
Solved: PHP - can you help please?

Discussion in 'Web Design & Development' started by colinsp, Jan 26, 2011.

Thread Status:
Not open for further replies.
  1. colinsp

    colinsp Thread Starter

    Joined:
    Sep 5, 2007
    Messages:
    2,272
    First Name:
    Colin
    I have a php page written by someone else that I need to remove the login stuff from. The reason being that I want to move the table to another database where the users with access to this page have already logged in to the site using different credentials. I do need to keep the database connection settings though. Basically I suppose that if you access this page you are already successfully logged in so maybe I could just hard code a user id and password rather than deleting the code? WDYT? My knowledge of PHP is not that great so any help is most welcome.

    This is the code

    PHP:
    <?php function login()
    {
      global $_POST;
      global $_SESSION;

      global $_GET;
      if (isset($_GET["a"]) && ($_GET["a"] == 'logout')) $_SESSION["logged_in"] = false;
      if (!isset($_SESSION["logged_in"])) $_SESSION["logged_in"] = false;
      if (!$_SESSION["logged_in"]) {
        $login = "";
        $password = "";
        if (isset($_POST["login"])) $login = @$_POST["login"];
        if (isset($_POST["password"])) $password = @$_POST["password"];

        if (($login != "") && ($password != "")) {
          $conn = mysql_connect("localhost", "*********", "**********");
          mysql_select_db("********");
          $sql = "select `password` from `users` where `login` = '" .$login ."'";
          $res = mysql_query($sql, $conn) or die(mysql_error());
          $row = mysql_fetch_assoc($res) or $row = array(0 => "");
          if (isset($row)) reset($row);

          if (isset($password) && ($password == trim(current($row)))) {
            $_SESSION["logged_in"] = true;
        }
        else {
    ?>
    <p><b><font color="-1">Sorry, the login/password combination you've entered is invalid</font></b></p>
    <?php } } }if (isset($_SESSION["logged_in"]) && (!$_SESSION["logged_in"])) { ?>
    I suspect that it is as simple as deleting a few lines, but which ones? I don't want to screw the whole form up.

    TIA
     
  2. ehymel

    ehymel

    Joined:
    Aug 12, 2007
    Messages:
    696
    Just replace this line:

    PHP:
    if (!isset($_SESSION["logged_in"])) $_SESSION["logged_in"] = false;
    With this:

    PHP:
    $_SESSION["logged_in"] = true;
    and you're set.
     
  3. DrP

    DrP

    Joined:
    Jul 23, 2005
    Messages:
    739
    But won't anyone guessing/knowing the URL be able to access the page without being logged in?

    And also, that code looks insecure to me? You're passing unfiltered POST variables in a database query.
     
  4. ehymel

    ehymel

    Joined:
    Aug 12, 2007
    Messages:
    696
    From a security standpoint, there are lots of problems with this script. The unfiltered $_POST['login'] variable passed via the SELECT command is bad news, and it looks like passwords are being stored unencoded. Bad news!!!

    Also, $_POST, $_GET, and $_SESSION are superglobals, so no need to declare these as global. This original script was probably written a *long* time ago!
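
The two problems named in the post above (the login value spliced into the SELECT, and passwords compared as stored text) are addressed in the sketch below. It is an added example, not code from the thread: the `users` table and its `login`/`password` columns follow the posted snippet, while the `check_login()` name, the in-memory SQLite database and the sample account are assumptions made so it runs on its own.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): credential check with a bound
// parameter and hashed passwords. check_login() is a hypothetical name.
function check_login(PDO $db, string $login, string $password): bool
{
    // The placeholder keeps $login as data; it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $stored = $stmt->fetchColumn();   // false when no row matched

    // password_verify() checks the submitted password against the stored hash,
    // so the database never holds the password itself.
    return is_string($stored) && password_verify($password, $stored);
}

// Constructed demo data: in-memory database with one account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (login, password) VALUES (?, ?)');
$ins->execute(['colin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Three cases: correct password, wrong password, and a login containing
// quote characters, which is simply looked up as an (unknown) literal login.
foreach ([
    ['colin', 'correct horse'],
    ['colin', 'wrong'],
    ["colin' OR '1'='1", 'x'],
] as [$login, $password]) {
    printf("%-20s => %s\n", $login, check_login($db, $login, $password) ? 'accepted' : 'rejected');
}
```

Against the original MySQL database the same function works with a `mysql:` PDO connection string, once the stored passwords have been replaced by `password_hash()` output.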
     
  5. colinsp

    colinsp Thread Starter

    Joined:
    Sep 5, 2007
    Messages:
    2,272
    First Name:
    Colin
    Thanks guys for the comments.

    My PHP skills are virtually zero; that is why I was asking for help here. This was written about 5 years ago apparently.

    What I actually want to do is to drop this whole page (the above is just a snippet from the whole page's code) into a child theme of Wordpress and move the table from its own database into the Wordpress database. So WP will handle the login etc. as this page will be controlled by WP admin panel to take care of security. What I need is the ability in WP to add, delete and edit records in this table and this seemed to be the easiest way to go about it as this was written and working BUT I am open to any better suggestions.
     
  6. ehymel

    ehymel

    Joined:
    Aug 12, 2007
    Messages:
    696
    The snippet of code you posted is a stand-alone function that would be called from somewhere else in the code. You could just drop the entire function (delete it), but then you'd have to find all the places the function gets called and delete those calls as well. You did not give the post the entire function here, so it's hard to know what else happens in the function, and what gets returned to the calling code. So, the *simplest* thing to do is to just use what I wrote above and nothing will break. The question about security is a bigger one and would need to know a lot more about the code to answer more fully. If you will be relying on Wordpress for login functions, that should be just fine, although I don't know whether Wordpress uses a similar mechanism for login. Depending on what sort of information you're dealing with, it might be worthwhile to hire someone to look things over.
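
If WordPress is to handle the login, the page itself still has to ask WordPress who is visiting, otherwise DrP's point stands and anyone with the URL reaches it. The sketch below is an added example, not code from the thread; it runs only inside WordPress as a child-theme page template, and the template name, the `records` table, its `id`/`title` columns, and the `records_edit` nonce action are all hypothetical.

```php
<?php
/* Template Name: Records Admin (hypothetical child-theme template) */

// Access control replaces the old login() function: anonymous visitors are
// sent to the WordPress login form, and logged-in users need a capability.
if (!is_user_logged_in()) {
    auth_redirect();
}
if (!current_user_can('manage_options')) {
    wp_die('You are not allowed to manage these records.', '', array('response' => 403));
}

global $wpdb;
$table = $wpdb->prefix . 'records';   // hypothetical table moved into the WP database

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject submissions that do not carry the nonce issued by the form below.
    check_admin_referer('records_edit', 'records_nonce');

    $id    = absint($_POST['id'] ?? 0);
    $title = sanitize_text_field(wp_unslash($_POST['title'] ?? ''));

    // $wpdb->update() binds the values using the given formats (%s, %d).
    $wpdb->update($table, array('title' => $title), array('id' => $id), array('%s'), array('%d'));
}

// Values go through prepare() rather than into the SQL string.
$rows = $wpdb->get_results(
    $wpdb->prepare("SELECT id, title FROM {$table} WHERE id > %d ORDER BY id", 0)
);

get_header();
foreach ($rows as $row) : ?>
    <form method="post">
        <?php wp_nonce_field('records_edit', 'records_nonce'); ?>
        <input type="hidden" name="id" value="<?php echo esc_attr($row->id); ?>">
        <input type="text" name="title" value="<?php echo esc_attr($row->title); ?>">
        <button type="submit">Save</button>
    </form>
<?php endforeach;
get_footer();
```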
     
Short URL to this thread: https://techguy.org/977054