User Account Login tutorial - any username and password work

Posted: Sun Nov 06, 2011 8:21 pm
by kgdd
Issue:

I tested a few different password and username combinations to ensure the login system only allowed the correct combination to work, and I found that no matter what combination I use, it logs me in even if that information is not in the DB! Here is my code for users.inc.php and login.php:
<?php

// checks if  the given username exists in the table
function user_exists($user){

$user = mysql_real_escape_string($user);

$total = mysql_query("SELECT COUNT(`user_id`) FROM `blogusers` WHERE `user_name` = '{$user}'");

return (mysql_result($total, 0) == '1') ? true : false;
}

// checks if the given username and password combo is valid
function valid_credentials($user, $pass){

$user = mysql_real_escape_string($user);

$pass = sha1($pass);

$total = mysql_query("SELECT COUNT(`user_id`) FROM `blogusers` WHERE `user_name` = '{$user}' AND `user_password` = '{$pass}'");

return (mysql_result($total, 0) == '1') ? true : false;

}

// adds a user to the database
function add_user($user, $pass){

$user = mysql_real_escape_string(htmlentities($user));

$pass = sha1($pass);

mysql_query("INSERT INTO `blogusers` (`user_name`, `user_password`) VALUES ('{$user}', '{$pass}') ");

}

?>
<?php

include('core/init.inc.php');

$errors = array();

if (isset($_POST['username'], $_POST['password'])){
if (empty($_POST['username'])){
$errors[] = 'The username cannot be empty';
}

if (empty($_POST['password'])){
$errors[] = 'The password cannot be empty';
}

if (valid_credentials($_POST['username'], $_POST['password'] === false)){
$errors[] = 'Username / Password is Incorrect';
}
if (empty($errors)){
// log in
$_SESSION['username'] = htmlentities($_POST['username']);

header('Location: index.php');
die();
}
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Blog Login</title>
</head>

<body>

<form action="" method="post">
<label for="username">Username:</label>
<input type="text" name="username" id="username" value="<?php if (isset($_POST['username'])) echo htmlentities($_POST['username']); ?>"/><BR /><BR />
<label for="password">Password:</label>
<input type="password" name="password" id="password"/><BR /><BR />
<input type="submit" value="login"/>
</form>

<div>

<?php

if (empty($errors) === false){
?>
<ul>
<?php
foreach ($errors as $error){
echo "<li>{$error}</li>";
}
?>
</ul>
<?php
}else{

echo '';
}

?>
</div>
<p><a href="../index.php">Back to the blog</a></p>
</body>
</html>

Re: User Account Login tutorial - any username and password

Posted: Sun Nov 06, 2011 9:25 pm
by Temor
This could be it.
You're checking to see if $_POST['password'] is false as an argument for valid_credentials.

This
if (valid_credentials($_POST['username'], $_POST['password'] === false)){
$errors[] = 'Username / Password is Incorrect';
}
Should be this:
if (valid_credentials($_POST['username'], $_POST['password']) === false){
$errors[] = 'Username / Password is Incorrect';
}
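
The difference between the two checks, shown with an added example that is not from the thread: valid_credentials() is replaced by a version that reads from a constructed in-memory user table instead of MySQL, so both forms of the if statement can be run side by side without a database.

```php
<?php
// Added example: demonstrates why the misplaced parenthesis lets every
// username/password combination through. The user table is constructed.
$users = array('alice' => sha1('s3cret'));

// Stand-in for the tutorial's valid_credentials(): same comparison, no DB.
function valid_credentials_demo(array $users, $user, $pass) {
    // sha1(false) is sha1(''): a boolean passed here silently becomes ''
    $pass = sha1($pass);
    return isset($users[$user]) && $users[$user] === $pass;
}

// Buggy form from login.php: "=== false" sits inside the argument list, so
// the function receives the boolean false as the password, and its own
// return value (false for any real user) becomes the if condition.
function buggy_login(array $users, $user, $pass) {
    $errors = array();
    if (valid_credentials_demo($users, $user, $pass === false)) {
        $errors[] = 'Username / Password is Incorrect';
    }
    return empty($errors); // true means the request would be logged in
}

// Corrected form: "=== false" applies to the function's return value.
function fixed_login(array $users, $user, $pass) {
    $errors = array();
    if (valid_credentials_demo($users, $user, $pass) === false) {
        $errors[] = 'Username / Password is Incorrect';
    }
    return empty($errors);
}

$attempts = array(
    array('alice',  's3cret'), // correct credentials
    array('alice',  'wrong'),  // wrong password
    array('nobody', 'x'),      // user not in the table
);
foreach ($attempts as $a) {
    printf("%-7s / %-7s  buggy=%-5s  fixed=%s\n", $a[0], $a[1],
        buggy_login($users, $a[0], $a[1]) ? 'login' : 'deny',
        fixed_login($users, $a[0], $a[1]) ? 'login' : 'deny');
}
```

With the buggy form all three attempts report "login", because the condition is only true when the stored hash happens to equal sha1(''); the corrected form admits only alice / s3cret.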

Re: User Account Login tutorial - any username and password

Posted: Sun Nov 06, 2011 9:31 pm
by kgdd
Temor, thanks for the fast response, but those look exactly the same? Your two answers, "This" and "Should be this", look identical.

Re: User Account Login tutorial - any username and password

Posted: Sun Nov 06, 2011 9:35 pm
by kgdd
My mistake!! Sorry these poor eyes haha. Thanks it worked perfectly!!

Re: User Account Login tutorial - any username and password

Posted: Sun Nov 06, 2011 10:10 pm
by Temor
kgdd wrote: My mistake!! Sorry these poor eyes haha. Thanks it worked perfectly!!
Easy to miss one parenthesis :)

Always happy to help!

Re: User Account Login tutorial - any username and password

Posted: Sun Nov 06, 2011 10:15 pm
by kgdd
You want to tackle another problem? Making a function and webpage for deleting users from the table?

Here's my users.php page:
<?php
include('core/init.inc.php');

$query="SELECT * FROM blogusers";
$result=mysql_query($query);

$num=mysql_numrows($result);

if (isset($_GET['action'])){
    if ($_GET['action'] == 'delete'){
        delete_user($_GET['userid']);
    }
}

?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Magicfish Manage Users</title>
</head>

<body>
<a href="index.php">Admin Home</a>

<div>
<table border="0" cellspacing="2" cellpadding="2">
<tr>
<th>Username</th>
<th>Profile</th>
<th>Actions</th>
</tr>

<?php
$i=0;
while ($i < $num) {

$username=mysql_result($result,$i,"user_name");
$password=mysql_result($result,$i,"user_password");
?>

<tr>
<td><?php echo $username; ?></td>
<td>Profile</td>
<td><a href="?action=delete&userid=<?php echo $username; ?>">Delete User</a></td>
</tr>

<?php
$i++;
}
?>

</div>

</body>
</html>
And here is the function:
// delete a user
function delete_user($userid){
    $username = $userid;
 
    mysql_query("DELETE FROM `blogusers` WHERE `user_name` = {$username}");
}
Any thoughts why it isn't working?

Re: User Account Login tutorial - any username and password

Posted: Sun Nov 06, 2011 10:41 pm
by Temor
Are you getting any errors? What exactly isn't working? Is it not removing the user?

/Edit
DELETE FROM `blogusers` WHERE `user_name` = {$username}
{$username} should have semi-quotes around it ( ' ).

Like this:
DELETE FROM `blogusers` WHERE `user_name` = '{$username}'
I doubt that's what's causing your problem though.

Re: User Account Login tutorial - any username and password

Posted: Mon Nov 07, 2011 2:03 am
by kgdd
It "worked". I put that in quotes because I had to click the Delete User link twice before it actually deleted the user... any thoughts? Weird, I know.

Re: User Account Login tutorial - any username and password

Posted: Mon Nov 07, 2011 8:55 am
by Temor
kgdd wrote: It "worked". I put that in quotes because I had to click the Delete User link twice before it actually deleted the user... any thoughts? Weird, I know.
That is most likely caused by you outputting the name of the user before you actually run the logic to delete it from the database... It shows up, but it's been deleted.

You could try to run the logic for deletion before the output of the username and see if it helps.

I had the same problem myself a while back.... Switched a few lines around and voila!