TalkPHP
Home Forums Articles Glossary Awards Register Rules Members Search Today's Posts Mark Forums Read
 
 
 
Account Login
Latest Articles
» The basic usage of PHPTAL, a XML/XHTML template library for PHP
by awuehr on 11-10-2008 in Tips & Tricks
» Vulnerable methods and the areas they are commonly trusted in.
by Village Idiot on 11-04-2008 in Classes & Objects
» Simple way to protect a form from bot
by codefreek on 10-23-2008 in Basic
» The Basics On: How Session Stealing Works
by wiifanatic on 09-12-2008 in Security & Permissions
» How to keep your forms from double posting data
by drewbee on 07-03-2008 in Tips & Tricks
IRC Channel
IRC Speech Bubble Join the friendly bunch on IRC...
(#TalkPHP on Freenode)

...Also available via a web interface.

See this thread for information on the TalkPHP Free Hugs Initiative™. Subject to availability.
Associates
Associates
CSS Tutorials
TalkPHP > Developer Forums > General » && and || are mixed up ?? :S
Reply
 
LinkBack Thread Tools Search this Thread Display Modes
Old 05-19-2010, 05:41 PM   #1 (permalink)
bajingo
 
skibbli's Avatar
 
Join Date: Feb 2010
Posts: 11
Thanks: 2
skibbli is on a distinguished road
Bug && and || are mixed up ?? :S
PHP Code:
if ($_SERVER['PHP_AUTH_USER'] !== "username" && $_SERVER['PHP_AUTH_PW'] !== "password") {
    header('WWW-Authenticate: Basic realm="login"');
    header('HTTP/1.0 401 Unauthorized');
    echo '<h2>Unauthorized!</h2>';
    exit;
}
echo "you are now authenticated."
the above code makes sense doesn't it? it really should work.

but upon further testing with that code above i have come to the conclusion that it will instead of requiring BOTH the username and password. it will only require one or the other...

HOWEVER, using "||" instead of "&&" will cause it to work the way i had originally intended it to work (requiring both fields to match using "&&" instead of one or the other)

PHP Code:
if ($_SERVER['PHP_AUTH_USER'] !== "username" || $_SERVER['PHP_AUTH_PW'] !== "password") {
    header('WWW-Authenticate: Basic realm="login"');
    header('HTTP/1.0 401 Unauthorized');
    echo '<h2>Unauthorized!</h2>';
    exit;
}
echo "you are now authenticated."
can anyone tell me why this may be?
could i have a small error in my code?
__________________
"Stealing! How could you? Haven't you learned anything from that guy who gives sermons at church? Captain what's-his-name?"
skibbli is offline   		Reply With Quote
Old 05-19-2010, 09:38 PM   #2 (permalink)
Moderateur
RegEx Guru PHP Guru Top Contributor Advanced Programmer 
 
Salathe's Avatar
 
Join Date: Apr 2007
Posts: 1,393
Thanks: 5
Salathe is on a distinguished road
Default
Consider the cases:

Code:
$_SERVER['PHP_AUTH_USER'] !== "username" && $_SERVER['PHP_AUTH_PW'] !== "password"
-----
Username valid,   password invalid: FALSE && TRUE   gives  Authenticated
Username invalid, password valid:   TRUE  && FALSE  gives  Authenticated
Username valid,   password valid:   FALSE && FALSE  gives  Unauthorized!
Username invalid, password invalid: TRUE  && TRUE   gives  Unauthorized!


$_SERVER['PHP_AUTH_USER'] !== "username" || $_SERVER['PHP_AUTH_PW'] !== "password"
-----
Username valid,   password invalid: FALSE || TRUE   gives  Unauthorized!
Username invalid, password valid:   TRUE  || FALSE  gives  Unauthorized!
Username valid,   password valid:   FALSE || FALSE  gives  Authenticated
Username invalid, password invalid: TRUE  || TRUE   gives  Unauthorized!
A perhaps clear option is to have the condition being not (username valid and password valid)...

PHP Code:
if ( ! ($_SERVER['PHP_AUTH_USER'] === "username" && $_SERVER['PHP_AUTH_PW'] === "password")) { 
Salathe is offline   		Reply With Quote
The Following User Says Thank You to Salathe For This Useful Post:
skibbli (05-20-2010)
Old 05-22-2010, 02:19 PM   #3 (permalink)
The Wanderer
 
Join Date: May 2010
Posts: 19
Thanks: 1
core1024 is on a distinguished road
Default
Hello, skibbly!
The mistake here is that you thought "if username is wrong and password is wrong" instead of "either username or password is wrong" or even "if not username and password are correct". The logic is like in math - first multiply then add. Consider "true" as non-zero, "false" as zero, "not" or exclamation mark means reverse, "and" means multiply, "or" means add. So if in this case you've go wrong username (false/zero) and correct password (true/non-zero) - zero * non-zero equals zero i.e. you pass. In this case the only way to get non-zero is to have two non-zero values. When you add is something different - it is enough to have only one non-zero to get non-zero. I hope you get it ;)
core1024 is offline   		Reply With Quote
Reply

« Previous Thread | Next Thread »


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

Similar Threads
Thread Thread Starter Forum Replies Last Post
Mixed Mod_Rewrite with non trs21219 Advanced PHP Programming 5 01-15-2008 02:15 PM


All times are GMT. The time now is 12:42 AM.

 
     
Contact Us - TalkPHP - PHP Community - Archive - Top

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Inactive Reminders By Icora Web Design