
Password Syntax Help Please 2

Status
Not open for further replies.

jimlee

Programmer
Jan 27, 2001
I have a page that I have protected using a simple PHP. It also emails me if an incorrect password is entered. Although the Password works as expected, I still get an email notification. It is as if this line of code isn't working as expected:

if(stristr($alert,"@")!==false)

I fully accept I haven't written or understood this code, but everyone has to start somewhere!

Please could you tell me where this is falling down, and how I can rectify the problem.

Thanks!

Code:

<?php

session_start();

//--------------------------
// user definable variables:
//--------------------------

// maximum number of seconds user can remain idle without having to re-login:
// use a value of zero for no timeout
$max_session_time = 0;

// type of alert to give on incorrect password:
// $alert = ""; If no alert
// a value containing "@" is used as an email address, anything else as a log file path
$alert = "me@email.com";

// acceptable passwords:
// $cmp_pass = Array();
// $cmp_pass[] = md5("default");
// add as many as you like
$cmp_pass = array();
$cmp_pass[] = "password";

// maximum number of bad logins before user locked out
// use a value of zero for no hammering protection
$max_attempts = 3;

// url to go to if ok
// (the address was stripped out when the post was submitted; fill in the target page)
$formurl = "";

//-----------------------------
// end user definable variables
//-----------------------------


// save session expiry time for later comparison (not set yet on the first visit)
$session_expires = isset($_SESSION['mpass_session_expires']) ? $_SESSION['mpass_session_expires'] : "";

// have to do this otherwise max_attempts is actually one less than what you specify.
$max_attempts++;

// password as submitted by the form, if any
$submitted = isset($_POST['mpass_pass']) ? $_POST['mpass_pass'] : "";

if(!empty($submitted))
{
// store md5'ed password
$_SESSION['mpass_pass'] = md5($submitted);
}

if(empty($_SESSION['mpass_attempts']))
{
$_SESSION['mpass_attempts'] = 0;
}

// md5 of whatever password this session holds ("" until one has been submitted)
$session_pass = isset($_SESSION['mpass_pass']) ? $_SESSION['mpass_pass'] : "";

// if the session has expired, or the password is incorrect, show login page:
// (in_array() is called with strict=true so the hex digests are compared as strings, not as numbers)
if(($max_session_time>0 && !empty($session_expires) && time()>$session_expires) || empty($session_pass) || !in_array($session_pass,$cmp_pass,true))
{
if(!empty($alert) && !in_array($session_pass,$cmp_pass,true))
{
// user has submitted incorrect password
// generate alert:
// (note: this branch also runs on a plain visit where no password has been
// submitted yet, because an empty session password is never found in $cmp_pass)

$_SESSION['mpass_attempts']++;

$alert_str = $_SERVER['REMOTE_ADDR']." entered ".htmlspecialchars($submitted)." on page ".$_SERVER['PHP_SELF']." on ".date("l dS of F Y h:i:s A")."\r\n";

if(stristr($alert,"@")!==false)
{
// email alert
@mail($alert,"Bad Login on ".$_SERVER['PHP_SELF'],$alert_str,"From: ".$alert);
} else {
// textfile alert
$handle = @fopen($alert,'a');
if($handle)
{
fwrite($handle,$alert_str);
fclose($handle);
}
}
}
// if hammering protection is enabled, lock user out if they've reached the maximum
if($max_attempts>1 && $_SESSION['mpass_attempts']>=$max_attempts)
{
exit("Too many login failures.");
}


// clear session expiry time
$_SESSION['mpass_session_expires'] = "";

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body>

WEBPAGE!

</body>
</html>

<?php

// and exit
exit();
}

// if they've got this far, they've entered the correct password:

// reset attempts
$_SESSION['mpass_attempts'] = 0;

// update session expiry time
$_SESSION['mpass_session_expires'] = time()+$max_session_time;

// end password protection code

header( "Location: $formurl" );

exit;
?>





jimlad

"There's this thing called being so open-minded your brains drop out." - Richard Dawkins
 
you are not entering the right password (i'll bet you are trying to enter "password").

change this line
Code:
$cmp_pass[] = "password";

to
Code:
$cmp_pass[] = md5("password");

and things should work as expected.
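To see what that one-line change does, here is an added example (my code, not jpadie's and not the script's): the script's lookup reduced to a function and run against both versions of $cmp_pass, plus two points a reviewer would raise alongside it: why the third argument to in_array() should be true, and how the same check looks with PHP's password_hash()/password_verify(), which is a different technique from the script's md5 and assumes PHP 5.5 or later (the type declarations assume PHP 7).

```php
<?php
// Added example, not from the thread: the script's password lookup in isolation.
// Assumption: PHP 7 or later.

// the script's check: md5 the submission, look it up in the configured list
function acceptedByScript(string $submitted, array $cmp_pass, bool $strict): bool
{
    return in_array(md5($submitted), $cmp_pass, $strict);
}

// the plaintext list from the first post: md5("password") is a 32-char hex digest,
// so it can never equal the string "password"
$plain = array("password");
var_dump(acceptedByScript("password", $plain, true));

// jpadie's fix: the list holds md5 digests (md5 is case-sensitive, so "Password" fails)
$hashed = array(md5("password"));
var_dump(acceptedByScript("password", $hashed, true));
var_dump(acceptedByScript("Password", $hashed, true));

// why the third in_array() argument matters: PHP compares two numeric-looking
// strings as numbers, and some digests consist of "0e" followed only by digits,
// so two different inputs with such digests compare equal under loose ==.
// "240610708" and "QNKCDZO" are the textbook pair of such inputs.
$magic = array(md5("240610708"));
var_dump(acceptedByScript("QNKCDZO", $magic, false));
var_dump(acceptedByScript("QNKCDZO", $magic, true));

// current replacement (a different technique from the script's md5): a salted,
// slow hash stored per password and checked with password_verify()
function acceptedModern(string $submitted, array $stored_hashes): bool
{
    foreach ($stored_hashes as $hash) {
        if (password_verify($submitted, $hash)) {
            return true;
        }
    }
    return false;
}

$modern = array(password_hash("password", PASSWORD_DEFAULT));
var_dump(acceptedModern("password", $modern));
var_dump(acceptedModern("wrong", $modern));
```

Run from the command line, the first var_dump() prints bool(false), the next two bool(true) and bool(false), the loose lookup of the two "0e" digests bool(true) against bool(false) for the strict one, and the password_verify() pair bool(true) then bool(false). password_hash() salts every call, so the hash is generated once and stored in the configuration rather than recomputed each time the script runs.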
 
The code is working as it should.

This expression:

stristr($alert,"@")

will evaluate to FALSE if the "@"-character is NOT found in $alert. Otherwise it will return an integer that tells at what position the character was found.

Near the top of the script I find the statement:

$alert = "me@email.com";

which is a string that contains an "@", and as far as I can see the variable's value is never changed. So:

stristr($alert,"@")

will always return a non-false value. So the expression:

stristr($alert,"@")!==false

will always evaluate to TRUE.


So the email is always sent.





Want the best answers? Ask the best questions! TANSTAAFL!
 
Wow, that was fast, thanks!

jpadie - I did try what you suggested as I had been messing around with the passwords on numerous occasions, but unfortunately I still get an email notification.

I changed

$cmp_pass[] = "password";

to

$cmp_pass[] = md5("password");

sleipnir - Thanks for the explanation. I can't argue it, although it raises the question for me as to why that if statement is there in the first place? If I always keep the value of $alert as $alert = "me@email.com"; could I simply remove the if statement?
I still like the idea of an email notification if the incorrect password is entered.

Again many thanks!

jimlad

"There's this thing called being so open-minded your brains drop out." - Richard Dawkins
 
an alert is only sent if the password is entered incorrectly because the alert code is inside this conditional :
Code:
if(!empty($alert) && !in_array($_SESSION['mpass_pass'],$cmp_pass))

i.e. if the password stored in $_SESSION['mpass_pass'] is not in the array called $cmp_pass then the alert code will trigger, else it will not.

ergo: it is working as you specified.

so i suspect the problem is in your password entry form. can you post that code?
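Both explanations above (sleipnir's of the stristr() test and jpadie's of the conditional) can be checked by tracing the script's conditions over a few requests. The following is an added example, not code from the thread: the three decisions the script makes lifted out into pure functions, with an in-memory array standing in for $_SESSION and time() as the expiry clock, applied to the md5 version of $cmp_pass (type declarations assume PHP 7).

```php
<?php
// Added example, not from the thread: the script's decisions (show the login page?
// raise an alert? email or file?) as pure functions, so a sequence of requests can
// be traced without a web server, a session or a working mail() setup.
// $session stands in for $_SESSION; $cmp_pass holds md5 digests.

// mirrors the script's outer condition:
//   ($max_session_time>0 && !empty($session_expires) && time()>$session_expires)
//   || empty($_SESSION['mpass_pass']) || !in_array($_SESSION['mpass_pass'],$cmp_pass)
function showsLogin(array $session, array $cmp_pass, int $max_session_time, int $now): bool
{
    $expires = isset($session['mpass_session_expires']) ? $session['mpass_session_expires'] : "";
    $pass    = isset($session['mpass_pass']) ? $session['mpass_pass'] : "";
    $expired = $max_session_time > 0 && !empty($expires) && $now > $expires;
    return $expired || empty($pass) || !in_array($pass, $cmp_pass, true);
}

// mirrors the inner condition that guards the alert:
//   if(!empty($alert) && !in_array($_SESSION['mpass_pass'],$cmp_pass))
function alertFires(string $alert, array $session, array $cmp_pass): bool
{
    $pass = isset($session['mpass_pass']) ? $session['mpass_pass'] : "";
    return !empty($alert) && !in_array($pass, $cmp_pass, true);
}

// mirrors the channel choice: if(stristr($alert,"@")!==false) email, else a log file.
// stristr() returns the haystack from the first match onwards, or false when absent.
function alertChannel(string $alert): string
{
    return stristr($alert, "@") !== false ? "email" : "file";
}

// print both decisions for one request
function trace(string $label, string $alert, array $session, array $cmp_pass, int $max_session_time): void
{
    printf("%-16s login page: %-5s alert: %s\n", $label,
        var_export(showsLogin($session, $cmp_pass, $max_session_time, time()), true),
        var_export(alertFires($alert, $session, $cmp_pass), true));
}

$alert    = "me@email.com";
$cmp_pass = array(md5("password"));   // the list after jpadie's md5() fix
$now      = time();

// 1. first GET of the page, nothing posted yet: the session holds no password at all
trace("first visit", $alert, array(), $cmp_pass, 0);

// 2. a wrong password has been posted and stored as md5
trace("wrong password", $alert, array('mpass_pass' => md5("guess")), $cmp_pass, 0);

// 3. the right password has been posted
trace("right password", $alert, array('mpass_pass' => md5("password")), $cmp_pass, 0);

// 4. right password, but the idle timeout (60 s here) passed ten seconds ago
trace("expired session", $alert,
      array('mpass_pass' => md5("password"), 'mpass_session_expires' => $now - 10), $cmp_pass, 60);

// the channel choice depends only on the configured $alert value
var_dump(stristr($alert, "@"));
echo alertChannel($alert), " / ", alertChannel("/var/log/bad-logins.txt"), "\n";
```

Run from the command line it prints login page: true / alert: true for the first two requests, false / false for the correct password, and true / false for the expired session (the login page comes back, but the inner guard suppresses the alert). The first line is the one to keep in mind when alerts keep arriving: a plain visit that has not posted anything yet already goes through the alert branch, because an empty session password is never found in $cmp_pass. The var_dump() shows stristr() returning string(10) "@email.com", the part of the haystack from the match onwards, which is why the script compares the result with !== false; a path without an "@" selects the file channel.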
 
jpadie - Unless I've misunderstood you, I'd just like to clarify that an email is sent, even when I enter the correct password. This is my issue, and where I have a lack of understanding of PHP to solve this.

This is the form code that is embedded within the HTML on the same file (I hope that is not the problem!). It's very simple...at the moment.

<div class="paras">
<h4>Password</h4>
<form action="<?=$_SERVER['misc/PHP_SELF']?>" method="post">
<input type="password" name="mpass_pass">
<input type="submit" value="login">
</form>
</div>

Thanks again!

jimlad

"There's this thing called being so open-minded your brains drop out." - Richard Dawkins
 
I think the form is wrong.

instead of
Code:
<div class="paras">
<h4>Password</h4>
<form action="<?=$_SERVER['misc/PHP_SELF']?>" method="post">
<input type="password" name="mpass_pass">
<input type="submit" value="login">
</form>
</div>
try this
Code:
<form action="misc/<?=$_SERVER['PHP_SELF']?>" method="post">
<input type="password" name="mpass_pass">
<input type="submit" value="login">
</form>
</div>

because you had got the $_SERVER element wrong the form was resubmitting to itself. is this intended? even better than the above, hard code the full internet url into the action so that nothing can go wrong.

i would also footprint your code. there is nothing obviously wrong with it and there is no way that an email can get sent if you have correctly entered the password.

so something else is going wrong that causes the code to believe that you have not entered the password properly.

fixing the form action may help.

for a start at footprinting dump the $_POST superglobal to screen just after the session_start();
Code:
print_r($_POST);
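An added example (not jpadie's or jimlee's code) of the hard-coded action he recommends. It assumes the script is served as /pass.php; the attr() helper is there for the case where the action has to be built from a variable, since $_SERVER['PHP_SELF'] echoes the requested path as the browser sent it and should never be placed in an attribute unescaped.

```php
<?php
// Added example: the login form with a fixed action path.
// Assumption: the password script is reachable as /pass.php on this site.
const LOGIN_ACTION = '/pass.php';

// Escape anything placed inside an HTML attribute. Essential when the value
// comes from the request ($_SERVER['PHP_SELF'] reflects the requested path
// verbatim); harmless for a constant.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
?>
<div class="paras">
<h4>Password</h4>
<form action="<?= attr(LOGIN_ACTION) ?>" method="post">
<input type="password" name="mpass_pass" autocomplete="current-password">
<input type="submit" value="login">
</form>
</div>
```

With a fixed path the form always posts to the same script regardless of how the page was reached, which is the behaviour jpadie describes as the one that "nothing can go wrong" with.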
 
jpadie - Sorry for the delay, I've been playing, but haven't got very far! I assumed the PHP file has to be resubmitted for it to load the targeted URL at the bottom of the code?

I changed the line you mentioned to:
<form action="pass.php" method="post">
Is this wrong?

I also added the footprint as you stated and went through the process again.

1. Enter URL Footprint = Array ( )
2. Enter password of "password"
Footprint = Array ( [mpass_pass] => password )
Warning: Cannot modify header information - headers already sent by (output started at C:\Inetpub\vhosts\swelldesigns.co.uk\httpdocs\pass.php:4) in C:\Inetpub\vhosts\swelldesigns.co.uk\httpdocs\pass.php on line 177
BTW line 177 = header( "Location: $formurl" );
3. No email arrived

From your experience, have I overcomplicated things if all I want is a simple PHP password, with email notification if entered incorrectly?

Thanks!

jimlad

"There's this thing called being so open-minded your brains drop out." - Richard Dawkins
 
tell you what...

let's take a step back: can you post the code you are using (as currently modified) within code tags and i will take a proper look. pls post the password form and the code.

alternatively i've posted a login/user management solution a number of times on this forum and you are absolutely welcome to use that as you like. i'm in the process of rehashing it to use OOP if you'd rather wait a few days.

but, as said, i'm delighted to take a proper look at where you are with your code.
 
I appreciate your help, but I'd rather you didn't waste any further time on this. I think I've overcomplicated things.

I am very interested in your PHP solution. I'll do a search.

Thanks for your time!

jimlad

"There's this thing called being so open-minded your brains drop out." - Richard Dawkins
 
actually, it looks rather as if we cracked it with the form action.

remove the footprinting and test again (the errors were being created by the footprint).

let me know if you can't find the log in code i posted. i will try and dig it out on my side.
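Added example (not jpadie's code) for the two points in his last replies: dumping $_POST to the page put output ahead of the header() call, which is what the "headers already sent" warning reported; logging the dump with error_log() keeps the footprint without touching the response body, and a guarded redirect reports the problem instead of leaving only a warning. The target URL is a placeholder for the $formurl that was stripped from the first post; the void return type assumes PHP 7.1 or later.

```php
<?php
// Added example: footprinting the login script without breaking its redirect.
session_start();

// footprint the request in the server's error log: nothing reaches the
// response body, so header() further down can still send Location:
error_log("pass.php POST: " . print_r($_POST, true));

// ... session check, password comparison and alert code as in the script ...

// redirect helper: headers_sent() reports whether any output (a print_r(), an
// echo, even whitespace before the opening <?php tag) has already been sent
function redirectTo(string $url): void
{
    if (headers_sent($file, $line)) {
        error_log("redirect to $url impossible: output started at $file:$line");
        exit("Login accepted, but the page could not be redirected.");
    }
    header("Location: " . $url);
    exit;
}

// placeholder for the $formurl value that was stripped from the first post
redirectTo("/protected-page.html");
```

The error log is the right place for this kind of dump on a live site for a second reason: the posted password would otherwise be written into the HTML of every failed attempt.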
 
I removed the footprint and kept the form code as is. I retested with the correct password and I got another email!

Sod it, I don't care. I just wanted to know if someone was hammering the page.

I'm still very interested in your PHP password as this one's been overcomplicated. Unfortunately, as you've been so helpful on here with over 1500 posts, I cannot find it. Would you be able to guide me further? Or email me at si77hayward [at] googlemail [dot] com?

Thanks

jimlad

"There's this thing called being so open-minded your brains drop out." - Richard Dawkins
 
I would be interested in the password-username code too.

I'm looking for a solution in which the user can either login or register themselves by a form, then gets an e-mail where he has to verify he is really him.

Then some include code which checks on each page (or via session) if the user has the rights to see this particular page and then somewhere a div with " login / LOGOUT / register"

I would like to use PEAR for this and possibly embed it in some framework like ZOOP, e.g. one of these:
And i would like the login-registration form to popup via ibox (
Is there somewhere some ready-made code that is also best practice according to security?
 
i'm working on a beta version of some code with jimlee at the moment. should have something to post in a few days.

it does not currently do registration and verification but i'll consider this as a feature request.

currently it is just a page/site protection mechanism with the following features:
* optionally supports sha1 and md5 encryption
* password reset
* optional rememberme functionality
* optional login expiry
* optional lockout functionality to prevent machine hammering
* optional email alerts to admins
* prevents use of back-button/refresh to spoof login

i wrote it on sunday afternoon altogether too quickly so, although it is an encapsulated class, it does not adhere to PEAR coding standards. i had to downgrade it to php4 compliance too, so the class does not benefit from robust internal protection, but does have a very simple API.
 