  1. #1

    Help Needed! Accesscontrol.php not working?!

    Hello,
    I am having trouble getting this code to work.
    Basically, you register (works), then you log in.
    To stop you viewing pages that you are only supposed to view once you are logged in, there is code added to the top of each 'secure' page.
    Code:
    <?php include 'accesscontrol.php'; ?>
    The code in accesscontrol.php is
    Code:
    <?php // accesscontrol.php
    include_once 'common.php';
    include_once 'db.php';
    session_start();
    $uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
    $pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
    if(!isset($uid)) {
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1" />
    </head>
    <body>
    <h1> Login Required </h1>
    <p>You must log in to access this area of the site. If you are
    not a registered user, <a href="signup.php">click here</a>
    to sign up for instant access!</p>
    <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="uid" size="8" /><br />
    Password: <input type="password" name="pwd" SIZE="8" /><br />
    <input type="submit" value="Log in" />
    </form></p>
    </body>
    </html>
    <?php
    exit;
    }
    $_SESSION['uid'] = $uid;
    $_SESSION['pwd'] = $pwd;
    dbConnect("u954620823_login");
    $sql = "SELECT * FROM user WHERE
    userid = '$uid' AND password = PASSWORD('$pwd')";
    $result = mysql_query($sql);
    if (!$result) {
    error('A database error occurred while checking your '.
    'login details.\\nIf this error persists, please '.
    'contact you@example.com.');
    }
    if (mysql_num_rows($result) == 0) {
    unset($_SESSION['uid']);
    unset($_SESSION['pwd']);
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1" />
    </head>
    <body>
    <h1> Access Denied </h1>
    <p>Your user ID or password is incorrect, or you are not a
    registered user on this site. To try logging in again, click
    <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
    access, click <a href="signup.php">here</a>.</p>
    </body>
    </html>
    <?php
    exit;
    }
    $username = mysql_result($result,0,'uid');
    ?>
    My dilemma is that when you try to log in, it says access denied, meaning that your account has not been found in the database. However, the accounts are properly registered and show up in the database. Help?

  • #2
    God Emperor Fou-Lu's Avatar
    You're storing a cleartext password on the filesystem O.o
    Aside from this, drop the AND password check from your query, and pull the password out to compare the provided password to that inserted. Adjust the logic to handle the comparison otherwise it will accept and validate just the userid.
    You'll want to look at escaping your data as well with mysql_real_escape_string and stripping out GPC if it's been enabled.

    Edit:
    This won't work actually. PASSWORD() is a SQL function which means you'd need two queries to test this.
    Have you manually typed this all in through your SQL console or PHPMyAdmin or something else? Use something hard-coded to verify.
    Edit:
    Actually what am I thinking, sure you can. Just alter the query:
    Code:
    SELECT *, PASSWORD('$pwd') AS providedPassword FROM user WHERE userid = '$uid'

    Last edited by Fou-Lu; 02-01-2012 at 07:26 PM.
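
An added example, not code from either poster, of the approach reply #2 describes (select the row by user ID alone, then compare the password in PHP), using PDO prepared statements in place of mysql_real_escape_string and password_hash()/password_verify() in place of MySQL's PASSWORD(). The in-memory SQLite table, the sample accounts and the checkLogin() helper are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the user ID on success, null on failure.
function checkLogin(PDO $db, string $uid, string $pwd): ?string
{
    // The placeholder keeps $uid as data, so quotes in it cannot alter the SQL.
    $stmt = $db->prepare('SELECT userid, password FROM user WHERE userid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown so that both
    // failure paths do the same amount of work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = $row ? $row['password'] : $dummy;

    $ok = password_verify($pwd, $hash);
    return ($row && $ok) ? $row['userid'] : null;
}

// Constructed test database standing in for the thread's `user` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO user (userid, password) VALUES (?, ?)');
foreach (['alice' => 'correct horse', "o'brien" => 's3cret!'] as $u => $p) {
    // Registration stores a salted hash, never the cleartext password.
    $ins->execute([$u, password_hash($p, PASSWORD_DEFAULT)]);
}

// Constructed login attempts.
$attempts = [
    ['alice', 'correct horse'],   // registered user, right password
    ['alice', 'wrong'],           // registered user, wrong password
    ["o'brien", 's3cret!'],       // apostrophe in the ID is handled as data
    ['nobody', 'anything'],       // unregistered user
];
foreach ($attempts as [$uid, $pwd]) {
    $who = checkLogin($db, $uid, $pwd);
    // In accesscontrol.php this is where $_SESSION['uid'] = $who would be set
    // (after session_regenerate_id(true)); the password is never stored.
    printf("%-8s => %s\n", $uid, $who !== null ? 'access granted' : 'access denied');
}
```

Because only the user ID is kept in the session after a successful check, no password is written to the session files on disk.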

