Beginners Problem

on 08.01.2008 15:51:00 by Ben Stones

Hello,

I am having another problem with PHP, and I have tried rectifying the
problem with each try failing. The problem I have is, whenever I refresh the
page or visit the URL to where the login form is (which is index.php), it
automatically refreshes to the members page, even if I did not click the
'Submit' button (with or without the correct login details, for that matter,
even if I did click the 'Submit' button). I hope someone will be able to
help me in some way or another to rectify the issue; I have tried seeing all
possibilities of the problem. Once more, I am relatively new to PHP, so I
appreciate help towards the right direction.

Cheers,
Ben Stones.

(PS: The PHP code is below)

$con = mysql_connect("localhost", "ben_test", "removed") or die(mysql_error());
$db = mysql_select_db("ben_test") or die(mysql_error());
$user = $_POST['username'];
$pass = $_POST['password'];
$select_sql = sprintf("SELECT `username` FROM `users` WHERE `username` = '$user' AND `password` = '$pass'",
    mysql_real_escape_string($user), mysql_real_escape_string($pass));
$select_sql_two = mysql_query($select_sql);

if($select_sql_two) {
    echo 'Redirecting you to members page...';
    echo '[meta http-equiv="refresh" content="5;url=members.php" /]';
}
else {
    echo 'Error';
}

I've changed the HTML code, by the way, so it doesn't render the HTML code
in some mail boxes.

Re: Beginners Problem

on 08.01.2008 16:03:11 by juan.mas

The way I normally run any sort of form page is something like this. (I'm
fairly new as well)

Since you're setting $select_sql_two without any conditions, it is setting
the refresh on the page and therefore redirecting you to members.php.

You should then place some sort of authentication on the members.php so that
people can't just go there directly.

if(isset($_POST['submit'])) {
    // ... run SQL query
} else {
    // ... display login form
}

--
-Juan

Re: Beginners Problem

on 08.01.2008 16:06:11 by John Dillon

I use:

if(ISSET($select_sql_two)&&$select_sql_two<>""&&!is_null($select_sql_two)) {

or

if($select_sql_two=="submit") {

if "submit" is the button value. I am not sure which is best.

John


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Beginners Problem

on 08.01.2008 17:08:59 by Peter Westergaard

Ben, I would say that the only reason
> $select_sql_two = mysql_query($select_sql);
>
> if($select_sql_two) {
>

would refuse to execute is if $select_sql represents an invalid SQL
statement. Whether it has records or not, you should (if I'm not very
much mistaken) get a resource returned in select_sql_two, which will
make your IF succeed.

You should probably check out http://php.net/mysql_query for more
information on this function. The difference between "empty result" and
"invalid query" is significant. Once you've determined that the query
is valid, you must also then check to see if it returned any rows,
possibly using a function like mysql_num_rows.

Hope that helps!
-P

RE: Re: Beginners Problem

on 08.01.2008 17:56:09 by Gary Wardell

Hi Peter,

I'm also sort of a beginner.

That's along the lines that I was thinking.

Doesn't mysql_query return a result set object? So in this sample, wouldn't the IF be testing if the result object was set?

I'm just trying to learn what's going on, I realized the code is wrong but didn't know why, which is why I didn't respond earlier.

Gary

Re: Beginners Problem

on 08.01.2008 19:37:48 by Evert Lammerts

Hi Ben,

Number of things wrong with your code, look below.

> $select_sql = sprintf("SELECT `username` FROM `users` WHERE `username` =
> '$user' AND `password` = '$pass'", mysql_real_escape_string($user),
> mysql_real_escape_string($pass));
>
In the string you are printing using sprintf you need to use a
conversion specification (see http://uk2.php.net/sprintf), in your case
%s. It will look like this:

sprintf("SELECT `username` FROM `users` WHERE `username`='%s' AND `password` = '%s'", mysql_real_escape_string($user),
mysql_real_escape_string($pass))

> if($select_sql_two)
As Peter points out, mysql_query (http://uk2.php.net/mysql_query) will
always return a resource if and only if the query syntax was correct,
even if the actual result set is empty. Knowing that anything that is
not <= 0, null or false will return true, the above condition will
always be true (which is why the login works). So instead, use one of
the mysql_fetch functions, e.g.

if ($row = mysql_fetch_array($select_sql_two))

Couple of other tips. Put your php functionality for login in a
function, with username and password as parameters (function
login($user, $pass)). This way you can reuse it, and it makes your code
a lot easier to handle. Also, instead of printing an HTML redirect I'd
recommend doing the redirect in the HTTP header (http://uk.php.net/header).

if (!empty($_POST['username']) && !empty($_POST['password']))
    login($_POST['username'], $_POST['password']);
else
    header('location: members.php');

Do remember that in order to use the header function you cannot output
anything else before the function is called, like it says in the manual.

Re: Re: Beginners Problem

on 11.01.2008 17:04:53 by Rene Brehmer

Peter Westergaard wrote:
>
> You should probably check out http://php.net/mysql_query for more
> information on this function. The difference between "empty result"
> and "invalid query" is significant. Once you've determined that the
> query is valid, you must also then check to see if it returned any
> rows, possibly using a function like mysql_num_rows.

I usually skip the validity check and simply check for rows. But then I
also write my code a little differently, which may be why it doesn't break.

This is part of my login code:

$chkuserquery = "SELECT userID
    FROM $TB_USERS
    WHERE `loginID`='$loginID' AND `password`='$password'
    LIMIT 1";
$chkuser = $db->query($chkuserquery);

if($db->num_rows($chkuser)) {
    $userID = $db->result($chkuser,0);
    $ip = $_SERVER['REMOTE_ADDR'];

    // update active session
    $query = "UPDATE $TB_SESSIONS
        SET `userID`='$userID',`logintime`=NOW(),`loginIP`='$ip'
        WHERE `sessionID`='$sessionID'
        LIMIT 1";
    $result = $db->query($query);

    $alert_level = 1;
    $alert_message = 'You are now logged in. Please remember to logout when done.';
} else {
    $alert_level = 3;
    $alert_message = 'Username and/or password incorrect';
}

May deserve some elaboration, as this is just a piece of a much bigger code.
$TB_USERS and $TB_SESSIONS are merely variables (constants) set earlier
so that I can re-use the code more easily for different projects. $db is
a simple database object that's merely a wrapper for the mysql
functions. Inside $db, all the mysql functions have the or die() part
set with mysql_errno() and mysql_error() which catches invalid queries.

I built my own sessions system, using the database and cookies. There's
always a session active, that's why this part of the code doesn't check
for it. I made it this way so I can run the login/logout script at any
phase of the code, without having to worry about setting sessions and
cookies before it sends the headers.


FWIW

Rene

--
Rene Brehmer
aka Metalbunny

We have nothing to fear from free speech and free information on the
Internet but pop-up advertising!

http://metalbunny.net/
References, tools, and other useful stuff...

Re: Re: Beginners Problem

on 12.01.2008 17:13:01 by sublimino

Could I recommend a more secure approach:
1) using two hashes to protect the data (in case the database is
compromised they are both one-way hashes, and using two protects
against collision attacks whereby a different password string
generates the same hash as the original password)
2) escaping user input to protect against SQL injection attacks (nasty
queries can get more data from the database than your original query
intended, or change the query's intended functionality).

Instead of:
$chkuserquery = "SELECT userID
FROM $TB_USERS
WHERE `loginID`='$loginID' AND `password`='$password'
LIMIT 1";
$chkuser = $db->query($chkuserquery);


This example utilises the mdb2 database layer:

$user_credentials = array( // these are the credentials the user supplied
    'user_name' => addslashes($username), // escape username input
    'user_password_md5' => md5($password), // generate hash, no injection is possible
    'user_password_sha1' => sha1($password) // due to 'scrambling' of string
);

$query_values = ''; // initialise before appending
foreach ($user_credentials as $k => $v) { // build string
    $query_values .= $k . '=' . $db->quote(trim($v)) . ' AND ';
}

// format string and remove the trailing ' AND '
$query_values = '(' . substr($query_values, 0, -5) . ')';

$sql = "SELECT COUNT(user_id) AS user_count FROM user WHERE $query_values";

$result = $db->query($sql);

// this if not only returns a row from the database query, it then checks if the
// user_count field contains one or more results. if so, login is correct
if (($row = $result->fetchRow(MDB2_FETCHMODE_ASSOC)) && $row['user_count']) {
    $valid_login = true;
    // session -> database etc
}

for this example, using 'root' and 'password', $query_values is:

(user_name='root' AND
user_password_md5='5f4dcc3b5aa765d61d8327deb882cf99' AND
user_password_sha1='5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8')

This code is identical in functionality to the previous example,
except the query has no LIMIT - this is not required as it prevents
the possibility of coding error handling for multiple accounts
(perhaps unnecessary, excepting very secure applications).


Andy
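
Added example, not part of any post in this thread: the row-level check Peter and Evert describe and the injection and hashing concerns Andy raises, combined in one login routine. It assumes PDO with an in-memory SQLite database, a constructed `users` table and sample account, and the hypothetical helpers `make_demo_db` and `handle_request`; it uses bound parameters and PHP's `password_hash`/`password_verify` in place of the escaping and MD5/SHA-1 hashes shown in the posts.

```php
<?php
declare(strict_types=1);

// Constructed demo database: one sample account, nothing from the thread.
function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $pdo->prepare('INSERT INTO users VALUES (?, ?)')
        ->execute(['ben', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// True only when a row was found AND the password matches its stored hash.
// A query that merely ran without error proves nothing about the credentials.
function login(PDO $pdo, string $user, string $pass): bool
{
    // Bound parameter: user input never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matched
    if ($row === false) {
        return false;
    }
    return password_verify($pass, $row['password_hash']);
}

// Hypothetical helper: what index.php should do for one request.
function handle_request(PDO $pdo, string $method, array $post): string
{
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    if ($method !== 'POST' || $user === null || $pass === null) {
        return 'show-form'; // plain page load or refresh: no query, no redirect
    }
    if (!is_string($user) || !is_string($pass)) {
        return 'error'; // e.g. username[]=x arrives as an array
    }
    return login($pdo, $user, $pass) ? 'redirect:members.php' : 'error';
}

$pdo = make_demo_db();
$cases = [ // constructed requests
    ['GET', []],
    ['POST', ['username' => 'ben', 'password' => 'wrong']],
    ['POST', ['username' => "o'brien", 'password' => 'x']], // quote in input, no such user
    ['POST', ['username' => 'ben', 'password' => 'correct horse']],
];
foreach ($cases as [$method, $post]) {
    echo $method, ' ', json_encode($post), ' => ', handle_request($pdo, $method, $post), PHP_EOL;
}
```

Only the last constructed request yields the redirect; the plain page load, the wrong password and the unknown user all stop short of it.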

Re: Re: Beginners Problem

on 22.01.2008 17:20:58 by Rene Brehmer

Andy,

Thanks for your comment. What I posted is only part of my code though,
as the entire thing is a bit long, and with all the includes rather hard
to follow unless I posted the whole file set. Above the piece I posted I
have code to do slashing, and some MD5 hashing, as well as enforcing string
lengths. So the $password I use in the query is actually MD5 hashed
already. I know I need to improve the security though, as my current
code does not counter every possible attack, so your input is much
appreciated.


--
Rene Brehmer
aka Metalbunny
