LinuxQuestions.org
Old 01-18-2007, 02:15 PM   #1
ACDII
Member
 
Registered: Aug 2006
Posts: 87

Rep: Reputation: 16
PHP login script using mysql issue


I am stumped as I don't know how to see what the server is actually receiving when a query is sent to mysql. From mysql, I can run the query and get the results.

mysql> SELECT user_id, user_name FROM Users WHERE user_name='acd' AND password=SHA('mypassword');
+---------+-----------+
| user_id | user_name |
+---------+-----------+
|       2 | acd       |
+---------+-----------+
1 row in set (0.00 sec)

But when I enter the same username and password I get

The following error(s) occurred:
- The User name and password entered do not match those on file.
-

Query: SELECT user_id, user_name FROM Users WHERE user_name='' AND password=SHA('')

Please try again.

It appears that the inputted information is not getting sent to the server.

Here are the scripts.

PHP Code:
<?php # login.php
// Send NOTHING to the Web browser prior to the setcookie() lines!

// Check if the form has been submitted.
if (isset($_POST['submitted'])) {

    require_once ('/var/www/web2/PHP_Secure/mysql_connect.php'); // Connect to the db.

    $errors = array(); // Initialize error array.

    // Check for a user name.
    if (empty($_POST['user_name'])) {
        $errors[] = 'You forgot to enter your user name.';
    } else {
        $un = escape_data($_POST['user_name']);
    }

    // Check for a password.
    if (empty($_POST['password'])) {
        $errors[] = 'You forgot to enter your password.';
    } else {
        $p = escape_data($_POST['password']);
    }

    if (empty($errors)) { // If everything's OK.

        /* Retrieve the user_id and first_name for 
        that email/password combination. */
        $query = "SELECT user_id, user_name FROM Users WHERE user_name='$un' AND password=SHA('$p')";
        $result = @mysql_query ($query); // Run the query.
        $row = mysql_fetch_array ($result, MYSQL_NUM); // Return a record, if applicable.

        if ($row) { // A record was pulled from the database.

            // Set the cookies & redirect.
            setcookie ('user_id', $row[0]);
            setcookie ('user_name', $row[1]);

            // Redirect the user to the loggedin.php page.
            // Start defining the URL.
            $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
            // Check for a trailing slash.
            if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
                $url = substr ($url, 0, -1); // Chop off the slash.
            }
            // Add the page.
            $url .= '/loggedin.php';

            header("Location: $url");
            exit(); // Quit the script.

        } else { // No record matched the query.
            $errors[] = 'The User name and password entered do not match those on file.'; // Public message.
            $errors[] = mysql_error() . '<br /><br />Query: ' . $query; // Debugging message.
        }

    } // End of if (empty($errors)) IF.

    mysql_close(); // Close the database connection.

} else { // Form has not been submitted.

    $errors = NULL;

} // End of the main Submit conditional.

// Begin the page now.
$page_title = 'Login';
include ('./includes/header.html');

if (!empty($errors)) { // Print any error messages.
    echo '<h1 id="mainhead">Error!</h1>
    <p class="error">The following error(s) occurred:<br />';
    foreach ($errors as $msg) { // Print each error.
        echo " - $msg<br />\n";
    }
    echo '</p><p>Please try again.</p>';
}

// Create the form.
?>
<h2>Login</h2>
<form action="login.php" method="post">
    <p>User Name: <input type="text" name="user_name" size="20" maxlength="40" /> </p>
    <p>Password: <input type="password" name="password" size="20" maxlength="20" /></p>
    <p><input type="submit" name="submit" value="Login" /></p>
    <input type="hidden" name="submitted" value="TRUE" />
</form>
<?php
include ('./includes/footer.html');
?>
And here is the mysqlconnect.

PHP Code:
<?php #Script 7.2 - mysql_connect.php

// This file contains the database access information to MySQL and selects the database.

// Set the database access information as constants. 
DEFINE ('DB_USER', 'admin');
DEFINE ('DB_PASSWORD', 'password');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'dbname');

// Make the connection
$dbc = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD) OR die ('Could not connect to MySQL: ' . mysql_error() );

// Select the database
@mysql_select_db (DB_NAME) OR die ('Could not select the database: ' . mysql_error());

// Create a function for escaping the data.
function escape_data ($data) {

    // Address Magic Quotes.
    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }

    // Check for mysql_real_escape_string() support.
    if (function_exists('mysql_real_escape_string')) {
        global $dbc; // Need the connection.
        $data = mysql_real_escape_string (trim($data), $dbc);
    } else {
        $data = mysql_escape_string (trim($data));
    }}

    // Return the escaped value.
    return $data;

?>

Last edited by ACDII; 01-19-2007 at 09:13 AM. Reason: Figured out the tags. :)
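
As an added illustration that is not part of the original post or thread: the same login check written with a bound-parameter query and a salted password hash instead of escaped strings and SHA(). The in-memory SQLite database (a stand-in for MySQL so the script runs offline), the password_hash column and the sample accounts are assumptions.

```php
<?php
// Stand-in database: in-memory SQLite via PDO; for MySQL only the DSN changes.
function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Users/user_id/user_name follow the thread; password_hash is assumed.
    $pdo->exec('CREATE TABLE Users (user_id INTEGER PRIMARY KEY,
                user_name TEXT UNIQUE, password_hash TEXT)');
    // Constructed sample accounts.
    $ins = $pdo->prepare('INSERT INTO Users (user_name, password_hash) VALUES (?, ?)');
    $ins->execute(['acd', password_hash('mypassword', PASSWORD_DEFAULT)]);
    $ins->execute(["o'brien", password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns ['user_id' => ..., 'user_name' => ...] on success, null otherwise.
function check_login(PDO $pdo, string $user, string $pass): ?array {
    $user = trim($user);
    if ($user === '' || $pass === '') {
        return null;
    }
    // Values are bound as parameters, never interpolated into the SQL text.
    $st = $pdo->prepare('SELECT user_id, user_name, password_hash
                         FROM Users WHERE user_name = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Same outcome for an unknown user and a wrong password.
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

$pdo = open_db();
$attempts = [['acd', 'mypassword'], ["o'brien", 's3cret'], ['acd', 'wrong'], ['', '']];
foreach ($attempts as [$u, $p]) {
    $row = check_login($pdo, $u, $p);
    if ($row === null) {
        // Detail goes to the server log; the browser gets a generic message,
        // not mysql_error() or the query text.
        error_log('login failed for user ' . json_encode($u));
        echo "Login failed.\n";
    } else {
        // In a web request, keep identity server-side instead of in cookies:
        // session_start(); session_regenerate_id(true); $_SESSION['user_id'] = ...
        echo "OK: user_id={$row['user_id']} user_name={$row['user_name']}\n";
    }
}
```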
 
Old 01-18-2007, 10:34 PM   #2
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282
Problem with your escape_data() function?

PS Please use code tags when posting code or formatting output

Last edited by Wim Sturkenboom; 01-18-2007 at 10:35 PM.
 
Old 01-19-2007, 08:42 AM   #3
ACDII
Member
 
Registered: Aug 2006
Posts: 87

Original Poster
Rep: Reputation: 16
I wanted to, but didn't have a clue on how to do it.

I think it is DB related, as a couple of other scripts I have that did work now don't work and put null data in the database.

Last edited by ACDII; 01-19-2007 at 09:13 AM.
 
Old 01-19-2007, 01:35 PM   #4
ACDII
Member
 
Registered: Aug 2006
Posts: 87

Original Poster
Rep: Reputation: 16
Fixed

I found the problem was in the mysql connect script. I rebuilt it and it works. I finally locked down all the PHP pages, but don't have a clue on how to protect the CGI scripts; if someone were to put domain/cgi-bin/viewvc, they have access to it.
 
Old 01-20-2007, 04:58 AM   #5
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282
The easiest way to protect is to use a tree like this:
Code:
start-directory
  |
  +--- www
  |
  +--- inc
  |
  +--- cgi
'www' is the (normal) document root where the visitor's pages are served from; anything that you don't want the visitors to see is OUTSIDE the www directory. Your webserver can access those files but the visitor can't.
 
  

