I was using this code before and it worked, but then I updated my code base to PHP 5.3 and now it doesn't work anymore. I have looked over the logic time and time again and it should work fine. What am I doing wrong, or am I using deprecated functions again? Here is my login index.php file:

```php
<?php
ini_set('session.save_path', '/opt/lampp/htdocs/tmp'); // linux specific line for setting session tmp path
session_start();
// on a failed connection $con is false, so report with mysqli_connect_error() rather than mysqli_error($con)
$con = mysqli_connect("localhost", "root", "", "numbers") or die(mysqli_connect_error());
$error = NULL;

if(isset($_POST['login']))
{
    //get username and password entered by user (escaped into the query text, not bound as parameters)
    $myusername=mysqli_real_escape_string($con,$_POST['username']);
    $mypassword=mysqli_real_escape_string($con,$_POST['password']);

    // the password is compared exactly as stored (cleartext); BINARY makes the comparison case-sensitive
    $sql="SELECT username, password FROM admin WHERE username='".$myusername."' AND BINARY password='".$mypassword."' UNION SELECT username, password FROM superuser WHERE username='".$myusername."' AND BINARY password='".$mypassword."'";
    $check= mysqli_query($con,$sql) or die(mysqli_error($con));
    $row = mysqli_fetch_row($check); // NULL when no row matched
    if($row !== NULL && $row[0]!="" && $row[1] !="") //compare username and password to ones found in database
    {

         ## set logged_in to true
        $_SESSION['logged_in']= true;
         ## set username session
        $_SESSION['user'] = $row[0]; 

        header('location: table.php');
        exit();
    }
    else
    {
        $error="Your Login Name or Password is invalid";
        //echo "$error";
        //echo "<META http-equiv=' refresh' ;URL='index.php'>";
    }
}
```

This part works fine, at least I think it does.

While this little part here is what's giving me the trouble:

```php
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] == false){
    header('Location: index.php');
    exit();
}
```

Before, I could put that in front of any file I wanted to protect with a password. Now it doesn't work anymore: anyone can just copy the URL and paste it in and it will take you right to the page without prompting for a password. It should prompt for a password if a session hasn't been started already, and in this case it has not. What exactly is wrong with it?

Thanks all, every bit of guidance is welcomed and appreciated.


diafol:

Nothing jumps out. BUT

mysqli_real_escape_string() instead of binding values/params?

Also, you seem to be storing the password as cleartext, not even hashed?

Do a var_dump on your $row and session to see what you get. If you are not getting anything in the row var then you have a problem with your SQL; if your session is empty then you have a problem with ini_set or session.

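The two points diafol raises (bound parameters instead of mysqli_real_escape_string(), and hashed instead of cleartext passwords) plus the session gate from the question, pulled together into one include file. This is an added example, not code from this thread or from the snippets diafol mentions. It assumes the same "numbers" database with "admin" and "superuser" tables as in the original post, that the password column is a VARCHAR(255) holding password_hash() output rather than cleartext, and PHP 5.5 or newer for password_hash()/password_verify() (on PHP 5.3.7 to 5.4 the ircmaxell/password_compat library provides the same two functions). The function names, the "role" column alias and the session keys beyond logged_in/user are my own choices.

```php
<?php
// auth.php -- added example, not code from this thread.
// Assumes: the "numbers" database with "admin" and "superuser" tables as in the
// original post, a VARCHAR(255) password column holding password_hash() output
// instead of cleartext, and PHP >= 5.5 (password_hash/password_verify).

ini_set('session.save_path', '/opt/lampp/htdocs/tmp'); // same path as the original post
session_start();                                       // before any output, on every page

function db_connect()
{
    // throw on SQL errors instead of returning a false that the caller forgets to check
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli('localhost', 'root', '', 'numbers');
}

// Hash for a new account (or for migrating an existing cleartext one). Store the
// result in the password column; it is about 60 characters for bcrypt.
function make_password_hash($plaintext)
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

// Look up a username in both tables with bound parameters. The query text never
// contains user input, so quoting and escaping are no longer the application's job.
function find_account(mysqli $con, $username)
{
    $sql = "SELECT username, password, 'admin' AS role FROM admin WHERE username = ?
            UNION ALL
            SELECT username, password, 'superuser' AS role FROM superuser WHERE username = ?";
    $stmt = $con->prepare($sql);
    $stmt->bind_param('ss', $username, $username);
    $stmt->execute();
    $stmt->bind_result($dbUser, $dbHash, $role);
    $account = null;
    if ($stmt->fetch()) {
        $account = array('username' => $dbUser, 'hash' => $dbHash, 'role' => $role);
    }
    $stmt->close();
    return $account;
}

// Returns true and populates the session on success, false otherwise.
function login(mysqli $con, $username, $password)
{
    $account = find_account($con, $username);
    if ($account === null) {
        // spend one bcrypt computation, like a real verify, so the response time
        // does not reveal whether the username exists
        password_hash('placeholder', PASSWORD_DEFAULT);
        return false;
    }
    if (!password_verify($password, $account['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id once privileges change (fixation defence)
    $_SESSION['logged_in'] = true;
    $_SESSION['user']      = $account['username'];
    $_SESSION['role']      = $account['role'];
    return true;
}

// Put  require 'auth.php'; require_login();  at the top of every protected page.
function require_login()
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: index.php');
        exit();
    }
}

function logout()
{
    $_SESSION = array();
    session_destroy();
}

// index.php then reduces to:
//   require 'auth.php';
//   if (isset($_POST['login']) && login(db_connect(), $_POST['username'], $_POST['password'])) {
//       header('Location: table.php');
//       exit();
//   }
//   $error = isset($_POST['login']) ? 'Your Login Name or Password is invalid' : NULL;
```

Two checks worth doing when a gate like require_login() "stops working": session_start() must run before any byte of output, and a UTF-8 byte-order mark or a blank line before `<?php` in the protected file counts as output (with display_errors off the "headers already sent" warning is invisible and the redirect is silently skipped); and the session.save_path directory must exist and be writable by the web server user on every page that calls session_start(), otherwise each page gets an empty session. Existing cleartext passwords are migrated once by running make_password_hash() over them; after that the cleartext is never stored again.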

OK, here is what I did. I made the following changes to my code to get it to echo the results of all the variables I could var_dump:

```php
if(isset($_POST['login']))
{
    //get username and password entered by user
    $myusername=mysqli_real_escape_string($con,$_POST['username']);
    $mypassword=mysqli_real_escape_string($con,$_POST['password']);

    $sql="SELECT username, password FROM admin WHERE username='".$myusername."' AND BINARY password='".$mypassword."' UNION SELECT username, password FROM superuser WHERE username='".$myusername."' AND BINARY password='".$mypassword."'";
    $check= mysqli_query($con,$sql) or die(mysqli_error($con));
    $row = mysqli_fetch_row($check); // NULL when no row matched

    if($row !== NULL && $row[0]!="" && $row[1] !="") //compare username and password to ones found in database
    {

         ## set logged_in to true
        $_SESSION['logged_in']= true;
         ## set username session
        $_SESSION['user'] = $row[0]; 

        // debugging output: dump the fetched row and the session contents
        var_dump($row);
        echo "<br>";
        var_dump($row[0]);
        echo "<br>";
        var_dump($row[1]);
        echo "<br>";
        var_dump($_SESSION['logged_in']);
        echo "<br>";
        var_dump($_SESSION['user']);
        echo "<br>";
        var_dump($_SESSION);
        echo "<br>";
        //header('location: table.php');
        exit();
    }
    else
    {
        $error="Your Login Name or Password is invalid";
        //echo "$error";
        //echo "<META http-equiv=' refresh' ;URL='index.php'>";
    }
}
```

and from this I got the following results on screen. Unfortunately everything checks out from what I can tell, no empty variables or sessions, unless I'm missing something, which is completely possible.

array(2) { [0]=> string(5) "Admin" [1]=> string(5) "Admin" } 
string(5) "Admin" 
string(5) "Admin" 
bool(true) 
string(5) "Admin" 
array(2) { ["logged_in"]=> bool(true) ["user"]=> string(5) "Admin" } 

Also @diafol, sorry if I'm using bad coding practices, or overall wrong code. I'm still learning about security in PHP and MySQL, which I have realized is a huge undertaking. If there are any articles or anything you can add to what you were talking about please let me know, I will happily accept any suggestions you make :)

This may be a dumb question, but do you have session_start() as the first line in every page you want protected?

Not a dumb question at all, and I did before, but now when I have that line in there it will go on through to the page, and when I take the line out it will check. Is there something else I have to use with session_start?

diafol:

With regard to password security: if you're using PHP 5.5.0+ then you can have a look at a class I posted in the snippets section. With regard to data binding, pritaeas posted a snippet on mysqli (as well as PDO).


Sorry, I don't mean to sound dumb, but where would the snippets section be? And can you give examples of PDO? I'm looking at it through a Google search but I don't really get how this works. Sorry, I apologize for my ignorance; like I said before, I'm still learning.

God, I am sorry I wasted your time, there was never an issue to begin with. This is working perfectly fine, although flawed in the security department as diafol pointed out; after further testing it is working fine. For some reason after I cleared my browsing cache in Chrome it then began working flawlessly. Not sure exactly what happened there, but I am happy now.

Also thank you diafol for linking me to such excellent password verification. My new project is securing my program even further now that I know I can easily make it much better. This has been an incredible learning experience, again thank you so much!

One more small question: do either of you know of a way to package XAMPP projects into executable files, preferably on Windows and Linux, as these are typical hosting environments for web based/network based solutions?

diafol:

Not sure if I understand you. You want to roll an entire project into an executable. Is that like creating a zip or gzipped tarball file, but making it self-extracting?

In Windows you can create an archive with something like 7-Zip and then make a self-extracting executable from it with IExpress. Simply type iexpress.exe in the run box to start it (native program, but well hidden!).

Not familiar with any similar native program with Linux. However, I don't really see the need to create an executable due to the way Windows treats zip files these days. If these executables are for your own use, OK, but if you're sharing these projects, I'd stay away from .exe files. I get nervous with .exe files I don't trust. Also, email carriers may refuse to transport them.

I understand what you mean diafol, I guess emailing an exe would seem a little strange nowadays, a zip would be more appropriate. But my problem is I wanted to make a self-extracting package that will extract and replace the entire htdocs folder in XAMPP. That's probably going to be the limit to what I can do, but essentially it'll be similar to an executable, where you will click it and it will extract like I mentioned earlier. I'd like to do this on Linux as well but I'll stick to Windows for now. And thank you gabrielcastillo, this may be sort of what I'm looking for; instead of being a stand-alone application (which I will definitely use later on for my next project) it'll still be web based so it'll run in the browser.

diafol:

What about an 'update' button in the local application that would fetch newer files from a server and overwrite / add.

Replacing files in a project may only be one part of an update. Database changes may be something else. We can update DBs with sql files of course, but that won't be done automatically just from a self-extractor. An update script could do this though.

I'm only suggesting this as I'm not really sure about the context of what you're trying to do.

That's pretty much what I'd like to accomplish. I'm deploying my software for a small call center. They are presented with numbers they are not allowed to call, but the files are huge (they range over 1 million numbers per file and there are normally 3 to 5 files), and they have old hardware that can take anywhere from 30 minutes to an hour to load these files in a text editor. They do load a LOT faster in LibreOffice, but that idea was shot down immediately and I got little explanation as to why, so that's the point of my program: to speed this up. The only thing is that if I potentially sold it to others I'd need a way for the user to set this up without me having to be there (automated setup), but I don't know much about batch scripting. It might be easier to write up a guide on how to install it, but I doubt many companies would like a setup like that. IDK, I'm really just coming up with this as I go lol

diafol:

Can't you store these in an online DB and allow the clients access to it?

You're providing a XAMPP environment for your client? Be careful with this as it's not production secure.
Is your client running this off a simple standalone pc or via internal network / webserver?
Are the numbers confidential? Should they be presented as cleartext?

The client I initially built this for is going to run it off an old dedicated PC and they will have access to it over the local network. The computer isn't even hooked to the net and no traffic aside from this will go to it. This is more of a cheap solution than anything, and no, the numbers aren't confidential, so it's not a big deal if they get leaked in some way.

I too was worried about providing them with this solution via XAMPP. Would it be easier to provide them with some online database so that the program can be internet/web based instead of in house?

How much harder would it be to set this up? Wouldn't I need to set up a domain of some kind and run the software that way?

You will need some sort of DNS, or you will have to edit the hosts file on each computer that will be accessing the XAMPP server. If not, then each computer will have to enter the IP address of the XAMPP server in the browser.

diafol:

You are aware obviously that web solutions have their limitations too, as do internal networks and standalone pc options.

  • You can instruct php to get email docs from imap/pop account.
  • You can unarchive files with php
  • You can move files with php

So if you are running XAMPP off a PC on the network, you could ask the admin to log in and run the update command (get email attachments (zip?), unzip to location).

On a Linux machine, you could even automate this using a cron job, so no need for the admin to do anything.

On Windows there's a similar function, I'm sure.

However, as you are using XAMPP, why not send one *.sql file and run a script to update the DB?
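An update script of the kind described above, written as an added example rather than code from this thread. The point it adds is the check a practitioner wants before running a file that arrived as an email attachment: the script refuses to execute the SQL unless the file's SHA-256 matches a value the admin received through a different channel than the file itself, and it records which files have already been applied so a re-run does nothing. The file location, the tracking table "schema_updates", the command-line argument carrying the expected hash, and the database settings (the XAMPP defaults from the original post) are all assumptions.

```php
<?php
// apply_update.php -- added example, not code from this thread.
// Applies a vendor-supplied SQL update to the local XAMPP database only after the
// file's SHA-256 matches a value delivered separately from the file (an attachment
// that can be replaced in transit must not be trusted on its own).
// File path, expected-hash source, tracking table and DB settings are assumptions.

define('UPDATE_FILE', __DIR__ . '/updates/update.sql');

function db_connect()
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions
    return new mysqli('localhost', 'root', '', 'numbers');
}

// Compare the file's hash with the expected one (constant-time where available).
function update_file_is_genuine($path, $expectedSha256)
{
    $actual = @hash_file('sha256', $path);
    if ($actual === false) {
        return false;                       // missing or unreadable file
    }
    $expected = strtolower(trim($expectedSha256));
    if (function_exists('hash_equals')) {   // PHP 5.6+
        return hash_equals($expected, $actual);
    }
    return $expected === $actual;
}

// Tracks applied update files so that running the script twice is a no-op.
function already_applied(mysqli $con, $sha256)
{
    $con->query('CREATE TABLE IF NOT EXISTS schema_updates (
                    sha256 CHAR(64) NOT NULL PRIMARY KEY,
                    applied_at DATETIME NOT NULL)');
    $stmt = $con->prepare('SELECT 1 FROM schema_updates WHERE sha256 = ?');
    $stmt->bind_param('s', $sha256);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Returns the number of statements executed (0 if the file was applied before).
function apply_update(mysqli $con, $path, $expectedSha256)
{
    if (!update_file_is_genuine($path, $expectedSha256)) {
        throw new RuntimeException('update file does not match the expected SHA-256; refusing to apply it');
    }
    $sha256 = strtolower(trim($expectedSha256));
    if (already_applied($con, $sha256)) {
        return 0;
    }
    $sql = file_get_contents($path);
    if (!$con->multi_query($sql)) {
        throw new RuntimeException('update failed: ' . $con->error);
    }
    // multi_query() only reports the first statement; walk every result so that an
    // error further down the script is raised instead of silently swallowed.
    $statements = 0;
    do {
        if ($result = $con->store_result()) {
            $result->free();
        }
        $statements++;
    } while ($con->more_results() && $con->next_result());

    $stmt = $con->prepare('INSERT INTO schema_updates (sha256, applied_at) VALUES (?, NOW())');
    $stmt->bind_param('s', $sha256);
    $stmt->execute();
    $stmt->close();
    return $statements;
}

// The expected hash is typed in by the admin (or read from a config written at
// install time); it is never taken from the same email as the attachment.
if (PHP_SAPI === 'cli') {
    if (!isset($argv[1]) || $argv[1] === '') {
        fwrite(STDERR, "usage: php apply_update.php <sha256-of-update.sql>\n");
        exit(1);
    }
    printf("%d statement(s) applied\n", apply_update(db_connect(), UPDATE_FILE, $argv[1]));
}
```

Two caveats on the design. MySQL auto-commits DDL, so a script that fails halfway leaves the database partly updated; the tracking row is only written after the whole file ran, which makes the failure visible on the next run rather than hidden. And the hash only proves the file is the one the sender intended; it does not limit what the SQL may do, so the same care applies as to any file executed as the database user.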

You could also try Composer: create a private repository and use a PHP/batch script to run the install or update process for your application. The only requirement for the clients is to have the Composer binary installed.

Read: https://getcomposer.org/doc/05-repositories.md#hosting-your-own

The same can be done with PEAR, but some of the management tools, such as Pirum, are no longer maintained in favour of Composer. It can also deal with private repositories on GitHub or Bitbucket.

diafol:

You should consider all possibilities here especially if you're going to roll out this "service" to more than one client. It needs to be scalable. I was so intrigued by your use-case and then by my own ramblings and half-thoughts that I created a class to extract attachments and to unzip archives to specified folders. I shall post this in the code snippets section soon, once I've documented it.

cereal's ideas bear serious consideration.

//EDIT here it is...

https://www.daniweb.com/web-development/php/code/486230/email-attachment-downloader-and-extract-archive-content-class#post2127442

This is perfect. I have also been looking into cereal's idea as well. Honestly either of these solutions will work for me, but I may end up looking into cereal's a bit more, I just need to read up mainly. My question diafol is: will I be able to use your code as a stand-alone application? Like maybe set it up and then package it using cereal's idea, so that I can include it to be able to set up this whole project instantly, basically like an installer but one that simply moves the files to the correct place.

Also I just wanted to mention that I truly appreciate everything you guys have done. This has been more informative than anything a college class could offer and I thank you for that. The internet is a great place to learn but can be meaningless without the proper guidance.

If there is anything I can do for you guys in the future please don't hesitate to PM me, I will be honored to assist!

diafol:

> My question diafol is: will I be able to use your code as a stand-alone application? Like maybe set it up and then package it using cereal's idea, so that I can include it to be able to set up this whole project instantly, basically like an installer but one that simply moves the files to the correct place.

I really wouldn't do that. This was meant as a quick update to an existing project. For example, you want to send a new telephone numbers file to replace an old one.

All you do is fire an email with an attachment and that's it.

If the customer has this class and client code already, as it's part of your "project" code that they're using, then it should be "reasonably ok". There's very little testing for robustness. No error or exception handling. So use with care. As I mentioned in a previous post, it can work automatically off a cron job (Linux, or the Windows equivalent) or it can be kicked off manually with something like a big bugger-off "Update Telephone File" button or something.

Understood, thanks for the heads-up. I was looking into that, but I was coming across many posts talking about how it's a security risk in the way I wanted to use it.
