bobby101
asked on
XML PHP LOGIN
hi im doing a login but not wrking for some reason
code:
$error = false;
if(isset($_POST['login'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$file = "files/staff.xml";
$xml = simplexml_load_file($file) or die ("Unable to Load File");
$pass = $xml->employee->staff->pas sword;
$user = $xml->employee->staff->use rname;
if($password == $pass && $userword == $user){
session_start();
$_SESSION['username'] = $username;
header('Location: index.php');
die;
}
$error = true;
}
?>
xml code:
<employee>
<staff>
<username>bob</username>
<password>abc</password>
</staff>
<staff>
<username>joe</username>
<password>123</password>
</staff>
</emplyee>
code:
$error = false;
if(isset($_POST['login']))
$username = $_POST['username'];
$password = $_POST['password'];
$file = "files/staff.xml";
$xml = simplexml_load_file($file)
$pass = $xml->employee->staff->pas
$user = $xml->employee->staff->use
if($password == $pass && $userword == $user){
session_start();
$_SESSION['username'] = $username;
header('Location: index.php');
die;
}
$error = true;
}
?>
xml code:
<employee>
<staff>
<username>bob</username>
<password>abc</password>
</staff>
<staff>
<username>joe</username>
<password>123</password>
</staff>
</emplyee>
ASKER
this is just a for learning purpose i have a folder with a .htaccess but im more about learning on how to use xml with php simpleXML
Thank goodness!
Can you post the form? Where does this if(isset($_POST['login'])) { come from?
Can you post the form? Where does this if(isset($_POST['login']))
ASKER
<html>
<head>
<title>Login</title>
</head>
<body>
<h1>Login</h1>
<form method="post" action="">
<p>Username <input type="text" name="username" size="20" /></p>
<p>Password <input type="password" name="password" size="20" /></p>
<?php
if($error){
echo '<p>Invalid username and/or password</p>';
}
?>
<p><input type="submit" value="Login" name="login" /></p>
</form>
</body>
</html>
I would suggest:
if ($_SERVER["REQUEST_METHOD" ]=="POST") {
rather than relying on the name of a submit button. (there's a good reason, I'll share later).
That being said, how is
$pass = $xml->employee->staff->pas sword;
$user = $xml->employee->staff->use rname;
supposed to iterate through the XML file to find the corresponding pair of fields? That should always pick the first pair and fail for all others.
if ($_SERVER["REQUEST_METHOD"
rather than relying on the name of a submit button. (there's a good reason, I'll share later).
That being said, how is
$pass = $xml->employee->staff->pas
$user = $xml->employee->staff->use
supposed to iterate through the XML file to find the corresponding pair of fields? That should always pick the first pair and fail for all others.
ASKER
yeah i am testing out the foreach loop now with $xml->children() as $test containing the if statement
Yes, that is the correct approach. You need to loop through the file, but that's very expensive in terms of processing time.
Also, (again I'm trying to be helpful not critical,) I suggest you add a separate name element:
<employee>
<staff>
<username>bob</username>
<password>abc</password>
<name>Bob Doe</name>
</staff>
<staff>
<username>joe</username>
<password>123</password>
<name>Joe Doe</name>
</staff>
</emplyee>
So you can do:
$name = $xml->employee->staff->nam e;
$_SESSION['name'] = $name;
$_SESSION["login"] = true;
Then you can echo the user's "name" to other pages as needed for personalization without revealing the username.
If the username is echoed on any other page, you run the risk of a brute force attack...and given the method in use, you can't accurately track the count of login attempts to lock an account or ban an IP.
Also, (again I'm trying to be helpful not critical,) I suggest you add a separate name element:
<employee>
<staff>
<username>bob</username>
<password>abc</password>
<name>Bob Doe</name>
</staff>
<staff>
<username>joe</username>
<password>123</password>
<name>Joe Doe</name>
</staff>
</emplyee>
So you can do:
$name = $xml->employee->staff->nam
$_SESSION['name'] = $name;
$_SESSION["login"] = true;
Then you can echo the user's "name" to other pages as needed for personalization without revealing the username.
