SitePoint Sponsor

User Tag List

Results 1 to 1 of 1
  1. #1
    SitePoint Evangelist ucahg's Avatar
    Join Date
    Apr 2001
    Location
    Sarnia, Ontario, Canada
    Posts
    434
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    PHP, cookies, and user authentication.

    If I run the following script I created, I enter in my username and password, and then I see the login script again, in which no matter what I enter, I am logged in as long as the first username and password I entered has been verified. I realize that with cookies you have to refresh the page before they become active, but I have a header to reload the script. Can anybody please explain what I have done wrong in the script below? Thanks a million!

    PHP Code:
    <?php
    // admin_access.php

    if ($logout == "yes") {
      
    setcookie("sgf_logged_in[0]");
      
    setcookie("sgf_logged_in[1]");
      echo 
    "you have been logged out";
      exit;
    }

    /* Include the files needed for the script */
    include("db.php");

    /*
       set secret variable here, which
       is combined with other variables
       to make a hash.
    */
    $secret_hash_variable "############";

    /*
       if the login cookie doesn't exist,
       display the login page;  if the login
       page has been already submitted, verify
       the values and set the cookie, then
       proceed with the page.
    */
    if (!$HTTP_COOKIE_VARS['sgf_logged_in']) {
      if (
    $form != "Site Admin Login") {
        
    $maindatafile "login";
        include(
    "blue.template");
        exit;
      }
      else {
        
    mysql_connect('localhost');
        
    $verify_query "SELECT * FROM sgf.users WHERE username='$username' AND password=PASSWORD('$password');";
        
    $verify_result mysql_query($verify_query);
        if (
    mysql_num_rows($verify_result) == 0) {
          
    $maindatafile "login";
          
    $feedback "Invalid username/password combination. Please try again:";
          include(
    "blue.template");
          exit;
        }
        else {
          
    $query_results mysql_fetch_array($verify_result);
          
    $db_user_id $query_results['user_id'];
          
    $db_number_of_sessions $query_results['number_of_sessions'];

          
    $db_number_of_sessions++;
          
    $sessions_update_query "UPDATE sgf.users SET last_login = NULL, number_of_sessions = '$db1_number_of_sessions' WHERE user_id = '$db1_user_id';";
          
    mysql_query($sessions_update_query);
          
    $verify_query "SELECT * FROM sgf.users WHERE user_id='$login_cookie[0]';";
          
    $verify_result mysql_query($verify_query);

          
    $query_results mysql_fetch_array($verify_result);
          
    $db_first_name $query_results['first_name'];
          
    $db_last_name $query_results['last_name'];
          
    $db_email $query_results['email'];
          
    $db_username $query_results['usernane'];
          
    $db_password $query_results['password'];
          
    $db_last_login $query_results['last_login'];
          
    $db_number_of_sessions $query_results['number_of_sessions'];

          
    setcookie("sgf_logged_in[0]",$db_user_id);
          
    setcookie("sgf_logged_in[1]",md5($db_user_id.$db_first_name.$db_last_name.$db_email.$db_username.$db_password.$db_last_login.$db_number_of_sessions.$secret_hash_variable));
          
    header("Location: $PHP_SELF");
          exit;
        }
      }
    }
    else {
      
    $login_cookie $HTTP_COOKIE_VARS[sgf_logged_in];
      
    $verify_query "SELECT * FROM sgf.users WHERE user_id='$login_cookie[0]';";
      
    $verify_result mysql_query($verify_query);
      while (
    $query_results mysql_fetch_array($verify_result)) {
        
    $db_user_id $query_results['user_id'];
        
    $db_first_name $query_results['first_name'];
        
    $db_last_name $query_results['last_name'];
        
    $db_email $query_results['email'];
        
    $db_username $query_results['usernane'];
        
    $db_password $query_results['password'];
        
    $db_last_login $query_results['last_login'];
        
    $db_number_of_sessions $query_results['number_of_sessions'];
      }
      
    $hash md5($db_user_id.$db_first_name.$db_last_name.$db_email.$db_username.$db_password.$db_last_login.$db_number_of_sessions.$secret_hash_variable);
      if (
    $login_cookie[1] != $hash) {
        echo 
    "AAAUGH IT DID NOT WORK!<br>$login_cookie[0]$login_cookie[1]<br><br>$login_cookie[1]<br>$hash";
        exit;
      }
      else {
        
    //the page will continue.
        
    echo "It works!!!";
      }
    }
    ?>
    Last edited by ucahg; Jul 7, 2001 at 10:22.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •