Ryan Bayne
asked on
Avoid setting cookie for password and username in my script to stop it affecting if statement
Hey, my problem is that I have a login box which is displayed only if the cookie for password and username is not set yet. I plan to make it so that while it is set the box is replaced with some type of user account tools.
That works fine until I attempt a login. The script calls the following...
setcookie ("USERNAME", $_POST['username'],0,'/');
setcookie ("PASSWORD", $_POST['password'],0,'/');
This happens no matter what the results of the login will be. So if the user fails to enter the correct details the cookies are set. The login box will then disappear because of the following if statement...
<?php
if (isset($_COOKIE['USERNAME' ]) && isset($_COOKIE['PASSWORD'] ))
{
//Member only indicators get placed here
}
else
{
include 'signup/login.php';
}
?>
I'm just wondering on the best way to get around this! I've considered creating another variable which holds the final authorisation status, but I'm breaking it so far or don't get the overall output required.
There are two scripts below. What is the best way to convert it to work for me?
Thanks
<?php
class auth{
// CHANGE THESE VALUES TO REFLECT YOUR SERVER'S SETTINGS
var $HOST = "###"; // Change this to the proper DB HOST
var $USERNAME = "###"; // Change this to the proper DB USERNAME
var $PASSWORD = "###"; // Change this to the proper DB USER PASSWORD
var $DBNAME = "###"; // Change this to the proper DB NAME
// AUTHENTICATE
function authenticate($username, $password) {
// Check for apostrophe in $username to avoid SQL injection
if (ereg("'", $username))
{
return "invalid username";
}
// Check for apostrophe in $password to avoid SQL injection
if (ereg("'", $password))
{
return "invalid password";
}
$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd=MD5('$password') AND status <> 'inactive'";
$UpdateRecords = "UPDATE authuser SET lastlogin = NOW(), logincount = logincount + 1 WHERE uname='$username'";
$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
$SelectedDB = mysql_select_db($this->DBNAME);
$result = mysql_query($query);
$numrows = mysql_num_rows($result);
$row = mysql_fetch_array($result);
// CHECK IF THERE ARE RESULTS
// Logic: If the number of rows of the resulting recordset is 0, that means that no
// match was found. Meaning, wrong username-password combination.
if ($numrows == 0) {
return 0;
}
/*
elseif ($row["level"]==1) { // ADMIN LOGIN
$Update = mysql_query($UpdateRecords);
return 1;
}
*/
else {
$Update = mysql_query($UpdateRecords);
return $row;
}
} // End: function authenticate
// PAGE CHECK
// This function is the one used for every page that is to be secured. This is not the same one
// used in the initial login screen
function page_check($username, $password) {
// Let's comment this out and use the preg_match method
// to restrict username and password characters and disallow
// the semicolon (;) and apostrophe (') characters
// Anti-SQL Injection..
// if (!get_magic_quotes_gpc())
// {
// $username = addslashes($username);
// $password = addslashes($password);
// }
// Check for apostrophe in $username to avoid SQL injection
if (ereg("'", $username))
{
return "invalid username";
}
// Check for apostrophe in $password to avoid SQL injection
if (ereg("'", $password))
{
return "invalid password";
}
$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd=MD5('$password') AND status <> 'inactive'";
$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
$SelectedDB = mysql_select_db($this->DBNAME);
$result = mysql_query($query);
$numrows = mysql_num_rows($result);
$row = mysql_fetch_array($result);
// CHECK IF THERE ARE RESULTS
// Logic: If the number of rows of the resulting recordset is 0, that means that no
// match was found. Meaning, wrong username-password combination.
if ($numrows == 0) {
return false;
}
else {
return $row;
}
} // End: function page_check
// MODIFY USERS
function modify_user($username, $password, $team, $level, $status) {
// Add slashes to prevent SQL Injection
// However, we trust that we don't need to do this checking for the admin
// That's why the code snippet below is commented out
/*
if (!get_magic_quotes_gpc())
{
$username = addslashes($username);
$password = addslashes($password);
$team = addslashes($team);
$level = addslashes($level);
$status = addslashes($status);
}
*/
// If $password is blank, make no changes to the current password
if (trim($password) == '')
{
$qUpdate = "UPDATE authuser SET team='$team', level='$level', status='$status' WHERE uname='$username'";
}
else
{
$qUpdate = "UPDATE authuser SET passwd=MD5('$password'), team='$team', level='$level', status='$status'
WHERE uname='$username'";
}
// Check for apostrophe in $password to avoid SQL injection
if (ereg("'", $password))
{
return "invalid password";
}
if (trim($level)=="") {
return "blank level";
}
elseif (($username=="sa" AND $status=="inactive")) {
return "sa cannot be inactivated";
}
elseif (($username=="admin" AND $status=="inactive")) {
return "admin cannot be inactivated";
}
else {
$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
$SelectedDB = mysql_select_db($this->DBNAME);
$result = mysql_query($qUpdate);
return 1;
}
} // End: function modify_user
// DELETE USERS
function delete_user($username) {
// Add slashes to prevent SQL Injection
// However, we trust that we don't need to do this checking for the admin
// That's why the code snippet below is commented out
/*
if (!get_magic_quotes_gpc())
{
$username = addslashes($username);
}
*/
$qDelete = "DELETE FROM authuser WHERE uname='$username'";
if ($username == "sa") {
return "User sa cannot be deleted.";
}
elseif ($username == "admin") {
return "User admin cannot be deleted.";
}
elseif ($username == "test") {
return "User test cannot be deleted.";
}
$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
$SelectedDB = mysql_select_db($this->DBNAME);
$result = mysql_query($qDelete);
return mysql_error();
} // End: function delete_user
// ADD USERS
function add_user($username, $password, $team, $level, $status) {
// Add slashes to prevent SQL Injection
// However, we trust that we don't need to do this checking for the admin
// That's why the code snippet below is commented out
/*
if (!get_magic_quotes_gpc())
{
$username = addslashes($username);
$password = addslashes($password);
$team = addslashes($team);
$level = addslashes($level);
$status = addslashes($status);
}
*/
$qUserExists = "SELECT * FROM authuser WHERE uname='$username'";
$qInsertUser = "INSERT INTO authuser(uname, passwd, team, level, status, lastlogin, logincount)
VALUES ('$username', MD5('$password'), '$team', '$level', '$status', '', 0)";
$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
// Check if all fields are filled up
if (trim($username) == "") {
return "blank username";
}
// password check added 09-19-2003
elseif (trim($password) == "") {
return "blank password";
}
elseif (trim($level) == "") {
return "blank level";
}
// Check for apostrophe in $username to avoid SQL injection
if (ereg("'", $username))
{
return "invalid username";
}
// Check for apostrophe in $password to avoid SQL injection
if (ereg("'", $password))
{
return "invalid password";
}
// Check if user exists
$SelectedDB = mysql_select_db($this->DBNAME);
$user_exists = mysql_query($qUserExists);
if (mysql_num_rows($user_exists) > 0) {
return "username exists";
}
else {
// Add user to DB
// OLD CODE - DO NOT REMOVE
// $result = mysql_db_query($this->DBNAME, $qInsertUser);
// REVISED CODE
$SelectedDB = mysql_select_db($this->DBNAME);
$result = mysql_query($qInsertUser);
return mysql_affected_rows();
}
} // End: function add_user
// ADD TEAM
function add_team($teamname, $teamlead, $status="active") {
$qGroupExists = "SELECT * FROM authteam WHERE teamname='$teamname'";
$qInsertGroup = "INSERT INTO authteam(teamname, teamlead, status)
VALUES ('$teamname', '$teamlead', '$status')";
$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
// Check if all fields are filled up
if (trim($teamname) == "") {
return "blank team name";
}
// Check if group exists
// OLD CODE - DO NOT REMOVE
// $group_exists = mysql_db_query($this->DBNAME, $qGroupExists);
// REVISED CODE
$SelectedDB = mysql_select_db($this->DBNAME);
$group_exists = mysql_query($qGroupExists);
if (mysql_num_rows($group_exists) > 0) {
return "group exists";
}
else {
// Add user to DB
// OLD CODE - DO NOT REMOVE
// $result = mysql_db_query($this->DBNAME, $qInsertGroup);
// REVISED CODE
$SelectedDB = mysql_select_db($this->DBNAME);
$result = mysql_query($qInsertGroup);
return mysql_affected_rows();
}
} // End: function add_team
// MODIFY TEAM
function modify_team($teamname, $teamlead, $status) {
$qUpdate = "UPDATE authteam SET teamlead='$teamlead', status='$status'
WHERE teamname='$teamname'";
$qUserStatus = "UPDATE authuser SET status='$status' WHERE team='$teamname'";
if ($teamname == "Admin" AND $status=="inactive") {
return "Admin team cannot be inactivated.";
}
elseif ($teamname == "Ungrouped" AND $status=="inactive") {
return "Ungrouped team cannot be inactivated.";
}
else {
$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
// UPDATE STATUS IF STATUS OF TEAM IS INACTIVATED
// OLD CODE - DO NOT REMOVE
//$userresult = mysql_db_query($this->DBNAME, $qUserStatus);
// REVISED CODE
$SelectedDB = mysql_select_db($this->DBNAME);
$userresult = mysql_query($qUserStatus);
// OLD CODE - DO NOT REMOVE
// $result = mysql_db_query($this->DBNAME, $qUpdate);
// REVISED CODE
$result = mysql_query($qUpdate);
return 1;
}
} // End: function modify_team
// DELETE TEAM
function delete_team($teamname) {
$qDelete = "DELETE FROM authteam WHERE teamname='$teamname'";
$qUpdateUser = "UPDATE authuser SET team='Ungrouped' WHERE team='$teamname'";
if ($teamname == "Admin") {
return "Admin team cannot be deleted.";
}
elseif ($teamname == "Ungrouped") {
return "Ungrouped team cannot be deleted.";
}
elseif ($teamname == "Temporary") {
return "Temporary team cannot be deleted.";
}
$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
// OLD CODE - DO NOT REMOVE
// $result = mysql_db_query($this->DBNAME, $qUpdateUser);
// REVISED CODE
$SelectedDB = mysql_select_db($this->DBNAME);
$result = mysql_query($qUpdateUser);
// OLD CODE - DO NOT REMOVE
// $result = mysql_db_query($this->DBNAME, $qDelete);
// REVISED CODE
$result = mysql_query($qDelete);
return mysql_error();
} // End: function delete_team
} // End: class auth
?>
-------------------------- vAuthenticate.php ---------------------
THIS SETS THE COOKIE CAUSING THE PROBLEM AND SENDS USER TO NEW DESTINATION DEPENDING ON RESULTS
-------------------------------------------------------------------
<?php
// Start Code
// Use Sessions
// NOTE: This will store the username and password entered by the user to the cookie
// variables USERNAME and PASSWORD respectively even if the combination is correct or
// not. Be sure to authenticate every page that you want to be secured and pass as
// parameters the variables USERNAME and PASSWORD.
setcookie ("USERNAME", $_POST['username'],0,'/');
setcookie ("PASSWORD", $_POST['password'],0,'/');
// Change the path to auth.php and authconfig.php if you moved
// vAuthenticate.php from its original directory.
include_once ("auth.php");
include_once ("authconfig.php");
$username = $_POST['username'];
$password = $_POST['password'];
$Auth = new auth();
$detail = $Auth->authenticate($username, $password);
// authenticate() returns 0 (no match) or an error string on failure; only a row array means success
if (!is_array($detail))
{
?><HEAD>
<SCRIPT language="JavaScript1.1">
<!--
location.replace("<?php echo $failure; ?>");
//-->
</SCRIPT>
</HEAD>
<?php
}
elseif ($detail['team'] == "Admin") {
?><HEAD>
<SCRIPT language="JavaScript1.1">
<!--
location.replace("<?php echo $admin; ?>");
//-->
</SCRIPT>
</HEAD>
<?php
}
else
{
?><HEAD>
<SCRIPT language="JavaScript1.1">
<!--
location.replace("<?php echo $success; ?>");
//-->
</SCRIPT>
</HEAD>
<?php
}
?>
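A replacement body for vAuthenticate.php, added here as an example and not part of the question or of the posted auth class: nothing is stored in the browser until authenticate() has returned a row, and what is stored is a server-side session flag rather than the username and password cookies, so a failed login leaves the login box visible and the password never travels in a cookie. It assumes the question's auth.php and authconfig.php (the auth class, and $failure, $admin and $success from the config).

```php
<?php
// Added example (not the asker's code). Assumes auth.php and authconfig.php from
// the question: auth::authenticate() returns a row array on success, 0 or an
// error string otherwise; $failure, $admin and $success hold redirect URLs.
session_start();
include_once "auth.php";
include_once "authconfig.php";

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$Auth   = new auth();
$detail = $Auth->authenticate($username, $password);

if (!is_array($detail)) {
    // Failed login: clear any stale flag and store nothing else, so the
    // isset() test on the page keeps showing signup/login.php.
    unset($_SESSION['auth_user'], $_SESSION['auth_team']);
    header("Location: " . $failure);
    exit;
}

// Successful login: record only the outcome, server-side. The browser receives
// the session id cookie only; the password is never written to a cookie.
session_regenerate_id(true);          // new id so a pre-login session id is not reused
$_SESSION['auth_user'] = $detail['uname'];
$_SESSION['auth_team'] = $detail['team'];
$_SESSION['auth_time'] = time();

header("Location: " . ($detail['team'] == "Admin" ? $admin : $success));
exit;
```

With this in place, the page's test becomes `if (!empty($_SESSION['auth_user']))` after a `session_start()`, and page_check() no longer needs to re-query the database with a cookie-supplied password on every page.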