NEed help asap with PHP

reinoreiska

New Member
Mar 22, 2016
4
0
Hi, i'am trying to make a login script without mysql and i am using this code on the security.php file that i found on this site.
<?php
session_start();

$user["admin1"] = "password";
$user["admin2"] = "password";
$user["admin3"] = "password";

if (!isset($_SESSION['logged_in']))
{
echo '<h1>Login</h1>';
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
if (empty($_POST['username']) || empty($_POST['password']))
{
echo '<span style="color:red; font-weight: bold">Please fill in all fields!</span>';
}
elseif ($user[$_POST['username']] != $_POST['password'])
{
echo '<span style="color:red; font-weight: bold">Your username/password is wrong!</span>';
}
else
{
header("Refresh: 1");
$_SESSION['ingelogd'] = true;
echo '<span style="color:green; font-weight: bold">You are now logged in!</span>';
}
}
else
{
exit('You need to log-in to view this page.<br /><br />
<form method="POST" action=""><p>
Username:<br />
<input type="text" name="username" /><br /><br />
Password:<br />
<input type="password" name="password" /><br /><br />
<input type="submit" value="Login" /> <input type="reset" value="Empty fields" />
</form>');
}
}
?>

but everytime i log in with wrong account details it still lets me to view the contet, so how do i fix it ?
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,397
961
Your script allows for login if following two conditions are met:

User/pass fields are not empty
Username is the same as the password

If this is where you are storing admin information:
PHP:
$user["admin1"] = "password";

Then change:
PHP:
elseif ($user[$_POST['username']] != $_POST['password'])

To:
PHP:
elseif ($user["admin1"] != $_POST['password'])

In my opinion it is better if you store admins in an array:
PHP:
$VALID_USERS = array(
        'devbest' => 'demo123',
        'ecko' => 'adminpass',
    );

Then check password and set cookie:
PHP:
  if($act == 'login' && $_POST['form_sent'] == '1'){
        $user = stripslashes(trim($_POST['login_user']));
        $pass = stripslashes(trim($_POST['login_pass']));
        foreach($VALID_USERS as $u => $p){
            if(strtolower($u) == strtolower($user) && strtolower($p) == strtolower($pass)){
                setcookie('security', serialize(array($u, $p)), time() + 31536000, '/', '', 0);
                header('Location: security.php');
                exit;
            }
        }
        message('Invalid username or password', 'Login Error');
    }elseif($act == 'logout'){
        setcookie('security', serialize(array('', '')), time() - 1, '/', '', 0);
        header('Location: security.php');
        exit;
    }

Then you can just check cookie to see if they are logged in.
 

reinoreiska

New Member
Mar 22, 2016
4
0
Your script allows for login if following two conditions are met:

User/pass fields are not empty
Username is the same as the password

If this is where you are storing admin information:
PHP:
$user["admin1"] = "password";

Then change:
PHP:
elseif ($user[$_POST['username']] != $_POST['password'])

To:
PHP:
elseif ($user["admin1"] != $_POST['password'])

In my opinion it is better if you store admins in an array:
PHP:
$VALID_USERS = array(
        'devbest' => 'demo123',
        'ecko' => 'adminpass',
    );

Then check password and set cookie:
PHP:
  if($act == 'login' && $_POST['form_sent'] == '1'){
        $user = stripslashes(trim($_POST['login_user']));
        $pass = stripslashes(trim($_POST['login_pass']));
        foreach($VALID_USERS as $u => $p){
            if(strtolower($u) == strtolower($user) && strtolower($p) == strtolower($pass)){
                setcookie('security', serialize(array($u, $p)), time() + 31536000, '/', '', 0);
                header('Location: security.php');
                exit;
            }
        }
        message('Invalid username or password', 'Login Error');
    }elseif($act == 'logout'){
        setcookie('security', serialize(array('', '')), time() - 1, '/', '', 0);
        header('Location: security.php');
        exit;
    }

Then you can just check cookie to see if they are logged in.
Thank you alot, yet i still don't know where cookie thing, as i said i'am i complete newbie when it comes to php.
 
