  1. #1
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    318

    Logging in Problems

    Using Kevin Yank's tutorial at http://www.sitepoint.com/article/use...sessions-mysql
    I am using the following code for authentication.
    The signup process is fine, and the email containing the password is also sent.
    However, with the login details I am not able to sign in and access the page.

    PHP Code:
    <?php // signup.php

    include("common.php");
    include("db.php");

    if (!isset($_POST['submitok'])):
        // Display the user signup form
    ?>
    <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
      <title> New User Registration </title>
      <meta http-equiv="Content-Type"
        content="text/html; charset=iso-8859-1" />
    </head>
    <body>

    <h3>New User Registration Form</h3>
    <p><font color="orangered" size="+1"><tt><b>*</b></tt></font>
       indicates a required field</p>
    <form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    <table border="0" cellpadding="0" cellspacing="5">
        <tr>
            <td align="right">
                <p>User ID</p>
            </td>
            <td>
                <input name="newid" type="text" maxlength="100" size="25" />
                <font color="orangered" size="+1"><tt><b>*</b></tt></font>
            </td>
        </tr>
        <tr>
            <td align="right">
                <p>Full Name</p>
            </td>
            <td>
                <input name="newname" type="text" maxlength="100" size="25" />
                <font color="orangered" size="+1"><tt><b>*</b></tt></font>
            </td>
        </tr>
        <tr>
            <td align="right">
                <p>E-Mail Address</p>
            </td>
            <td>
                <input name="newemail" type="text" maxlength="100" size="25" />
                <font color="orangered" size="+1"><tt><b>*</b></tt></font>
            </td>
        </tr>
        <tr valign="top">
            <td align="right">
                <p>Other Notes</p>
            </td>
            <td>
                <textarea wrap="soft" name="newnotes" rows="5" cols="30"></textarea>
            </td>
        </tr>
        <tr>
            <td align="right" colspan="2">
                <hr noshade="noshade" />
                <input type="reset" value="Reset Form" />
                <input type="submit" name="submitok" value="   OK   " />
            </td>
        </tr>
    </table>
    </form>

    </body>
    </html>

    <?php
    else:
        // Process signup submission
        dbConnect('db');

        if ($_POST['newid']=='' or $_POST['newname']==''
          or $_POST['newemail']=='') {
            error('One or more required fields were left blank.\\n'.
                  'Please fill them in and try again.');
        }

        // Check for existing user with the new id
        $sql = "SELECT COUNT(*) FROM user WHERE userid = '$_POST[newid]'";
        $result = mysql_query($sql);
        if (!$result) {
            error('A database error occurred in processing your '.
                  'submission.\\nIf this error persists, please '.
                  'contact admin');
        }
        if (mysql_result($result,0,0)>0) {
            error('A user already exists with your chosen userid.\\n'.
                  'Please try another.');
        }

        // Generate the initial password that is emailed to the user
        $newpass = substr(md5(time()),0,6);

        $sql = "INSERT INTO user SET
                  userid = '$_POST[newid]',
                  password = PASSWORD('$newpass'),
                  fullname = '$_POST[newname]',
                  email = '$_POST[newemail]',
                  notes = '$_POST[newnotes]'";
        if (!mysql_query($sql))
            error('A database error occurred in processing your '.
                  'submission.\\nIf this error persists, please '.
                  'contact admin.\\n' . mysql_error());

        // Email the new password to the person.
        $message = "G'Day!

    Your personal account for the Project Web Site
    has been created! To log in, proceed to the
    following address:

        http://mysite.com/

    Your personal login ID and password are as
    follows:

        userid: $_POST[newid]
        password: $newpass

    You aren't stuck with this password! You can
    change it at any time after you have logged in.

    If you have any problems, feel free to contact me at
    <email@email.com>.

    -Name
     http://mysite.com
    ";

        mail($_POST['newemail'],"Your Password for the Project Website",
             $message, "From:Your Name <admin>");

    ?>
        <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
          "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
        <html xmlns="http://www.w3.org/1999/xhtml">
        <head>
          <title> Registration Complete </title>
          <meta http-equiv="Content-Type"
            content="text/html; charset=iso-8859-1" />
        </head>
        <body>
        <p><strong>User registration successful!</strong></p>
        <p>Your userid and password have been emailed to
           <strong><?=$_POST['newemail']?></strong>, the email address
           you just provided in your registration form. To log in,
           click <a href="index.php">here</a> to return to the login
           page, and enter your new personal userid and password.</p>
        </body>
        </html>
        <?php
    endif;
    ?>
    accesscontrol.php

    PHP Code:
    <?php // accesscontrol.php
    include_once 'common.php';
    include_once 'db.php';

    session_start();

    $uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
    $pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];

    if(!isset($uid)) {
      ?>
      <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title> Please Log In for Access </title>
        <meta http-equiv="Content-Type"
          content="text/html; charset=iso-8859-1" />
      </head>
      <body>
      <h1> Login Required </h1>
      <p>You must log in to access this area of the site. If you are
         not a registered user, <a href="signup.php">click here</a>
         to sign up for instant access!</p>
      <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
        User ID: <input type="text" name="uid" size="8" /><br />
        Password: <input type="password" name="pwd" SIZE="8" /><br />
        <input type="submit" value="Log in" />
      </form></p>
      </body>
      </html>
      <?php
      exit;
    }

    $_SESSION['uid'] = $uid;
    $_SESSION['pwd'] = $pwd;

    dbConnect("bodheorg_sqldb");
    $sql = "SELECT * FROM user WHERE
            userid = '$uid' AND password = PASSWORD('$pwd')";
    $result = mysql_query($sql);
    if (!$result) {
      error('A database error occurred while checking your '.
            'login details.\\nIf this error persists, please '.
            'contact admin');
    }

    if (mysql_num_rows($result) == 0) {
      unset($_SESSION['uid']);
      unset($_SESSION['pwd']);
      ?>
      <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title> Access Denied </title>
        <meta http-equiv="Content-Type"
          content="text/html; charset=iso-8859-1" />
      </head>
      <body>
      <h1> Access Denied </h1>
      <p>Your user ID or password is incorrect, or you are not a
         registered user on this site. To try logging in again, click
         <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
         access, click <a href="signup.php">here</a>.</p>
      </body>
      </html>
      <?php
      exit;
    }

    $username = mysql_result($result,0,'fullname');
    ?>

  2. #2
    SitePoint Addict
    Join Date
    Aug 2005
    Posts
    207
    What exactly is not working? I myself wouldn't use that code because it contains backwards logic and assumes too many things, which makes you do stuff that shouldn't be done until some measure of sanity is matched. In other words, just because variable A is defined or set does not mean variable B will also be set. So making a variable assignment based upon a totally different variable is bad by design. It's not to say that it will happen, but doing things like that can lead to bad coding habits being learned, to cross scripting and internal script access via incoming form data injection.
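
The point raised in the reply above (check each input on its own, and keep form data out of the SQL text), shown as an added example that is not part of the thread or of the tutorial's code. It assumes PHP 7.1+ with PDO and the pdo_sqlite driver; the in-memory SQLite database, the function names and the sample user are constructed stand-ins for the thread's MySQL `user` table.

```php
<?php
// Added example (not from the thread). Column names follow the posted
// code; an in-memory SQLite database stands in for MySQL (assumption).
declare(strict_types=1);

function demoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (userid TEXT PRIMARY KEY, password TEXT, fullname TEXT)');
    return $db;
}

// Signup side: random initial password from the CSPRNG, stored only as a hash.
function registerUser(PDO $db, string $userid, string $fullname): string {
    $newpass = bin2hex(random_bytes(6));
    $stmt = $db->prepare('INSERT INTO user (userid, password, fullname) VALUES (?, ?, ?)');
    $stmt->execute([$userid, password_hash($newpass, PASSWORD_DEFAULT), $fullname]);
    return $newpass; // emailed to the user; the database never sees it in clear
}

// Login side: each field is validated independently; neither is assumed
// to exist because the other one does.
function checkLogin(PDO $db, array $post): ?string {
    $uid = $post['uid'] ?? null;
    $pwd = $post['pwd'] ?? null;
    if (!is_string($uid) || $uid === '' || !is_string($pwd) || $pwd === '') {
        return null;
    }
    // Placeholders keep the submitted values out of the SQL text.
    $stmt = $db->prepare('SELECT password, fullname FROM user WHERE userid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pwd, $row['password'])) {
        return null;
    }
    return $row['fullname'];
}

$db   = demoDb();
$pass = registerUser($db, 'alice', 'Alice Example'); // constructed sample user
var_dump(checkLogin($db, ['uid' => 'alice', 'pwd' => $pass]));  // correct credentials
var_dump(checkLogin($db, ['uid' => 'alice']));                  // pwd field absent
var_dump(checkLogin($db, ['uid' => "al'ice", 'pwd' => $pass])); // quote is bound as data
```

On a successful login a page built this way would call `session_regenerate_id(true)` and keep only the user id in `$_SESSION`, not the password.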

  3. #3
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    318
    Quote Originally Posted by printf
    variable A is defined or set does not mean variable B will also be set. So making a variable assignment based upon a totally different variable is bad by design.
    Please explain what you mean by the above quote; I didn't get the meaning ...

    Secondly, I am aware of variable cleaning and validation and other security concerns and will implement them after the basic authentication is tested.

    Thirdly, is there any other recommended class or code for user authentication and registration? It's a very common and standard thing.

