Hi,
After a long time not playing with it I have picked up my website project and been fiddling with it to try and get it to work the way I want.
I am now trying to make an automatic login by using cookies, using the existing script, which was session and user based. For this project the security issue presented by using cookies isn’t important.
So…
<?php
// access.php
session_start(); ?>
<?php
if (!dbcnx)
{
    include_once 'dbcnx.php';
}
else
{
    include_once './security/dbcnx.php';
}
// Logged in function
function loggedIn()
{
    return isset($_SESSION['authorized']);
}
//Process login attempt
if (isset($_COOKIE['ablueman'])){
    if($_COOKIE ['ablueman'] != ""){
        $usrpass = $_COOKIE['ablueman'];
        $usrpass = explode(",", $usrpass);
        $cusername = $usrpass[0];
        $cupassword = $usrpass[1];
    }
}
if (isset($_POST['username']) || isset($cusername) ) {
    $username = isset($_POST['username']) ? $_POST['username'] : $_SESSION['username'] ;
    $upassword = isset($_POST['upassword']) ? $_POST['upassword'] : $_SESSION['upassword'] ;
    // SELECT statement -----------FIRST ATTEMPT ------- No PASSWORD or MD5
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$upassword'";
    $result = mysql_query($sql);
    while ($results = mysql_fetch_array($result))
    {
        $uid = $results['uid'];
        $username = $results['username'];
        $ulevel = $results['ulevel'];
    }
    // SELECT statement ------------SECOND ATTEMPT ------- PASSWORD and MD5
    if (mysql_num_rows($result) == 0) {
        $upassword = md5 ($upassword);
        $sql = "SELECT * FROM users WHERE username = '$username' AND upassword = PASSWORD('$upassword')";
        $result = mysql_query ($sql);
        while ($results = mysql_fetch_array($result))
        {
            $uid = $results['uid'];
            $username = $results['username'];
            $ulevel = $results['ulevel'];
        }
        // SELECT statement ------------SECOND ATTEMPT ------- PASSWORD and MD5 - COOKIE
        if (mysql_num_rows($result) == 0) {
            $username = $cusername;
            $upassword = md5 ($cupassword);
            $sql = "SELECT * FROM users WHERE username = '$username' AND upassword = PASSWORD('$upassword')";
            $result = mysql_query ($sql);
            while ($results = mysql_fetch_array($result))
            {
                $uid = $results['uid'];
                $username = $results['username'];
                $ulevel = $results['ulevel'];
            }
            echo $username;
            echo MD5($upassword);
        }
    }
    if (mysql_num_rows($result) == 0)
    {
        unset($_SESSION['username']);
        unset($_SESSION['upassword']);
        echo "What we are dealing with here is a failure to communicate.(Unset Usr/Pass)";
    }
    // Session variables to add once logged in.
    if (mysql_num_rows($result) != 0 )
    {
        $_SESSION['authorized'] = TRUE;
        $_SESSION['uid'] = $uid;
        $_SESSION['username'] = $username;
        $_SESSION['ulevel'] = $ulevel;
        $cookie = array($_SESSION['username'], md5($upassword), 'MD5');
        $usrpass = implode(",", $cookie);
        //echo $comma_separated; // username, password, md5
        // Empty string when using an empty array:
        //var_dump(implode('Hello', array())); // string(0) ""
        setcookie("ablueman", $usrpass , time() + 31536000);
    }
}
// Process logout
if (isset($_REQUEST['logout']))
{
    unset($_SESSION['authorized']);
    unset($_SESSION['uid']);
    unset($_SESSION['username']);
    unset($_SESSION['ulevel']);
}
?>
The problem I am getting is that the cookie is correctly storing the details, so I get the correct username and md5(password) echoing, but it doesn’t find it in the SQL database. I presume I’m either presenting the md5 password wrong or requesting it incorrectly. Can someone give me a pointer? This was an authentication script from Kevin Yank’s book many, many moons ago.
Thanks in advance.
Andy