Solved

login not working

Posted on 2008-06-20
25
Medium Priority
256 Views
Last Modified: 2013-12-12
Hey guys,

I have a file viewer installed on my server. Everything works well, except for the login.
If you just type anything or even leave the fields blank and hit "login", the system keeps logging everyone in.

What I need is:

If the password is wrong, show a message: "invalid password" or something like that.
This is the code that I have:
<?php
@session_start();
include "config.php";
 
if(isset($_POST['user']) && isset($_POST['pass']))
{
	if($_POST['user']==$conf['user'] && $_POST['pass']==$conf['pass']) $_SESSION['auth']=1;
 
	for($i=0;$i<count($conf['users']);$i++)
		if($_POST['user']==$conf['users'][$i][0] && $_POST['pass']==$conf['users'][$i][1])
		{
			if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) req_auth();
			$conf['userid']=$i;
			$_SESSION['user_auth']=1;
			break;
		}
}
else
{
	if((!$_SESSION['auth']&&!$_SESSION['user_auth']) || ($_SESSION['user_auth'] 
		&& strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false&&!$_SESSION['auth']))
	{
		req_auth();
	}
}
 
function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
	width: 250px;
	margin: 15% auto auto;
}
</style>	
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
	<table>
		<tr>
			<td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
		</tr>
		<tr>
			<td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
		</tr>
	</table>
</form>
</div>
</body>
';
exit();
}
?>

0
Question by:fackz
25 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 21829183
You do not need the else. Try the snippet I added below.

What is the purpose of the $_SESSION['auth'] variable? It only tests if an auth has been attempted, not if it is successful or anything.
if(isset($_POST['user']) && isset($_POST['pass']))
{
	if($_POST['user']==$conf['user'] && $_POST['pass']==$conf['pass']) 
	{
		$_SESSION['auth']=1;
	}
 
	for($i=0;$i<count($conf['users']);$i++)
	{
		if($_POST['user']==$conf['users'][$i][0] && $_POST['pass']==$conf['users'][$i][1])
		{
			if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
			{
				req_auth();
			}
			$conf['userid']=$i;
			$_SESSION['user_auth']=1;
			break;
		}
	}
}
if((!$_SESSION['auth']&&!$_SESSION['user_auth']) || ($_SESSION['user_auth'] && strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false&&!$_SESSION['auth'])) {
	req_auth();
}

0
 

Author Comment

by:fackz
ID: 21829226
I tried your code but it doesn't solve the problem.
I still can access the files without a password.
You can view the files here: www.kbytes.com.br/fileview/fileview2.zip

I don't know about the $_SESSION thing...I got this code already done by someone and I have basic skills on php. :(
0
 
LVL 17

Expert Comment

by:nplib
ID: 21831811
remove the @ in front of the session_start();

remove break;

break is only used in switch statements, it could be breaking your script altogether

and you're calling req_auth(); before it's even written. Place that function at the top.

and you don't need exit() at the end, exit is for exiting a script early
and if it's in a function the function will not finish executing

Also, I don't think this actually matters but I like to use more () in my if statements to better organize my thoughts.

let me know of any syntax errors, the last if statement had a lot of brackets and I didn't feel like testing.
<?php
session_start();
include "config.php";
 
function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
        width: 250px;
        margin: 15% auto auto;
}
</style>        
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
        <table>
                <tr>
                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
                </tr>
                <tr>
                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
                </tr>
        </table>
</form>
</div>
</body>
';
}
 
if((isset($_POST['user'])) && (isset($_POST['pass'])))
{
        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))
		{
			$_SESSION['auth']=1;
		}
         for($i=0;$i<count($conf['users']);$i++)
		{
            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))
            {
				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
				{
					req_auth();
				}
				$conf['userid']=$i;
				$_SESSION['user_auth']=1
			}
}
else
{
        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))
        {
                req_auth();
        }
}
?>

0
 

Author Comment

by:fackz
ID: 21832648
Thanks for your help nplib.

I'm getting this message:
Parse error: syntax error, unexpected '}' in /home/fackz/public_html/fileview/auth.php on line 56
0
 
LVL 17

Expert Comment

by:nplib
ID: 21832664
try that,

forgot a closing }
<?php
session_start();
include "config.php";
 
function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
        width: 250px;
        margin: 15% auto auto;
}
</style>        
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
        <table>
                <tr>
                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
                </tr>
                <tr>
                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
                </tr>
        </table>
</form>
</div>
</body>
';
}
 
if((isset($_POST['user'])) && (isset($_POST['pass'])))
{
        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))
		{
			$_SESSION['auth']=1;
		}
         for($i=0;$i<count($conf['users']);$i++)
		{
            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))
            {
				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
				{
					req_auth();
				}
				$conf['userid']=$i;
				$_SESSION['user_auth']=1
			}
		}
}
else
{
        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))
        {
                req_auth();
        }
}
?>

0
 

Author Comment

by:fackz
ID: 21832709
I changed it but I'm still getting the same error.
Look here: http://www.kbytes.com.br/fileview/
0
 
LVL 17

Expert Comment

by:nplib
ID: 21832722
noticed a missing ;
<?php
session_start();
include "config.php";
 
function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
        width: 250px;
        margin: 15% auto auto;
}
</style>        
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
        <table>
                <tr>
                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
                </tr>
                <tr>
                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
                </tr>
        </table>
</form>
</div>
</body>
';
}
 
if((isset($_POST['user'])) && (isset($_POST['pass'])))
{
        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))
		{
			$_SESSION['auth']=1;
		}
         for($i=0;$i<count($conf['users']);$i++)
		{
            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))
            {
				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
				{
					req_auth();
				}
				$conf['userid']=$i;
				$_SESSION['user_auth']=1;
			}
		}
}
else
{
        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))
        {
                req_auth();
        }
}
?>

0
 

Author Comment

by:fackz
ID: 21832755
I'm still getting the login problem. Now it is a little worse because the script is showing the files underneath the login form. lol

Check it out: http://www.kbytes.com.br/fileview/
0
 
LVL 17

Expert Comment

by:nplib
ID: 21832784
screenshot or something would help.

and is this the entirety of the script?
0
 

Author Comment

by:fackz
ID: 21832838
Check on my website....I already posted it for you to see the problem.
the whole script is here: www.kbytes.com.br/fileview/fileview2.zip
print.jpg
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833379
your auth.php doesn't look like what I've been posting.

you changed some minor things,

copy and paste the whole thing.
0
 

Author Comment

by:fackz
ID: 21833479
np, the zipped files are the originals....yours are running on my server.
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833514
ah, so what is wrong exactly.

from what I can see, it's doing exactly what you programmed it to do.

what do you want it to do?
0
 

Author Comment

by:fackz
ID: 21833562
I got this file done by someone else. What I need is:

If user and pass right = show the file manager
if not = echo invalid password

Now, if you go to the website, it allows you to login with any user/pass
Also, after the changes on the code, the file manager is showing in the login page, and it is supposed to appear just after the validation.
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833610
what you need to do is test for the session value that is being set during auth

you have $_SESSION['auth'] and $_SESSION['user_auth']

what is the difference?
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833652
there's a line I added

if (($_SESSION['auth']) || ($_SESSION['user_auth'])) {

if you only need to test for one, then do just one

also

the @ symbol suppresses error messages, if you suppress your session_start() error if it has one, your script will continue to run regardless potentially causing serious problems.
<?php
if(isset($_GET['action']) && $_GET['action']=='logout')
{
	session_start();
	$_SESSION['user_auth']=0;
	$_SESSION['auth']=0;
	//print_r($_SESSION);
}
require('auth.php');
 
print '
<head>
<style>
.large { font-size: 15pt; }
div.main { text-align: center; }
a, a:visited
{
	text-decoration: none;
	font-weight: bold;
}
a:hover
{
	text-decoration: underline;
}
td.line
{
	border-style: solid;
	border-color: gray;
	margin: 0px;
	padding: 10px;
	border-width:  0px 0px 1px 0px;
}
td.fname
{
	font-weight: bold;
}
td.right
{
	text-align: right;
}
a.rm:hover
{
	text-decoration: underline;
	color: red;
}
a.dl:hover
{
	text-decoration: underline;
	color: green;
}
</style>
<meta http-equiv="cache-control" content="no-cache">
<title>view files</title>
<script>
function check() { return confirm("Are you sure?"); }
</script>
</head>
<body>
<div class="main">
';
 
if(isset($_GET['cd']))
{
	$curdir=urldecode($_GET['cd'])."/";
	if(!file_exists($curdir)) $curdir=$conf['filesdir']."/";
}
else $curdir=$conf['filesdir']."/";
if(strpos($curdir,"..")!==false) $curdir=$conf['filesdir'];
 
$back=explode("/",$curdir);
if(count($back)>3)
{
	array_pop($back);
	array_pop($back);
	$back=urlencode(join("/",$back));
	print "<span class=\"large\"><a href=\"./?cd=$back\">Back</a></span>";
}
 
 
if(isset($_GET['rm']))
{
	//print $curdir.$_GET['rm'];
	$_GET['rm']=urldecode($_GET['rm']);
	if(file_exists($curdir.$_GET['rm']))
	{
		if(is_file($curdir.$_GET['rm'])) unlink($curdir.$_GET['rm']);
		if(is_dir($curdir.$_GET['rm'])) rmdir($curdir.$_GET['rm']);
	}
}
 
 
$dh=opendir($curdir);
while (false!==($filename=readdir($dh)))
{
	if(is_file($curdir.$filename)) $files[] = $filename;
	if(is_dir($curdir.$filename)) $dirs[] = $filename;
}
if(isset($dirs)&&count($dirs)) sort($dirs);
if(isset($files)&&count($files)) sort($files);
 
if (($_SESSION['auth']) || ($_SESSION['user_auth'])) {
	echo '
	<table class="main_table" align="center" cellspacing="0" cellpadding="0">';
	echo "
	<tr> <td colspan=6 class=\"right large\"><a href=\"./?action=logout\">logout</a></td> </tr>
	<tr>
	<td class=\"line\">
		<b>Name</b>
	</td>
	<td class=\"line\">
		<b>Size</b>
	</td>
	<td class=\"line\">
		<b>Path</b>
	</td>
	<td class=\"line\">
		<b>Download</b>
	</td>
	<td class=\"line\">
		<b>Remove</b>
	</td>
	<td class=\"line\">
		<b>Preview</b>
	</td>
	</tr>\n";
	if(isset($dirs)&&count($dirs))
	{
		sort($dirs);
		$rdir=substr($curdir,0,-1);
		foreach($dirs as $dir)
		{
			if($dir=='.'||$dir=='..') continue;
			$cd=urlencode("$curdir$dir");
			echo "
			<tr>
			<td class=\"line fname\">
				<a href=\"./?cd=$cd\" class=\"dl\">$dir</a>
			</td>
			<td class=\"line\">
				&nbsp;
			</td>
			<td class=\"line\">
				$curdir
			</td>
			<td class=\"line\">
				&nbsp;
			</td>
			<td class=\"line\">
				<a href=\"./?rm=".urlencode($dir)."&cd=$rdir\" class=\"rm\" onClick=\"return check()\">remove</a>
			</td>
			<td class=\"line\">
				<a href=\"./?cd=$cd\"><img src=\"./resize.php?f=dir&ext=dir\"></a>
			</td>
			</tr>\n";
			
		}
	}
	if(isset($files)&&count($files))
	{
		sort($files);
		$rdir=substr($curdir,0,-1);
		foreach($files as $file)
		{
			$ext=explode(".",$file);
			$ext=strtolower($ext[count($ext)-1]);
			$ffile=urlencode($curdir.$file);
				echo "
				<tr>
				<td class=\"line fname\">
					$file
				</td>
				<td class=\"line\">
					".number_format(filesize($curdir.$file),0,"."," ")."
				</td>
				<td class=\"line\">
					$curdir
				</td>
				<td class=\"line\">
					<a href=\"./dl.php?f=$ffile\" class=\"dl\">download</a>
				</td>
				<td class=\"line\">
					<a href=\"./?rm=".urlencode($file)."&cd=$rdir\" class=\"rm\" onClick=\"return check()\">remove</a>
				</td>
				<td class=\"line\">
					<a href=\"./dl.php?f=$ffile\"><img src=\"./resize.php?f=$ffile&ext=$ext\"></a>
				</td>
				</tr>\n";
		}
	}
	echo '
	</table>';
}
echo '
</div>
</body>
</html>
';
?>

0
 

Author Comment

by:fackz
ID: 21833664
Well, as I told you before this is not my code, and I'm really a beginner with PHP. My boss just gave me this code and asked for this change.

Thank you for your effort and patience...I'm gonna increase the points for this.

We don't need to use this validation code, we can use anything easier...I just wanna disable access to the file viewer without a password.
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833680
try what I just posted.
0
 

Author Comment

by:fackz
ID: 21833711
I got this:

Fatal error: Out of memory (allocated 49020928) (tried to allocate 77824 bytes) in /home/fackz/public_html/fileview/auth.php on line 173
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833732
there is no line 173 in the auth.php

the page I just posted was an update to your index.php
0
 

Author Comment

by:fackz
ID: 21833746
sorry..my fault...let me try again
0
 

Author Comment

by:fackz
ID: 21833764
hey, we are almost there. look:

http://www.kbytes.com.br/fileview/

I just need to show an error message instead of a blank page!

niceeeeeee
0
 
LVL 17

Accepted Solution

by:
nplib earned 1300 total points
ID: 21833798
this is an update to auth.php

although this should solve your problem, I would recommend investing some time into learning classes and functions, it will save you time and effort in the future.
<?php
session_start();
include "config.php";
 
function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
        width: 250px;
        margin: 15% auto auto;
}
</style>        
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
        <table>
                <tr>
                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
                </tr>
                <tr>
                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
                </tr>
        </table>
</form>
</div>
</body>
';
}
 
if((isset($_POST['user'])) && (isset($_POST['pass'])))
{
        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))
		{
			$_SESSION['auth']=1;
		}
		else
		{
			echo '<font size="3" color="#ff0000">Invalid Password</font>';
		}
         for($i=0;$i<count($conf['users']);$i++)
		{
            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))
            {
				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
				{
					req_auth();
				}
				$conf['userid']=$i;
				$_SESSION['user_auth']=1;
			}
			else
			{
				echo '<font size="3" color="#ff0000">Invalid Password</font>';
			}
		}
}
else
{
        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))
        {
                req_auth();
        }
}
?>

0
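As an added example (not code from this thread or from the file viewer's author): in the scripts above, a POST with wrong credentials skips the session check in the else branch, and once req_auth() no longer calls exit() the rest of the including page still runs. A fail-closed auth.php could look like this, assuming the $conf layout shown in the question; creds_match() and $_SESSION['userid'] are names introduced here.

```php
<?php
// Added example, not code from the thread: a fail-closed auth.php.
// Assumes the $conf layout used in the thread: $conf['user'], $conf['pass'],
// and $conf['users'] as a list of [login, password] pairs.
session_start();
include "config.php";

// Print the login form (plus an optional error) and stop the request, so
// nothing after require('auth.php') runs for an unauthenticated visitor.
function req_auth($error = '')
{
	$action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES);
	$msg = $error === '' ? '' : '<p style="color:#f00">'.htmlspecialchars($error, ENT_QUOTES).'</p>';
	print '<html><head><title>Authentication</title></head><body>'.$msg.
		'<form name="auth" method="post" action="'.$action.'">'.
		'Login: <input id="ilogin" type="text" name="user"/> '.
		'Password: <input type="password" name="pass"/> '.
		'<input type="submit" value="login"></form></body></html>';
	exit();
}

// Strict, constant-time string comparison (hash_equals needs PHP 5.6+).
// Unlike ==, it never treats numeric-looking strings such as "0e1" and "0e2" as equal.
function creds_match($user, $pass, $wantUser, $wantPass)
{
	// An empty configured login or password never matches anything.
	if ((string)$wantUser === '' || (string)$wantPass === '') return false;
	$u = hash_equals((string)$wantUser, $user);
	$p = hash_equals((string)$wantPass, $pass);
	return $u && $p;
}

if (isset($_POST['user'], $_POST['pass']))
{
	// Array-valued fields (user[]=x) can never match a stored string.
	$user = is_string($_POST['user']) ? $_POST['user'] : '';
	$pass = is_string($_POST['pass']) ? $_POST['pass'] : '';
	$_SESSION['auth'] = 0;
	$_SESSION['user_auth'] = 0;

	if (creds_match($user, $pass, $conf['user'], $conf['pass'])) $_SESSION['auth'] = 1;
	else foreach ($conf['users'] as $i => $pair)
	{
		if (!creds_match($user, $pass, $pair[0], $pair[1])) continue;
		$_SESSION['user_auth'] = 1;
		$_SESSION['userid'] = $i; // kept in the session so later requests see it
		break;
	}
	// A failed POST is rejected here instead of falling through to the page.
	if (!$_SESSION['auth'] && !$_SESSION['user_auth']) req_auth('Invalid login or password');
	session_regenerate_id(true); // fresh session ID after a successful login
}

// Same rule as the thread's final condition: 'auth' may see everything,
// 'user_auth' alone may only reach upload.php.
$onUpload = basename($_SERVER['SCRIPT_NAME']) === 'upload.php';
if (empty($_SESSION['auth']) && !(!empty($_SESSION['user_auth']) && $onUpload)) req_auth();
?>
```

The config.php in the thread holds plain-text passwords; storing password_hash() output there and checking it with password_verify() would keep the passwords themselves out of the file.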
 

Author Comment

by:fackz
ID: 21833879
it worked! thank you very much for your advice and your help
enjoy the points!
0
 

Author Closing Comment

by:fackz
ID: 31469066
thank you again
0
