NEed help asap with PHP

[reinoreiska]

Hi, i'am trying to make a login script without mysql and i am using this code on the security.php file that i found on this site.
<?php
session_start();

$user["admin1"] = "password";
$user["admin2"] = "password";
$user["admin3"] = "password";

if (!isset($_SESSION['logged_in']))
{
echo '<h1>Login</h1>';
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
if (empty($_POST['username']) || empty($_POST['password']))
{
echo '<span style="color:red; font-weight: bold">Please fill in all fields!</span>';
}
elseif ($user[$_POST['username']] != $_POST['password'])
{
echo '<span style="color:red; font-weight: bold">Your username/password is wrong!</span>';
}
else
{
header("Refresh: 1");
$_SESSION['ingelogd'] = true;
echo '<span style="color:green; font-weight: bold">You are now logged in!</span>';
}
}
else
{
exit('You need to log-in to view this page.<br /><br />
<form method="POST" action=""><p>
Username:<br />
<input type="text" name="username" /><br /><br />
Password:<br />
<input type="password" name="password" /><br /><br />
<input type="submit" value="Login" /> <input type="reset" value="Empty fields" />
</form>');
}
}
?>

but everytime i log in with wrong account details it still lets me to view the contet, so how do i fix it ?

 

[Ecko]

elseif ($user[$_POST['username']] != $_POST['password'])

Um...

 

[reinoreiska]

elseif ($user[$_POST['username']] != $_POST['password'])

Um...

sorry umm ? i'am completely noob when it comes to php
 

elseif ($user[$_POST['username']] != $_POST['password'])

Um...

please help

 

[Ecko]

Your script allows for login if following two conditions are met:

User/pass fields are not empty
Username is the same as the password

If this is where you are storing admin information:

$user["admin1"] = "password";

Then change:

elseif ($user[$_POST['username']] != $_POST['password'])

To:

elseif ($user["admin1"] != $_POST['password'])

In my opinion it is better if you store admins in an array:

$VALID_USERS = array(
        'devbest' => 'demo123',
        'ecko' => 'adminpass',
    );

Then check password and set cookie:

  if($act == 'login' && $_POST['form_sent'] == '1'){
        $user = stripslashes(trim($_POST['login_user']));
        $pass = stripslashes(trim($_POST['login_pass']));
        foreach($VALID_USERS as $u => $p){
            if(strtolower($u) == strtolower($user) && strtolower($p) == strtolower($pass)){
                setcookie('security', serialize(array($u, $p)), time() + 31536000, '/', '', 0);
                header('Location: security.php');
                exit;
            }
        }
        message('Invalid username or password', 'Login Error');
    }elseif($act == 'logout'){
        setcookie('security', serialize(array('', '')), time() - 1, '/', '', 0);
        header('Location: security.php');
        exit;
    }

Then you can just check cookie to see if they are logged in.

 

[reinoreiska]

Your script allows for login if following two conditions are met:

User/pass fields are not empty
Username is the same as the password

If this is where you are storing admin information:

$user["admin1"] = "password";

Then change:

elseif ($user[$_POST['username']] != $_POST['password'])

To:

elseif ($user["admin1"] != $_POST['password'])

In my opinion it is better if you store admins in an array:

$VALID_USERS = array(
        'devbest' => 'demo123',
        'ecko' => 'adminpass',
    );

Then check password and set cookie:

  if($act == 'login' && $_POST['form_sent'] == '1'){
        $user = stripslashes(trim($_POST['login_user']));
        $pass = stripslashes(trim($_POST['login_pass']));
        foreach($VALID_USERS as $u => $p){
            if(strtolower($u) == strtolower($user) && strtolower($p) == strtolower($pass)){
                setcookie('security', serialize(array($u, $p)), time() + 31536000, '/', '', 0);
                header('Location: security.php');
                exit;
            }
        }
        message('Invalid username or password', 'Login Error');
    }elseif($act == 'logout'){
        setcookie('security', serialize(array('', '')), time() - 1, '/', '', 0);
        header('Location: security.php');
        exit;
    }

Then you can just check cookie to see if they are logged in.

Thank you alot, yet i still don't know where cookie thing, as i said i'am i complete newbie when it comes to php.
 