Your script allows for login if following two conditions are met:

User/pass fields are not empty
Username is the same as the password

If this is where you are storing admin information:
PHP:
$user["admin1"] = "password";

Then change:
PHP:
elseif ($user[$_POST['username']] != $_POST['password'])

To:
PHP:
elseif ($user["admin1"] != $_POST['password'])

In my opinion it is better if you store admins in an array:
PHP:
$VALID_USERS = array(
        'devbest' => 'demo123',
        'ecko' => 'adminpass',
    );

Then check password and set cookie:
PHP:
  if($act == 'login' && $_POST['form_sent'] == '1'){
        $user = stripslashes(trim($_POST['login_user']));
        $pass = stripslashes(trim($_POST['login_pass']));
        foreach($VALID_USERS as $u => $p){
            if(strtolower($u) == strtolower($user) && strtolower($p) == strtolower($pass)){
                setcookie('security', serialize(array($u, $p)), time() + 31536000, '/', '', 0);
                header('Location: security.php');
                exit;
            }
        }
        message('Invalid username or password', 'Login Error');
    }elseif($act == 'logout'){
        setcookie('security', serialize(array('', '')), time() - 1, '/', '', 0);
        header('Location: security.php');
        exit;
    }

Then you can just check cookie to see if they are logged in.
please, i really dont't understand this "sigh" :/
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Your script allows for login if following two conditions are met:

User/pass fields are not empty
Username is the same as the password

If this is where you are storing admin information:
PHP:
$user["admin1"] = "password";

Then change:
PHP:
elseif ($user[$_POST['username']] != $_POST['password'])

To:
PHP:
elseif ($user["admin1"] != $_POST['password'])

In my opinion it is better if you store admins in an array:
PHP:
$VALID_USERS = array(
        'devbest' => 'demo123',
        'ecko' => 'adminpass',
    );

Then check password and set cookie:
PHP:
  if($act == 'login' && $_POST['form_sent'] == '1'){
        $user = stripslashes(trim($_POST['login_user']));
        $pass = stripslashes(trim($_POST['login_pass']));
        foreach($VALID_USERS as $u => $p){
            if(strtolower($u) == strtolower($user) && strtolower($p) == strtolower($pass)){
                setcookie('security', serialize(array($u, $p)), time() + 31536000, '/', '', 0);
                header('Location: security.php');
                exit;
            }
        }
        message('Invalid username or password', 'Login Error');
    }elseif($act == 'logout'){
        setcookie('security', serialize(array('', '')), time() - 1, '/', '', 0);
        header('Location: security.php');
        exit;
    }

Then you can just check cookie to see if they are logged in.

Please don't rely on cookies to define layers of authentication, cookies are stored on the client side meaning anyone could gain access to your "secure" area.

Use sessions instead since they're stored on the server and cannot be directly modified by the user unlike cookies.
 

reinoreiska

New Member
Mar 22, 2016
4
0
Please don't rely on cookies to define layers of authentication, cookies are stored on the client side meaning anyone could gain access to your "secure" area.

Use sessions instead since they're stored on the server and cannot be directly modified by the user unlike cookies.
i researched sessions little bit further and i just found a way how to do it. and scrapped the old security.php thing, too bad i canno't use the mysql for this project.
But allnall thank you all for you'r help :), much apprisiaided
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
i researched sessions little bit further and i just found a way how to do it. and scrapped the old security.php thing, too bad i canno't use the mysql for this project.
But allnall thank you all for you'r help :), much apprisiaided
Made you a quick example, use it if you like. Not sure if it's 100% functional, haven't really checked it but should do the job.

Just change header("Location: /adminpage"); to the page which has administrative functions on/you only want these specific users to view.

Code:
<?php

    session_start();

    $admins = array(
        'reinoreiska' => 'yourpassword'
    );

    if(!isset($_SESSION['logged_in'])){
    
        if(isset($_POST['login'])){
        
            $username = isset($_POST['username']) ? stripslashes(trim($_POST['username'])) : '';
            $password = isset($_POST['password']) ? stripslashes(trim($_POST['password'])) : '';
        
            if(empty($username) || empty($password)){
                $error = 'You left a field empty';
            }

            if(!isset($error)){

                if(array_key_exists($username, $admins)){

                    if($admins[$username] == $password){

                        $_SESSION['logged_in'] = true;

                    }else{
                        $error = 'We couldn\'t find a record with those details';
                    }

                }else{
                    #$error = 'User doesn\'t exist'
                    // uncomment this if you really want it, however it would allow users to find out the usernames of admins..
                }

            }

        }
?>
        <h1>Login page</h1>
        <p>
        <?php
            if(isset($error)){
                echo $error;
            }else{
                echo 'You need to log-in to view this page.';
            }
        ?>
        </p>

        <form method="POST">
            Username: <input type="text" name="username" /><br />
            Password: <input type="text" name="password" /><br />
            <input type="submit" name="login"/>
        </form>
<?php
    }else{
        header("Location: /adminpage");
        exit();
    }
?>

Then on /adminpage (your admin only page):
Code:
<?php
session_start();

if(!isset($_SESSION['logged_in'])){
    header("Location: /");
    exit();
}else{
?>

Admin page:
Page content here...

