xisto Community
leiaah

Restricting Page Access Using Php (need Help)

The code below is supposed to restrict access to pages without a proper username and password. I've copied it word for word from a book I bought and I've tested it offline. I've already entered appropriate values in the database and nothing is wrong when I query. The problem is that when I enter a wrong combination of username and password nothing happens, when it should go back to index.html. Also, when I correctly enter the username and password, secretpage.php doesn't display anything. I'm guessing it has to do with the setcookie function in login.php or maybe the header functions. I'm currently lost; has anyone had a similar problem?

 

Index.html --> contains the form where the visitor logs in to access the pages. I don't think there's anything wrong with this code.

 

<html>
<body>
<form action="login.php" method="post">
<table border="1" align="center">
	<tr>
	  <td>Username:</td>
	  <td><input type="text" name="username"></td>
	</tr>
	<tr>
	  <td>Password:</td>
	  <td><input type="password" name="password"></td>
	</tr>
	<tr>
	  <td colspan="2" align="right"><input type="Submit" value="Login"></td>
	</tr>
</table>
</form>
</body>
</html>

Login.php --> processes the form in index.html (The error might be from this file)

 

<?php
if((!$_POST[username]) || (!$_POST[password])){
	header('Location: index.html');
	exit;
}
$conn = mysql_connect("localhost","root","xxxx") or die(mysql_error());
mysql_select_db("samples",$conn) or die(mysql_error());
$sql = "select f_name,l_name from auth_users where username='$_POST[username]' AND password=password('$_POST[password]')";
$result = mysql_query($sql,$conn) or die(mysql_error());
if(mysql_num_rows($result) == 1){
	$f_name = mysql_result($result,0,'f_name');
	$l_name = mysql_result($result,0,'l_name');
	setcookie("auth","1",0,"/","yourdomain.com",0); //IS THE ERROR HERE?
	$display_block = "<p>$f_name $l_name is authorized!</p>
	<p>Authorized User's Menu:
	<ul>
	<li><a href=\"secretpage.php\">secret page</a>
	</ul>";
}else {
	header('Location: index.html');
	exit;
}
?>
<html>
<body>
<? echo "$display_block"; ?>
</body>
</html>

secretpage.php --> page that is accessed when the visitor enters the correct username and password

 

<?php
if($_COOKIE[auth] == "1"){
	$display_block = "<p>You are an authorized user.</p>";
}else{
	header('Location: index.html');
	exit;
}
?>
<html>
<body>
	echo $display_block;
</body>
</html>


not 100% sure if this is just a preference thing or if it actually makes a difference, but the line "if((!$_POST[username]) || (!$_POST[password]))" looks wrong, it doesn't have a validator (if value <validator> check); try using

if (isset($_POST['username'])==0 || isset($_POST['password'])==0) {


<?php
if($_COOKIE[auth] == "1"){
	$display_block = "<p>You are an authorized user.</p>";
}else{
	header('Location: index.html');
	exit;
}
?>
<html>
<body>
	echo $display_block;
</body>
</html>



Umm, if I'm not wrong... it should be

 

<?php echo $display_block; ?>

because you ended the php code up there before the html segment starts...


Umm, if I'm not wrong... it should be

 

<?php echo $display_block; ?>

because you ended the php code up there before the html segment starts...



Oops! Sorry about that. I've changed it already, but still nothing. In secretpage.php the IF condition doesn't get satisfied, yet it doesn't perform the operations in ELSE either. So I think what's wrong is in here or in the cookie.

 

<?php
if($_COOKIE[auth] == "1"){
	$display_block = "<p>You are an authorized user.</p>";
}else{
	header('Location: index.html');
	exit;
}
?>

setcookie("auth","1",0,"/","yourdomain.com",0);
"auth" = name of cookie
"1" = value of cookie
0 = expiration of cookie.. <-- I don't work much with cookies but perhaps if you set that to time()+3600 (expire in 6 hours time) it might work?


Just for the record, cookies are very, very easy to forge. All someone would need to do is alter an HTTP request to set the cookie element 'auth' to '1', and they would be considered an authorized user. What I would recommend is generating unique session IDs for each user and storing them in a database, so you can actually check that each user is authorised to view that particular part of your site. And you should never, ever directly pass unsanitized user-entered data to a MySQL query, as this is also very easy for the user to manipulate.

Also, 3,600 seconds is one hour, not six. Unix timestamps are in seconds (the number of seconds passed since the first second of the first hour of the first day of 1970 - i.e. 00:00:00 01/01/70 - to be more specific), and the time() function returns such a timestamp - so adding any number to it is adding it in seconds. Other than that, Chameleon is on the right track. A cookie cannot be given an infinite life (although it can be marked as not expiring for many years, which is close enough to forever), so setting it to '0' will cause it to expire the second it is set. I also hope you aren't literally using "yourdomain.com" as the domain which has access to the cookie.

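Both of Spectre's points, a server-side session instead of a client-writable cookie and no raw POST data inside the SQL string, applied to a rebuilt login.php. This is an added example, not code from the thread or from the book leiaah copied; it assumes an auth_users table with an id column and a password_hash column holding PHP password_hash() output (the thread's table stores MySQL PASSWORD() values instead), and the connection credentials are placeholders.

```php
<?php
// Added example (not from the thread): login.php rebuilt around a PHP session and a
// PDO prepared statement. ASSUMED schema: auth_users(id, username, password_hash,
// f_name, l_name), with password_hash holding the output of PHP's password_hash().
session_start();

// Validate the form fields explicitly. isset() alone accepts a blank field, and
// empty() would wrongly reject the legitimate password "0".
$username = isset($_POST['username']) ? trim((string) $_POST['username']) : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';
if ($username === '' || $password === '') {
    header('Location: index.html');
    exit;
}

// Placeholder credentials: a least-privilege application account rather than root,
// and in a real deployment read from configuration instead of the script.
$pdo = new PDO('mysql:host=localhost;dbname=samples;charset=utf8mb4', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The username is a bound parameter, so quotes or comment markers typed into the
// form cannot change the query the way they could in the interpolated $sql string.
$stmt = $pdo->prepare('SELECT id, password_hash, f_name, l_name FROM auth_users WHERE username = ?');
$stmt->execute([$username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// One redirect for both "no such user" and "wrong password", so the response does
// not reveal which usernames exist.
if ($user === false || !password_verify($password, $user['password_hash'])) {
    header('Location: index.html');
    exit;
}

// Success: issue a fresh session id so an id planted before login gains nothing, and
// record the login server-side only. The browser holds an opaque id, not "auth=1".
session_regenerate_id(true);
$_SESSION['user_id'] = (int) $user['id'];
$_SESSION['name']    = $user['f_name'] . ' ' . $user['l_name'];

header('Location: secretpage.php');
exit;
```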

For extra security, you may wanna add this before connecting to the database:

$_POST['username'] = addslashes(trim($_POST['username']));
$_POST['password'] = addslashes(trim($_POST['password']));


I have a feeling the problem is around here:

}else {
	header('Location: index.html');
	exit;
You can't send a header if anything has already been sent to the browser or processed. Headers always have to be the first thing you do.

 

The domain of the cookie won't really matter a huge amount, and certainly wouldn't cause this script to fail. Spectre's concerns are right though. Someone could easily change the cookie so that they can get onto the system regardless.


if((!$_POST[username]) || (!$_POST[password]))

I believe there is something wrong with this code..

try this instead

if((!$_POST['username']) || (!$_POST['password']))

the reason is that username and password are actually strings.. which are the keys of the $_POST[] associative array...

if it still gives you problems, use the session_start() function of PHP, which is really the best way in your approach to this kind of problem, and it offers more secure protection too, since only the session ID is sent as a cookie, not the actual information. The sensitive information is instead saved in the server's memory...


anyway good luck...


Thanks for the help guys but I still get nothing. I've traced the code and I think the error is definitely in this line:

setcookie("auth","1",0,"/","yourdomain.com",0);
It's not set to 1 so it can't get here:
if($_COOKIE[auth] == "1"){
	$display_block = "<p>You are an authorized user.</p>";
}
If I don't get it right I'd be shifting to use sessions. B)


Try changing it to:

setcookie("auth","1",time()+3600,"/",".trap17.com");
As Chameleon more or less suggested. Although you could leave it as it is, you should probably change the domain name to whatever your domain name (or Xisto subdomain) is.

saga, that has already been mentioned by Chameleon, although both suggestions were incorrect. It should be:

if(!isset($_POST['username']) || !isset($_POST['password'])) {
The posted values are going to be strings, not boolean values. So checking if they equal 'false' or not will do little to help.

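For comparison with the thread's cookie-gated secretpage.php, the same page gated on a PHP session, as an added example rather than code from the thread. It assumes login.php has put the authenticated user's id in $_SESSION['user_id'] and a display name in $_SESSION['name']; the logout link and the ?action=logout handling are likewise additions.

```php
<?php
// Added example (not from the thread): secretpage.php gated on a server-side session
// instead of the forgeable auth=1 cookie. ASSUMED: login.php has stored the logged-in
// user's id in $_SESSION['user_id'] and a display name in $_SESSION['name'].

// Harden the session cookie itself (PHP 7.3+ array form). The same call must precede
// session_start() in every script, or the cookie attributes will differ between pages.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable by page scripts
    'samesite' => 'Lax',
]);
session_start();

// Logout (an addition): clear server-side state, expire the cookie, then leave.
if (isset($_GET['action']) && $_GET['action'] === 'logout') {
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');  // an expiry in the past removes it
    session_destroy();
    header('Location: index.html');
    exit;
}

// The gate. Only the server writes $_SESSION, so a visitor cannot mint "authorized"
// state by editing a cookie; all they hold is an opaque session id.
if (empty($_SESSION['user_id'])) {
    header('Location: index.html');   // header() must run before any output
    exit;
}

// Output happens only after the gate, inside PHP tags, and is HTML-escaped.
$name = htmlspecialchars($_SESSION['name'] ?? 'user', ENT_QUOTES, 'UTF-8');
?>
<html>
<body>
  <p>You are an authorized user, <?php echo $name; ?>.</p>
  <p><a href="secretpage.php?action=logout">Log out</a></p>
</body>
</html>
```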
