XML PHP LOGIN

hi im doing a login but not wrking for some reason
code:
$error = false;
if(isset($_POST['login'])){
      $username = $_POST['username'];
      $password = $_POST['password'];
      $file = "files/staff.xml";
            $xml = simplexml_load_file($file) or die ("Unable to Load File");
            $pass = $xml->employee->staff->password;
            $user = $xml->employee->staff->username;
                  if($password == $pass && $userword == $user){
                        session_start();
                        $_SESSION['username'] = $username;
                        header('Location: index.php');
                        die;
                  }
$error = true;
}
?>

xml code:
<employee>
      <staff>
            <username>bob</username>
            <password>abc</password>
      </staff>      
      <staff>
            <username>joe</username>
            <password>123</password>
      </staff>
</emplyee>
LVL 4
bobby101Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rdivilbissCommented:
If you are going to authenticate against a file, you might as well authenticate using Basic HTTP Authentication.

You have no security as the file must be world readable by the Internet user si it can be simply downloaded by any web user.

Is there some reason you can not employ a database, LDAP, Radius or NTFS?

MySQL is free and you can use the work of a dozen experts here and nearly plug and play a secure authentication method.

http://www.webloginproject.com/
http://code.google.com/p/loginsystem-rd/

In addition to using a file, you are not sanitizing user input and using plain text passwords instead of hashes. At a minimum you could download those files for a better idea of the approach to take.

Sorry to sound harsh but I'm not going to help fix something that is so fatally flawed.  http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Regards
Rod
0
bobby101Author Commented:
this is just a for learning purpose i have a folder with a .htaccess but im more about learning on how to use xml with php simpleXML
0
rdivilbissCommented:
Thank goodness!

Can you post the form?  Where does this if(isset($_POST['login'])){ come from?

0
OWASP: Forgery and Phishing

Learn the techniques to avoid forgery and phishing attacks and the types of attacks an application or network may face.

bobby101Author Commented:

<html>
<head>
	<title>Login</title>
</head>
<body>
	<h1>Login</h1>
	<form method="post" action="">
		<p>Username <input type="text" name="username" size="20" /></p>
		<p>Password <input type="password" name="password" size="20" /></p>
		<?php
		if($error){
			echo '<p>Invalid username and/or password</p>';
		}
		?>
		<p><input type="submit" value="Login" name="login" /></p>
	</form>
	</body>
</html>

Open in new window

0
rdivilbissCommented:
I would suggest:

if ($_SERVER["REQUEST_METHOD"]=="POST") {

rather than relying on the name of a submit button. (there's a good reason, I'll share later).

That being said, how is

$pass = $xml->employee->staff->password;
$user = $xml->employee->staff->username;

supposed to iterate through the XML file to find the corresponding pair of fields? That should always pick the first pair and fail for all others.
0
bobby101Author Commented:
yeah i am testing out the foreach loop now with $xml->children() as $test containing the if statement
0
rdivilbissCommented:
Yes, that is the correct approach.  You need to loop through the file, but that's very expensive in terms of processing time.

Also, (again I'm trying to be helpful not critical,) I suggest you add a separate name element:

<employee>
      <staff>
            <username>bob</username>
            <password>abc</password>
            <name>Bob Doe</name>
      </staff>      
      <staff>
            <username>joe</username>
            <password>123</password>
            <name>Joe Doe</name>
      </staff>
</emplyee>

So you can do:

$name = $xml->employee->staff->name;
$_SESSION['name'] = $name;
$_SESSION["login"] = true;

Then you can echo the user's "name" to other pages as needed for personalization without revealing the username.  

If the username is echoed on any other page, you run the risk of a brute force attack...and given the method in use, you can't accurately track the count of login attempts to lock an account or ban an IP.
0
bobby101Author Commented:
i have no idea, first i want o see if ites wrking than refine code later
so far

if(!$password == "" || !$username == ""){
				foreach($xml->Children('username') as $user){	
					foreach($xml->Children('password') as $pass){
					if($user->getName() == $username && $password == $pass){
						session_start();
						$_SESSION['username'] = $username;
						header('Location: index.php');
						die;
					}
					}
				}
				
			}

Open in new window

0
rdivilbissCommented:
Try this:

Mind you THIS IS NO GOOD AS A AUTHENTICATION SYSTEM! <smile>

I changed $error to a string as it is more efficient this way.

Regards,
Rod

<?PHP
$error = "";

if ($_SERVER["REQUEST_METHOD"]=="POST") {
	$username = $_POST['username'];
	$password = $_POST['password'];
	$file = "staff.xml";
	
	$xml = simplexml_load_file($file) or die ("Unable to Load File");

	foreach($xml->Children() as $employee){
		$user = $employee->username;
		if ($user==$username) {
			$pass = $employee->password;
			if ($pass==$password) {
				session_start();
				$_SESSION["username"]=$username;
				break;
			}
		}
	}
	if (isset($_SESSION["username"])) {
		header('Location: index.php');
		die;
	}else{
		$error = "<p>Invalid username and/or password</p>";
	}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="author" content="Roderick Divilbiss">
<title>Login</title>
</head>

<body>
<?PHP echo $error ?>
<form method="post" action="readXML.php">
<p>Username <input type="text" name="username" size="20" /><br />
Password <input type="password" name="password" size="20" /><br />
<input type="submit" value="Login" name="login" /></p>
</form>
</body>

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bobby101Author Commented:
A++++ EXCELLENT and I understand THIS IS NO GOOD AS A AUTHENTICATION SYSTEM but seeing how xml works thank you!!!!
0
rdivilbissCommented:
<security soapbox>

As to the name/username issue, it is nice to personalize pages, say Hello Bob, when a user is logged on, but as I said you don't want to reveal the username or password (duh) so you need a separate name or screen name element. Plus, since you didn't filter the input, a cross site scripting vulnerability will be childs play if you accidentally echo the username.  (Say a debug line you forget to remove.)

Now about using the name of a submit button to check for a form post.

if(isset($_POST['login'])){

doesn't really tell you anything.  What is it set to? It should be "Login" according to your form, but you didn't check for the value being correct and if you did, you would use more code to check for that, than actually checking for a post;

if ($_SERVER["REQUEST_METHOD"]=="POST") {
    //whatever
}

If you are checking for a form post, check for "POST".  That way there is no ambiguity in what your code is supposed to be doing.  A lot of programmers, myself included, will do one thing if a page is loaded (METHOD="GET") to setup items before the form is written and you may need to distinguish between GET and POST.

I can use Tamper Data in Firefox to set login to whatever I want and your going to accept that as a form post.  It may not be a post.  Depends on what kind of trouble I'm trying to cause.  Add that I can also bypass the size on your input fields, I can try "overloading" any field to see if I can open a hole in your web app.  So at a minimum you would want to Trim your inputs before attempting any operation with them.  

Yes, I'm paranoid, but read the Top 10 List and explain why it is the same darn vulnerabilities every year?

</security soapbox>

Good luck with your XML experiments.

Rod
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.