Bravo List

Bravo List (http://www.bvlist.com/index.php)
-   Torrent Trader (http://www.bvlist.com/forumdisplay.php?f=29)
-   -   account-login (http://www.bvlist.com/showthread.php?t=11650)

BamBam0077 14th June 2018 03:28

account-login
 
Hey guys, I am just fiddling with code with a helping hand from https://www.w3schools.com/php/php_form_validation.asp


Here is what I got so far (not tested yet):
Code:

<?php
//
//  TorrentTrader v2.x
//      $LastChangedDate: 2012-09-19 19:13:35 +0100 (Wed, 19 Sep 2012) $
//      $LastChangedBy: torrenttrader $
//
//      http://www.torrenttrader.org
//
//
require_once("backend/functions.php");
dbconn();

// Trim, unescape and HTML-encode a submitted form value (w3schools test_input pattern)
function spesh_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

$username = "";
$password = "";
$message  = "";

if($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = spesh_input($_POST["username"]);
    $password = spesh_input($_POST["password"]);
}

if(!empty($username) && !empty($password)) {

    // Hash only after the empty check, otherwise an empty password hashes to a non-empty string
    $password = passhash($password);

    $res = mysqli_query("SELECT id,password,secret,status,enabled
                        FROM users
                        WHERE username='".mysqli_real_escape_string($username)."'") or mysqli_error(__FILE__,__LINE__);
    $row = mysqli_fetch_assoc($res);

    if(!$row || $row["password"] != $password){
        $message = T_("LOGIN_INCORRECT");
    } elseif($row["status"] == "pending"){
        $message = T_("ACCOUNT_PENDING");
    } elseif($row["enabled"] == "no"){
        $message = T_("ACCOUNT_DISABLED");
    }

    if(!$message) {
        logincookie($row["id"],$row["password"],$row["secret"]);
        if(!empty($_POST["returnto"])){
            header("Refresh:0;url=".$_POST["returnto"]);
            die();
        } else {
            header("Refresh:0;url=index.php");
            die();
        }
    } else {
        show_error_msg(T_("ACCESS_DENIED"), $message, 1);
    }
} else {
    // Reached when either field is missing
    $message = T_("NO_EMPTY_FIELDS");
    show_error_msg(T_("ACCESS_DENIED"), $message, 1);
}
logoutcookie();

:ok:

joeroberts 14th June 2018 03:37

OK, kinda confused on this one. :sad:
So first off, you did not include any of the needed files (config, database).
Second off, you log them in then log them right back out?
Also you want to make sure that the server is using
Code:

get_magic_quotes_gpc()
before running
Code:

stripslashes(

BamBam0077 14th June 2018 03:55

I updated the original post after I realized I left out the db and functions.php.
If you check it again you will see I secured the:
Code:

Used mysqli also; if you need the mysqli_connect():
Code:

<?php
// Connection settings for mysqli_connect(); change these for your own install
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'MagicCues90');
define('DB_DATABASE', 'shop');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>

Change password and database :friend:


Extra Note:
Code:

// w3schools form-validation helper this post's spesh_input() is based on
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}



https://www.w3schools.com/php/showph...ion_escapechar

joeroberts 14th June 2018 04:15

MySqli needs the connection ID on all
Code:

mysqli_query
like so
Code:

$res = mysqli_query($db, "SELECT id,password,secret,status,enabled
                    FROM users
                    WHERE username='".mysqli_real_escape_string($db, $username)."'") or mysqli_error(__FILE__,__LINE__);

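Putting the thread's points together as an added example (not TorrentTrader's code and not either poster's): the same lookup written as a mysqli prepared statement, which takes the $db connection but needs no manual quoting or escaping of the username. It assumes $db is the connection from the config snippet above, that passhash(), logincookie(), show_error_msg() and T_() are the project functions used in the first post, and that the mysqlnd driver is installed.

```php
<?php
// Added example (not TorrentTrader's or the posters' code): this thread's login
// lookup as a mysqli prepared statement. Assumes $db is the connection from the
// config snippet above, that passhash(), logincookie(), show_error_msg() and T_()
// are the project functions used in the first post, and that mysqlnd is present.
function login_lookup(mysqli $db, string $username, string $password_hash): array {
    // The username is bound as a parameter and never becomes part of the SQL
    // text, so no manual quoting or mysqli_real_escape_string() is needed.
    $stmt = $db->prepare(
        "SELECT id, password, secret, status, enabled FROM users WHERE username = ?"
    );
    if ($stmt === false) {
        return ['ok' => false, 'message' => T_("LOGIN_INCORRECT"), 'row' => null];
    }
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    // hash_equals() is a strict, constant-time comparison; the loose "!=" in the
    // original would treat two "0e..." hex digests as equal numbers.
    if (!$row || !hash_equals($row["password"], $password_hash)) {
        return ['ok' => false, 'message' => T_("LOGIN_INCORRECT"), 'row' => null];
    }
    if ($row["status"] == "pending") {
        return ['ok' => false, 'message' => T_("ACCOUNT_PENDING"), 'row' => null];
    }
    if ($row["enabled"] == "no") {
        return ['ok' => false, 'message' => T_("ACCOUNT_DISABLED"), 'row' => null];
    }
    return ['ok' => true, 'message' => '', 'row' => $row];
}

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Only trim the input. htmlspecialchars() belongs on output; applied to the
    // password before passhash() it would alter any password containing & < > or ".
    $username = trim($_POST["username"] ?? "");
    $password = $_POST["password"] ?? "";
    $result = ($username === "" || $password === "")
        ? ['ok' => false, 'message' => T_("NO_EMPTY_FIELDS"), 'row' => null]
        : login_lookup($db, $username, passhash($password));
    if (!$result['ok']) {
        show_error_msg(T_("ACCESS_DENIED"), $result['message'], 1);
        exit;
    }
    logincookie($result['row']["id"], $result['row']["password"], $result['row']["secret"]);
    // Redirect to a fixed page: a caller-supplied "returnto" URL would have to be
    // checked to be a local path before being used here.
    header("Location: index.php");
    exit;
}
```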

BamBam0077 14th June 2018 04:40

Now that makes more sense; the new db style approach explains a lot of other issues :drink:



Powered by vBulletin® Version 3.8.11 Beta 3
Copyright ©2000 - 2024, vBulletin Solutions Inc.