[Jheroll]

Hi, There a problem with my login code. When you enter the correct username and password your supposed to be directed to a new page. It was working before but for some reasons which I cant debug, It doesnt now.

here is the code for index.php

<?php	session_start();

require_once 'functions\\cleaners.php';
require_once "functions\PRIMI_login.php";

define ( 'LOGOUT_LOC','logout.php' );
define ( 'MENU','users/index.php' );

if (isset($_POST['ace_username'])){
	$_POST['ace_username'] = clean_username($_POST['ace_username']);
}

if (isset($_POST['ace_password'])){
	$_POST['ace_password'] = clean_password($_POST['ace_password']);
	
}

if ( isset($_POST['ace_password']) && isset($_POST['ace_username']) ){
	if (login ( $_POST['ace_username'], $_POST['ace_password'])){
		header( 'Location: users/index.php' );
	}
}

?>

<!DOCTYPE html>
<html>
<head>

<script type="text/javascript" src="javascripts/jquery_1_8_3.js"></script>

<script>
function validateForm( form ){

	if ( 	form.ace_username.value == '' || 
			form.ace_password.value == '' ){
		
		document.getElementById("login_message").innerHTML = "Pakikumpleto!";
	}	
	else {
	
		document.getElementById("login_message").innerHTML = "";
		document.login_f1.submit();
	}
}

function pasuser( form ) {
	validateForm( form );
}
</script>

<script type="text/javascript" language="javascript">
    function convertEnterToTab() {
      if(event.keyCode==13) {
	     pasuser( form );
         event.keyCode = 9;
      }
    }
    document.onkeydown = convertEnterToTab;    
</script>

<link rel="stylesheet" type="text/css" href="styles/front_page.css">
<script type="text/javascript" src="javascripts/gui.js"></script>
<link rel="stylesheet" type="text/css" href="styles/modal.css">

</head>

<body>

<div>
	<div class='header'>
		<?php 
		if ( isset($_SESSION['person']['username']) ){ 
			?>
			<span class='con_login'>
			<a href='<?php echo MENU; ?>' class='r_font'>Menu&nbsp;</a>
			<img src='line.png' style='height:15px;'/>
			<a class='activate_modal r_font' name='login_form' href="#" style='text-decoration: none'>&nbsp;Logout</a>
		
			<div id='mask' class='close_modal'></div> 
			<div id='login_form' class='modal_window'>
				<center>
				  <form method='post' action='<?php echo LOGOUT_LOC; ?>' >
					<center>
						<tr><td>Are you sure?</td></tr>
					</center>
						<tr>
						<td><input style="float:right; margin-right:40px; margin-top:20px; height:24px; width:60px;" name="yes" type="submit" value="Yes"/></td>
					</form>
						<td><input style="float:right;  margin-top:20px; margin-right:4px; height:24px; width:60px;" name="no" type="submit" value="No" class="close_modal"/></td>
						</tr>
					</center>
			</div>
			</span>
			
			<span><?php echo $_SESSION['person']['username']?></span>
			<?php
		}else{
			?>
			<span class='con_login'>
				<a class='activate_modal s_font' name='login_form' href='#' style='text-decoration: none' >Login</a>
				<div id='mask' class='close_modal'></div>
				<div id='login_form' class='modal_window'>
				
					<img src='x.png' class='btn1_close close_modal'/>
					<img src='ace.jpg' style='height:60px; margin-left:95px;'/>	 
			
					<div><form action="<?php echo $_SERVER['PHP_SELF']; ?>" name='login_f1' method='post' >
						<div><label for="ace_username" ><span id="login_username_label" >Username:</span></label><input class='add' name='ace_username' id='ace_username' type='text' placeholder='Type here'/></div>
						<div><label for="ace_password" ><span id="login_password_label" >Password:</span></label><input class='add' name='ace_password' id="ace_password" type='password' placeholder='Type here'/></div>
						<div>
							<input size="20" name="submit_login" style='margin-left:80px; margin-top:20px; height:26px; width:60px;' type='button' onclick="pasuser( form )" value='Login'/>
							<input size="20" style='margin-top:20px; height:26px; width:60px;' type='Reset'/>
						</div>
					</form></div>
					<center><div id="login_message" style='margin-top:20px'></div></center>
				</div>
			</span><?php
		}
	?></div>
	
	<div class='welcome_banner'><center><h1>Welcome Visitors</h1></center>
	</div>
	<div class='welcome_banner'><center><h1>Place active links for visitors here.</h1></center>
	
<?php

	echo sha1('v');
	
