XML PHP LOGIN

hi im doing a login but not wrking for some reason
code:
$error = false;
if(isset($_POST['login'])){
      $username = $_POST['username'];
      $password = $_POST['password'];
      $file = "files/staff.xml";
            $xml = simplexml_load_file($file) or die ("Unable to Load File");
            $pass = $xml->employee->staff->password;
            $user = $xml->employee->staff->username;
                  if($password == $pass && $userword == $user){
                        session_start();
                        $_SESSION['username'] = $username;
                        header('Location: index.php');
                        die;
                  }
$error = true;
}
?>

xml code:
<employee>
      <staff>
            <username>bob</username>
            <password>abc</password>
      </staff>      
      <staff>
            <username>joe</username>
            <password>123</password>
      </staff>
</emplyee>
LVL 4
bobby101Asked:
Who is Participating?
 
rdivilbissCommented:
Try this:

Mind you THIS IS NO GOOD AS A AUTHENTICATION SYSTEM! <smile>

I changed $error to a string as it is more efficient this way.

Regards,
Rod

<?PHP
$error = "";

if ($_SERVER["REQUEST_METHOD"]=="POST") {
	$username = $_POST['username'];
	$password = $_POST['password'];
	$file = "staff.xml";
	
	$xml = simplexml_load_file($file) or die ("Unable to Load File");

	foreach($xml->Children() as $employee){
		$user = $employee->username;
		if ($user==$username) {
			$pass = $employee->password;
			if ($pass==$password) {
				session_start();
				$_SESSION["username"]=$username;
				break;
			}
		}
	}
	if (isset($_SESSION["username"])) {
		header('Location: index.php');
		die;
	}else{
		$error = "<p>Invalid username and/or password</p>";
	}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="author" content="Roderick Divilbiss">
<title>Login</title>
</head>

<body>
<?PHP echo $error ?>
<form method="post" action="readXML.php">
<p>Username <input type="text" name="username" size="20" /><br />
Password <input type="password" name="password" size="20" /><br />
<input type="submit" value="Login" name="login" /></p>
</form>
</body>

Open in new window

0
 
rdivilbissCommented:
If you are going to authenticate against a file, you might as well authenticate using Basic HTTP Authentication.

You have no security as the file must be world readable by the Internet user si it can be simply downloaded by any web user.

Is there some reason you can not employ a database, LDAP, Radius or NTFS?

MySQL is free and you can use the work of a dozen experts here and nearly plug and play a secure authentication method.

http://www.webloginproject.com/
http://code.google.com/p/loginsystem-rd/

In addition to using a file, you are not sanitizing user input and using plain text passwords instead of hashes. At a minimum you could download those files for a better idea of the approach to take.

Sorry to sound harsh but I'm not going to help fix something that is so fatally flawed.  http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Regards
Rod
0
 
bobby101Author Commented:
this is just a for learning purpose i have a folder with a .htaccess but im more about learning on how to use xml with php simpleXML
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
rdivilbissCommented:
Thank goodness!

Can you post the form?  Where does this if(isset($_POST['login'])){ come from?

0
 
bobby101Author Commented:

<html>
<head>
	<title>Login</title>
</head>
<body>
	<h1>Login</h1>
	<form method="post" action="">
		<p>Username <input type="text" name="username" size="20" /></p>
		<p>Password <input type="password" name="password" size="20" /></p>
		<?php
		if($error){
			echo '<p>Invalid username and/or password</p>';
		}
		?>
		<p><input type="submit" value="Login" name="login" /></p>
	</form>
	</body>
</html>

Open in new window

0
 
rdivilbissCommented:
I would suggest:

if ($_SERVER["REQUEST_METHOD"]=="POST") {

rather than relying on the name of a submit button. (there's a good reason, I'll share later).

That being said, how is

$pass = $xml->employee->staff->password;
$user = $xml->employee->staff->username;

supposed to iterate through the XML file to find the corresponding pair of fields? That should always pick the first pair and fail for all others.
0
 
bobby101Author Commented:
yeah i am testing out the foreach loop now with $xml->children() as $test containing the if statement
0
 
rdivilbissCommented:
Yes, that is the correct approach.  You need to loop through the file, but that's very expensive in terms of processing time.

Also, (again I'm trying to be helpful not critical,) I suggest you add a separate name element:

<employee>
      <staff>
            <username>bob</username>
            <password>abc</password>
            <name>Bob Doe</name>
      </staff>      
      <staff>
            <username>joe</username>
            <password>123</password>
            <name>Joe Doe</name>
      </staff>
</emplyee>

So you can do:

$name = $xml->employee->staff->name;
$_SESSION['name'] = $name;
$_SESSION["login"] = true;

Then you can echo the user's "name" to other pages as needed for personalization without revealing the username.  

If the username is echoed on any other page, you run the risk of a brute force attack...and given the method in use, you can't accurately track the count of login attempts to lock an account or ban an IP.
0
 
bobby101Author Commented:
i have no idea, first i want o see if ites wrking than refine code later
so far

if(!$password == "" || !$username == ""){
				foreach($xml->Children('username') as $user){	
					foreach($xml->Children('password') as $pass){
					if($user->getName() == $username && $password == $pass){
						session_start();
						$_SESSION['username'] = $username;
						header('Location: index.php');
						die;
					}
					}
				}
				
			}

Open in new window

0
 
bobby101Author Commented:
A++++ EXCELLENT and I understand THIS IS NO GOOD AS A AUTHENTICATION SYSTEM but seeing how xml works thank you!!!!
0
 
rdivilbissCommented:
<security soapbox>

As to the name/username issue, it is nice to personalize pages, say Hello Bob, when a user is logged on, but as I said you don't want to reveal the username or password (duh) so you need a separate name or screen name element. Plus, since you didn't filter the input, a cross site scripting vulnerability will be childs play if you accidentally echo the username.  (Say a debug line you forget to remove.)

Now about using the name of a submit button to check for a form post.

if(isset($_POST['login'])){

doesn't really tell you anything.  What is it set to? It should be "Login" according to your form, but you didn't check for the value being correct and if you did, you would use more code to check for that, than actually checking for a post;

if ($_SERVER["REQUEST_METHOD"]=="POST") {
    //whatever
}

If you are checking for a form post, check for "POST".  That way there is no ambiguity in what your code is supposed to be doing.  A lot of programmers, myself included, will do one thing if a page is loaded (METHOD="GET") to setup items before the form is written and you may need to distinguish between GET and POST.

I can use Tamper Data in Firefox to set login to whatever I want and your going to accept that as a form post.  It may not be a post.  Depends on what kind of trouble I'm trying to cause.  Add that I can also bypass the size on your input fields, I can try "overloading" any field to see if I can open a hole in your web app.  So at a minimum you would want to Trim your inputs before attempting any operation with them.  

Yes, I'm paranoid, but read the Top 10 List and explain why it is the same darn vulnerabilities every year?

</security soapbox>

Good luck with your XML experiments.

Rod
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.