login not working

Hey guys,

I have a file viewer installed on my server. Everything works well, except for the login.
If you just type anything or even leave the fields blank and hit "login", the system keeps logging everyone in.

What I need is:

If the password is wrong, show a message: "invalid password" or something like that.
This is the code that I have:
<?php
@session_start();
include "config.php";
 
if(isset($_POST['user']) && isset($_POST['pass']))
{
	if($_POST['user']==$conf['user'] && $_POST['pass']==$conf['pass']) $_SESSION['auth']=1;
 
	for($i=0;$i<count($conf['users']);$i++)
		if($_POST['user']==$conf['users'][$i][0] && $_POST['pass']==$conf['users'][$i][1])
		{
			if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) req_auth();
			$conf['userid']=$i;
			$_SESSION['user_auth']=1;
			break;
		}
}
else
{
	if((!$_SESSION['auth']&&!$_SESSION['user_auth']) || ($_SESSION['user_auth'] 
		&& strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false&&!$_SESSION['auth']))
	{
		req_auth();
	}
}
 
function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
	width: 250px;
	margin: 15% auto auto;
}
</style>	
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
	<table>
		<tr>
			<td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
		</tr>
		<tr>
			<td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
		</tr>
	</table>
</form>
</div>
</body>
';
exit();
}
?>

fackz Asked:
 
nplib Commented:
This is an update to auth.php.

Although this should solve your problem, I would recommend investing some time into learning classes and functions; it will save you time and effort in the future.
<?php
session_start();
include "config.php";
 
function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
        width: 250px;
        margin: 15% auto auto;
}
</style>        
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
        <table>
                <tr>
                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
                </tr>
                <tr>
                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
                </tr>
        </table>
</form>
</div>
</body>
';
}
 
if((isset($_POST['user'])) && (isset($_POST['pass'])))
{
        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))
		{
			$_SESSION['auth']=1;
		}
		else
		{
			echo '<font size="3" color="#ff0000">Invalid Password</font>';
		}
         for($i=0;$i<count($conf['users']);$i++)
		{
            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))
            {
				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
				{
					req_auth();
				}
				$conf['userid']=$i;
				$_SESSION['user_auth']=1;
			}
			else
			{
				echo '<font size="3" color="#ff0000">Invalid Password</font>';
			}
		}
}
else
{
        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))
        {
                req_auth();
        }
}
?>

0
 
Roonaan Commented:
You do not need the else. Try the snippet I added below.

What is the purpose of the $_SESSION['auth'] variable? It only tests if an auth has been attempted, not if it is successful or anything.
if(isset($_POST['user']) && isset($_POST['pass']))
{
	if($_POST['user']==$conf['user'] && $_POST['pass']==$conf['pass']) 
	{
		$_SESSION['auth']=1;
	}
 
	for($i=0;$i<count($conf['users']);$i++)
	{
		if($_POST['user']==$conf['users'][$i][0] && $_POST['pass']==$conf['users'][$i][1])
		{
			if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
			{
				req_auth();
			}
			$conf['userid']=$i;
			$_SESSION['user_auth']=1;
			break;
		}
	}
}
if((!$_SESSION['auth']&&!$_SESSION['user_auth']) || ($_SESSION['user_auth'] && strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false&&!$_SESSION['auth'])) {
	req_auth();
}

0
 
fackz (Author) Commented:
I tried your code but it doesn't solve the problem.
I still can access the files without a password.
You can view the files here: www.kbytes.com.br/fileview/fileview2.zip

I don't know about the $_SESSION thing... I got this code already done by someone and I have basic skills in PHP. :(
0
 
nplib Commented:
Remove the @ in front of the session_start();

Remove break;

break is only used in switch statements, it could be breaking your script altogether

and you're calling req_auth(); before it's even written. Place that function at the top.

and you don't need exit() at the end, exit is for exiting a script early
and if it's in a function the function will not finish executing

Also, I don't think this actually matters but I like to use more () in my if statements to better organize my thoughts.

Let me know of any syntax errors, the last if statement had a lot of brackets and I didn't feel like testing.
<?php
session_start();
include "config.php";
 
function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
        width: 250px;
        margin: 15% auto auto;
}
</style>        
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
        <table>
                <tr>
                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
                </tr>
                <tr>
                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
                </tr>
        </table>
</form>
</div>
</body>
';
}
 
if((isset($_POST['user'])) && (isset($_POST['pass'])))
{
        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))
		{
			$_SESSION['auth']=1;
		}
         for($i=0;$i<count($conf['users']);$i++)
		{
            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))
            {
				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
				{
					req_auth();
				}
				$conf['userid']=$i;
				$_SESSION['user_auth']=1
			}
}
else
{
        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))
        {
                req_auth();
        }
}
?>

0
 
fackz (Author) Commented:
Thanks for your help, nplib.

I'm getting this message:
Parse error: syntax error, unexpected '}' in /home/fackz/public_html/fileview/auth.php on line 56
0
 
nplib Commented:
try that,

forgot a closing }
<?php
session_start();
include "config.php";
 
function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
        width: 250px;
        margin: 15% auto auto;
}
</style>        
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
        <table>
                <tr>
                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
                </tr>
                <tr>
                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
                </tr>
        </table>
</form>
</div>
</body>
';
}
 
if((isset($_POST['user'])) && (isset($_POST['pass'])))
{
        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))
		{
			$_SESSION['auth']=1;
		}
         for($i=0;$i<count($conf['users']);$i++)
		{
            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))
            {
				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
				{
					req_auth();
				}
				$conf['userid']=$i;
				$_SESSION['user_auth']=1
			}
		}
}
else
{
        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))
        {
                req_auth();
        }
}
?>

0
 
fackz (Author) Commented:
I changed it but I'm still getting the same error.
Look here: http://www.kbytes.com.br/fileview/
0
 
nplib Commented:
noticed a missing ;
<?php
session_start();
include "config.php";
 
function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
        width: 250px;
        margin: 15% auto auto;
}
</style>        
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
        <table>
                <tr>
                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
                </tr>
                <tr>
                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
                </tr>
        </table>
</form>
</div>
</body>
';
}
 
if((isset($_POST['user'])) && (isset($_POST['pass'])))
{
        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))
		{
			$_SESSION['auth']=1;
		}
         for($i=0;$i<count($conf['users']);$i++)
		{
            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))
            {
				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
				{
					req_auth();
				}
				$conf['userid']=$i;
				$_SESSION['user_auth']=1;
			}
		}
}
else
{
        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))
        {
                req_auth();
        }
}
?>

0
 
fackz (Author) Commented:
I'm still getting the login problem. Now it is a little worse because the script is showing the files underneath the login form. lol

Check it out: http://www.kbytes.com.br/fileview/
0
 
nplib Commented:
screenshot or something would help.

and is this the entirety of the script?
0
 
fackz (Author) Commented:
Check on my website... I already posted it for you to see the problem.
The whole script is here: www.kbytes.com.br/fileview/fileview2.zip
print.jpg
0
 
nplib Commented:
your auth.php doesn't look like what I've been posting.

you changed some minor things,

copy and paste the whole thing.
0
 
fackz (Author) Commented:
np, the zipped files are the originals... yours are running on my server.
0
 
nplib Commented:
ah, so what is wrong exactly.

from what I can see, it's doing exactly what you programmed it to do.

what do you want it to do?
0
 
fackz (Author) Commented:
I got this file done by someone else. What I need is:

If user and pass right = show the file manager
if not = echo invalid password

Now, if you go to the website, it allows you to login with any user/pass
Also, after the changes on the code, the file manager is showing in the login page, and it is supposed to appear just after the validation.
0
 
nplib Commented:
what you need to do is test for the session value that is being set during auth

you have $_SESSION['auth'] and $_SESSION['user_auth']

what is the difference?
0
 
nplib Commented:
there's a line I added

if (($_SESSION['auth']) || ($_SESSION['user_auth'])) {

if you only need to test for one, then do just one

also

the @ symbol suppresses error messages, if you suppress your session_start() error if it has one, your script will continue to run regardless, potentially causing serious problems.
<?php
if(isset($_GET['action']) && $_GET['action']=='logout')
{
	session_start();
	$_SESSION['user_auth']=0;
	$_SESSION['auth']=0;
	//print_r($_SESSION);
}
require('auth.php');
 
print '
<head>
<style>
.large { font-size: 15pt; }
div.main { text-align: center; }
a, a:visited
{
	text-decoration: none;
	font-weight: bold;
}
a:hover
{
	text-decoration: underline;
}
td.line
{
	border-style: solid;
	border-color: gray;
	margin: 0px;
	padding: 10px;
	border-width:  0px 0px 1px 0px;
}
td.fname
{
	font-weight: bold;
}
td.right
{
	text-align: right;
}
a.rm:hover
{
	text-decoration: underline;
	color: red;
}
a.dl:hover
{
	text-decoration: underline;
	color: green;
}
</style>
<meta http-equiv="cache-control" content="no-cache">
<title>view files</title>
<script>
function check() { return confirm("Are you sure?"); }
</script>
</head>
<body>
<div class="main">
';
 
if(isset($_GET['cd']))
{
	$curdir=urldecode($_GET['cd'])."/";
	if(!file_exists($curdir)) $curdir=$conf['filesdir']."/";
}
else $curdir=$conf['filesdir']."/";
if(strpos($curdir,"..")!==false) $curdir=$conf['filesdir'];
 
$back=split("/",$curdir);
if(count($back)>3)
{
	array_pop($back);
	array_pop($back);
	$back=urlencode(join("/",$back));
	print "<span class=\"large\"><a href=\"./?cd=$back\">Back</a></span>";
}
 
 
if(isset($_GET['rm']))
{
	//print $curdir.$_GET['rm'];
	$_GET['rm']=urldecode($_GET['rm']);
	if(file_exists($curdir.$_GET['rm']))
	{
		if(is_file($curdir.$_GET['rm'])) unlink($curdir.$_GET['rm']);
		if(is_dir($curdir.$_GET['rm'])) rmdir($curdir.$_GET['rm']);
	}
}
 
 
$dh=opendir($curdir);
while (false!==($filename=readdir($dh)))
{
	if(is_file($curdir.$filename)) $files[] = $filename;
	if(is_dir($curdir.$filename)) $dirs[] = $filename;
}
if(isset($dirs)&&count($dirs)) sort($dirs);
if(isset($files)&&count($files)) sort($files);
 
if (($_SESSION['auth']) || ($_SESSION['user_auth'])) {
	echo '
	<table class="main_table" align="center" cellspacing="0" cellpadding="0">';
	echo "
	<tr> <td colspan=6 class=\"right large\"><a href=\"./?action=logout\">logout</a></td> </tr>
	<tr>
	<td class=\"line\">
		<b>Name</b>
	</td>
	<td class=\"line\">
		<b>Size</b>
	</td>
	<td class=\"line\">
		<b>Path</b>
	</td>
	<td class=\"line\">
		<b>Download</b>
	</td>
	<td class=\"line\">
		<b>Remove</b>
	</td>
	<td class=\"line\">
		<b>Preview</b>
	</td>
	</tr>\n";
	if(isset($dirs)&&count($dirs))
	{
		sort($dirs);
		$rdir=substr($curdir,0,-1);
		foreach($dirs as $dir)
		{
			if($dir=='.'||$dir=='..') continue;
			$cd=urlencode("$curdir$dir");
			echo "
			<tr>
			<td class=\"line fname\">
				<a href=\"./?cd=$cd\" class=\"dl\">$dir</a>
			</td>
			<td class=\"line\">
				&nbsp;
			</td>
			<td class=\"line\">
				$curdir
			</td>
			<td class=\"line\">
				&nbsp;
			</td>
			<td class=\"line\">
				<a href=\"./?rm=".urlencode($dir)."&cd=$rdir\" class=\"rm\" onClick=\"return check()\">remove</a>
			</td>
			<td class=\"line\">
				<a href=\"./?cd=$cd\"><img src=\"./resize.php?f=dir&ext=dir\"></a>
			</td>
			</tr>\n";
			
		}
	}
	if(isset($files)&&count($files))
	{
		sort($dirs);
		$rdir=substr($curdir,0,-1);
		foreach($files as $file)
		{
			$ext=split("\.",$file);
			$ext=strtolower($ext[count($ext)-1]);
			$ffile=urlencode($curdir.$file);
				echo "
				<tr>
				<td class=\"line fname\">
					$file
				</td>
				<td class=\"line\">
					".number_format(filesize($curdir.$file),0,"."," ")."
				</td>
				<td class=\"line\">
					$curdir
				</td>
				<td class=\"line\">
					<a href=\"./dl.php?f=$ffile\" class=\"dl\">download</a>
				</td>
				<td class=\"line\">
					<a href=\"./?rm=".urldecode($file)."&cd=$rdir\" class=\"rm\" onClick=\"return check()\">remove</a>
				</td>
				<td class=\"line\">
					<a href=\"./dl.php?f=$ffile\"><img src=\"./resize.php?f=$ffile&ext=$ext\"></a>
				</td>
				</tr>\n";
		}
	}
	echo '
	</table>';
}
echo '
</div>
</body>
</html>
';
?>

0
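
An added example, not code from the thread or from the file viewer itself: a fail-closed version of the auth.php gate discussed above, in which a failed POST shows "Invalid password" and `req_auth()` always exits, so index.php cannot run its file operations or print the listing for an unauthenticated request. It covers only the single `$conf['user']` account; `$conf['pass_hash']` and `credentials_ok()` are hypothetical names, and the inline `$conf` is constructed sample data standing in for config.php.

```php
<?php
// Added example, not the thread's code. $conf stands in for config.php;
// 'pass_hash' is a hypothetical key holding password_hash() output.
$conf = [
    'user'      => 'admin',
    'pass_hash' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
];

// True only when both fields are strings and match the configured account.
function credentials_ok(array $post, array $conf): bool
{
    $user = $post['user'] ?? null;
    $pass = $post['pass'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return false;                       // missing or array-valued fields never pass
    }
    // hash_equals() compares strictly and in constant time (no == type juggling).
    $userOk = hash_equals($conf['user'], $user);
    $passOk = password_verify($pass, $conf['pass_hash']);
    return $userOk && $passOk;
}

// Print the login form and stop, so nothing after the gate can run.
function req_auth(string $error = ''): void
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'] ?? '', ENT_QUOTES);
    $msg = $error === '' ? '' : '<p style="color:#f00">' . htmlspecialchars($error) . '</p>';
    print '<html><body>' . $msg
        . '<form method="post" action="' . $action . '">'
        . 'Login: <input type="text" name="user"/> '
        . 'Password: <input type="password" name="pass"/> '
        . '<input type="submit" value="login"></form></body></html>';
    exit();
}

if (PHP_SAPI !== 'cli') {                   // run the gate only under a web server
    session_start();
    if (isset($_POST['user']) || isset($_POST['pass'])) {
        if (!credentials_ok($_POST, $conf)) {
            req_auth('Invalid password');   // failed POST: message, form, exit
        }
        session_regenerate_id(true);        // issue a new session id after login
        $_SESSION['auth'] = 1;
    }
    if (empty($_SESSION['auth'])) {
        req_auth();                         // no valid session: form, exit
    }
}
// Only authenticated requests reach this point; index.php continues from here.
```

Because the session check runs on every request, including a failed POST, there is no path that skips both the credential test and the session test.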
 
fackz (Author) Commented:
Well, as I told you before, this is not my code, and I'm really a beginner in PHP things. My boss just gave me this code and asked for this change.

Thank you for your effort and patience... I'm gonna increase the points for this.

We don't need to use this validation code, we can use anything easier... I just wanna disable access to the file viewer without a password.
0
 
nplib Commented:
try what I just posted.
0
 
fackz (Author) Commented:
I got this:

Fatal error: Out of memory (allocated 49020928) (tried to allocate 77824 bytes) in /home/fackz/public_html/fileview/auth.php on line 173
0
 
nplib Commented:
there is no line 173 in the auth.php

the page I just posted was an update to your index.php
0
 
fackz (Author) Commented:
sorry..my fault...let me try again
0
 
fackz (Author) Commented:
hey, we are almost there. look:

http://www.kbytes.com.br/fileview/

I just need to show an error message instead of a blank page!

niceeeeeee
0
 
fackz (Author) Commented:
it worked! thank you very much for your advice and your help
enjoy the points!
0
 
fackz (Author) Commented:
thank you again
0
Question has a verified solution.
