PHP Login System with Admin Features

This forum was created to talk about the PHP Login System with admin features created by jpmaster77 on evolt's website


    HELP!!! Users can login with any password

    Share
    avatar
    madtail

    Number of posts : 3
    Registration date : 2010-02-14

    HELP!!! Users can login with any password

    Post  madtail on Sun Feb 14, 2010 2:18 pm

    Hi,
    My users can login with any password, if it's correct or not. It doesn't seem to check if the password is correct, but it does notice if the password field is empty. Sad I have checked the session.php, database.php and process.php and they look fine. I even restored them to their original, NOTHING WORKS!!!

    I am not sure when this problem started as I didn't try to login with wrong passwords.

    Please help
    avatar
    Linchpin311

    Number of posts : 220
    Age : 32
    Localisation : Long Island
    Registration date : 2007-05-14

    Re: HELP!!! Users can login with any password

    Post  Linchpin311 on Mon Feb 15, 2010 8:43 am

    wow, i can see how this can be a problem. lol.

    alright well, the script 99.9% of the time right out of the box as long as your database and constants are set up correctly. assuming they are, what kinda of modifications have you made to the script?


    _________________
    in the end, the universe tends to unfold as it should...

    Also note that it is your responsibility to die() if necessary.
    avatar
    madtail

    Number of posts : 3
    Registration date : 2010-02-14

    Re: HELP!!! Users can login with any password

    Post  madtail on Mon Feb 15, 2010 9:59 am

    I've added some new session variables but that's it, nothing major. It's like the database page doesn't exist but there are no errors being thrown at me. Apart from the session variables, Ive done nothing else to the script.

    The confirmUserPass() function doesn't seem to return any value. Its like it doesn't exist.

    Code:
    $result = $database->confirmUserPass($subuser, md5($subpass));

    I hope that's the right function...
    avatar
    Linchpin311

    Number of posts : 220
    Age : 32
    Localisation : Long Island
    Registration date : 2007-05-14

    Re: HELP!!! Users can login with any password

    Post  Linchpin311 on Mon Feb 15, 2010 7:27 pm

    well when the script works correctly, and a user enters a valid user name and password the function should return 0. this might be why it looks like there is no value returned in the function.

    i am curious if the function is indeed returning 0 and not some other value ...or no value at all. do you think you could change the values the function is suppose to return to a string. first, open up database.php and find the confirmUserPass function and replace it with the following:

    Code:
      function confirmUserPass($username, $password){
          /* Add slashes if necessary (for query) */
          if(!get_magic_quotes_gpc()) {
             $username = addslashes($username);
          }

          /* Verify that user is in database */
          $q = "SELECT password FROM ".TBL_USERS." WHERE username = '$username'";
          $result = mysql_query($q, $this->connection);
          if(!$result || (mysql_numrows($result) < 1)){
            return 'a'; //Indicates username failure
          }

          /* Retrieve password from result, strip slashes */
          $dbarray = mysql_fetch_array($result);
          $dbarray['password'] = stripslashes($dbarray['password']);
          $password = stripslashes($password);

          /* Validate that password is correct */
          if($password == $dbarray['password']){
            return 'c'; //Success! Username and password confirmed
          }
          else{
            return 'b'; //Indicates password failure
          }
      }

    then you would have to change the conditional in session.php to match the new values the function will return. just under $result = $database->confirmUserPass($subuser, md5($subpass)); look for where the script checks the error codes (originally on line 155) and replace it with this:

    Code:
          /* Check error codes */
          if($result == 'a'){
            $field = "user";
            $form->setError($field, "* Username not found");
          }
          else if($result == 'b'){
            $field = "pass";
            $form->setError($field, "* Invalid password");
          }
          else{
             $field = "user";
             $form->setError($field, "TRIGGERED ERROR:<BR><BR>result: $result<BR>username: $subuser<BR>password (no md5): $subpass<BR>password (md5): " . md5($subpass));
          }

    that last else statement should stop the script from executing regardless of what the function returned. it should also display a few clues as to whats happening here. when we get this all worked out well have to remove that little bit of code.

    try this and let me know what the script does now.


    _________________
    in the end, the universe tends to unfold as it should...

    Also note that it is your responsibility to die() if necessary.
    avatar
    madtail

    Number of posts : 3
    Registration date : 2010-02-14

    Re: HELP!!! Users can login with any password

    Post  madtail on Tue Feb 16, 2010 9:38 pm

    Works now Very Happy thanks
    avatar
    Linchpin311

    Number of posts : 220
    Age : 32
    Localisation : Long Island
    Registration date : 2007-05-14

    Re: HELP!!! Users can login with any password

    Post  Linchpin311 on Tue Feb 16, 2010 10:47 pm

    great, glad i could help!


    _________________
    in the end, the universe tends to unfold as it should...

    Also note that it is your responsibility to die() if necessary.

    Sponsored content

    Re: HELP!!! Users can login with any password

    Post  Sponsored content


      Current date/time is Mon Nov 20, 2017 9:34 am