Will this line of code ever be executed?
20-08-2010 2:40pm

...and if so, when?

Line 43 (see my comments)

```php
<?php // authenticate.php

//include login details
require_once 'login.php';

//connect to mysql
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database)
    or die("Unable to select database: " . mysql_error());

//check if username and password already given in by user
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
    //if so, retrieve and sanitise both
    $un_temp = mysql_entities_fix_string($_SERVER['PHP_AUTH_USER']);
    $pw_temp = mysql_entities_fix_string($_SERVER['PHP_AUTH_PW']);

    //build mysql query string to retrieve a user's data given a username
    $query = "SELECT * FROM users WHERE username='$un_temp'";

    //run query
    $result = mysql_query($query);

    //if query failed die on error
    if (!$result) die("Database access failed: " . mysql_error());
    //..otherwise get the number of rows from the result set
    elseif (mysql_num_rows($result))
    {
        //...and fetch a full row at a time
        $row = mysql_fetch_row($result);

        //define salts (same as those originally applied to passwords before they were stored in db)
        $salt1 = "qm&h*";
        $salt2 = "pg!@";

        //create new md5 token with supplied pw and given salts
        $token = md5("$salt1$pw_temp$salt2");

        //compare new token to current row field 4 (salted password field)
        //and if match echo name, welcome etc. to user. If no match, die with error.
        if ($token == $row[3]) echo "$row[0] $row[1] : Hi $row[0], you are now logged in as '$row[2]'";
        else die("Invalid username/password combination");
    }
    //die if no db access succeeded but credentials could not be validated after checking all users
    //with the supplied username (not sure if this code will ever be executed?
    else die("Invalid username/password combination");
}
else //user has not entered any credentials, so display the authentication challenge..
{
    header('WWW-Authenticate: Basic realm="Restricted Section"');
    header('HTTP/1.0 401 Unauthorized');
    die ("Please enter your username and password");
}

//sanitisation functions as before
function mysql_entities_fix_string($string)
{
    return htmlentities(mysql_fix_string($string));
}

function mysql_fix_string($string)
{
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}
?>
```

The username field should be unique (created with this code:)

```php
$query = "CREATE TABLE users (
    forename VARCHAR(32) NOT NULL,
    surname VARCHAR(32) NOT NULL,
    username VARCHAR(32) NOT NULL UNIQUE,
    password VARCHAR(32) NOT NULL
)";
```
(btw, I switched books to something with a few less errors in it, so presuming this isn't one and I'm just not seeing the obvious!) Btw, all the comments are mine (I try to comment all the example code to make me actually read and understand it, rather than cutting and pasting).

Edit: scratch that...I see how it will be executed (user enters an incorrect username, db will be queried and return empty set, not null, so output of mysql_num_rows() will be 0 and it will skip that elseif block and execute the else die on line 43). I think lol.
Comments
-
Yep, it will execute if the SQL runs correctly, but does not return any rows.
-
Can I offer one suggestion to improve this code? ... I think you should pass the input variables for the username and the password through a regexp to ensure that the inputs are indeed correct, sanitizing them even more... call this paranoid but it would help!
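
The login flow from this thread in a hardened form, as an added example that is not the poster's or the book's code: a bound parameter replaces the string-built query, `password_hash()`/`password_verify()` replace the salted MD5, the username goes through an allow-list regexp as suggested above, and the zero-rows case (the "line 43" branch) shares one failure path with a wrong password. The in-memory SQLite database, the sample user, `USERNAME_PATTERN` and `authenticate()` are assumptions made for the demo, and the password column is widened to 255 because these hashes do not fit in `VARCHAR(32)`.

```php
<?php
// Added example, not the poster's code. Table layout follows the thread's users
// table; the in-memory SQLite database and the sample user are constructed.
const USERNAME_PATTERN = '/\A[A-Za-z0-9_.-]{1,32}\z/'; // assumed allow-list

function authenticate(PDO $db, string $username, string $password): ?array
{
    // Hash compared when no row matches, so both failure paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $row = false;
    if (preg_match(USERNAME_PATTERN, $username) === 1) {
        // Bound parameter: the value never becomes part of the SQL text.
        $stmt = $db->prepare(
            'SELECT forename, surname, username, password FROM users WHERE username = ?'
        );
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when zero rows match
    }

    // Unknown user (the "line 43" branch) and wrong password end in one place.
    $hash = $row === false ? $dummy : $row['password'];
    $ok = password_verify($password, $hash);
    return ($ok && $row !== false) ? $row : null;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    forename VARCHAR(32) NOT NULL,
    surname  VARCHAR(32) NOT NULL,
    username VARCHAR(32) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)');
$ins->execute(['Ann', 'Example', 'ann', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['ann', 'correct horse'], // valid credentials
    ['ann', 'wrong'],         // row found, password mismatch
    ['nobody', 'x'],          // zero rows returned
    ["an'n", 'x'],            // quote is outside the allow-list, no query is run
];
foreach ($attempts as [$u, $p]) {
    $user = authenticate($db, $u, $p);
    echo str_pad($u, 16), $user ? "logged in as {$user['username']}" : 'Invalid username/password combination', "\n";
}
```

The `mysql_*` functions used in the original post were removed in PHP 7.0 and `get_magic_quotes_gpc()` in PHP 8.0, so the original script no longer runs on current PHP.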