Something wrong with this script? PHP

[StefanVonS]

For some reason the following script seems to loop no matter what is input. If I hit cancel, then it behaves as expected; however, inputting correct or incorrect information results in a brief pause before the user/pass prompt returns. I checked in IE, FF, & Safari with the same result.

Code: Select all

<?php // authenticate.php
require_once 'login.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database)
   or die("Unable to select database: " . mysql_error());

if (isset($_SERVER['PHP_AUTH_USER']) &&
   isset($_SERVER['PHP_AUTH_PW']))
{
   $un_temp = mysql_entities_fix_string($_SERVER['PHP_AUTH_USER']);
   $pw_temp = mysql_entities_fix_string($_SERVER['PHP_AUTH_PW']);

   $query = "SELECT * FROM users WHERE username='$un_temp'";
   $result = mysql_query($query);
   if (!$result) die("Database access failed: " . mysql_error());
   elseif (mysql_num_rows($result))
   {
      $row = mysql_fetch_row($result);
      $salt1 = "qm&h*";
      $salt2 = "pg!@";
      $token = md5("$salt1$pw_temp$salt2");

      if ($token == $row[3])
                    echo "$row[0] $row[1] :
         Hi $row[0], you are now logged in as '$row[2]'";

      else die("Invalid username/password combination");
   }
   else die("Invalid username/password combination");
}
else
{
   header('WWW-Authenticate: Basic realm="Restricted Section"');
   header('HTTP/1.0 401 Unauthorized');
   die ("Please enter your username and password");
}

function mysql_entities_fix_string($string)
{
   return htmlentities(mysql_fix_string($string));
}

function mysql_fix_string($string)
{
   if (get_magic_quotes_gpc()) $string = stripslashes($string);
   return mysql_real_escape_string($string);
}


?>


[Shining Arcanine]

Assuming that it is looping, have you tried modifying the script with things like echo "probe 1" to see what sections are executing, what sections are looping and what sections are not executing? Perhaps it is something in login.php, as I see no loops in that script.

[StefanVonS]

I may have figured out the problem. Tell me if I'm right or wrong here. It appears this only works on an apache server and I get back CGI/FAST CGI back from phpinfo(). Could this be the problem?

[morphine]

Can we take a look at login.php? I don't see anything inherently wrong with your script as well.

As for your CGI question, per the PHP manual:

The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version.

I did find something odd: it appears that you're double-checking the user/pw through mysql *after* they authenticated? Isn't it redundant, or am I missing something?

[balzi]

I did find something odd: it appears that you're double-checking the user/pw through mysql *after* they authenticated? Isn't it redundant, or am I missing something?

perhaps $db_username and $db_password are a fixed set (maybe root and ??? ) that will let the script access mysql to check the username and pwd provided by the browsing person?

of course, its still simpler to just try and login with the user provided user/pwd pair.. could be an even more obtuse table permission thing that Stefan is trying to get around.

[Shining Arcanine]

Can we take a look at login.php? I don't see anything inherently wrong with your script as well.

As for your CGI question, per the PHP manual:

The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version.

I did find something odd: it appears that you're double-checking the user/pw through mysql *after* they authenticated? Isn't it redundant, or am I missing something?

http://en.wikipedia.org/wiki/Basic_acce ... entication

Programmers need to write their own authentication mechanisms to verify that the HTTP authorization information is correct. PHP has no way of knowing how to do that for them.

Unfortunately, I think that the way that this script is implemented would mean that an incorrect username and password would force a user to start a new session before he could try again. It would be better to use the same code for the unset state and the invalid username/password states.

[morphine]

Programmers need to write their own authentication mechanisms to verify that the HTTP authorization information is correct. PHP has no way of knowing how to do that for them.

That's not correct. You can have a bog-standard HTTP authentication set on a directory, and PHP scripts inside that directory that can read the set username/password after the user has authenticated via plain HTTP auth. That's what the PHP_AUTH_USER and PHP_AUTH_PW server variables are for.

Having said that, it appears that I misread the script, as its intent seems to be doing the HTTP auth itself, and not just checking if it's already been done via other means.

[StefanVonS]

I'm posting the login.php page. For obvious security reasons, some data is redacted and will be show as # signs.

Code: Select all

        <?php //login.php
        $db_hostname = '###.178.146.##';
        $db_database = 'publications';
        $db_username = '########';
        $db_password = '#########';
        ?>


I'm fairly certain there is nothing wrong here as I have other SQL scripts, including one that writes user names and passwords, that work properly.

[morphine]

Several things you want to check/change:

- "SELECT *" is bad, bad mojo, because when you change your database schema and add or remove a field, you're going to end up with more or less columns in your result row, some of them probably useless and just wasting memory. Always do your SELECTs specifying exactly which fields you want.
- Also, I noticed that you're using numerical indexes for fetching rows with MySQL. Also not ideal because you have to remember and work with row indexes. Instead use mysql_fetch_assoc() instead of mysql_fetch_row() so that you're returned an associative array with the column names. Example:

Code: Select all

$result= mysql_query("SELECT user_id FROM users WHERE password='awesome'");
$row = mysql_fetch_assoc($result);
echo "Your password is correct, your user ID is: $row[user_id]";

- You should use the mysqli_* functions instead of the regular mysql_* functions. The mysqli functions are the new versions, and they'll eventually replace the old ones.
- Even better, you should use a database abstraction class like PDO or ADODB. But keep it simple for now, you can change this later.

[StefanVonS]

Are the new mysqli commands version dependent? Using version 5. Thanks for the assoc command, hadn't learned that one yet.

[morphine]

Are the new mysqli commands version dependent? Using version 5. Thanks for the assoc command, hadn't learned that one yet.

Yeah, but they're available in version 5.0.x at earliest, and I think even back on 4.3. It shouldn't be a concern, it's not cutting-edge stuff.

[StefanVonS]

I was able to work around the problem by using forms rather than HTTP authentication.

Code: Select all

<?php // authenticate.php
require_once 'login.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database)
   or die("Unable to select database: " . mysql_error());

if (isset($_POST['user']) && isset($_POST['pass']))
{

    $un_temp = mysql_entities_fix_string($_POST['user']);
   $pw_temp = mysql_entities_fix_string($_POST['pass']);

   $query = "SELECT * FROM users WHERE username='$un_temp'";
   $result = mysql_query($query);
   if (!$result) die("Database access failed: " . mysql_error());
   elseif (mysql_num_rows($result))
   {
      $row = mysql_fetch_row($result);
      $salt1 = "qm&h*";
      $salt2 = "pg!@";
      $token = md5("$salt1$pw_temp$salt2");
         
      if ($token == $row[3])
                    echo "$row[0] $row[1] :
         Hi $row[0], you are now logged in as '$row[2]'";

      else die("Invalid username/password combination");
   }
   else die("Invalid username/password combination");
}
else
{
   echo <<<_END
    <form method="post" action="authenticate.php"><pre>
    Username: <input type="text" name="user" />
    Password: <input type="text" name="pass" />
    <input type="submit" />
    </pre>
    </form>
_END;
}

function mysql_entities_fix_string($string)
{
   return htmlentities(mysql_fix_string($string));
}

function mysql_fix_string($string)
{
   if (get_magic_quotes_gpc()) $string = stripslashes($string);
   return mysql_real_escape_string($string);
}


?>