser WHERE uname='$username' AND passwd=MD5('$password') AND status <> 'inactive'";

        $UpdateRecords = "UPDATE authuser SET lastlogin = NOW(), logincount = logincount + 1 WHERE uname='$username'";

        $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

        $SelectedDB = mysql_select_db($this->DBNAME);
        $result = mysql_query($query);

        $numrows = mysql_num_rows($result);
        $row = mysql_fetch_array($result);

        // CHECK IF THERE ARE RESULTS
        // Logic: If the number of rows of the resulting recordset is 0, that means that no
        // match was found. Meaning, wrong username-password combination.
        if ($numrows == 0) {
            return 0;
        }
        /*
        elseif ($row["level"]==1) {  // ADMIN LOGIN
            $Update = mysql_query($UpdateRecords);
            return 1;
        }
        */
        else {
            $Update = mysql_query($UpdateRecords);
            return $row;
        }
    } // End: function authenticate

    // PAGE CHECK
    // This function is the one used for every page that is to be secured. This is not the same one
    // used in the initial login screen
    function page_check($username, $password) {

        // Let's comment this out and use the preg_match method
        // to restrict username and password characters and disallow
        // the semicolon (;) and apostrophe (') characters
        // Anti-SQL Injection..
        // if (!get_magic_quotes_gpc())
        // {
        //      $username = addslashes($username);
        //      $password = addslashes($password);
        // }

        // Check for apostrophe in $username to avoid SQL injection
        if (ereg("'", $username))
        {
            return "invalid username";
        }

        // Check for apostrophe in $password to avoid SQL injection
        if (ereg("'", $password))
        {
            return "invalid password";
        }

        $query = "SELECT * FROM authuser WHERE uname='$username' AND passwd=MD5('$password') AND status <> 'inactive'";

        $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

        $SelectedDB = mysql_select_db($this->DBNAME);
        $result = mysql_query($query);

        $numrows = mysql_num_rows($result);
        $row = mysql_fetch_array($result);

        // CHECK IF THERE ARE RESULTS
        // Logic: If the number of rows of the resulting recordset is 0, that means that no
        // match was found. Meaning, wrong username-password combination.
        if ($numrows == 0) {
            return false;
        }
        else {
            return $row;
        }
    } // End: function page_check

    // MODIFY USERS
    function modify_user($username, $password, $team, $level, $status) {

        // Add slashes to prevent SQL Injection
        // However, we trust that we don't need to do this checking for the admin
        // That's why the code snippet below is commented out
        /*
        if (!get_magic_quotes_gpc())
        {
            $username = addslashes($username);
            $password = addslashes($password);
            $team = addslashes($team);
            $level = addslashes($level);
            $status = addslashes($status);
        }
        */

        // If $password is blank, make no changes to the current password
        // (the original had trim($password == ''), which trims the boolean
        // result of the comparison and never matches a blank password)
        if (trim($password) == '')
        {
            $qUpdate = "UPDATE authuser SET team='$team', level='$level', status='$status' WHERE uname='$username'";
        }
        else
        {
            $qUpdate = "UPDATE authuser SET passwd=MD5('$password'), team='$team', level='$level', status='$status'
                        WHERE uname='$username'";
        }

        // Check for apostrophe in $password to avoid SQL injection
        if (ereg("'", $password))
        {
            return "invalid password";
        }

        if (trim($level)=="") {
            return "blank level";
        }
        elseif (($username=="sa" AND $status=="inactive")) {
            return "sa cannot be inactivated";
        }
        elseif (($username=="admin" AND $status=="inactive")) {
            return "admin cannot be inactivated";
        }
        else {
            $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
            $SelectedDB = mysql_select_db($this->DBNAME);
            $result = mysql_query($qUpdate);
            return 1;
        }

    } // End: function modify_user

    // DELETE USERS
    function delete_user($username) {

        // Add slashes to prevent SQL Injection
        // However, we trust that we don't need to do this checking for the admin
        // That's why the code snippet below is commented out
        /*
        if (!get_magic_quotes_gpc())
        {
            $username = addslashes($username);
        }
        */

        $qDelete = "DELETE FROM  authuser WHERE uname='$username'";

        if ($username == "sa") {
            return "User sa cannot be deleted.";
        }
        elseif ($username == "admin") {
            return "User admin cannot be deleted.";
        }
        elseif ($username == "test") {
            return "User test cannot be deleted.";
        }

        $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

        $SelectedDB = mysql_select_db($this->DBNAME);
        $result = mysql_query($qDelete);

        return mysql_error();

    } // End: function delete_user

    // ADD USERS
    function add_user($username, $password, $team, $level, $status) {

        // Add slashes to prevent SQL Injection
        // However, we trust that we don't need to do this checking for the admin
        // That's why the code snippet below is commented out
        /*
        if (!get_magic_quotes_gpc())
        {
            $username = addslashes($username);
            $password = addslashes($password);
            $team = addslashes($team);
            $level = addslashes($level);
            $status = addslashes($status);
        }
        */

        $qUserExists = "SELECT * FROM authuser WHERE uname='$username'";
        $qInsertUser = "INSERT INTO authuser(uname, passwd, team, level, status, lastlogin, logincount)
                        VALUES ('$username', MD5('$password'), '$team', '$level', '$status', '', 0)";

        $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

        // Check if all fields are filled up
        if (trim($username) == "") {
            return "blank username";
        }
        // password check added 09-19-2003
        elseif (trim($password) == "") {
            return "blank password";
        }
        elseif (trim($level) == "") {
            return "blank level";
        }

        // Check for apostrophe in $username to avoid SQL injection
        if (ereg("'", $username))
        {
            return "invalid username";
        }

        // Check for apostrophe in $password to avoid SQL injection
        if (ereg("'", $password))
        {
            return "invalid password";
        }

        // Check if user exists
        $SelectedDB = mysql_select_db($this->DBNAME);
        $user_exists = mysql_query($qUserExists);

        if (mysql_num_rows($user_exists) > 0) {
            return "username exists";
        }
        else {
            // Add user to DB
            // OLD CODE - DO NOT REMOVE
            // $result = mysql_db_query($this->DBNAME, $qInsertUser);

            // REVISED CODE
            $SelectedDB = mysql_select_db($this->DBNAME);
            $result = mysql_query($qInsertUser);
            return mysql_affected_rows();
        }
    } // End: function add_user

    // ADD TEAM
    function add_team($teamname, $teamlead, $status="active") {
        $qGroupExists = "SELECT * FROM authteam WHERE teamname='$teamname'";
        $qInsertGroup = "INSERT INTO authteam(teamname, teamlead, status)
                         VALUES ('$teamname', '$teamlead', '$status')";

        $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

        // Check if all fields are filled up
        if (trim($teamname) == "") {
            return "blank team name";
        }

        // Check if group exists
        // OLD CODE - DO NOT REMOVE
        // $group_exists = mysql_db_query($this->DBNAME, $qGroupExists);

        // REVISED CODE
        $SelectedDB = mysql_select_db($this->DBNAME);
        $group_exists = mysql_query($qGroupExists);

        if (mysql_num_rows($group_exists) > 0) {
            return "group exists";
        }
        else {
            // Add team to DB
            // OLD CODE - DO NOT REMOVE
            // $result = mysql_db_query($this->DBNAME, $qInsertGroup);

            // REVISED CODE
            $SelectedDB = mysql_select_db($this->DBNAME);
            $result = mysql_query($qInsertGroup);

            return mysql_affected_rows();
        }
    } // End: function add_team

    // MODIFY TEAM
    function modify_team($teamname, $teamlead, $status) {
        $qUpdate = "UPDATE authteam SET teamlead='$teamlead', status='$status'
                    WHERE teamname='$teamname'";
        $qUserStatus = "UPDATE authuser SET status='$status' WHERE team='$teamname'";

        if ($teamname == "Admin" AND $status=="inactive") {
            return "Admin team cannot be inactivated.";
        }
        elseif ($teamname == "Ungrouped" AND $status=="inactive") {
            return "Ungrouped team cannot be inactivated.";
        }
        else {
            $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

            // UPDATE STATUS IF STATUS OF TEAM IS INACTIVATED
            // OLD CODE - DO NOT REMOVE
            //$userresult = mysql_db_query($this->DBNAME, $qUserStatus);

            // REVISED CODE
            $SelectedDB = mysql_select_db($this->DBNAME);
            $userresult = mysql_query($qUserStatus);

            // OLD CODE - DO NOT REMOVE
            // $result = mysql_db_query($this->DBNAME, $qUpdate);

            // REVISED CODE
            $result = mysql_query($qUpdate);

            return 1;
        }

    } // End: function modify_team

    // DELETE TEAM
    function delete_team($teamname) {
        $qDelete = "DELETE FROM authteam WHERE teamname='$teamname'";
        $qUpdateUser = "UPDATE authuser SET team='Ungrouped' WHERE team='$teamname'";

        if ($teamname == "Admin") {
            return "Admin team cannot be deleted.";
        }
        elseif ($teamname == "Ungrouped") {
            return "Ungrouped team cannot be deleted.";
        }
        elseif ($teamname == "Temporary") {
            return "Temporary team cannot be deleted.";
        }

        $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
        // OLD CODE - DO NOT REMOVE
        // $result = mysql_db_query($this->DBNAME, $qUpdateUser);

        // REVISED CODE
        $SelectedDB = mysql_select_db($this->DBNAME);
        $result = mysql_query($qUpdateUser);

        // OLD CODE - DO NOT REMOVE
        // $result = mysql_db_query($this->DBNAME, $qDelete);

        // REVISED CODE
        $result = mysql_query($qDelete);

        return mysql_error();

    } // End: function delete_team

} // End: class auth

?>
 
 

--------------------------  vAuthenticate.php ---------------------

THIS SETS THE COOKIE CAUSING THE PROBLEM AND SENDS USER TO NEW DESTINATION DEPENDING ON RESULTS

-------------------------------------------------------------------

<?php
// Start Code

    // Use Sessions
    // NOTE: This will store the username and password entered by the user to the cookie
    // variables USERNAME and PASSWORD respectively even if the combination is correct or
    // not. Be sure to authenticate every page that you want to be secured and pass as
    // parameters the variables USERNAME and PASSWORD.
    setcookie ("USERNAME", $_POST['username'],0,'/');
    setcookie ("PASSWORD", $_POST['password'],0,'/');

    // Change the path to auth.php and authconfig.php if you moved
    // vAuthenticate.php from its original directory.
    include_once ("auth.php");
    include_once ("authconfig.php");

    $username =  $_POST['username'];
    $password =  $_POST['password'];

    $Auth = new auth();
    $detail = $Auth->authenticate($username, $password);

    if ($detail==0)
    {
    ?><HEAD>
        <SCRIPT language="JavaScript1.1">
        <!--
            location.replace("<?php echo $failure; ?>");
        //-->
        </SCRIPT>
      </HEAD>
    <?php
    }
    elseif ($detail['team'] == "Admin") {
    ?><HEAD>
        <SCRIPT language="JavaScript1.1">
        <!--
            location.replace("<?php echo $admin; ?>");
        //-->
        </SCRIPT>
      </HEAD>
    <?php
    }
    else
    {
    ?><HEAD>
        <SCRIPT language="JavaScript1.1">
        <!--
            location.replace("<?php echo $success; ?>");
        //-->
        </SCRIPT>
      </HEAD>
    <?php
    }
?>


Question by:Ryan Bayne
2 Comments
 
LVL 48

Accepted Solution

by: hernst42 (earned 300 total points)
move line 374 and 375 after line 399 and line 410 (need to copy)
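Carrying out that move in vAuthenticate.php, as an added example that is not code from the question or the answer: authenticate() runs first, and the two setcookie() calls happen only on the branches where it returned a user row, so a failed login leaves both cookies unset and the login box stays visible. The file still assumes the poster's auth.php and the $failure/$admin/$success URLs from authconfig.php. It does exactly what the accepted answer asks for and no more: the password is still written to a cookie in clear text, which the session approach in the next answer avoids.

```php
<?php
// vAuthenticate.php, with the setcookie() calls moved into the success
// branches as the accepted answer suggests. auth.php and authconfig.php
// ($failure, $admin, $success) are the poster's own files and are assumed
// to exist unchanged. Added example; not code from the original post.
include_once("auth.php");
include_once("authconfig.php");

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$Auth   = new auth();
$detail = $Auth->authenticate($username, $password);

// authenticate() returns 0 for a wrong combination, the strings
// "invalid username" / "invalid password" when a quote was present, and the
// user row (an array) on success. Only an array means the login succeeded,
// so test for that rather than for == 0 (a non-numeric string no longer
// compares equal to 0 in PHP 8, which would send "invalid username" down
// the success branch).
if (!is_array($detail)) {
    // Nothing is set on failure: the cookies stay absent and the
    // isset($_COOKIE[...]) test on the index page keeps showing the login box.
    $target = $failure;
} else {
    // Only now are the cookies written. The password is still stored in
    // clear text on the client, which is the remaining weakness of this fix.
    setcookie("USERNAME", $username, 0, '/');
    setcookie("PASSWORD", $password, 0, '/');
    $target = ($detail['team'] == "Admin") ? $admin : $success;
}

// A Location header replaces the JavaScript location.replace() snippet: it
// works with scripting disabled and must be sent before any output.
header("Location: " . $target);
exit;
?>
```

The `exit` after `header()` matters: without it the rest of the script keeps running after the redirect has been queued, which is how later pages end up leaking content to clients that ignore the Location header.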
 
LVL 14

Assisted Solution

by: ali_kayahan (earned 200 total points)
You should use sessions instead of cookies; it will be much safer...
Let's say $password is the password that the user typed in and $pass is the password that you get from the DB:
<?php
    // $pass is the stored password fetched with this query for the submitted $username
    $query = "select * from users where user_name = '$username'" ;

    // session_start() has to run before anything is written to $_SESSION
    session_start();
    if ($password == $pass) {
        // session_register() was removed in PHP 5.4; write the session variable directly
        $_SESSION['username'] = $username;
    }
    else
    {
        //show login form...
    }
?>

And you may check if the user is logged in or not by using the session variable, like:
<?php
    session_start();
    // $_SESSION is set only by the login code above; a bare $username would
    // only have worked with register_globals on
    if (!isset($_SESSION['username'])) {
        //show login panel..
    }
    else {
        //show admin panel
    }
?>
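A session-based version of the whole flow, added here as an example and not taken from the question or either answer. It assumes the poster's auth class with authenticate() returning the user row (with uname and team columns) on success; the file name session_auth.php, the function names and the session keys are this example's own choices. Nothing about the password reaches the client: the session cookie carries only an opaque id, the server holds the username and team, and the test that gates the member-only tools becomes is_logged_in() instead of isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD']), a test any visitor could satisfy by sending two cookies with those names and any values at all.

```php
<?php
// session_auth.php: added example, not code from the question or either
// answer. Include it at the very top of every page, before any output.
// Assumes the poster's auth class whose authenticate() returns the user row
// (an array with 'uname' and 'team') on success; function names and session
// keys below are this example's own.

// The session id is the only thing the browser holds. Keep it away from
// page scripts and refuse ids passed in the URL.
ini_set('session.cookie_httponly', 1);
ini_set('session.use_only_cookies', 1);
// ini_set('session.cookie_secure', 1);   // once the site is served over HTTPS
session_start();

// Call after authenticate() returned a row, in place of the two setcookie() lines.
function login_session($row)
{
    // Issue a fresh id so a session fixed or sniffed before login
    // is not promoted to an authenticated one.
    session_regenerate_id(true);
    // Record identity and access level only; the password is never stored.
    $_SESSION['auth_user'] = $row['uname'];
    $_SESSION['auth_team'] = $row['team'];
    $_SESSION['auth_time'] = time();
}

// True only when login_session() ran in this session. Replaces
// isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD']).
function is_logged_in()
{
    return isset($_SESSION['auth_user']);
}

// True when the logged-in user belongs to the given team, e.g. "Admin".
function is_in_team($team)
{
    return is_logged_in() && $_SESSION['auth_team'] === $team;
}

// Gate for member-only pages; replaces page_check($username, $password),
// so the password is no longer re-sent and re-queried on every request.
function require_login($login_url)
{
    if (!is_logged_in()) {
        header("Location: " . $login_url);
        exit;
    }
}

// Logout: wipe the server-side state and expire the session cookie.
function logout_session()
{
    $_SESSION = array();
    if (ini_get("session.use_cookies")) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();
}
?>
```

In vAuthenticate.php the two setcookie() lines go away; after `$detail = $Auth->authenticate($username, $password);` test `is_array($detail)` (authenticate() also returns the strings "invalid username" and "invalid password", so `== 0` is the wrong test), call `login_session($detail)` on success and redirect with `header("Location: ...")`. On the index page the cookie test becomes `if (is_logged_in())`, and each protected page opens with `require_login($login_url)` instead of page_check(). The login box then disappears only after a login that actually succeeded, which is what the question asks for.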
