Old 03-22-2010, 05:33 PM   #1 (permalink)
Peuplarchie
Help Login script, session password issue..

Good day to you all,
I'm working on a flat file database login script.

I have noticed that once the user has input his/her username in the field, whatever he/she puts as the password, as long as they put something in the field, matching or not, they are in.

I'm sure I'm doing something wrong.

Don't worry, I hide my flat file behind an htpasswd file.

Here is my code:


PHP Code:

<?php
//sessions must be initialized prior to any output if output buffering is off
session_start();

//the list of files containing passwords
$files = array(
    "../../MurSec/FSC/memmob.txt",
    "../../MurSec/FSC/memmob.txt",
    "../../MurSec/FSC/memmob.txt"
);

//if list of users not set create a new array
if(!isset($_SESSION['users']))
    $_SESSION['users'] = array();

if(isset($_POST['username']) && isset($_POST['password'])){

    //need to remove slashes from POST if magic_quotes are on
    if(get_magic_quotes_gpc()){
        $_POST['username'] = stripslashes($_POST['username']);
        $_POST['password'] = stripslashes($_POST['password']);
    }

    $userFound = false; //we need this to exit the loops

    foreach($files as $file){ //loop every file in the $files array
        if($fh = fopen($file, "r")){
            while(!feof($fh) && !$userFound){ //while not the end of the current file or the user was not found
                list($username, $password, $url) = explode(",", fgets($fh,1024));

                if(($username == $_POST['username']) && ($password = $_POST['password'])){
                    $_SESSION['username'] = $username;
                    $_SESSION['present'] = true;
                    $_SESSION['legal'] = true;
                    $_SESSION['profile'] = $username.".txt";
                    array_push($_SESSION['users'], $username); //add the current user to the list of users
                    header("Location: ".$url);
                    $userFound = true; //confirm that the user was found

                    // other session and log action
                }
            }

            fclose($fh);

            //we need to use break to exit the foreach loop if the user is found in one of the files
            if($userFound)
                break;
        } else
            echo "Unable to open a required password file: $file";
    }
    if(!$userFound)
        login('Wrong username or password.<br />');
} else {
    login();
}
?>
<?php

function login($response='Bienvenue, invit&eacute;(e) !') {
?>

<html>
<head>
</head>
<body>

<fieldset style="background-color:#cccccc;">
  <legend><?=$response?></legend>
<form action="" method="post">
        <label for="nom">Membre :</label><input name="username" type="text" /><br>
        <label for="nom">Passe :</label><input name="password" type="password"><br>
        <br><center><input type="submit" value="Valider" /><br/></center>
</form>
</fieldset>

</body>
</html>

<?php } ?>

Thanks !
__________________
That's why we are not alone on earth... let's build !
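
The behaviour described in the post matches a single `=` in the password test, which assigns the submitted value instead of comparing it. As an added example (not part of the original post), the code below puts that check beside a hypothetical replacement, `find_login()`, which assumes the password column of the flat file holds a bcrypt hash from `password_hash()`; the records and function names are constructed for illustration.

```php
<?php
// Constructed sample records in the post's "username,password,url" layout.
// Assumption: the password column holds a bcrypt hash from password_hash()
// rather than the plaintext value the posted code compares against.
// Bcrypt is chosen because its hash string contains no commas.
$records = array(
    "alice," . password_hash("correct horse", PASSWORD_BCRYPT) . ",/members/alice.php\n",
    "bob," . password_hash("hunter2", PASSWORD_BCRYPT) . ",/members/bob.php\n",
);

// The check as posted: the single "=" assigns the submitted password to the
// stored-password variable, and the result of an assignment is the assigned
// value, so any non-empty input (other than "0") is truthy.
function posted_check($stored_user, $stored_pass, $user, $pass) {
    return ($stored_user == $user) && ($stored_pass = $pass);
}

// Hypothetical replacement: returns the redirect URL on success, null otherwise.
function find_login(array $records, $user, $pass) {
    if (!is_string($user) || !is_string($pass)) {
        return null; // rejects array input such as username[]=x
    }
    foreach ($records as $line) {
        // Strip the newline fgets() leaves on each line, then split into
        // exactly three fields so commas inside the URL survive.
        $fields = explode(",", rtrim($line, "\r\n"), 3);
        if (count($fields) !== 3) {
            continue; // skip blank or malformed lines
        }
        list($stored_user, $stored_hash, $url) = $fields;
        if ($stored_user === $user) {
            // password_verify() re-hashes the input and compares in constant time.
            return password_verify($pass, $stored_hash) ? $url : null;
        }
    }
    return null;
}

// Wrong password against the posted check, then against the replacement,
// then the right password against the replacement.
var_dump(posted_check("alice", "secret", "alice", "anything"));
var_dump(find_login($records, "alice", "anything"));
var_dump(find_login($records, "alice", "correct horse"));
```

In a real login handler, call `session_regenerate_id(true)` after a successful match and `exit` immediately after sending the `Location` header so the rest of the script does not run.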