Login script werkt niet. Waarom werkt hij niet?
Wat doe ik fout?
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
<?php
session_start();
$con = mysql_connect("*****", "*****", "*****") or die('Kan niet verbinden met de server.' );
mysql_select_db("*****", $con) or die('Kan de database niet selecteren.' );
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
if ($_POST['submit'])
{
$username = $_POST['username'];
$password = $_POST['password'];
$sha1_password = (sha1($password));
$check_aantal = mysql_query("Select Count(username) From users Where username = '".mysql_escape_string($username)."' AND sha1_password = '".$sha1_password."'") or die(mysql_error());
if (mysql_result($check_aantal, 0))
{
$_SESSION['id'] = $fetchusers['id'];
}
else
{
echo "<br>Gebruikersnaam of wachtwoord incorrect.";
}
}
if (!isset($_SESSION['ip']))
{
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])
{
trigger_error("<br>Session Hijacking gedetecteerd!", E_USER_WARNING);
}
if (isset($_SESSION['id']))
{
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
echo "<br>Ingelogd als: ".$fetchusers['username'].". | <a href='http://www.robinvandervliet.hostoi.com/myaccount.php?url=".$_SERVER['PHP_SELF']."'>Mijn account</a>. | <a href='http://www.robinvandervliet.hostoi.com/logout.php?url=".$_SERVER['PHP_SELF']."'>Uitloggen</a>.";
}
else
{
echo '<form method="post">';
echo 'Gebruikersnaam: <input type="text" name="username" size="15"> ';
echo 'Wachtwoord: <input type="password" name="password" size="15"> ';
echo '<input name="submit" type="submit" value="Inloggen">';
echo '</form>';
}
?>
session_start();
$con = mysql_connect("*****", "*****", "*****") or die('Kan niet verbinden met de server.' );
mysql_select_db("*****", $con) or die('Kan de database niet selecteren.' );
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
if ($_POST['submit'])
{
$username = $_POST['username'];
$password = $_POST['password'];
$sha1_password = (sha1($password));
$check_aantal = mysql_query("Select Count(username) From users Where username = '".mysql_escape_string($username)."' AND sha1_password = '".$sha1_password."'") or die(mysql_error());
if (mysql_result($check_aantal, 0))
{
$_SESSION['id'] = $fetchusers['id'];
}
else
{
echo "<br>Gebruikersnaam of wachtwoord incorrect.";
}
}
if (!isset($_SESSION['ip']))
{
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])
{
trigger_error("<br>Session Hijacking gedetecteerd!", E_USER_WARNING);
}
if (isset($_SESSION['id']))
{
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
echo "<br>Ingelogd als: ".$fetchusers['username'].". | <a href='http://www.robinvandervliet.hostoi.com/myaccount.php?url=".$_SERVER['PHP_SELF']."'>Mijn account</a>. | <a href='http://www.robinvandervliet.hostoi.com/logout.php?url=".$_SERVER['PHP_SELF']."'>Uitloggen</a>.";
}
else
{
echo '<form method="post">';
echo 'Gebruikersnaam: <input type="text" name="username" size="15"> ';
echo 'Wachtwoord: <input type="password" name="password" size="15"> ';
echo '<input name="submit" type="submit" value="Inloggen">';
echo '</form>';
}
?>
Je hebt in je DB het wachtwoord niet geëncrypteerd naar SHA1?
Bram Boos op 10/06/2010 18:07:53:
Raad de fout:
Je hebt in je DB het wachtwoord niet geëncrypteerd naar SHA1?
Je hebt in je DB het wachtwoord niet geëncrypteerd naar SHA1?
De wachtwoorden staan wel geëncrypteerd in de database.
Bouw nette foutafhandeling in.
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
<?php
session_start();
$con = mysql_connect("*****", "*****", "*****") or die('Kan niet verbinden met de server.' );
mysql_select_db("*****", $con) or die('Kan de database niet selecteren.' );
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
if ($_POST['submit'])
{
$username = $_POST['username'];
$password = $_POST['password'];
$sha1_password = (sha1($password));
$check_aantal = mysql_query("Select Count(username) From users Where username = '".mysql_escape_string($username)."' AND sha1_password = '".$sha1_password."'") or die(mysql_error());
if (mysql_result($check_aantal, 0))
{
echo "Je bent ingelogd"; // Dit bericht word wel zichtbaar.
$_SESSION['id'] = $fetchusers['id']; // Maar dit word denk ik niet goed in de sessie gezet.