	//$salt = '$2a$';
	//echo crypt('halo9665', $salt);
?>
</div>
</div>
</body>
</html>		

here is the code for the login

<?php
define('PEOPLE_DB','people');

require_once 'DBconnect.php';

function initialize_user ( $user_id ){
	session_unset();
	
	$_SESSION['person']['id'] = $user_id;

// query to get user data
	
	$link = primi_connect_mysql();
	mysql_select_db( PEOPLE_DB , $link );
	
	$input_query = ' SELECT users_account.USERNAME AS username , ';
	$input_query.= 		  ' users_account.ACCESS_RIGHT AS access , ';
	$input_query.= 		  ' users_summary.FIRSTNAME AS first_name , ';
	$input_query.=		  ' users_summary.LASTNAME AS last_name , ';
	$input_query.=		  ' users_summary.MIDDLENAME AS middle_name ';
	$input_query.= ' FROM   users_account , users_summary , access_right ';
	$input_query.= ' WHERE  users_summary.ID = users_account.USERS_SUMMARY AND ';
	$input_query.= 		  ' users_account.ACCESS_RIGHT = access_right.id   AND '; 
	$input_query.= 		  ' users_account.ID = "'.$user_id.'" 			   AND ';
	$input_query.= 		  ' users_account.SUSPENDED = "0" ; ';
	
	$query = mysql_query ( $input_query, $link);
	
// if error in query return error message
	if ( $query == null ){
		return 'Error: Can\'t execute query.';
	}
	
	$num_row = mysql_num_rows ( $query );
	
	if ($num_row < 1){
		return 'Error: User was not found, no longer exist, suspended or the access right was revoked.';
	}
	else if ($num_row > 1) {
		return 'Error: Invalid user. Please contact your system administrator.';
	}
	
// load into sessions;
	
	$row = mysql_fetch_array( $query );
	
	$_SESSION['person'] = $row;
	
// query access rights

	$input_query = ' SELECT * FROM access_right WHERE ID =  "'.$_SESSION['person']['access'].'" ; '; 
	$query = mysql_query ( $input_query , $link );
	
	$row = mysql_fetch_assoc( $query );
	$_SESSION['access'] = $row;
	
}

function login( $user, $password ){
	
	$link = primi_connect_mysql();
	mysql_select_db( PEOPLE_DB );
	
	echo $password;
	
	$password = sha1($password);
	
	echo $password;
	
	$query = mysql_query("	SELECT ID
							FROM users_account
							WHERE USERNAME = '$user'
								AND PASSWORD = '$password';	") or die( mysql_error() );
								
	$total = mysql_num_rows( $query );
		
	if ($total == 1){
		$user_id = mysql_fetch_row ( $query );
		echo initialize_user ($user_id[0]);
		return True;
	}
	else {
		return False;
	}
	
}

?>

can anyone review my code and direct me to the cause of the problem ... Thanks in advance

[NathanMullenax]

It might be some stray mark making it into one of your includes. A redirect header has to come before anything else. When you load the page in a browser and view source do you see any spaces at the before your DTD? Since the re-direct is actually part of the HTTP protocol rather than HTML, it has to come before a page sends any data.

PHP allows you to omit the end tag if your whole file is in PHP--this helps prevent this sort of problem. You could probably do that in your include files. This is really just a guess. Hope it helps.

[codeprada]

Hey, when you say it's not working now what do you mean? Is it a blank page or it does not redirect as expected? Do you see any output from your echo statements on the page?

You should also separate your PHP from your HTML. For instance your login code could be in 'login_process.php' and the HTML within a regular HTML file. This method of separation will make your code a lot easier to follow and debug.

I'm not sure what your clean_username and clean_password do but you should be very careful when filtering these things. An experienced hacker does not have to use quotes to inject code into your SQL queries. There are many ways of encoding data so that only the database will interpret them. I would suggest you consider using either PDO or MySQLi. These APIs offer prepared statements which will combat this issue.

When applying a hash to your password be sure to use a SALT. There are many hash lookup tables where you can find the plain text for hashes.

[macosxnerd101]

When debugging, always use log or print the result of the mysql_error() function so you can see if there is a SQL Problem.

[andrewsw]

Quote

It was working before but for some reasons which I cant debug, It doesnt now.

What has changed? It is extremely unlikely to just stop working (assuming it was working 100% before) unless something has changed. It may even be a change made on the server, such as a new version of PHP.

[DaneAU]

As mentined by there is more than likely going to be an error very early on within this script.

require_once 'functions\\cleaners.php';

I would be very surprised if it made it past the 2nd line of code without error.