Script logging in with whatever put in username and password field

Sorry, but once again I return with a long post for those that can spend a little of their time helping out a troubled noob.

I've been having some difficulties and asked here previously for any guidance on how to draw any user's first and last name from the database, when only given the username and password at login.

When my code was edited now it seems anyone can login with whatever they desire.

Login.php script as follows:

<?php
session_start();

require_once 'classes/membership.php';
$membership = new Membership();

// If the user clicks the "Log Out" link on the index page.
if(isset($_GET['status']) && $_GET['status'] == 'loggedout') {
    $membership->log_User_Out();
}

// Did the user enter a password/username and click submit?
if($_POST && !empty($_POST['username']) && !empty($_POST['pwd'])) {
    $response = $membership->validate_User($_POST['username'], $_POST['pwd']);
}
?>

This points to Membership.php first:

<?php

require 'mysql.php';

class Membership {

function validate_user($un, $pwd) {
    $mysql = New Mysql();
    $ensure_credentials = $mysql->verify_Username_and_Pass($un, md5($pwd));

    list($ensureCredentials, $data) = $mysql->verify_Username_and_Pass($un, md5($pwd));
if($ensure_credentials) {
    $_SESSION['status'] = 'authorized';
    $_SESSION['fname'] = $data['fname'];
    $_SESSION['lname'] = $data['lname'];
    header("location: medlem.php");
} else return "Please enter correct username and password";

} 

function log_User_Out() {
    if(isset($_SESSION['status'])) {
        unset($_SESSION['status']);

        if(isset($_COOKIE[session_name()])) 
            setcookie(session_name(), '', time() - 1000);
            session_destroy();
    }
}
function confirm_Member() {
    session_start();
    if($_SESSION['status'] !='authorized') header("location: login.php");
}
}

Which then again points forward to mysql.php:

<?php

require_once 'includes/constants.php';

class Mysql {
private $conn;

function __construct() {
    $this->conn = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or 
                  die('There was a problem connecting to the database.');
}

function verify_Username_and_Pass($un, $pwd) {

$query = "SELECT *
        FROM users
        WHERE username = ? AND password = ?
        LIMIT 1";

if($stmt = $this->conn->prepare($query)) {
    $stmt->bind_param('ss', $un, $pwd);
    $stmt->execute();
    // UPDATE : I added correct usage of the stmt here.    
    $result = $stmt->get_result();
    if($row = $result->fetch_array()) {
       $stmt->free_result();
       $stmt->close();                
        // returning an array the first item is the validation the second is the data. 
        return array(true, $row);
    }
}
// if there is no just return empty data, and false for validation.
return array(false, array());
}
}

For the sake of re-usability I've used constants for this project:

<?php

// Define constants here

define('DB_SERVER', 'localhost');
define('DB_USER', 'myusername');
define('DB_PASSWORD', 'mypassword');
define('DB_NAME', 'sameige_membership');

With this current script set, it will login with whatever I set in the username and password field. The webpages are also supposed to post first and lastname to tell the user who and if he is logged in posted by $_SESSION('fname/lname').

The login works as it's supposed to when I revert to what I had in the beginning. Before adding to query part for drawing first and lastname from DB.

Here is the original one:

<?php

require_once 'includes/constants.php';

class Mysql {
private $conn;

function __construct() {
    $this->conn = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or 
                  die('There was a problem connecting to the database.');
}

function verify_Username_and_Pass($un, $pwd) {

    $query = "SELECT *
            FROM users
            WHERE username = ? AND password = ?
            LIMIT 1";

    if($stmt = $this->conn->prepare($query)) {
        $stmt->bind_param('ss', $un, $pwd);
        $stmt->execute();

        if($stmt->fetch()) {
            $stmt->close();
            return true;
        }
    }
    }
}

To my understanding this script should compare $_POST['username']/['password'] to the selected username and password fields in the database. And if they are correct it should come back with a login and redirect to the medlem.php page. If else it should return to enter correct username and password.

This however logs in and redirect nonetheless.

Any answer to what I am doing wrong would be greatly appreciated, as I am a total noob on the subject.

Regards, Josh

Answers


First of all your code about checking the user input is wrong... You should check if isset($_POST['username']) && isset($_POST['password']) and not if($_POST) like you do.

Second you say : $response = $membership->validate_User($_POST['username'], $_POST['pwd']); and your class is : validate_user.... It's case sensitive (use Dreamweaver if you can, it warns you about mistakes like these)

3rd solve them and check again.


<?php
session_start();

require_once 'classes/membership.php';
$membership = new Membership();

// If the user clicks the "Log Out" link on the index page.
if(isset($_GET['status']) && $_GET['status'] == 'loggedout') {
    $membership->log_User_Out();
}

// Did the user enter a password/username and click submit? 

Use isset($_POST['submit']) in place of just $_POST and note methods are case sensitive. So it would be validate_user not validate_User

if(isset($_POST['submit']) && !empty($_POST['username']) && !empty($_POST['pwd'])) {
    $response = $membership->validate_user($_POST['username'], $_POST['pwd']);
}
?>

Now in your mysql.php, I would do it like this:

<?php

require_once 'includes/constants.php';

class Mysql {
private $conn;

function __construct() {
    $this->conn = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or 
                  die('There was a problem connecting to the database.');
}

function verify_Username_and_Pass($un, $pwd) {

$query = "SELECT *
        FROM users
        WHERE username = ? AND password = ?
        LIMIT 1";

if($stmt = $this->conn->prepare($query)) {
    $stmt->bind_param('ss', $un, $pwd);
    $stmt->execute();
    // UPDATE : I added correct usage of the stmt here.
    // Keep the result set in its own variable; $result is the array we return.
    $rows = $stmt->get_result();
    if($row = $rows->fetch_assoc()) {
        $stmt->free_result();
        $stmt->close();
        // Return a keyed array: 'validation' is the flag, 'data' is the row.
        $result = array();
        $result['data'] = $row;
        $result['validation'] = true;

        return $result;
    }
}
// If there is no match, return empty data and false for validation.
$result = array();
$result['data'] = array();
$result['validation'] = false;
return $result;
}
}
}

Now I will have the following changes in Membership.php

function validate_user($un, $pwd) {
    $mysql = New Mysql();
    $ensure_credentials = $mysql->verify_Username_and_Pass($un, md5($pwd));
    $data=$ensure_credentials['data'];
    $validation=$ensure_credentials['validation'];

    if($validation) {
        $_SESSION['status'] = 'authorized';
        $_SESSION['fname'] = $data['fname'];
        $_SESSION['lname'] = $data['lname'];
        header("location: medlem.php");
    } else return "Please enter correct username and password";
}

Hope this works for you....:)
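
The question's validate_user() tests the array returned by verify_Username_and_Pass() rather than the flag inside it, and a non-empty array is truthy in PHP even when its first element is false. The script below is an added example, not code from the question or either answer: the user table is constructed in memory, the function names are hypothetical, and password_hash()/password_verify() are swapped in for the page's md5() comparison.

```php
<?php
// Constructed in-memory stand-in for the users table (assumption, not the page's DB).
// password_hash()/password_verify() replace the page's md5() comparison.
$users = [
    'josh' => [
        'hash'  => password_hash('correct-horse', PASSWORD_DEFAULT),
        'fname' => 'Josh',
        'lname' => 'Example',
    ],
];

// Same return contract as the edited verify_Username_and_Pass():
// array(validation flag, row data).
function verify_username_and_pass(array $users, string $un, string $pwd): array {
    if (isset($users[$un]) && password_verify($pwd, $users[$un]['hash'])) {
        return [true, $users[$un]];
    }
    return [false, []];
}

// Buggy caller: tests the returned array itself. array(false, array()) has
// two elements, so it is truthy and every login attempt is accepted.
function validate_user_buggy(array $users, string $un, string $pwd): bool {
    $ensure_credentials = verify_username_and_pass($users, $un, $pwd);
    return (bool) $ensure_credentials;
}

// Fixed caller: unpack the pair and test only the flag, with a strict comparison.
// Returns the user's row on success and null on failure.
function validate_user_fixed(array $users, string $un, string $pwd): ?array {
    [$ok, $data] = verify_username_and_pass($users, $un, $pwd);
    return $ok === true ? $data : null;
}

// Unknown user, arbitrary password.
var_dump(validate_user_buggy($users, 'nobody', 'anything'));
var_dump(validate_user_fixed($users, 'nobody', 'anything'));

// Known user, wrong and right password.
var_dump(validate_user_fixed($users, 'josh', 'wrong-password'));
var_dump(validate_user_fixed($users, 'josh', 'correct-horse'));
```

Run with the PHP CLI (7.1 or later): the buggy caller accepts the unknown user, while the fixed caller returns null for every failed attempt and the user's row only for the correct password.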

