MD5 is an algorithm, this doesn't change across platforms or programming languages. it will always be the same algorithm
besides, the problem is probably in your database, not php. check the values in the database in both versions and also check what TYPE and Length the column is that has the password stored. For example if it's less than 32 chars, then that would explain a lot.
ah another problem could be (and this is in php) that your script doesn't function with register_globals=off
please also do a check if the login routine is executed at all .. otherwise you're chasing non-existent bugs
ah i forgot about that i had to rewrite some of my site to allow for navigation because of the registered globals
i got my login script off a mate and i don't know much about HTTP auth. would i need to assign some form of global to $PHP_AUTH_USER and $PHP_AUTH_PW
PHP Code:
<?php
function displayLogin()
{
header("WWW-Authenticate: Basic realm=\"www.knowj.com - email = login/user name\"");
header("HTTP/1.0 401 Unauthorized");
echo '<div id="contleft">';
echo "<h1>Authentication Failure</h1>";
echo "<p>The username and password provided did not work. Please reload this page and try again.</p>";
include "includes/footer.php";
exit;
}
if (!isset($PHP_AUTH_USER) || !isset($PHP_AUTH_PW))
{
// If username or password hasn't been set, display the login request.
displayLogin();
}
else
{
$banlist = array
(
"insert", "select", "update", "delete", "distinct", "having", "truncate", "replace",
"handler", "procedure", "limit", "order by", "group by", "asc", "desc"
);
if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $PHP_AUTH_USER))
{
$PHP_AUTH_USER = trim(str_replace($banlist, '', strtolower($PHP_AUTH_USER)));
}
else
{
echo "Login Name not a valid Email Address";
displayLogin();
}
//check the password is valid
if (eregi("[a-zA-Z0-9]+", $PHP_AUTH_PW))
{
$PHP_AUTH_PW = trim(str_replace($banlist, '', strtolower($PHP_AUTH_PW)));
}
else
{
echo "Login Password not a valid Email Address";
displayLogin();
}
// Escape both the password and username string to prevent users from inserting bogus data.
$PHP_AUTH_USER = addslashes($PHP_AUTH_USER);
$PHP_AUTH_PW = md5($PHP_AUTH_PW);
// Check username and password against the database.
$results = mysql_query("SELECT * FROM atable WHERE someuser='$PHP_AUTH_USER'") or die("Couldn't query the user-database.");
$sql = mysql_fetch_array($results);
if(!$sql || !($PHP_AUTH_PW === $sql['somepass']) || !$PHP_AUTH_PW)
{
displayLogin();
}
}
?>
i realize it isn't a very well written script but it's old and i implemented it long before i knew what i know now. i will probably rewrite it when i get time
i've changed all the variables but for some reason i just keep getting the login box reload every time :S even though my password and login are incorrect.
PHP Code:
<?php
function displayLogin()
{
header("WWW-Authenticate: Basic realm='www.knowj.com - email = login/user name'");
header("HTTP/1.0 401 Unauthorized");
echo "<h1>Authentication Failure</h1>";
echo "<p>The username and password provided did not work. Please reload this page and try again.</p>";
include "includes/footer.php";
exit;
}
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
{
// If username or password hasn't been set, display the login request.
displayLogin();
}
else
{
if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_SERVER['PHP_AUTH_USER']))
{
$_SERVER['PHP_AUTH_USER'] = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
}
else
{
echo "Login Name not a valid Email Address";
displayLogin();
}
//check the password is valid
if (eregi("[a-zA-Z0-9]+", $_SERVER['PHP_AUTH_PW']))
{
$_SERVER['PHP_AUTH_PW'] = mysql_real_escape_string($_SERVER['PHP_AUTH_PW']);
}
else
{
echo "Login Password not a valid Email Address";
displayLogin();
}
// Escape both the password and username string to prevent users from inserting bogus data.
$_SERVER['PHP_AUTH_PW'] = md5($_SERVER['PHP_AUTH_PW']);
// Check username and password against the database.
$results = mysql_query("SELECT * FROM users WHERE user='$_SERVER[PHP_AUTH_USER]'") or die("Couldn't query the user-database.");
$sql = mysql_fetch_array($results);
if(!$sql || !($_SERVER['PHP_AUTH_PW'] === $sql['pass']) || !$_SERVER['PHP_AUTH_PW'])
{
displayLogin();
}
}
?>
first of all, set the error_reporting to E_ALL
second, find out which route the parser takes you. for example, just put a die("here") after an if or else. if it is being outputted to the screen, you know that that if or else validates to True. If not, you know something is wrong there. Right now you still don't know whether the database is queried at all
also, in some cases you're outputting stuff to the screen (echo "Login Name not a valid Email Address"; for example), after which you try to modify the headers (with the displayLogin() function) - this should/will generate errors
Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include(), or require(), functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.
btw, your email address validation is also a bit outdated. For example person@domain.info wouldn't pass the validation, but is a valid email address however.
it's only for me to login tbh i'm not having people register.
this file is included and the file ob_start() ob_end_flush() as i use this for cookies which are set in parts of my site
thanks for the help ill look into it.
update:
error reporting did nothing the script seems to compile fine.
PHP Code:
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
{
// If username or password hasn't been set, display the login request.
displayLogin();
}
i think that's the route which it's taking as i have put exit; and error messages on all the other areas which the function could be called but i can't error report the top one as it's what calls the function when you're not logged in.
PHP Code:
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
{
// If username or password hasn't been set, display the login request.
// displayLogin();
echo "Can you see me? Can you? Can you? eh? well....???";
}
also print_r($_SERVER) might be helpful
btw, if you have the error_reporting indeed set to E_ALL, then the query is clearly not executed.
mysql_query("SELECT * FROM users WHERE user='$_SERVER[PHP_AUTH_USER]'")
should give an error in that case (undefined constant PHP_AUTH_USER)
you might also want to stop using that hideous buffering. in my opinion it's bad practice to rely on that for your script/program to work.
if i did what you said the function would be called in the first place as that call is what initiates the script so it would just let me through to the admin page which is restricting access to.
so my script is compiling alright its just not working :S
Notice: Undefined index: admin in /home/.mantra/john5115/knowj.com/admin/new.php on line 24
Notice: Undefined index: admin in /home/.mantra/john5115/knowj.com/admin/new.php on line 45
Notice: Undefined variable: admin in /home/.mantra/john5115/knowj.com/admin/edit.php on line 3
Notice: Undefined variable: admin in /home/.mantra/john5115/knowj.com/admin/edit.php on line 22
Notice: Undefined variable: admin in /home/.mantra/john5115/knowj.com/admin/edit_forms.php on line 3
Notice: Undefined variable: admin in /home/.mantra/john5115/knowj.com/admin/edit_forms.php on line 40
Yes, that's what you do with ob_start() (OutputBuffering_start)
you put everything into a buffer, until you output it with ob_flush().
But if you structure your code well, there's no need to apply this hack.
if i did what you said the function would be called in the first place as that call is what initiates the script so it would just let me through to the admin page which is restricting access to.
i don't think i understand what you mean ...
undefined index [...] undefined variable [...]
you get these errors because you're trying to use values in an array or variables that do not exist. so check that out.
they aren't defined as they're got from the url. i was saying they're the only errors which are got and i understand why they are there.
If i remove the line you say it wont call the function at all because that check defines if the person is logged in or not. so it just lets you through to the page which it is restricting.
If i remove the line you say it wont call the function at all because that check defines if the person is logged in or not. so it just lets you through to the page which it is restricting.
i didn't put it there to solve your problems, i showed you that it was possible to get debug-information there. If that line is printed on the screen then you know the displayLogin() function is being called from there.
PHP Code:
<?php
error_reporting(E_ALL);
include "file-that-connects-to-the-database.php";
function displayLogin($error=False)
{
// the realm value must be a double-quoted string
header("WWW-Authenticate: Basic realm=\"www.knowj.com - email = login/user name\"");
header("HTTP/1.0 401 Unauthorized");
echo "<h1>Authentication Failure</h1>";
if ($error)
{
echo "<p>The username and password provided did not work. Please reload this page and try again.</p>";
}
include "includes/footer.php";
exit;
}
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
{
// If username or password hasn't been set, display the login request.
displayLogin("Username has not been provided yet");
}
else
{
if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_SERVER['PHP_AUTH_USER']))
{
$_SERVER['PHP_AUTH_USER'] = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
}
else
{
displayLogin("Login Name not a valid Email Address");
}
//check the password is valid
if (!eregi("[a-zA-Z0-9]+", $_SERVER['PHP_AUTH_PW']))
{
displayLogin("Login Password not a valid Password");
}
// Check username and password against the database.
$query = "SELECT * FROM users WHERE user='".$_SERVER['PHP_AUTH_USER']."'";
if (!$results = mysql_query($query))
{
displayLogin("A database error occurred. please try again later<br>".$query."<br>".mysql_error());
}
elseif (mysql_num_rows($results) == 0)
{
// normally you wouldn't give this extra information. it's no-ones business that the username doesn't exist
// but we do it now for debugging purposes
displayLogin("This username doesn't exist");
}
else
{
$sql = mysql_fetch_array($results);
// strict comparison: != would compare two "0e..." digests as numbers
if(md5($_SERVER['PHP_AUTH_PW']) !== $sql['pass'])
{
displayLogin("Incorrect password");
}
}
}
echo "logged in";
?>
please only include this file:
include "file-that-connects-to-the-database.php";
in which you substitute file-that-connects-to-the-database.php for the file that creates the database connection.
so don't include any other things. (especially not things that include output buffering and such)
i'm going to give up and write a cookie based login. it will make things a lot easier and this script just seems to be causing me hassle since i moved to php5
oh i realize now i made one mistake in the script:
PHP Code:
if ($error)
{
echo "<p>The username and password provided did not work. Please reload this page and try again.</p>";
}
should be
PHP Code:
if ($error)
{
echo $error;
}
so, in full:
PHP Code:
<?php
error_reporting(E_ALL);
include "file-that-connects-to-the-database.php";

function displayLogin($error=False)
{
    // the realm value must be a double-quoted string
    header("WWW-Authenticate: Basic realm=\"www.knowj.com - email = login/user name\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "<h1>Authentication Failure</h1>";
    if ($error)
    {
        echo $error;
    }
    include "includes/footer.php";
    exit;
}

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
{
    // If username or password hasn't been set, display the login request.
    displayLogin("Username has not been provided yet");
}
else
{
    if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_SERVER['PHP_AUTH_USER']))
    {
        $_SERVER['PHP_AUTH_USER'] = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
    }
    else
    {
        displayLogin("Login Name not a valid Email Address");
    }
    //check the password is valid
    if (!eregi("[a-zA-Z0-9]+", $_SERVER['PHP_AUTH_PW']))
    {
        displayLogin("Login Password not a valid Password");
    }
    // Check username and password against the database.
    $query = "SELECT * FROM users WHERE user='".$_SERVER['PHP_AUTH_USER']."'";
    if (!$results = mysql_query($query))
    {
        displayLogin("A database error occurred. please try again later<br>".$query."<br>".mysql_error());
    }
    elseif (mysql_num_rows($results) == 0)
    {
        // normally you wouldn't give this extra information. it's no-ones business that the username doesn't exist
        // but we do it now for debugging purposes
        displayLogin("This username doesn't exist");
    }
    else
    {
        $sql = mysql_fetch_array($results);
        // strict comparison: != would compare two "0e..." digests as numbers
        if(md5($_SERVER['PHP_AUTH_PW']) !== $sql['pass'])
        {
            displayLogin("Incorrect password");
        }
    }
}
echo "logged in";
?>
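A present-day form of the check the scripts in this thread perform, as an added example that is not code from the thread: a bound parameter instead of string-built SQL, and password_verify() with an in-place upgrade of rows that still hold a bare MD5 digest. It assumes PHP 8 with the pdo_sqlite extension for the constructed demo; checkCredentials() and requireLogin() are hypothetical names, and the users/user/pass names are taken from the scripts above.

```php
<?php
// Added example, not the thread's code. Assumes PHP 8 with pdo_sqlite for the demo
// and the thread's users(user, pass) table, with pass wide enough for a modern hash.

function checkCredentials(PDO $db, string $user, string $password): bool
{
    // Bound parameter: the username is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT pass FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false; // unknown user
    }
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy row: bare MD5 hex digest. hash_equals() is a strict, constant-time compare.
        $ok = hash_equals($stored, md5($password));
        $rehash = true;
    } else {
        $ok = password_verify($password, $stored);
        $rehash = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }
    if ($ok && $rehash) {
        // Upgrade to a salted, slow hash while the plaintext is available.
        $db->prepare('UPDATE users SET pass = ? WHERE user = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $user]);
    }
    return $ok;
}

function requireLogin(PDO $db): void
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($user === '' || !checkCredentials($db, $user, $pass)) {
        // Sent before any body output; one generic message for every failure.
        header('WWW-Authenticate: Basic realm="Admin area"');
        http_response_code(401);
        exit('Authentication required');
    }
}

// Constructed demo data: one account still stored as md5('Secret1').
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['me@example.com', md5('Secret1')]);
var_dump(checkCredentials($db, 'me@example.com', 'wrong'));   // wrong password, row untouched
var_dump(checkCredentials($db, 'me@example.com', 'Secret1')); // legacy MD5 path, row gets upgraded
var_dump(checkCredentials($db, 'me@example.com', 'Secret1')); // now takes the password_verify() path
```

A bcrypt hash from password_hash() is 60 characters, so a pass column sized for a 32-character MD5 digest would truncate it, the same column-length failure raised at the top of the thread.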