}
else
{
echo "<br>Gebruikersnaam of wachtwoord incorrect.";
}
}
if (!isset($_SESSION['ip']))
{
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])
{
trigger_error("<br>Session Hijacking gedetecteerd!", E_USER_WARNING);
}
if (isset($_SESSION['id']))
{
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
echo "<br>Ingelogd als: ".$fetchusers['username'].". | <a href='http://www.robinvandervliet.hostoi.com/myaccount.php?url=".$_SERVER['PHP_SELF']."'>Mijn account</a>. | <a href='http://www.robinvandervliet.hostoi.com/logout.php?url=".$_SERVER['PHP_SELF']."'>Uitloggen</a>.";
}
else
{
echo '<form method="post">';
echo 'Gebruikersnaam: <input type="text" name="username" size="15"> ';
echo 'Wachtwoord: <input type="password" name="password" size="15"> ';
echo '<input name="submit" type="submit" value="Inloggen">';
echo '</form>';
}
?>
session_start();
$con = mysql_connect("*****", "*****", "*****") or die('Kan niet verbinden met de server.' );
mysql_select_db("*****", $con) or die('Kan de database niet selecteren.' );
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
if ($_POST['submit'])
{
$username = $_POST['username'];
$password = $_POST['password'];
$sha1_password = (sha1($password));
$check_aantal = mysql_query("Select Count(username) From users Where username = '".mysql_escape_string($username)."' AND sha1_password = '".$sha1_password."'") or die(mysql_error());
if (mysql_result($check_aantal, 0))
{
echo "Je bent ingelogd"; // Dit bericht word wel zichtbaar.
$_SESSION['id'] = $fetchusers['id']; // Maar dit word denk ik niet goed in de sessie gezet.
}
else
{
echo "<br>Gebruikersnaam of wachtwoord incorrect.";
}
}
if (!isset($_SESSION['ip']))
{
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])
{
trigger_error("<br>Session Hijacking gedetecteerd!", E_USER_WARNING);
}
if (isset($_SESSION['id']))
{
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
echo "<br>Ingelogd als: ".$fetchusers['username'].". | <a href='http://www.robinvandervliet.hostoi.com/myaccount.php?url=".$_SERVER['PHP_SELF']."'>Mijn account</a>. | <a href='http://www.robinvandervliet.hostoi.com/logout.php?url=".$_SERVER['PHP_SELF']."'>Uitloggen</a>.";
}
else
{
echo '<form method="post">';
echo 'Gebruikersnaam: <input type="text" name="username" size="15"> ';
echo 'Wachtwoord: <input type="password" name="password" size="15"> ';
echo '<input name="submit" type="submit" value="Inloggen">';
echo '</form>';
}
?>
Gewijzigd op 10/06/2010 20:07:43 door Robin van der Vliet
echo "Je bent ingelogd"; // Dit bericht word wel zichtbaar.
session_start();
$_SESSION['id'] = $fetchusers['id'];
en dan mischien je sessie bovenaan weghalen...
denk niet dat maarja :P
proberen kan nooit kwaad toch?
Nee, het werkt niet. :(
heel veel spaties staan. Staat die er in de echte code ook? Zo jah, die moeten weg. Voor de session_start() mag er niets naar de cliënt gestuurd worden, ook deze spaties niet.
En wat doet die bovenste
Daar? Je controleert heel niet of $_SESSION['id'] wel bestaat. De hele constructie klopt zoiezo al geen moer van. Het zou zoiets moet zijn:
Code (php)
1
2
3
4
5
6
7
2
3
4
5
6
7
$check = mysql_query("Select id From users Where username = '".mysql_escape_string($username)."' AND sha1_password = '".$sha1_password."'") or die(mysql_error());
if (mysql_num_rows($check))
{
$result = mysql_fetch_row($check);
$_SESSION['id'] = $result[0];
}
else
if (mysql_num_rows($check))
{
$result = mysql_fetch_row($check);
$_SESSION['id'] = $result[0];
}
else
Gewijzigd op 10/06/2010 23:41:45 door Piet Verhagen
salemander in the house :P
ik heb het opgelost
enjoy :)
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<?
