1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Need help: "authorization" script...

Discussion in 'General PHP and MySQL Discussions' started by Mr. Goodie2Shoes, Jan 18, 2012.

  1. Mr. Goodie2Shoes

    Mr. Goodie2Shoes Well-Known Member

    Hello there, I am just trying to create a script and users need to log-in with the details in "login.php" and the info will be forwarded to "./lib/authorize.php" using the "POST" method and here's the code snippet for the "authorize.php" file:
    PHP:
    <?php
    if(!isset($_GET['do'])){
        die();
    }else{
        switch (    $_GET['do']){
            case     logout:
                    setcookie('ooht-session-start'''time()-3600"/"$_SERVER['HTTP_HOST']);
                    setcookie('ooht-session-ip'''time()-3600"/"$_SERVER['HTTP_HOST']);
                    setcookie('ooht-authorize-id'''time()-3600"/"$_SERVER['HTTP_HOST']);
                    header('Location: ../login.php');
            break;
            
            case     login:
                    $user_login_request $_POST['name'];
                    $pass_login_request $_POST['authorize_code'];
                
                include(    'config.php');
                    $DB_connect_zero mysql_connect($xenCODE_OOHT_DB_server$xenCODE_OOHT_DB_user$xenCODE_OOHT_DB_pass);
                    $DB_connect mysql_select_db($xenCODE_OOHT_DB_name$DB_connect_zero);
                    $DB_query mysql_query("SELECT * FROM ooht_users WHERE users_name = `$user_login_request`");
                    $DB_field mysql_fetch_array($DB_query);
                
                if(    $user_login_request != $DB_field['users_name']){
                    echo     "There's no such username!";
                }else{
                    if(    $DB_field['users_password'] != sha1(sha1($pass_login_request).$DB_field['users_salt'])){
                        echo     "Username and password doesn't match!";
                    }else{
                        if(    $_POST['remember'] == "on"){
                                $cookie_life 60*60*24*30;
                        }else{
                                $cookie_life 60*60*1;
                        }
                            $session_start_time time();
                        
                            setcookie('ooht-name'$user_login_requesttime()+60*60*24*30"/"$_SERVER['HTTP_HOST']);
                            setcookie('ooht-session-start'$session_start_timetime()+$cookie_life"/"$_SERVER['HTTP_HOST']);
                            setcookie('ooht-session-ip'sha1($_SERVER["REMOTE_ADDR"]), time()+$cookie_life"/"$_SERVER['HTTP_HOST']);
                            setcookie('ooht-authorize-id'md5(sha1($user_login_request).$session_start_time.sha1($_SERVER['REMOTE_ADDR'])), time()+$cookie_life"/"$_SERVER['HTTP_HOST']);
                        
                            header('Location: ../index.php');
                    }
                }
            break;
        }
    ?>
    I tried debugging the code but no result, only a blank page :|
    Mr. Goodie2Shoes, Jan 18, 2012
    #1
  2. Robbo

    Robbo Well-Known Member

    That isn't even sanitized. Adding `;DROP TABLE ooht_users would drop that table for example. Surely there is a library you can include to use instead? If it is to do with XenForo you could use Zend_Db. And also Zend_Request_Http. Those are from memory so might be wrong.
    Robbo, Feb 5, 2012
    #2

Share This Page

Pre-Sales Questions Buy XenForo Now! Customer Area
License Validation
XenForo Ltd. is registered in England and Wales with company number 07294282.