Okay,
I am having some trouble with an authorization script to secure
a part of my web application. It seems to time out after one successful
login. I have no clue why!
All this script is supposed to do is take the username and
password that the user supplied in a simple login form
and then compare them to a MySQL database of usernames and
passwords. If they match, let 'em in. If they don't match, give 'em
another try...
Simple, right? Well, as I said above, the script works all fine and
dandy until you attempt to log in another or the same user.
Then the auth script doesn't even want to show up, period (display a
place to input a username and password).
I have no clue why; here is the code:
<?php
// authorization script
include 'include.inc';
set_error_handler("errorHandler");

function check_login($loginUsername, $loginPassword)
{
    global $referer;
    global $username;
    global $password;
    global $hostName;
    global $databaseName;
    global $message;

    // Get the two character salt from the user-name collected from the challenge
    $salt = substr($loginUsername, 0, 2);

    // Encrypt the loginPassword collected from the challenge
    $crypted_password = crypt($loginPassword, $salt);

    // Formulate the SQL to find the user
    $query = "SELECT password FROM users WHERE user_name = '$loginUsername' AND password = '$crypted_password'";

    // Open a connection to the DBMS
    if (!($connection = @ mysql_pconnect($hostName, $username, $password)))
        showerror();

    if (!mysql_select_db($databaseName, $connection))
        showerror();

    // Execute the query
    if (!($result = @ mysql_query($query, $connection)))
        showerror();

    // exactly one row? then we have found the user
    if (mysql_num_rows($result) == 1)
    {
        // Register the loginUsername to show the user is logged in
        session_register("loginUsername");

        // Clear any other session variables
        if (session_is_registered("errors"))
            // Delete the form errors session variable
            session_register("errors");

        if (session_is_registered("formVars"))
            // Delete the formVars session variable
            session_unregister("formVars");

        // Do we need to redirect to a calling page:
        if (session_is_registered("referer"));
        {
            // Delete the referer session variable
            session_unregister("referer");
            // Then, use it to redirect
            header("Location: $referer");
            exit;
        }
        {
            header("Location: cart.php");
            exit;
        }
    }
    else
    {
        // Ensure loginUsername is not registered, so the user is not logged in
        if (session_is_registered("loginUsername"))
            session_unregister("loginUsername");

        // Register an error message
        session_register("message");
        $message = "Username or password incorrect. " . "Login failed.";

        // Show the login page so the user can have another go!
        login_page();
        exit;
    }
}

// Function that shows the HTML <form> that is used to collect the username and password
function login_page()
{
?>
<html>
<head>
  <title> Login Page</title>
</head>
<body bgcolor="white">
<?php
    // Show login status (should be logged out!)
    showLogin();
?>
<h2>Trade Login Page</h2>
<form method="POST" action="auth1.php">
<?php
    // Show messages
    showMessage();
?>
<table>
  <tr>
    <td>Enter your username:</td>
    <td><input type="text" size=15 maxlength=30 name="loginUsername"></td>
  </tr>
  <tr>
    <td>Enter your password:</td>
    <td><input type="password" size=15 maxlength=15 name="loginPassword"></td>
  </tr>
  <tr>
    <td><input type="submit" value="Log in"></td>
  </tr>
</table>
<br>
</form>
</body>
</html>
<?php
}

// ------------------
// Initialise the session
session_start();

if (isset($_POST["loginUsername"]))
    $loginUsername = clean($_POST["loginUsername"], 30);

if (isset($_POST["loginPassword"]))
    $loginPassword = clean($_POST["loginPassword"], 15);

// Check if the user is already logged in
if (session_is_registered("loginUsername"))
{   // If they are, then just bounce them back where they came from
    if (session_is_registered("referer"))
    {
        session_unregister("referer");
        header("Location: $referer");
        exit;
    }
    else
    {
        header("Location: cart2.php");
        exit;
    }
}

// Have they provided only one of a username and password?
if ((empty($_POST["loginUsername"]) && !empty($_POST["loginPassword"])) || (!empty($_POST["loginUsername"]) && empty($_POST["loginPassword"])))
{
    // Register an error message
    session_register("message");
    $message = "Both a username and password must " . "be supplied.";
}

// Have they not provided a username/password, or was there an error?
if (!isset($loginUsername) || !isset($loginPassword) || session_is_registered("message"))
    login_page();
else
    // They have provided a login. Is it valid?
    check_login($loginUsername, $loginPassword);
?>
If anyone could help me by finding the bug in this script, or by
supplying another authorization script, I would greatly appreciate
it!
Thank you ahead of time!!
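
A login check for the same kind of `users` table in current PHP, added here as an example and not part of the original post: the username is bound in a PDO prepared statement instead of being interpolated into the query, the password is checked with `password_verify()` against a `password_hash()` value rather than a `crypt()` result salted from the username, and login state lives in `$_SESSION` with the redirect target validated before use. The DSN and credentials, the `password_hash` column and the `safe_redirect_target()` helper are assumptions made for the example.

```php
<?php
// Added example, not the poster's code. Assumed: PDO MySQL driver and a users
// table with user_name and password_hash columns (hashes from password_hash()).
session_start();

// Hypothetical helper: accept only same-site relative paths as redirect targets.
function safe_redirect_target($candidate, string $default): string
{
    if (is_string($candidate) && preg_match('#^/(?!/)[A-Za-z0-9_\-./?=&]*$#', $candidate)) {
        return $candidate;
    }
    return $default;
}

function check_login(PDO $db, string $loginUsername, string $loginPassword): bool
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user_name = ?');
    $stmt->execute([$loginUsername]);
    $hash = $stmt->fetchColumn();

    // password_verify() reads the per-user random salt out of the stored hash.
    if ($hash === false || !password_verify($loginPassword, $hash)) {
        unset($_SESSION['loginUsername']);
        $_SESSION['message'] = 'Username or password incorrect. Login failed.';
        return false;
    }

    session_regenerate_id(true);   // issue a fresh session ID on login
    $_SESSION['loginUsername'] = $loginUsername;
    unset($_SESSION['errors'], $_SESSION['formVars'], $_SESSION['message']);
    return true;
}

if (isset($_POST['loginUsername'], $_POST['loginPassword'])) {
    // Placeholder DSN and credentials, constructed for this example.
    $db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app_user', 'app_password',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    if (check_login($db, (string) $_POST['loginUsername'], (string) $_POST['loginPassword'])) {
        $referer = $_SESSION['referer'] ?? null;
        unset($_SESSION['referer']);
        // Stored referer if it passes validation, otherwise the cart page.
        header('Location: ' . safe_redirect_target($referer, '/cart.php'));
        exit;
    }
}
// Otherwise fall through and render the login form.
```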