if (isset($_POST['submit']))
{
$username = $_POST['username'];
$password = sha1($_POST['password']);
$check_aantal = mysql_query("Select id,username,password From users Where username= '".mysql_escape_string($username)."' AND password = '".$password."'") or die(mysql_error());
if (mysql_num_rows($check_aantal) > 0) {
$row = mysql_fetch_assoc($check_aantal);
if(!strcmp($password, $row['password'])) {
} else {
echo'er ging iets fout';
}
}
}
if (!isset($_SESSION['ip']))
{
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])
{
trigger_error("<br>Session Hijacking gedetecteerd!", E_USER_WARNING);
}
if (isset($_SESSION['id']))
{
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
echo "<br>Ingelogd als: ".$fetchusers['username'].". | <a href='myaccount.php?url=".$_SERVER['PHP_SELF']."'>Mijn account</a>. | <a href='http://www.robinvandervliet.hostoi.com/logout.php?url=".$_SERVER['PHP_SELF']."'>Uitloggen</a>.";
}
else
{
echo '<form method="post">';
echo 'Gebruikersnaam: <input type="text" name="gebruikersnaam" size="15"> ';
echo 'Wachtwoord: <input type="password" name="wachtwoord" size="15"> ';
echo '<input name="submit" type="submit" value="Inloggen">';
echo '</form>';
}
?>
if (isset($_POST['submit']))
{
$username = $_POST['username'];
$password = sha1($_POST['password']);
$check_aantal = mysql_query("Select id,username,password From users Where username= '".mysql_escape_string($username)."' AND password = '".$password."'") or die(mysql_error());
if (mysql_num_rows($check_aantal) > 0) {
$row = mysql_fetch_assoc($check_aantal);
if(!strcmp($password, $row['password'])) {
} else {
echo'er ging iets fout';
}
}
}
if (!isset($_SESSION['ip']))
{
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])
{
trigger_error("<br>Session Hijacking gedetecteerd!", E_USER_WARNING);
}
if (isset($_SESSION['id']))
{
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
echo "<br>Ingelogd als: ".$fetchusers['username'].". | <a href='myaccount.php?url=".$_SERVER['PHP_SELF']."'>Mijn account</a>. | <a href='http://www.robinvandervliet.hostoi.com/logout.php?url=".$_SERVER['PHP_SELF']."'>Uitloggen</a>.";
}
else
{
echo '<form method="post">';
echo 'Gebruikersnaam: <input type="text" name="gebruikersnaam" size="15"> ';
echo 'Wachtwoord: <input type="password" name="wachtwoord" size="15"> ';
echo '<input name="submit" type="submit" value="Inloggen">';
echo '</form>';
}
?>
Sander salemander op 11/06/2010 00:40:36:
YOYOYO
salemander in the house :P
ik heb het opgelost
enjoy :)
salemander in the house :P
ik heb het opgelost
enjoy :)
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
require("config.php");
session_start();
if (isset($_POST['submit']))
{
$username = $_POST['username'];
$password = sha1($_POST['password']);
$check_aantal = mysql_query("Select id,username,password From users Where username= '".mysql_escape_string($username)."' AND password = '".$password."'") or die(mysql_error());
if (mysql_num_rows($check_aantal) > 0) {
$row = mysql_fetch_assoc($check_aantal);
if(!strcmp($password, $row['password'])) {
} else {
echo'er ging iets fout';
}
}
}
if (!isset($_SESSION['ip']))
{
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])
{
trigger_error("<br>Session Hijacking gedetecteerd!", E_USER_WARNING);
}
if (isset($_SESSION['id']))
{
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
echo "<br>Ingelogd als: ".$fetchusers['username'].". | <a href='myaccount.php?url=".$_SERVER['PHP_SELF']."'>Mijn account</a>. | <a href='http://www.robinvandervliet.hostoi.com/logout.php?url=".$_SERVER['PHP_SELF']."'>Uitloggen</a>.";
}
else
{
echo '<form method="post">';
echo 'Gebruikersnaam: <input type="text" name="gebruikersnaam" size="15"> ';
echo 'Wachtwoord: <input type="password" name="wachtwoord" size="15"> ';
echo '<input name="submit" type="submit" value="Inloggen">';
echo '</form>';
}
?>
error_reporting(E_ALL);
ini_set("display_errors", 1);
require("config.php");
session_start();
if (isset($_POST['submit']))
{
$username = $_POST['username'];
$password = sha1($_POST['password']);
$check_aantal = mysql_query("Select id,username,password From users Where username= '".mysql_escape_string($username)."' AND password = '".$password."'") or die(mysql_error());
if (mysql_num_rows($check_aantal) > 0) {
$row = mysql_fetch_assoc($check_aantal);
if(!strcmp($password, $row['password'])) {
} else {
echo'er ging iets fout';
}
}
}
if (!isset($_SESSION['ip']))
{
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])
{
trigger_error("<br>Session Hijacking gedetecteerd!", E_USER_WARNING);
}
if (isset($_SESSION['id']))
{
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
echo "<br>Ingelogd als: ".$fetchusers['username'].". | <a href='myaccount.php?url=".$_SERVER['PHP_SELF']."'>Mijn account</a>. | <a href='http://www.robinvandervliet.hostoi.com/logout.php?url=".$_SERVER['PHP_SELF']."'>Uitloggen</a>.";
}
else
{
echo '<form method="post">';
echo 'Gebruikersnaam: <input type="text" name="gebruikersnaam" size="15"> ';
echo 'Wachtwoord: <input type="password" name="wachtwoord" size="15"> ';
echo '<input name="submit" type="submit" value="Inloggen">';
echo '</form>';
}
?>
Wat is het nut van regel 19?
