404 Not Found error on Login Page

Hi
I am trying to execute the login form. The code is given below:

<?php
  require_once('header.php');
  $error = $user = $pass = "";

  if (isset($_POST['userlogin']))
  {
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    if ($user == "" || $pass == "") {

      echo '<div class="alert alert-danger" role="alert">Not all fields were entered.</div>';
      echo $login_form;

    } else {

      $result = queryMySQL("SELECT username, CONCAT_WS('', firstname, ' ', lastname) as uname, is_admin FROM users
        WHERE username='$user' AND password='$pass' AND is_active=1");

      if ($result->num_rows == 0)
      {
        echo '<div class="alert alert-danger" role="alert">Invalid login attempt.</div>';
        echo $login_form;
      }
      else
      {

        $row = $result->fetch_array(MYSQLI_ASSOC);

        $_SESSION['user'] = $row['username'];
        $_SESSION['uname'] = $row['uname'];
        $_SESSION['is_admin'] = $row['is_admin'];
        setcookie("user_details", $row['username'], time()+3600*24);

        $uri = $_SERVER['REQUEST_URI'];
        $uri_tokens = explode("/", $uri);

        if ($uri_tokens[1] == "login.php") {
          echo("<script>location.href = 'board.php';</script>");
        } else {
          $redirect_uri = $uri_tokens[1] . "/board.php";
          echo("<script>location.href = '" . $redirect_uri . "';</script>");
        }

      }
    }

  } else {

    echo $login_form;

  }


In the login form, I am typing “z1” as the username and “z1” as the password. The mysql table has an entry for this user:

mysql> select * from users;
+----------+----------+-----------+----------+----------+-----------+
| username | password | firstname | lastname | is_admin | is_active |
+----------+----------+-----------+----------+----------+-----------+
| admin    | admin    | Admin     | User     | 1        | 1         |
| user     | user     | Ordinary  | User     | 0        | 1         |
| z1       | z1       | at        | attacker | 0        | 1         |
+----------+----------+-----------+----------+----------+-----------+
3 rows in set (0.00 sec)

mysql>
However, it's going to the next page, the URL changes to:

http://localhost/CS4331-TOY-APPLICATION/CS4331-TOY-APPLICATION/board.php

but I am getting the message:
“404 not Found”
I have tried with other users also. I don't know what the purpose of CONCAT_WS is.
My nginx server's error.log file is empty.

Somebody please guide me what the problem is.

Zulfi.

It’s not the reason your code isn’t working, but a big, big problem here is that you’re storing passwords in plain text. Use password_hash() and password_verify() instead.

It seems strange to me that your redirect has repeated the directory name. Would that be correct, or should it be http://localhost/CS4331-TOY-APPLICATION/board.php really?

I don’t, but I bet it’s documented somewhere. The doc ( https://dev.mysql.com/doc/refman/8.0/en/string-functions.html ) says it means “concatenate with separator”.

The fact you don’t know the purpose of some parts suggests you did not write this code, who did?

Here CONCAT_WS is being misused, WS means “With Separator”, that’s the first parameter, which is an empty string, so therefore pointless. Though I don’t think this is the problem, it should still “work”.

This problem is compounded more by using code which is super easy to hack with SQL injection, so a hacker could get the full list of passwords in plain text.
Use prepared statements and use password hashing.

Thanks for your reply:

You mean I have to change the following code:

if ($uri_tokens[1] == "login.php") {
          echo("<script>location.href = 'board.php';</script>");
        } else {
          $redirect_uri = $uri_tokens[1] . "/board.php";
          echo("<script>location.href = '" . $redirect_uri . "';</script>");
        }

I am still learning. Can you please guide me how to correct this code? You mean I have to remove the dots from the string? It should be like this:

echo("<script>location.href = '" $redirect_uri "';</script>");

Zulfi.

Hi,
This is a learning phase. My friend gave me this code so that I can develop familiarity with professional PHP. I was reading PHP from the book and did some programming and also posted my problems on the forum and tried to get the name of a good book also. With the help of forums I got some understanding. I thank all of you guys. The advantage of this code is that it shows me how the files can be connected.

Now I got a code. So I am trying to understand it. Thanks for pointing the problems in the code, but I can’t understand why I am getting 404 error.

Somebody please help me.
God bless you people.

Zulfi.

A 404 (Not found) is the error you get when a URL is requested that does not exist. It seems the script is forwarding to the wrong URL. It’s hard for anyone to advise, unless we know the correct URL it should point to.
But…

To be brutally honest, I would not consider this to be “professional” PHP.
It’s more amateurish and dangerously insecure, to the point that my best advice would be to start over using more modern and secure methods.

Firstly remove the processing logic from the body of the HTML page. It will not only make things neater and easier to read and manage, it will also allow you to use headers to do the URL redirect, instead of relying on JavaScript output, because there won’t have been any output to the browser when the redirect happens.
And as already mentioned, the login needs some security fixes, hashed passwords and prepared statements for the database query.
It may seem a lot to take in and change, but it is quite necessary.

Log-in scripts have been discussed here before, do a search.
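
The changes suggested in this thread (prepared statement, `password_hash()`/`password_verify()`, processing before any output, header redirect), as an added example that is not code from the thread or from the toy application. `$db`, `find_active_user()` and `board_url()` are hypothetical names, and the `password` column is assumed to hold `password_hash()` output instead of the plain text shown above.

```php
<?php
// Added example: login processing, placed before any HTML output.
// Assumptions: $db is an open mysqli connection (mysqlnd driver);
// users.password holds password_hash() output, not plain text.
declare(strict_types=1);
session_start();

function find_active_user(mysqli $db, string $username): ?array
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    // CONCAT_WS gets a real separator here (a single space).
    $stmt = $db->prepare(
        "SELECT username, password,
                CONCAT_WS(' ', firstname, lastname) AS uname, is_admin
           FROM users WHERE username = ? AND is_active = 1"
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

function board_url(string $scriptName): string
{
    // Root-relative path in the same directory as login.php, so the
    // browser does not resolve it against the current directory again.
    $dir = rtrim(str_replace('\\', '/', dirname($scriptName)), '/');
    return $dir . '/board.php';
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['userlogin'])) {
    $user = trim((string)($_POST['user'] ?? ''));
    $pass = (string)($_POST['pass'] ?? '');
    $row  = ($user !== '' && $pass !== '') ? find_active_user($db, $user) : null;

    // One message for both "unknown user" and "wrong password".
    if ($row !== null && password_verify($pass, $row['password'])) {
        session_regenerate_id(true);   // fresh session ID after login
        $_SESSION['user']     = $row['username'];
        $_SESSION['uname']    = $row['uname'];
        $_SESSION['is_admin'] = (int)$row['is_admin'];
        header('Location: ' . board_url($_SERVER['SCRIPT_NAME']));
        exit;                          // stop before any page output
    }
    $error = 'Invalid login attempt.';
}
// Page HTML starts below; print $error through htmlspecialchars().
```

Existing rows would need their `password` values replaced once with `password_hash($plain, PASSWORD_DEFAULT)` before this check can succeed.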

Hi,
I found the error:
It's generating the wrong URL when I click the submit button after providing my user name and password:
http://localhost/CS4331-TOY-APPLICATION/CS4331-TOY-APPLICATION/board.php
instead it should generate:
http://localhost/CS4331-TOY-APPLICATION/board.php

Can somebody please guide me how to fix the above error.

Zulfi.

I seem to recall mentioning that, wondering whether the duplicated directory name was correct:

What is in your $uri_tokens array? Or is it that you are adding the directory on and it does not need to be added?


Hi,
Thanks.

$uri = $_SERVER['REQUEST_URI'];
The above is taking the value from the server, so we can’t change this.
$uri_tokens = explode("/", $uri);
The above is splitting the string. If the string is “localhost/CS4331-TOY_Application/login.php” then $uri_token[1] == “CS4331-TOY_Application”, so its false because $uri_token[0]=“localhost”, $uri_token[1]=“CS433-TOY_Application”

if ($uri_tokens[1] == "login.php") {
         echo("<script>location.href = 'board.php';</script>");
        } else {
          $redirect_uri = $uri_tokens[1] . "/board.php";
          echo("<script>location.href = '" . $redirect_uri . "';</script>");
        } 

So we come to the else part.
$redirect_uri = “CS4331-TOY_Application” . “/board.php”
which is correct. I can’t understand why it's generating the wrong URL.

Somebody please guide me.

Zulfi.

What is actually in $redirect_uri if you var_dump() it? And what is the default directory that your PHP script is running in? If you’re already in that directory, and you specify it again, could that be the problem? Adding a leading / would confirm or deny that.

Hi,
I tried:

$uri = $_SERVER['REQUEST_URI'];
         var_dump($uri)."<br>";

and also:

$uri = $_SERVER['REQUEST_URI'];
   echo      var_dump($uri)."<br>";

It is just displaying the error 404 message, no value of anything.

Zulfi.

Add an exit() after your echo statement, so it doesn’t do anything else.
