Bytes IT Community

Authorization code for access to administration - Dialog asks for login and password three times, then the authorization fails although I entered the correct password and login

I tried many things for several hours to repair this code but I didn't
succeed :-(
The code below is from some learning site which is a little old. I
didn't change anything in there, I know it's old-style. Could somebody
copy and repair just the short part of that code, just the
function mysql_query(...);, to the new style to let me see the
difference between new-style and old-style?

In addition, I tried it like this:
$sql = mysql_query("SELECT * FROM autori
                    WHERE login = \"".$_SERVER['PHP_AUTH_USER']."\"
                    AND pass = \"".md5($_SERVER['PHP_AUTH_PW'])."\"
                    AND stav = \"a\";");
Without success:-(

And this is the code from the learning site (unchanged, I only marked
the problem part):

<?php

if (!IsSet($PHP_AUTH_USER))
{
    Header("HTTP/1.0 401 Unauthorized");
    Header("WWW-Authenticate: Basic realm=\"RS - Admin Center\"");
    echo "Neautorizovaný přístup";
    exit;
}

// if the user filled in the form, continue by checking the data in the database
else
{
    // connect to the database
    include "../conn.php";
    // look for a record with the login and password entered in the
    // authorization form. We look only for active users.

    ///////////////////////////////////////////////////////////////////////
    // problem part (marked by the poster):
    @$sql = mysql_query("SELECT * FROM autori
                         WHERE login LIKE '$PHP_AUTH_USER'
                         AND pass = '".md5($PHP_AUTH_PW)."'
                         AND stav = 'a'");
    ///////////////////////////////////////////////////////////////////////

    // if we do not find any such user,
    // we say goodbye to them
    if (mysql_num_rows($sql) == 0)
    {
        Header("HTTP/1.0 401 Unauthorized");
        Header("WWW-Authenticate: Basic realm=\"RS - Admin Center\"");
        echo "Neautorizovaný přístup";
        mysql_close($conn);
        exit;
    }
    // we no longer need the database connection, so we close it
    mysql_close($conn);
}
// what follows splits the browser window into frames
?>
<HTML>
<HEAD>
<TITLE>RS - Admin Center</TITLE>
</HEAD>

<FRAMESET COLS="180,*">
<FRAME SRC="menu.php" NAME="menu" SCROLLING=AUTO>
<FRAME SRC="main.php" NAME="main" SCROLLING=AUTO>
</FRAMESET>

<NOFRAMES>
<BODY>
K použití administrační sekce potřebujete prohlížeč s podporou
rámů.
</BODY>
</NOFRAMES>

</HTML>

Thanks in advance!

Regards, Michael

Apr 29 '07 #1
5 Replies


if (!IsSet($PHP_AUTH_USER))

--->

if ( !isset($_SERVER['PHP_AUTH_USER']) )

Apr 29 '07 #2

Thank you very much, it works!

Have a nice day!

Apr 29 '07 #3

On Apr 29, 8:51 pm, MIUSS <m...@seznam.cz> wrote:
Thank you very much, it works!

Have a nice day!
If you want to use another, perhaps more secure, method, you could go
and try http_auth from PEAR.
Here's the class and the "test" directory where the examples are:
http://cvs.php.net/viewvc.cgi/pear/Auth_HTTP/

Example of basic authentication using SQLite here:
http://cvs.php.net/viewvc.cgi/pear/A....1&view=markup

May 1 '07 #4

shimmyshack wrote:
On Apr 29, 8:51 pm, MIUSS <m...@seznam.cz> wrote:
Thank you very much, it works!

Have a nice day!

If you want to use another, perhaps more secure, method, you could go
and try http_auth from PEAR.
Here's the class and the "test" directory where the examples are:
http://cvs.php.net/viewvc.cgi/pear/Auth_HTTP/

Example of basic authentication using SQLite here:
http://cvs.php.net/viewvc.cgi/pear/A....1&view=markup
Hello,
As you wrote that if I want more secure code, I would ask: do you
think that the code I recently showed isn't secure enough? I'm a
beginner and I think I'd better use some code I almost understand than
something else. The code I use is from some learning book, so I think it
should be secure... I wonder whether it may be insecure only when I use
some weak password. But of course I won't. What exactly in that code
seems insecure to you?

Thanks in advance for your reply :-)

May 3 '07 #5

Well, firstly the select statement selects * which might return more
than one row; this doesn't make sense in the context of selecting a
username/password pair which should be unique.
Username should be unique,
so the query is too ambiguous for my taste.
It then uses a LIKE, which again seems ambiguous: why use LIKE when a
simple = would do? Either the username is given or it is not, no need
to use a LIKE here.
Also the query does not escape $_SERVER['PHP_AUTH_USER'], which means
that a user name with some SQL inside would be injected straight into
the query; if your permissions for the php user on that table allow
altering/dropping then your table could be altered maliciously to
contain a false user and password, or dropped.
Imagine the user entered
You should therefore use mysql_real_escape_string on all php5, or take
steps to filter the character set you allow to be present in the
username.
Injection isn't possible into the AUTH_PASSWORD variable here, because
it is md5(), so that's OK; however it's good practice to escape
everything before it reaches the query. In this case a user could find
the md5 passwords from the table, and then log in as any user -
including admin - without the need for an offline dictionary attack.
The type of SQL injection allowed here could mean that a few hundred
thousand fake queries could be performed in order to gather every bit
of data in your whole database, let alone the table, everything this
application user has access to on the database.
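An added example, not code from the thread or from the learning site, that combines the fix from reply #2 (read the credentials from $_SERVER instead of relying on register_globals) with the points from reply #6 (exact match instead of LIKE, a single row instead of SELECT *, and a query in which the username is bound as a parameter so nothing in it reaches the SQL). It assumes PHP 7 or later, that ../conn.php provides a PDO connection in $pdo (an assumption; the thread's conn.php is not shown), and the page's table autori(login, pass, stav) with pass holding md5() of the password and stav = 'a' marking active users.

```php
<?php
// Added example (not from the thread or the learning site).
// Assumptions: ../conn.php defines $pdo (a PDO instance), and the table
// autori(login, pass, stav) stores md5() of the password in pass and
// marks active users with stav = 'a', as on the original page.

function sendUnauthorized(): void
{
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="RS - Admin Center"');
    echo 'Neautorizovaný přístup';
    exit;
}

// Look up at most one active user by exact login. The login is bound as a
// parameter, so quotes or SQL keywords inside it are compared as data and
// never become part of the statement.
function findActiveUser(PDO $pdo, string $login): ?array
{
    $stmt = $pdo->prepare(
        "SELECT login, pass FROM autori WHERE login = :login AND stav = 'a' LIMIT 1"
    );
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Compare the stored md5 with the md5 of the submitted password in constant
// time. md5 is kept only because the page's table already stores it; for a
// new table use password_hash() / password_verify() instead.
function passwordMatches(array $user, string $password): bool
{
    return hash_equals($user['pass'], md5($password));
}

// Credentials come from $_SERVER (reply #2); without this the page sends 401
// on every request, which is why the browser dialog reappears.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    sendUnauthorized();
}

include '../conn.php'; // assumed to define $pdo

$user = findActiveUser($pdo, $_SERVER['PHP_AUTH_USER']);
if ($user === null || !passwordMatches($user, $_SERVER['PHP_AUTH_PW'])) {
    sendUnauthorized();
}
// Authenticated: the frameset from the original page follows here.
```

Binding :login means a username such as one containing a single quote is compared literally and the lookup simply returns no row, so the injection reply #6 describes has nothing to attach to; escaping with mysql_real_escape_string would also work, but a prepared statement does not depend on getting the escaping right for every connection charset. The password check is done in PHP rather than in the WHERE clause so that an unknown login and a wrong password take the same path and both end in the same 401.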

May 3 '07 #6
