PHP Help

SavageWolf 766 posts

I am trying to make a login code with PHP, this is what I got on the login page:


<?php
    require("../_cookie.php");
	
	$name = $_POST["name"];
	$password = $_POST['password'];
	
	//Connect;

$con = mysql_connect("localhost:Database","savagew_savagew","...");
if (!$con){
    die('Could not connect: ' . mysql_error());
}

//Select the db;

mysql_select_db("savagew_Database", $con);

$result = mysql_query("SELECT * FROM Users WHERE Name = '$name'");

//Store in arrays;

while($row = mysql_fetch_array($result)){
	if(---($password) == $row['Password']){
		$loginSuccess = true;
	}else{
		$fail[] = "Error 1: Wrong Password";
	};
};

if($loginSuccess){
	session_name($ip);
	session_start();
	$_SESSION['login'] = ''.$name.'';
// 	echo $_SESSION['login'];
};

$i = 0;
$failMessage = "Errors:";
while(true){
    if($fail[$i] == null){
	  break;
    };
    $failMessage .= "+".$fail[$i];
    $i ++;
};
if($failMessage == "Errors:"){
	//header('Location: '.$_SERVER["HTTP_REFERER"]);
}else{
    passToJS("from", $_SERVER["HTTP_REFERER"]);
    passToJS("fail", $failMessage);
};

var_dump($_SESSION); // Dumps "array(1) { ["login"]=>  string(10) "SavageWolf" } " in my testing;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<?php require("../_head.php")?>
<title>[LOGIN]</title>
</head>

<body>

<script language="JavaScript">
	if(fail != "Errors:"){
		fail = fail.split("+");
		totalFail = ""
		for(var i in fail){
			totalFail += "\n" + fail[i];
		};
		alert(totalFail);
    };
    if(from == ""){
		window.location = "http://www.wolfthatissavage.com/home.php";
    }else{
		window.location = from;
    };
</script>
</body>

</html>

And on the pages:


<?php
session_name($ip);
session_start();
if(isset($_SESSION['login'])){
	$userName = $_SESSION['login'];
	$loggedIn = true;
	//Connect;

	$con = mysql_connect("localhost:Database","savagew_savagew","...");
	if (!$con){
		die('Could not connect: ' . mysql_error());
	}

	//Select the db;

	mysql_select_db("savagew_Database", $con);

	$result = mysql_query("SELECT * FROM Users WHERE Name = '$userName'");

	//Store in arrays;

	while($row = mysql_fetch_array($result)){
		//Boring stuff
	};
}else{
	$loggedIn = false;
};
echo $_SESSION['login'];
?>

With another dump at the bottom of the page, returning “NULL” or "array(0) { } "

Help?

 
BillysGames 25 posts

if(---($password) == $row['Password']){

What’s with the 3 dashes? That would appear to be the problem, assuming that’s actually in the code you’re running. Since this will fail to evaluate to true (I’m not even sure what it will be interpreted as – a negative followed by a pre-decrement? Is that even valid?), loginSuccess won’t get set, and therefore $_SESSION['login'] will never get set either.

 
SavageWolf 766 posts

The 3 dashes are so you don’t know what function I use to encrypt :P

 
Draco18s 2341 posts
Originally posted by SavageWolf:

The 3 dashes are so you don’t know what function I use to encrypt :P

It doesn’t really matter. Even knowing the encryption algorithm in detail won’t let you hack passwords. As you should be using a one-directional algorithm (a hash function), which makes it hard (i.e. computationally complex and time consuming) to find m, while knowing h, where h = hash(m).

 
BillysGames 25 posts
Originally posted by Draco18s:
Originally posted by SavageWolf:

The 3 dashes are so you don’t know what function I use to encrypt :P

It doesn’t really matter. Even knowing the encryption algorithm in detail won’t let you hack passwords. As you should be using a one-directional algorithm (a hash function), which makes it hard (i.e. computationally complex and time consuming) to find m, while knowing h, where h = hash(m).

Yeah, it seems silly to me too. It’s either md5() or sha1(). It should be, anyway. If you’re not hashing, you need a scolding!

But, oh well, proceed with the silliness. We just need to know which parts of the code are edited like that. After all, people write some crazy things, and some funny looking, unconventional code is valid (for example, you could theoretically use a long line of exclamation points. An arbitrarily long sequence of negations would be perfectly valid)

Back on topic, I just can’t see what’s wrong with the session handling code. It’s a long shot, but maybe you don’t have cookies enabled for session handling, so it’s not propagated through different pages? You could find out by doing

echo session_id()

on each page and make sure they match

But I’m just guessing at a possible configuration-related issue now, because I don’t see a code problem.
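
An added example, not code from any poster in this thread: the login check from the first post written with a bound query parameter, password_hash()/password_verify() in place of the hidden hash function (a salted, deliberately slow hash rather than one fast md5() or sha1() pass), and a fixed session name. The in-memory SQLite database (which assumes the pdo_sqlite extension), the sample user and the APPSESSID session name are constructed for the demo.

```php
<?php
// Added example, not the poster's code. The Users/Name/Password names follow the
// post; the in-memory SQLite database, sample user and APPSESSID are constructed.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (Name TEXT PRIMARY KEY, Password TEXT NOT NULL)');
    // Store only the salted, slow hash that password_hash() produces.
    $db->prepare('INSERT INTO Users (Name, Password) VALUES (?, ?)')
       ->execute(['SavageWolf', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function check_login(PDO $db, string $name, string $password): bool {
    // Bound parameter: $name is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT Password FROM Users WHERE Name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    // password_verify() reads algorithm, cost and salt from the stored hash.
    return is_string($hash) && password_verify($password, $hash);
}

function start_login_session(string $name): string {
    session_name('APPSESSID');    // must be the same constant on every page
    session_start();
    session_regenerate_id(true);  // fresh id at login, old one discarded
    $_SESSION['login'] = $name;
    return session_id();
}

$db = make_demo_db();
$results = [
    'correct password'  => check_login($db, 'SavageWolf', 'correct horse'),
    'wrong password'    => check_login($db, 'SavageWolf', 'guess'),
    'name with a quote' => check_login($db, "O'Brien", 'guess'),
];
// Start the session before any output so the cookie header can still be sent.
$sid = $results['correct password'] ? start_login_session('SavageWolf') : '';

foreach ($results as $case => $ok) {
    echo $case, ': ', $ok ? 'accepted' : 'rejected', "\n";
}
echo 'session id set: ', $sid !== '' ? 'yes' : 'no', "\n";
```

Because password_verify() takes everything it needs from the stored hash, nothing about the hashing has to be kept out of the source code.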
