Solved

Avoid setting cookie for password and username in my script to stop it affecting if statement

Posted on 2008-06-10
Last Modified: 2009-07-29
Hey, my problem is that I have a login box which is displayed only if the cookie for password and username is not set yet. I plan to make it so that while it is set the box is replaced with some type of user account tools.

That works fine until I attempt a login. The script calls the following...

      setcookie ("USERNAME", $_POST['username'],0,'/');
      setcookie ("PASSWORD", $_POST['password'],0,'/');

This happens no matter what the results of the login will be. So if the user fails to enter the correct details the cookies are set. The login box will then disappear because of the following if statement...

<?php
    if (isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD']))
    {
         //Member only indicators get placed here
    }
    else
    {
         include 'signup/login.php';
    }
?>

I'm just wondering on the best way to get around this! I've considered creating another variable which holds the final authorisation status but I'm breaking it so far or don't get the overall output required.

There are two scripts below. What is the best way to convert it to work for me?

Thanks
<?php
class auth{
	// CHANGE THESE VALUES TO REFLECT YOUR SERVER'S SETTINGS
	var $HOST = "###";	// Change this to the proper DB HOST
	var $USERNAME = "###";	// Change this to the proper DB USERNAME
	var $PASSWORD = "###";	// Change this to the proper DB USER PASSWORD
	var $DBNAME = "###";	// Change this to the proper DB NAME
 
	// AUTHENTICATE
	function authenticate($username, $password) {
		
		// Check for apostrophe in $username to avoid SQL injection
		if (ereg("'", $username)) 
		{
			return "invalid username";
		}
		
		// Check for apostrophe in $password to avoid SQL injection
		if (ereg("'", $password)) 
		{
			return "invalid password";
		}
		
		$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd=MD5('$password') AND status <> 'inactive'";
 
        $UpdateRecords = "UPDATE authuser SET lastlogin = NOW(), logincount = logincount + 1 WHERE uname='$username'";
		$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
 
		$SelectedDB = mysql_select_db($this->DBNAME);
		$result = mysql_query($query); 
		
		$numrows = mysql_num_rows($result);
		$row = mysql_fetch_array($result);
		
		// CHECK IF THERE ARE RESULTS
		// Logic: If the number of rows of the resulting recordset is 0, that means that no
		// match was found. Meaning, wrong username-password combination.
		if ($numrows == 0) {
			return 0;
		}
        /*
        elseif ($row["level"]==1) {  // ADMIN LOGIN
			$Update = mysql_query($UpdateRecords);
			return 1;
		}
        */
		else {
			$Update = mysql_query($UpdateRecords);
			return $row;
		}
	} // End: function authenticate
 
	// PAGE CHECK
	// This function is the one used for every page that is to be secured. This is not the same one
	// used in the initial login screen
	function page_check($username, $password) {
 
		// Let's comment this out and use the preg_match method 
		// to restrict username and password characters and disallow
		// the semicolon (;) and apostrophe (') characters
		// Anti-SQL Injection..	
		// if (!get_magic_quotes_gpc()) 
		// {
		// 		$username = addslashes($username);
		//		$password = addslashes($password);
		// }
		
		// Check for apostrophe in $username to avoid SQL injection
		if (ereg("'", $username)) 
		{
			return "invalid username";
		}
		
		// Check for apostrophe in $password to avoid SQL injection
		if (ereg("'", $password)) 
		{
			return "invalid password";
		}
 
		$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd=MD5('$password') AND status <> 'inactive'";
 
        $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
		
		$SelectedDB = mysql_select_db($this->DBNAME);
		$result = mysql_query($query); 
		
		$numrows = mysql_num_rows($result);
		$row = mysql_fetch_array($result);
 
		// CHECK IF THERE ARE RESULTS
		// Logic: If the number of rows of the resulting recordset is 0, that means that no
		// match was found. Meaning, wrong username-password combination.
		if ($numrows == 0) {
			return false;
		}
		else {
			return $row;
		}
	} // End: function page_check
	
	// MODIFY USERS
	function modify_user($username, $password, $team, $level, $status) {
		
		// Add slashes to prevent SQL Injection
		// However, we trust that we don't need to do this checking for the admin
		// That's why the code snippet below is commented out
		/*   	
		if (!get_magic_quotes_gpc()) 
		{
			$username = addslashes($username);
			$password = addslashes($password);
			$team = addslashes($team);
			$level = addslashes($level);
			$status = addslashes($status);
		}
		*/
		
        // If $password is blank, make no changes to the current password
        if (trim($password) == '')
        {
            $qUpdate = "UPDATE authuser SET team='$team', level='$level', status='$status' WHERE uname='$username'";
        }
        else
        {
            $qUpdate = "UPDATE authuser SET passwd=MD5('$password'), team='$team', level='$level', status='$status'
					    WHERE uname='$username'";
        }
 
		// Check for apostrophe in $password to avoid SQL injection
		if (ereg("'", $password)) 
		{
			return "invalid password";
		}
 
		if (trim($level)=="") {
			return "blank level";
		}
		elseif (($username=="sa" AND $status=="inactive")) {
			return "sa cannot be inactivated";
		}
		elseif (($username=="admin" AND $status=="inactive")) {
			return "admin cannot be inactivated";
		}
		else {
			$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
			$SelectedDB = mysql_select_db($this->DBNAME);
			$result = mysql_query($qUpdate); 
			return 1;
		}
		
	} // End: function modify_user
	
	// DELETE USERS
	function delete_user($username) {
	
		// Add slashes to prevent SQL Injection
		// However, we trust that we don't need to do this checking for the admin
		// That's why the code snippet below is commented out
		/*   	
		if (!get_magic_quotes_gpc()) 
		{
			$username = addslashes($username);
		}
		*/
		
		$qDelete = "DELETE FROM  authuser WHERE uname='$username'";	
 
		if ($username == "sa") {
			return "User sa cannot be deleted.";
		}
		elseif ($username == "admin") {
			return "User admin cannot be deleted.";
		}
		elseif ($username == "test") {
			return "User test cannot be deleted.";
		}
 
		$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
		
		$SelectedDB = mysql_select_db($this->DBNAME);
		$result = mysql_query($qDelete); 
	
		return mysql_error();
		
	} // End: function delete_user
	
	// ADD USERS
	function add_user($username, $password, $team, $level, $status) {
	
		// Add slashes to prevent SQL Injection
		// However, we trust that we don't need to do this checking for the admin
		// That's why the code snippet below is commented out
		/*   	
		if (!get_magic_quotes_gpc()) 
		{
			$username = addslashes($username);
			$password = addslashes($password);
			$team = addslashes($team);
			$level = addslashes($level);
			$status = addslashes($status);
		}
		*/
		
		$qUserExists = "SELECT * FROM authuser WHERE uname='$username'";
		$qInsertUser = "INSERT INTO authuser(uname, passwd, team, level, status, lastlogin, logincount)
				  			   VALUES ('$username', MD5('$password'), '$team', '$level', '$status', '', 0)";
 
		$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
		
		// Check if all fields are filled up
		if (trim($username) == "") { 
			return "blank username";
		}
		// password check added 09-19-2003
		elseif (trim($password) == "") {
			return "blank password";
		}
		elseif (trim($level) == "") {
			return "blank level";
		}
		
		// Check for apostrophe in $username to avoid SQL injection
		if (ereg("'", $username)) 
		{
			return "invalid username";
		}
 
		// Check for apostrophe in $password to avoid SQL injection
		if (ereg("'", $password)) 
		{
			return "invalid password";
		}
		
		// Check if user exists
		$SelectedDB = mysql_select_db($this->DBNAME);
		$user_exists = mysql_query($qUserExists); 
 
		if (mysql_num_rows($user_exists) > 0) {
			return "username exists";
		}
		else {
			// Add user to DB			
			// OLD CODE - DO NOT REMOVE
			// $result = mysql_db_query($this->DBNAME, $qInsertUser);
	
			// REVISED CODE
			$SelectedDB = mysql_select_db($this->DBNAME);
			$result = mysql_query($qInsertUser); 
			return mysql_affected_rows();
		}
	} // End: function add_user
 
 
	// ADD TEAM
	function add_team($teamname, $teamlead, $status="active") {
		$qGroupExists = "SELECT * FROM authteam WHERE teamname='$teamname'";
		$qInsertGroup = "INSERT INTO authteam(teamname, teamlead, status) 
				  			   VALUES ('$teamname', '$teamlead', '$status')";
		
		$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
		
		// Check if all fields are filled up
		if (trim($teamname) == "") { 
			return "blank team name";
		}
		
		// Check if group exists
		// OLD CODE - DO NOT REMOVE
		// $group_exists = mysql_db_query($this->DBNAME, $qGroupExists);
		
		// REVISED CODE
		$SelectedDB = mysql_select_db($this->DBNAME);
		$group_exists = mysql_query($qGroupExists); 
 
		if (mysql_num_rows($group_exists) > 0) {
			return "group exists";
		}
		else {
			// Add user to DB
			// OLD CODE - DO NOT REMOVE
			// $result = mysql_db_query($this->DBNAME, $qInsertGroup);
 
			// REVISED CODE
			$SelectedDB = mysql_select_db($this->DBNAME);
			$result = mysql_query($qInsertGroup); 
 
			return mysql_affected_rows();
		}
	} // End: function add_team
	
	// MODIFY TEAM
	function modify_team($teamname, $teamlead, $status) {
		$qUpdate = "UPDATE authteam SET teamlead='$teamlead', status='$status'
					WHERE teamname='$teamname'";
		$qUserStatus = "UPDATE authuser SET status='$status' WHERE team='$teamname'";
 
		if ($teamname == "Admin" AND $status=="inactive") {
			return "Admin team cannot be inactivated.";
		}
		elseif ($teamname == "Ungrouped" AND $status=="inactive") {
			return "Ungrouped team cannot be inactivated.";
		}
		else {		
			$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
			
			// UPDATE STATUS IF STATUS OF TEAM IS INACTIVATED
			// OLD CODE - DO NOT REMOVE
			//$userresult = mysql_db_query($this->DBNAME, $qUserStatus);
 
			// REVISED CODE
			$SelectedDB = mysql_select_db($this->DBNAME);
			$userresult = mysql_query($qUserStatus); 
	
			// OLD CODE - DO NOT REMOVE
			// $result = mysql_db_query($this->DBNAME, $qUpdate);
 
			// REVISED CODE
			$result = mysql_query($qUpdate); 
	
			return 1;
		}
		
	} // End: function modify_team
 
	// DELETE TEAM
	function delete_team($teamname) {
		$qDelete = "DELETE FROM authteam WHERE teamname='$teamname'";
		$qUpdateUser = "UPDATE authuser SET team='Ungrouped' WHERE team='$teamname'";	
		
		if ($teamname == "Admin") {
			return "Admin team cannot be deleted.";
		}
		elseif ($teamname == "Ungrouped") {
			return "Ungrouped team cannot be deleted.";
		}
		elseif ($teamname == "Temporary") {
			return "Temporary team cannot be deleted.";
		}
 
		$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
		// OLD CODE - DO NOT REMOVE
		// $result = mysql_db_query($this->DBNAME, $qUpdateUser);
 
		// REVISED CODE
		$SelectedDB = mysql_select_db($this->DBNAME);
		$result = mysql_query($qUpdateUser); 
 
		// OLD CODE - DO NOT REMOVE
		// $result = mysql_db_query($this->DBNAME, $qDelete);
		
		// REVISED CODE
		$result = mysql_query($qDelete); 
 
		return mysql_error();
		
	} // End: function delete_team
 
 
} // End: class auth
?>
 
 
--------------------------  vAuthenticate.php ---------------------
THIS SETS THE COOKIE CAUSING THE PROBLEM AND SENDS USER TO NEW DESTINATION DEPENDING ON RESULTS
-------------------------------------------------------------------
<?
// Start Code
 
	// Use Sessions
	// NOTE: This will store the username and password entered by the user to the cookie
	// variables USERNAME and PASSWORD respectively even if the combination is correct or
	// not. Be sure to authenticate every page that you want to be secured and pass as 
	// parameters the variables USERNAME and PASSWORD.
	setcookie ("USERNAME", $_POST['username'],0,'/');
	setcookie ("PASSWORD", $_POST['password'],0,'/');
 
    // Change the path to auth.php and authconfig.php if you moved
    // vAuthenticate.php from its original directory.
  	include_once ("auth.php");
	include_once ("authconfig.php");
 
    $username =  $_POST['username'];
    $password =  $_POST['password'];
 
	$Auth = new auth();
	$detail = $Auth->authenticate($username, $password);
 
	if ($detail==0)
	{
	?><HEAD>
		<SCRIPT language="JavaScript1.1">
		<!--
			location.replace("<? echo $failure; ?>");
		//-->
		</SCRIPT>
	  </HEAD>
	<?
	}
	elseif ($detail['team'] == "Admin") {
	?><HEAD>
		<SCRIPT language="JavaScript1.1">
		<!--
			location.replace("<? echo $admin; ?>");
		//-->
		</SCRIPT>
	  </HEAD>
	<?
	}
	else 
	{
	?><HEAD>
		<SCRIPT language="JavaScript1.1">
		<!--
			location.replace("<? echo $success; ?>");
		//-->
		</SCRIPT>
	  </HEAD>
	<?
	  }
?>

Question by:Ryan Bayne
2 Comments
 
Accepted Solution

by:
hernst42 earned 300 total points
ID: 21752492
Move lines 374 and 375 after line 399 and line 410 (need to copy).
Assisted Solution

by:ali_kayahan
ali_kayahan earned 200 total points
ID: 21752584
You should use sessions instead of cookies; it will be much safer...
Let's say $password is the password that the user typed in and $pass is the pass that you get from the DB,
$query = "select * from users where user_name = '$username'" ;
<?php

if ($password == $pass) {
    session_start();
    // session_register() was removed in PHP 5.4; store the name in $_SESSION instead
    $_SESSION['username'] = $username;
}
else
{
    //show login form...
}
?>

And you may check whether the user is logged in or not by using the session variable, like:
<?php
session_start();
if (empty($_SESSION['username'])) {
    //show login panel..
}
else {
    //show admin panel
}
?>
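The fix both answers point to, as an added example that is not code from the original thread: login state is written only after the credential check passes, and the session holds the username rather than a password cookie. It assumes PDO with an in-memory SQLite table and password_hash()/password_verify() in place of the thread's mysql_* calls and MD5; the user 'alice', the helper names and the sample data are constructed.

```php
<?php
// Added example: constructed in-memory user table; helper names are illustrative.
function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE authuser (uname TEXT PRIMARY KEY, passwd TEXT, team TEXT, status TEXT)");
    $ins = $db->prepare("INSERT INTO authuser VALUES (?, ?, ?, 'active')");
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Ungrouped']);
    return $db;
}

// Returns the user row on success, or null. Nothing is written to the
// session (or to any cookie) unless the credentials were verified first.
function login(PDO $db, string $username, string $password): ?array {
    // Bound parameter instead of the apostrophe check plus string interpolation.
    $q = $db->prepare("SELECT uname, passwd, team FROM authuser WHERE uname = ? AND status <> 'inactive'");
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['passwd'])) {
        return null;                         // failed login: no state is set
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);         // fresh session id once authenticated
    }
    $_SESSION['username'] = $row['uname'];   // identity only, never the password
    $_SESSION['team']     = $row['team'];
    unset($row['passwd']);
    return $row;
}

// Replaces the isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD']) test.
function is_logged_in(): bool {
    return isset($_SESSION['username']);
}

// Demo: on the command line there is no real session, so use a plain array.
if (PHP_SAPI === 'cli') { $_SESSION = []; } else { session_start(); }
$db = make_demo_db();

login($db, 'alice', 'wrong password');
echo is_logged_in() ? "member tools\n" : "login form\n";

login($db, 'alice', 'correct horse');
echo is_logged_in() ? "member tools\n" : "login form\n";
```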