De $_SESSION['id'] in regel 39 wordt nergens geset.
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
require("config.php");
session_start();
if (isset($_POST['submit']))
{
$username = $_POST['username'];
$password = sha1($_POST['password']);
$check_aantal = mysql_query("Select id,username,password,ip From users Where username= '".mysql_escape_string($username)."' AND password = '".$password."'") or die(mysql_error());
if (mysql_num_rows($check_aantal) > 0) {
$row = mysql_fetch_assoc($check_aantal);
}
$_SESSION['id'] = $row['id'];
}
else
{
echo'er ging iets fout';
}
if (!isset($_SESSION['ip']))
{
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])
{
trigger_error("<br>Session Hijacking gedetecteerd!", E_USER_WARNING);
}
if (isset($_SESSION['id']))
{
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
echo "<br>Ingelogd als: ".$fetchusers['username'].". | <a href='myaccount.php?url=".$_SERVER['PHP_SELF']."'>Mijn account</a>. | <a href='http://www.robinvandervliet.hostoi.com/logout.php?url=".$_SERVER['PHP_SELF']."'>Uitloggen</a>.";
}
else
{
echo '<form method="post">';
echo 'Gebruikersnaam: <input type="text" name="gebruikersnaam" size="15"> ';
echo 'Wachtwoord: <input type="password" name="wachtwoord" size="15"> ';
echo '<input name="submit" type="submit" value="Inloggen">';
echo '</form>';
}
?>
error_reporting(E_ALL);
ini_set("display_errors", 1);
require("config.php");
session_start();
if (isset($_POST['submit']))
{
$username = $_POST['username'];
$password = sha1($_POST['password']);
$check_aantal = mysql_query("Select id,username,password,ip From users Where username= '".mysql_escape_string($username)."' AND password = '".$password."'") or die(mysql_error());
if (mysql_num_rows($check_aantal) > 0) {
$row = mysql_fetch_assoc($check_aantal);
}
$_SESSION['id'] = $row['id'];
}
else
{
echo'er ging iets fout';
}
if (!isset($_SESSION['ip']))
{
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR'])
{
trigger_error("<br>Session Hijacking gedetecteerd!", E_USER_WARNING);
}
if (isset($_SESSION['id']))
{
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
echo "<br>Ingelogd als: ".$fetchusers['username'].". | <a href='myaccount.php?url=".$_SERVER['PHP_SELF']."'>Mijn account</a>. | <a href='http://www.robinvandervliet.hostoi.com/logout.php?url=".$_SERVER['PHP_SELF']."'>Uitloggen</a>.";
}
else
{
echo '<form method="post">';
echo 'Gebruikersnaam: <input type="text" name="gebruikersnaam" size="15"> ';
echo 'Wachtwoord: <input type="password" name="wachtwoord" size="15"> ';
echo '<input name="submit" type="submit" value="Inloggen">';
echo '</form>';
}
?>
Code (php)
1
2
2
$fetchusers = mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'");
$fetchusers = mysql_fetch_assoc($fetchusers);
$fetchusers = mysql_fetch_assoc($fetchusers);
En het moest dit zijn.
Code (php)
1
2
2
$fetchusers = mysql_query("SELECT * FROM users Where username = '".mysql_escape_string($username)."' AND sha1_password = '".$sha1_password."'") or die(mysql_error());
$fetchusers = mysql_fetch_assoc($fetchusers);
$fetchusers = mysql_fetch_assoc($fetchusers);
*opgelost*
Gewijzigd op 11/06/2010 09:03:32 door Robin van der Vliet