1

I have made a login page in PHP without using DB. But the code doesn't seem to generate an "incorrect login" message even though it is included in the code. Upon correct login details it is redirected to a different page. Both phplogin.php and phptest.php are given below. Help appreciated

phplogin.php

<?php
session_start();

$namearray = array("raphael", "sidharth", "sony");
$passwordarray = array('123', '1234', '12345');

$name = $_POST["username"];
$password = $_POST["password"];


  if (isset($_GET['logout'])) {
    $_SESSION['username'] = '';
    header('Location:  ' . $_SERVER['PHP_SELF']);
}

if (isset($_POST['username'])) 
    {
    if (in_array($name, $namearray)) {
        $key = array_search($name, $namearray);
        if ($password == $passwordarray[$key]) {

            function Redirect($url, $permanent = false) {
                if (headers_sent() === false) {
                    header('Location: ' . $url, true, ($permanent === true) ? 301 : 302);
                }

                exit();
            }

            Redirect('phptest.php', false);
        }
    }
} else {
    echo "Invalid Login";
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Login</title>
    </head>
    <body>
        <?php if($_SESSION['username']): ?>
            <p>You are logged in as <?=$_SESSION['username']?></p>
            <p><a href="?logout=1">Logout</a></p>
        <?php endif; ?>
        <form name="login" action="" method="post">
            Username:  <input type="text" name="username" value="" /><br />
            Password:  <input type="password" name="password" value="" /><br />
            <input type="submit" name="submit" value="Submit" />
        </form>
    </body>
</html>

phptest.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Untitled Document</title>
    </head>
    <body>
        <p>WELCOME!</p><br>
            <p>You have logged in</p><br>
        <a href="http://localhost/login3/phplogin.php">Logout</a>
    </body>
</html>
Improve this question
4
  • 2
    It's very insecure to have your passwords stored in the plaintext source for your site. Commented Jul 4, 2014 at 13:42
  • unless he's giving permission to download php files, i don't see why this should be a security issue? if the attacker could hack into php files, he could also get your db password and hack your db as well. Commented Jul 4, 2014 at 13:44
  • header('Location: ' . $_SERVER['PHP_SELF']); possible header injection vulnerability Commented Jul 4, 2014 at 13:44
  • @VolkanUlukut The point is if someone ever did get into the site this would not be very secure. Same reason you don't store plaintext passwords in a db even if theres no possible way to access it really. (In this case though its not really breaching any user security so it doesn't matter as much) Commented Jul 4, 2014 at 13:45

2 Answers 2

Reset to default
2

Add another ELSE statement to your code when checking for password:

if (isset($_POST['username'])) 
    {
    if (in_array($name, $namearray)) {
        $key = array_search($name, $namearray);
        if ($password == $passwordarray[$key]) {

            function Redirect($url, $permanent = false) {
                if (headers_sent() === false) {
                    header('Location: ' . $url, true, ($permanent === true) ? 301 : 302);
                }

                exit();
            }

            Redirect('phptest.php', false);
        } else {
           echo "Invalid Login";
        }
    } else {
       echo "Invalid Login";
    }
} else {
    echo "Invalid Login";
}
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

You don't need those else... Just use echo "Invalid Login"; without an else structure at the end of your script. The user will either be logged in correctly, and then redirected, or he will be shown the "Invalid login" message.
0

You can store users and crypted password in good old .htpasswd files and get them from there for a login.

<?php
session_start();

if (isset($_GET['logout'])) {
    $_SESSION['username'] = '';
    header('Location:  ' . $_SERVER['PHP_SELF']);
}

$users = load_htpasswd( '.htpasswd' );

if( !empty( $_POST["username"] ) && !empty( $_POST["password"] ) )
{
    if( isset( $users[$_POST["username"]] ) && test_htpasswd( $users[$_POST["username"]], $_POST["password"] ) )
    {
        header('Location: phptest.php', true, 302 );
    }
    else
    {
        echo "Invalid Login";
    }
}
else
{
    echo "No log in attempt";
}


// Loads htpasswd file into an array of form
// array( username => crypted_pass, ... )
function load_htpasswd( $htpasswd )
{
    if ( !file_exists($htpasswd))
        return array();

    $res = array();
    foreach(file($htpasswd) as $l)
    {
        $array = explode(':',$l);
        $user = $array[0];
        $pass = chop($array[1]);
        $res[$user] = $pass;
    }
    return $res;
}

// Returns true if the user exists and the password matches, false otherwise
function test_htpasswd( $crypted, $pass )
{
    // Determine the password type
    // TODO: Support for MD5 Passwords
    if ( substr($crypted, 0, 6) == "{SSHA}" )
    {
        $ohash = base64_decode(substr($crypted, 6));
        return substr($ohash, 0, 20) == pack("H*", sha1($pass . substr($ohash, 20)));
    }
    else if ( substr($crypted, 0, 5) == "{SHA}" )
    {
        $non_salted_sha1 = "{SHA}" . base64_encode(pack("H*", sha1($pass)));
        return $non_salted_sha1 == $crypted;
    }
    else
    {
        return crypt( $pass, substr($crypted,0,CRYPT_SALT_LENGTH) ) == $crypted;
    }
}

The last both functions are from http://elonen.iki.fi/code/misc-notes/htpasswd-php/

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.