Your script allows for login if following two conditions are met:

User/pass fields are not empty
Username is the same as the password

If this is where you are storing admin information:

$user["admin1"] = "password";

Then change:

elseif ($user[$_POST['username']] != $_POST['password'])

To:

elseif ($user["admin1"] != $_POST['password'])

In my opinion it is better if you store admins in an array:

$VALID_USERS = array(
        'devbest' => 'demo123',
        'ecko' => 'adminpass',
    );

Then check password and set cookie:

  if($act == 'login' && $_POST['form_sent'] == '1'){
        $user = stripslashes(trim($_POST['login_user']));
        $pass = stripslashes(trim($_POST['login_pass']));
        foreach($VALID_USERS as $u => $p){
            if(strtolower($u) == strtolower($user) && strtolower($p) == strtolower($pass)){
                setcookie('security', serialize(array($u, $p)), time() + 31536000, '/', '', 0);
                header('Location: security.php');
                exit;
            }
        }
        message('Invalid username or password', 'Login Error');
    }elseif($act == 'logout'){
        setcookie('security', serialize(array('', '')), time() - 1, '/', '', 0);
        header('Location: security.php');
        exit;
    }

Then you can just check cookie to see if they are logged in.

please, i really dont't understand this "sigh" :/

 

[BIOS]

Your script allows for login if following two conditions are met:

User/pass fields are not empty
Username is the same as the password

If this is where you are storing admin information:

$user["admin1"] = "password";

Then change:

elseif ($user[$_POST['username']] != $_POST['password'])

To:

elseif ($user["admin1"] != $_POST['password'])

In my opinion it is better if you store admins in an array:

$VALID_USERS = array(
        'devbest' => 'demo123',
        'ecko' => 'adminpass',
    );

Then check password and set cookie:

  if($act == 'login' && $_POST['form_sent'] == '1'){
        $user = stripslashes(trim($_POST['login_user']));
        $pass = stripslashes(trim($_POST['login_pass']));
        foreach($VALID_USERS as $u => $p){
            if(strtolower($u) == strtolower($user) && strtolower($p) == strtolower($pass)){
                setcookie('security', serialize(array($u, $p)), time() + 31536000, '/', '', 0);
                header('Location: security.php');
                exit;
            }
        }
        message('Invalid username or password', 'Login Error');
    }elseif($act == 'logout'){
        setcookie('security', serialize(array('', '')), time() - 1, '/', '', 0);
        header('Location: security.php');
        exit;
    }

Then you can just check cookie to see if they are logged in.

Please don't rely on cookies to define layers of authentication, cookies are stored on the client side meaning anyone could gain access to your "secure" area.

Use sessions instead since they're stored on the server and cannot be directly modified by the user unlike cookies.

 

[reinoreiska]

Please don't rely on cookies to define layers of authentication, cookies are stored on the client side meaning anyone could gain access to your "secure" area.

Use sessions instead since they're stored on the server and cannot be directly modified by the user unlike cookies.

i researched sessions little bit further and i just found a way how to do it. and scrapped the old security.php thing, too bad i canno't use the mysql for this project.
But allnall thank you all for you'r help , much apprisiaided

 

[Rain]

How interested in PHP are you? i'd be keen to teach you a few things

 

[BIOS]

i researched sessions little bit further and i just found a way how to do it. and scrapped the old security.php thing, too bad i canno't use the mysql for this project.
But allnall thank you all for you'r help , much apprisiaided

Made you a quick example, use it if you like. Not sure if it's 100% functional, haven't really checked it but should do the job.

Just change header("Location: /adminpage"); to the page which has administrative functions on/you only want these specific users to view.

<?php

    session_start();

    $admins = array(
        'reinoreiska' => 'yourpassword'
    );

    if(!isset($_SESSION['logged_in'])){
    
        if(isset($_POST['login'])){
        
            $username = isset($_POST['username']) ? stripslashes(trim($_POST['username'])) : '';
            $password = isset($_POST['password']) ? stripslashes(trim($_POST['password'])) : '';
        
            if(empty($username) || empty($password)){
                $error = 'You left a field empty';
            }

            if(!isset($error)){

                if(array_key_exists($username, $admins)){

                    if($admins[$username] == $password){

                        $_SESSION['logged_in'] = true;

                    }else{
                        $error = 'We couldn\'t find a record with those details';
                    }

                }else{
                    #$error = 'User doesn\'t exist'
                    // uncomment this if you really want it, however it would allow users to find out the usernames of admins..
                }

            }

        }
?>
        <h1>Login page</h1>
        <p>
        <?php
            if(isset($error)){
                echo $error;
            }else{
                echo 'You need to log-in to view this page.';
            }
        ?>
        </p>

        <form method="POST">
            Username: <input type="text" name="username" /><br />
            Password: <input type="text" name="password" /><br />
            <input type="submit" name="login"/>
        </form>
<?php
    }else{
        header("Location: /adminpage");
        exit();
    }
?>

Then on /adminpage (your admin only page):

<?php
session_start();

if(!isset($_SESSION['logged_in'])){
    header("Location: /");
    exit();
}else{
?>

Admin page:
Page content here...