If the username is echoed on any other page, you run the risk of a brute force attack...and given the method in use, you can't accurately track the count of login attempts to lock an account or ban an IP.
ASKER
i have no idea, first i want o see if ites wrking than refine code later
so far
so far
if(!$password == "" || !$username == ""){
foreach($xml->Children('username') as $user){
foreach($xml->Children('password') as $pass){
if($user->getName() == $username && $password == $pass){
session_start();
$_SESSION['username'] = $username;
header('Location: index.php');
die;
}
}
}
}
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
A++++ EXCELLENT and I understand THIS IS NO GOOD AS A AUTHENTICATION SYSTEM but seeing how xml works thank you!!!!
<security soapbox>
As to the name/username issue, it is nice to personalize pages, say Hello Bob, when a user is logged on, but as I said you don't want to reveal the username or password (duh) so you need a separate name or screen name element. Plus, since you didn't filter the input, a cross site scripting vulnerability will be childs play if you accidentally echo the username. (Say a debug line you forget to remove.)
Now about using the name of a submit button to check for a form post.
if(isset($_POST['login'])) {
doesn't really tell you anything. What is it set to? It should be "Login" according to your form, but you didn't check for the value being correct and if you did, you would use more code to check for that, than actually checking for a post;
if ($_SERVER["REQUEST_METHOD" ]=="POST") {
//whatever
}
If you are checking for a form post, check for "POST". That way there is no ambiguity in what your code is supposed to be doing. A lot of programmers, myself included, will do one thing if a page is loaded (METHOD="GET") to setup items before the form is written and you may need to distinguish between GET and POST.
I can use Tamper Data in Firefox to set login to whatever I want and your going to accept that as a form post. It may not be a post. Depends on what kind of trouble I'm trying to cause. Add that I can also bypass the size on your input fields, I can try "overloading" any field to see if I can open a hole in your web app. So at a minimum you would want to Trim your inputs before attempting any operation with them.
Yes, I'm paranoid, but read the Top 10 List and explain why it is the same darn vulnerabilities every year?
</security soapbox>
Good luck with your XML experiments.
Rod
As to the name/username issue, it is nice to personalize pages, say Hello Bob, when a user is logged on, but as I said you don't want to reveal the username or password (duh) so you need a separate name or screen name element. Plus, since you didn't filter the input, a cross site scripting vulnerability will be childs play if you accidentally echo the username. (Say a debug line you forget to remove.)
Now about using the name of a submit button to check for a form post.
if(isset($_POST['login']))
doesn't really tell you anything. What is it set to? It should be "Login" according to your form, but you didn't check for the value being correct and if you did, you would use more code to check for that, than actually checking for a post;
if ($_SERVER["REQUEST_METHOD"
//whatever
}
If you are checking for a form post, check for "POST". That way there is no ambiguity in what your code is supposed to be doing. A lot of programmers, myself included, will do one thing if a page is loaded (METHOD="GET") to setup items before the form is written and you may need to distinguish between GET and POST.
I can use Tamper Data in Firefox to set login to whatever I want and your going to accept that as a form post. It may not be a post. Depends on what kind of trouble I'm trying to cause. Add that I can also bypass the size on your input fields, I can try "overloading" any field to see if I can open a hole in your web app. So at a minimum you would want to Trim your inputs before attempting any operation with them.
Yes, I'm paranoid, but read the Top 10 List and explain why it is the same darn vulnerabilities every year?
</security soapbox>
Good luck with your XML experiments.
Rod
You have no security as the file must be world readable by the Internet user si it can be simply downloaded by any web user.
Is there some reason you can not employ a database, LDAP, Radius or NTFS?
MySQL is free and you can use the work of a dozen experts here and nearly plug and play a secure authentication method.
http://www.webloginproject.com/
http://code.google.com/p/loginsystem-rd/
In addition to using a file, you are not sanitizing user input and using plain text passwords instead of hashes. At a minimum you could download those files for a better idea of the approach to take.
Sorry to sound harsh but I'm not going to help fix something that is so fatally flawed. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Regards
Rod