Solved

login not working

Posted on 2008-06-20
Last Modified: 2013-12-12
Hey guys,

I have a file viewer installed on my server. Everything works well, except for the login.
If you just type anything or even leave the fields blank and hit "login", the system keeps logging everyone in.

What I need is:

If the password is wrong, show a message: "invalid password" or something like that.
This is the code that I have:
<?php
@session_start();
include "config.php";

if(isset($_POST['user']) && isset($_POST['pass']))
{
    if($_POST['user']==$conf['user'] && $_POST['pass']==$conf['pass']) $_SESSION['auth']=1;

    for($i=0;$i<count($conf['users']);$i++)
        if($_POST['user']==$conf['users'][$i][0] && $_POST['pass']==$conf['users'][$i][1])
        {
            if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) req_auth();
            $conf['userid']=$i;
            $_SESSION['user_auth']=1;
            break;
        }
}
else
{
    if((!$_SESSION['auth']&&!$_SESSION['user_auth']) || ($_SESSION['user_auth']
        && strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false&&!$_SESSION['auth']))
    {
        req_auth();
    }
}

function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
    width: 250px;
    margin: 15% auto auto;
}
</style>
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
    <table>
        <tr>
            <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
        </tr>
        <tr>
            <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
        </tr>
    </table>
</form>
</div>
</body>
';
exit();
}
?>

0
Question by:fackz
 
LVL 49

Expert Comment

by:Roonaan
ID: 21829183
You do not need the else. Try the snippet I added below.

What is the purpose of the $_SESSION['auth'] variable? It only tests if an auth has been attempted, not if it is successful or anything.
if(isset($_POST['user']) && isset($_POST['pass']))
{
    if($_POST['user']==$conf['user'] && $_POST['pass']==$conf['pass'])
    {
        $_SESSION['auth']=1;
    }

    for($i=0;$i<count($conf['users']);$i++)
    {
        if($_POST['user']==$conf['users'][$i][0] && $_POST['pass']==$conf['users'][$i][1])
        {
            if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
            {
                req_auth();
            }
            $conf['userid']=$i;
            $_SESSION['user_auth']=1;
            break;
        }
    }
}
if((!$_SESSION['auth']&&!$_SESSION['user_auth']) || ($_SESSION['user_auth'] && strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false&&!$_SESSION['auth'])) {
    req_auth();
}


0
 

Author Comment

by:fackz
ID: 21829226
I tried your code but it doesn't solve the problem.
I still can access the files without a password.
You can view the files here: www.kbytes.com.br/fileview/fileview2.zip

I don't know about the $_SESSION thing...I got this code already done by someone and I have basic skills on php. :(
0
 
LVL 17

Expert Comment

by:nplib
ID: 21831811
remove the @ in front of the session_start();

remove break;

break is only used in switch statements, it could be breaking your script altogether

and you're calling req_auth(); before it's even written. Place that function at the top.

and you don't need exit() at the end, exit is for exiting a script early
and if it's in a function the function will not finish executing

Also, I don't think this actually matters but I like to use more () in my if statements to better organize my thoughts.

let me know of any syntax errors, the last if statement had a lot of brackets and I didn't feel like testing.
<?php

session_start();

include "config.php";
 

function req_auth()

{

print '

<html>

<head>

<title>Authentication</title>

<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />

<meta http-equiv="cache-control" content="no-cache">

<style>

body {text-align: center;}

td {font-weight: bold;}

div

{

        width: 250px;

        margin: 15% auto auto;

}

</style>        

</head>

<body onload="javascript:document.getElementById(\'ilogin\').focus()">

<div>

<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">

        <table>

                <tr>

                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>

                </tr>

                <tr>

                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>

                </tr>

        </table>

</form>

</div>

</body>

';

}
 

if((isset($_POST['user'])) && (isset($_POST['pass'])))

{

        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))

		{

			$_SESSION['auth']=1;

		}

         for($i=0;$i<count($conf['users']);$i++)

		{

            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))

            {

				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)

				{

					req_auth();

				}

				$conf['userid']=$i;

				$_SESSION['user_auth']=1

			}

}

else

{

        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))

        {

                req_auth();

        }

}

?>


0
 

Author Comment

by:fackz
ID: 21832648
Thanks for your help nplib.

I'm getting this message:
Parse error: syntax error, unexpected '}' in /home/fackz/public_html/fileview/auth.php on line 56
0
 
LVL 17

Expert Comment

by:nplib
ID: 21832664
try that,

forgot a closing }
<?php

session_start();

include "config.php";
 

function req_auth()

{

print '

<html>

<head>

<title>Authentication</title>

<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />

<meta http-equiv="cache-control" content="no-cache">

<style>

body {text-align: center;}

td {font-weight: bold;}

div

{

        width: 250px;

        margin: 15% auto auto;

}

</style>        

</head>

<body onload="javascript:document.getElementById(\'ilogin\').focus()">

<div>

<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">

        <table>

                <tr>

                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>

                </tr>

                <tr>

                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>

                </tr>

        </table>

</form>

</div>

</body>

';

}
 

if((isset($_POST['user'])) && (isset($_POST['pass'])))

{

        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))

		{

			$_SESSION['auth']=1;

		}

         for($i=0;$i<count($conf['users']);$i++)

		{

            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))

            {

				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)

				{

					req_auth();

				}

				$conf['userid']=$i;

				$_SESSION['user_auth']=1

			}

		}

}

else

{

        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))

        {

                req_auth();

        }

}

?>


0
 

Author Comment

by:fackz
ID: 21832709
I changed it but I'm still getting the same error.
Look here: http://www.kbytes.com.br/fileview/
0
 
LVL 17

Expert Comment

by:nplib
ID: 21832722
noticed a missing ;
<?php

session_start();

include "config.php";
 

function req_auth()

{

print '

<html>

<head>

<title>Authentication</title>

<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />

<meta http-equiv="cache-control" content="no-cache">

<style>

body {text-align: center;}

td {font-weight: bold;}

div

{

        width: 250px;

        margin: 15% auto auto;

}

</style>        

</head>

<body onload="javascript:document.getElementById(\'ilogin\').focus()">

<div>

<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">

        <table>

                <tr>

                        <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>

                </tr>

                <tr>

                        <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>

                </tr>

        </table>

</form>

</div>

</body>

';

}
 

if((isset($_POST['user'])) && (isset($_POST['pass'])))

{

        if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))

		{

			$_SESSION['auth']=1;

		}

         for($i=0;$i<count($conf['users']);$i++)

		{

            if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))

            {

				if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)

				{

					req_auth();

				}

				$conf['userid']=$i;

				$_SESSION['user_auth']=1;

			}

		}

}

else

{

        if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))

        {

                req_auth();

        }

}

?>


0
 

Author Comment

by:fackz
ID: 21832755
I'm still getting the login problem. Now it is a little worse because the script is showing the files underneath the login form. lol

Check it out: http://www.kbytes.com.br/fileview/
0
 
LVL 17

Expert Comment

by:nplib
ID: 21832784
screenshot or something would help.

and is this the entirety of the script?
0
 

Author Comment

by:fackz
ID: 21832838
Check on my website....I already posted it for you to see the problem.
The whole script is here: www.kbytes.com.br/fileview/fileview2.zip
print.jpg
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833379
your auth.php doesn't look like what I've been posting.

you changed some minor things,

copy and paste the whole thing.
0
 

Author Comment

by:fackz
ID: 21833479
np, the zipped files are the original....yours are running on my server.
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833514
ah, so what is wrong exactly.

from what I can see, it's doing exactly what you programmed it to do.

what do you want it to do?
0
 

Author Comment

by:fackz
ID: 21833562
I got this file done by someone else. What I need is:

If user and pass right = show the file manager
if not = echo invalid password

Now, if you go to the website, it allows you to login with any user/pass
Also, after the changes on the code, the file manager is showing in the login page, and it is supposed to appear just after the validation.
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833610
what you need to do is test for the session value that is being set during auth

you have $_SESSION['auth'] and $_SESSION['user_auth']

what is the difference?
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833652
there's a line I added

if (($_SESSION['auth']) || ($_SESSION['user_auth'])) {

if you only need to test for one, then do just one

also

the @ symbol suppresses error messages, if you suppress your session_start() error if it has one, your script will continue to run regardless, potentially causing serious problems.
<?php

if(isset($_GET['action']) && $_GET['action']=='logout')

{

	session_start();

	$_SESSION['user_auth']=0;

	$_SESSION['auth']=0;

	//print_r($_SESSION);

}

require('auth.php');
 

print '

<head>

<style>

.large { font-size: 15pt; }

div.main { text-align: center; }

a, a:visited

{

	text-decoration: none;

	font-weight: bold;

}

a:hover

{

	text-decoration: underline;

}

td.line

{

	border-style: solid;

	border-color: gray;

	margin: 0px;

	padding: 10px;

	border-width:  0px 0px 1px 0px;

}

td.fname

{

	font-weight: bold;

}

td.right

{

	text-align: right;

}

a.rm:hover

{

	text-decoration: underline;

	color: red;

}

a.dl:hover

{

	text-decoration: underline;

	color: green;

}

</style>

<meta http-equiv="cache-control" content="no-cache">

<title>view files</title>

<script>

function check() { return confirm("Are you sure?"); }

</script>

</head>

<body>

<div class="main">

';
 

if(isset($_GET['cd']))

{

	$curdir=urldecode($_GET['cd'])."/";

	if(!file_exists($curdir)) $curdir=$conf['filesdir']."/";

}

else $curdir=$conf['filesdir']."/";

if(strpos($curdir,"..")!==false) $curdir=$conf['filesdir'];
 

$back=split("/",$curdir);

if(count($back)>3)

{

	array_pop($back);

	array_pop($back);

	$back=urlencode(join("/",$back));

	print "<span class=\"large\"><a href=\"./?cd=$back\">Back</a></span>";

}
 
 

if(isset($_GET['rm']))

{

	//print $curdir.$_GET['rm'];

	$_GET['rm']=urldecode($_GET['rm']);

	if(file_exists($curdir.$_GET['rm']))

	{

		if(is_file($curdir.$_GET['rm'])) unlink($curdir.$_GET['rm']);

		if(is_dir($curdir.$_GET['rm'])) rmdir($curdir.$_GET['rm']);

	}

}
 
 

$dh=opendir($curdir);

while (false!==($filename=readdir($dh)))

{

	if(is_file($curdir.$filename)) $files[] = $filename;

	if(is_dir($curdir.$filename)) $dirs[] = $filename;

}

if(isset($dirs)&&count($dirs)) sort($dirs);

if(isset($files)&&count($files)) sort($files);
 

if (($_SESSION['auth']) || ($_SESSION['user_auth'])) {

	echo '

	<table class="main_table" align="center" cellspacing="0" cellpadding="0">';

	echo "

	<tr> <td colspan=6 class=\"right large\"><a href=\"./?action=logout\">logout</a></td> </tr>

	<tr>

	<td class=\"line\">

		<b>Name</b>

	</td>

	<td class=\"line\">

		<b>Size</b>

	</td>

	<td class=\"line\">

		<b>Path</b>

	</td>

	<td class=\"line\">

		<b>Download</b>

	</td>

	<td class=\"line\">

		<b>Remove</b>

	</td>

	<td class=\"line\">

		<b>Preview</b>

	</td>

	</tr>\n";

	if(isset($dirs)&&count($dirs))

	{

		sort($dirs);

		$rdir=substr($curdir,0,-1);

		foreach($dirs as $dir)

		{

			if($dir=='.'||$dir=='..') continue;

			$cd=urlencode("$curdir$dir");

			echo "

			<tr>

			<td class=\"line fname\">

				<a href=\"./?cd=$cd\" class=\"dl\">$dir</a>

			</td>

			<td class=\"line\">

				&nbsp;

			</td>

			<td class=\"line\">

				$curdir

			</td>

			<td class=\"line\">

				&nbsp;

			</td>

			<td class=\"line\">

				<a href=\"./?rm=".urlencode($dir)."&cd=$rdir\" class=\"rm\" onClick=\"return check()\">remove</a>

			</td>

			<td class=\"line\">

				<a href=\"./?cd=$cd\"><img src=\"./resize.php?f=dir&ext=dir\"></a>

			</td>

			</tr>\n";

			

		}

	}

	if(isset($files)&&count($files))

	{

		sort($dirs);

		$rdir=substr($curdir,0,-1);

		foreach($files as $file)

		{

			$ext=split("\.",$file);

			$ext=strtolower($ext[count($ext)-1]);

			$ffile=urlencode($curdir.$file);

				echo "

				<tr>

				<td class=\"line fname\">

					$file

				</td>

				<td class=\"line\">

					".number_format(filesize($curdir.$file),0,"."," ")."

				</td>

				<td class=\"line\">

					$curdir

				</td>

				<td class=\"line\">

					<a href=\"./dl.php?f=$ffile\" class=\"dl\">download</a>

				</td>

				<td class=\"line\">

					<a href=\"./?rm=".urldecode($file)."&cd=$rdir\" class=\"rm\" onClick=\"return check()\">remove</a>

				</td>

				<td class=\"line\">

					<a href=\"./dl.php?f=$ffile\"><img src=\"./resize.php?f=$ffile&ext=$ext\"></a>

				</td>

				</tr>\n";

		}

	}

	echo '

	</table>';

}

echo '

</div>

</body>

</html>

';

?>


0
 

Author Comment

by:fackz
ID: 21833664
Well, as I told you before this is not my code, and I'm a real beginner with PHP things. My boss just gave me this code and asked for this change.

Thank you for your effort and patience...I'm gonna increase the points for this.

We don't need to use this validation code, we can use anything easier...I just wanna disable the access without pass into the file viewer.
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833680
try what I just posted.
0
 

Author Comment

by:fackz
ID: 21833711
I got this:

Fatal error: Out of memory (allocated 49020928) (tried to allocate 77824 bytes) in /home/fackz/public_html/fileview/auth.php on line 173
0
 
LVL 17

Expert Comment

by:nplib
ID: 21833732
there is no line 173 in the auth.php

the page I just posted was an update to your index.php
0
 

Author Comment

by:fackz
ID: 21833746
sorry..my fault...let me try again
0
 

Author Comment

by:fackz
ID: 21833764
hey, we are almost there. look:

http://www.kbytes.com.br/fileview/

I just need to show an error message instead of a blank page!

niceeeeeee
0
 
LVL 17

Accepted Solution

by:
nplib earned 325 total points
ID: 21833798
this is an update to auth.php

although this should solve your problem, I would recommend investing some time into learning classes and functions, it will save you time and effort in the future.
<?php
session_start();
include "config.php";

function req_auth()
{
print '
<html>
<head>
<title>Authentication</title>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251" />
<meta http-equiv="cache-control" content="no-cache">
<style>
body {text-align: center;}
td {font-weight: bold;}
div
{
    width: 250px;
    margin: 15% auto auto;
}
</style>
</head>
<body onload="javascript:document.getElementById(\'ilogin\').focus()">
<div>
<form name="auth" method="post" action="'.$_SERVER['SCRIPT_NAME'].'">
    <table>
        <tr>
            <td>Login:</td><td><input id="ilogin" type="text" name="user"/></td>
        </tr>
        <tr>
            <td>Password:</td><td><nobr><input type="password" name="pass"/> <input type="submit" value="login"></nobr></td>
        </tr>
    </table>
</form>
</div>
</body>
';
}

if((isset($_POST['user'])) && (isset($_POST['pass'])))
{
    if(($_POST['user']==$conf['user']) && ($_POST['pass']==$conf['pass']))
    {
        $_SESSION['auth']=1;
    }
    else
    {
        echo '<font size="3" color="#ff0000">Invalid Password</font>';
    }
    for($i=0;$i<count($conf['users']);$i++)
    {
        if(($_POST['user']==$conf['users'][$i][0]) && ($_POST['pass']==$conf['users'][$i][1]))
        {
            if(strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false)
            {
                req_auth();
            }
            $conf['userid']=$i;
            $_SESSION['user_auth']=1;
        }
        else
        {
            echo '<font size="3" color="#ff0000">Invalid Password</font>';
        }
    }
}
else
{
    if(((!$_SESSION['auth']) && (!$_SESSION['user_auth'])) || (($_SESSION['user_auth']) && (strpos($_SERVER['SCRIPT_NAME'],'upload.php')===false) && (!$_SESSION['auth'])))
    {
        req_auth();
    }
}
?>


0
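A fail-closed version of the auth.php gate discussed in this thread, as an added example that is not code from any poster: a failed POST and a missing session flag both end in req_auth(), which calls exit() so the including page never renders under the form. It covers only the single admin account; `$conf['pass_hash']` (a password_hash() value stored in config.php), `check_login()` and the `$error` parameter are assumptions that do not appear in the original files.

```php
<?php
// auth.php gate (added example, not the thread's code).
// Include it first in every protected page.
// Assumed config.php layout (hypothetical key): $conf['user'] is the admin
// name and $conf['pass_hash'] is a hash produced by password_hash().
session_start();
include "config.php";

// Print the login form with an optional error message, then END the request.
// Without exit() the including page keeps running and renders below the form.
function req_auth($error = '')
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES);
    $msg = $error === ''
        ? ''
        : '<p style="color:#ff0000">' . htmlspecialchars($error, ENT_QUOTES) . '</p>';
    print '<html><head><title>Authentication</title></head><body>'
        . $msg
        . '<form name="auth" method="post" action="' . $action . '">'
        . 'Login: <input id="ilogin" type="text" name="user"/> '
        . 'Password: <input type="password" name="pass"/> '
        . '<input type="submit" value="login">'
        . '</form></body></html>';
    exit();
}

// True only when both submitted values match the configured admin account.
function check_login($conf, $user, $pass)
{
    if (!is_string($user) || !is_string($pass)) {
        return false;                 // rejects array input such as user[]=x
    }
    $user_ok = hash_equals((string)$conf['user'], $user);
    $pass_ok = password_verify($pass, (string)$conf['pass_hash']);
    return $user_ok && $pass_ok;
}

if (isset($_POST['user']) && isset($_POST['pass'])) {
    if (!check_login($conf, $_POST['user'], $_POST['pass'])) {
        unset($_SESSION['auth']);     // a failed attempt never keeps a login flag
        req_auth('Invalid password');
    }
    session_regenerate_id(true);      // fresh session id after a successful login
    $_SESSION['auth'] = 1;
}

// Fail closed: every request, POST or not, needs the flag to get past this line.
if (empty($_SESSION['auth'])) {
    req_auth();
}
?>
```

Because the gate exits inside auth.php, nothing in the including page runs for an unauthenticated request, including the `rm` handling that index.php performs before its own session test.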
 

Author Comment

by:fackz
ID: 21833879
it worked! thank you very much for your advice and your help
enjoy the points!
0
 

Author Closing Comment

by:fackz
ID: 31469066
thank you again
0