<?php } ?>

 

[Ecko]

Please don't rely on cookies to define layers of authentication, cookies are stored on the client side meaning anyone could gain access to your "secure" area.

Use sessions instead since they're stored on the server and cannot be directly modified by the user unlike cookies.

1. Just because cookies are stored client side doesn't mean "anyone" can gain access.
2. You would need to either be specifically targeted for the above to happen, or have insecure code on your site where XSS is possible. If your code is secure, then your reasons for not using cookies are invalid.
3. You can still hijack sessions even if cookies are not being used (MITM).

 

[brsy]

Made you a quick example, use it if you like. Not sure if it's 100% functional, haven't really checked it but should do the job.

Just change header("Location: /adminpage"); to the page which has administrative functions on/you only want these specific users to view.

<?php

    session_start();

    $admins = array(
        'reinoreiska' => 'yourpassword'
    );

    if(!isset($_SESSION['logged_in'])){
   
        if(isset($_POST['login'])){
       
            $username = isset($_POST['username']) ? stripslashes(trim($_POST['username'])) : '';
            $password = isset($_POST['password']) ? stripslashes(trim($_POST['password'])) : '';
       
            if(empty($username) || empty($password)){
                $error = 'You left a field empty';
            }

            if(!isset($error)){

                if(array_key_exists($username, $admins)){

                    if($admins[$username] == $password){

                        $_SESSION['logged_in'] = true;

                    }else{
                        $error = 'We couldn\'t find a record with those details';
                    }

                }else{
                    #$error = 'User doesn\'t exist'
                    // uncomment this if you really want it, however it would allow users to find out the usernames of admins..
                }

            }

        }
?>
        <h1>Login page</h1>
        <p>
        <?php
            if(isset($error)){
                echo $error;
            }else{
                echo 'You need to log-in to view this page.';
            }
        ?>
        </p>

        <form method="POST">
            Username: <input type="text" name="username" /><br />
            Password: <input type="text" name="password" /><br />
            <input type="submit" name="login"/>
        </form>
<?php
    }else{
        header("Location: /adminpage");
        exit();
    }
?>

Then on /adminpage (your admin only page):

<?php
session_start();

if(!isset($_SESSION['logged_in'])){
    header("Location: /");
    exit();
}else{
?>

Admin page:
Page content here...

<?php } ?>

If you're going to store the password inside of the script, at least use some sort of encryption. I honestly don't suggest storing the password in the file itself either, because it isn't very user friendly.

 

[BIOS]

1. Just because cookies are stored client side doesn't mean "anyone" can gain access.
2. You would need to either be specifically targeted for the above to happen, or have insecure code on your site where XSS is possible. If your code is secure, then your reasons for not using cookies are invalid.
3. You can still hijack sessions even if cookies are not being used (MITM).

Yes, I'm strictly speaking of the OP's request.

There's a lot of other factors involved, like you stated XSS/MITM attacks if the OP doesn't properly sanitize output and such however that'd be a different story rather than "how am I able to create this function" which the OP asked.

If you're going to store the password inside of the script, at least use some sort of encryption. I honestly don't suggest storing the password in the file itself either, because it isn't very user friendly.

I did not personally choose this option, the OP did. They have stated they didn't want to use databases and would prefer a hard coded variable, my input to this thread was simply showing the poster how they could achieve this, not how I would've done it.

I guess they could also use the password_hash function or something alike to hash the passwords stored in the $admins array then verify them with password_verify, yet again that'd be more than the OP is asking.

 

[LeChris]

Just saying, a switch statement would be cleaner for login, or even an array to store the usernames and passwords.

 

[Rain]

Flatfile database, with an htaccess to protect the dir it's in

 

[LeChris]

Let's just use JSON as his database

 

[BIOS]

Just saying, a switch statement would be cleaner for login, or even an array to store the usernames and passwords.

The usernames and passwords are stored in an array in the above example

 

[TesoMayn]

Using unhashed passwords is foolish and using flat file is just as foolish and lazy.

If you don't know how to properly code a login script, use one that someone else has (there are thousands if not millions of them) or use htpasswd