Need help: "authorization" script...

Discussion in 'General PHP and MySQL Discussions' started by Mr. Goodie2Shoes, Jan 18, 2012.

  1. Mr. Goodie2Shoes

    Mr. Goodie2Shoes Well-Known Member

    Hello there, I am just trying to create a script and users need to log-in with the details in "login.php" and the info will be forwarded to "./lib/authorize.php" using the "POST" method and here's the code snippet for the "authorize.php" file:
    PHP:
    <?php
    if(!isset($_GET['do'])){
        die();
    }else{
        switch ($_GET['do']){
            case logout:
                setcookie('ooht-session-start', '', time()-3600, "/", $_SERVER['HTTP_HOST']);
                setcookie('ooht-session-ip', '', time()-3600, "/", $_SERVER['HTTP_HOST']);
                setcookie('ooht-authorize-id', '', time()-3600, "/", $_SERVER['HTTP_HOST']);
                header('Location: ../login.php');
            break;

            case login:
                $user_login_request = $_POST['name'];
                $pass_login_request = $_POST['authorize_code'];

                include('config.php');
                $DB_connect_zero = mysql_connect($xenCODE_OOHT_DB_server, $xenCODE_OOHT_DB_user, $xenCODE_OOHT_DB_pass);
                $DB_connect = mysql_select_db($xenCODE_OOHT_DB_name, $DB_connect_zero);
                $DB_query = mysql_query("SELECT * FROM ooht_users WHERE users_name = `$user_login_request`");
                $DB_field = mysql_fetch_array($DB_query);

                if($user_login_request != $DB_field['users_name']){
                    echo "There's no such username!";
                }else{
                    if($DB_field['users_password'] != sha1(sha1($pass_login_request).$DB_field['users_salt'])){
                        echo "Username and password doesn't match!";
                    }else{
                        if($_POST['remember'] == "on"){
                            $cookie_life = 60*60*24*30;
                        }else{
                            $cookie_life = 60*60*1;
                        }
                        $session_start_time = time();

                        setcookie('ooht-name', $user_login_request, time()+60*60*24*30, "/", $_SERVER['HTTP_HOST']);
                        setcookie('ooht-session-start', $session_start_time, time()+$cookie_life, "/", $_SERVER['HTTP_HOST']);
                        setcookie('ooht-session-ip', sha1($_SERVER["REMOTE_ADDR"]), time()+$cookie_life, "/", $_SERVER['HTTP_HOST']);
                        setcookie('ooht-authorize-id', md5(sha1($user_login_request).$session_start_time.sha1($_SERVER['REMOTE_ADDR'])), time()+$cookie_life, "/", $_SERVER['HTTP_HOST']);

                        header('Location: ../index.php');
                    }
                }
            break;
        }
    ?>
    I tried debugging the code but no result, only a blank page :|
     
  2. Robbo

    Robbo Well-Known Member

    That isn't even sanitized. Adding `;DROP TABLE ooht_users would drop that table for example. Surely there is a library you can include to use instead? If it is to do with XenForo you could use Zend_Db. And also Zend_Request_Http. Those are from memory so might be wrong.
     