<?php } ?>
 
Last edited:

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,397
961
Please don't rely on cookies to define layers of authentication, cookies are stored on the client side meaning anyone could gain access to your "secure" area.

Use sessions instead since they're stored on the server and cannot be directly modified by the user unlike cookies.
1. Just because cookies are stored client side doesn't mean "anyone" can gain access.
2. You would need to either be specifically targeted for the above to happen, or have insecure code on your site where XSS is possible. If your code is secure, then your reasons for not using cookies are invalid.
3. You can still hijack sessions even if cookies are not being used (MITM).
 

brsy

nah mang
May 12, 2011
1,530
272
Made you a quick example, use it if you like. Not sure if it's 100% functional, haven't really checked it but should do the job.

Just change header("Location: /adminpage"); to the page which has administrative functions on/you only want these specific users to view.

Code:
<?php

    session_start();

    $admins = array(
        'reinoreiska' => 'yourpassword'
    );

    if(!isset($_SESSION['logged_in'])){
   
        if(isset($_POST['login'])){
       
            $username = isset($_POST['username']) ? stripslashes(trim($_POST['username'])) : '';
            $password = isset($_POST['password']) ? stripslashes(trim($_POST['password'])) : '';
       
            if(empty($username) || empty($password)){
                $error = 'You left a field empty';
            }

            if(!isset($error)){

                if(array_key_exists($username, $admins)){

                    if($admins[$username] == $password){

                        $_SESSION['logged_in'] = true;

                    }else{
                        $error = 'We couldn\'t find a record with those details';
                    }

                }else{
                    #$error = 'User doesn\'t exist'
                    // uncomment this if you really want it, however it would allow users to find out the usernames of admins..
                }

            }

        }
?>
        <h1>Login page</h1>
        <p>
        <?php
            if(isset($error)){
                echo $error;
            }else{
                echo 'You need to log-in to view this page.';
            }
        ?>
        </p>

        <form method="POST">
            Username: <input type="text" name="username" /><br />
            Password: <input type="text" name="password" /><br />
            <input type="submit" name="login"/>
        </form>
<?php
    }else{
        header("Location: /adminpage");
        exit();
    }
?>

Then on /adminpage (your admin only page):
Code:
<?php
session_start();

if(!isset($_SESSION['logged_in'])){
    header("Location: /");
    exit();
}else{
?>

Admin page:
Page content here...

<?php } ?>
If you're going to store the password inside of the script, at least use some sort of encryption. I honestly don't suggest storing the password in the file itself either, because it isn't very user friendly.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
1. Just because cookies are stored client side doesn't mean "anyone" can gain access.
2. You would need to either be specifically targeted for the above to happen, or have insecure code on your site where XSS is possible. If your code is secure, then your reasons for not using cookies are invalid.
3. You can still hijack sessions even if cookies are not being used (MITM).
Yes, I'm strictly speaking of the OP's request.

There's a lot of other factors involved, like you stated XSS/MITM attacks if the OP doesn't properly sanitize output and such however that'd be a different story rather than "how am I able to create this function" which the OP asked.

If you're going to store the password inside of the script, at least use some sort of encryption. I honestly don't suggest storing the password in the file itself either, because it isn't very user friendly.
I did not personally choose this option, the OP did. They have stated they didn't want to use databases and would prefer a hard coded variable, my input to this thread was simply showing the poster how they could achieve this, not how I would've done it.

I guess they could also use the password_hash function or something alike to hash the passwords stored in the $admins array then verify them with password_verify, yet again that'd be more than the OP is asking.
 

TesoMayn

Boredom, it vexes me.
Oct 30, 2011
1,482
1,482
Using unhashed passwords is foolish and using flat file is just as foolish and lazy.

If you don't know how to properly code a login script, use one that someone else has (there are thousands if not millions of them) or use htpasswd
 

Users who are viewing this thread

Top