Jump to content

Class Problem

MrGeezer

By MrGeezer
in PHP Coding Help

 Share

Recommended Posts

MrGeezer Newbie

MrGeezer

Posted
Posted

Hey guys!

 

I have spent the last 5 and a half hours banging my head up against the wall trying to fix this to no avail so I guess its time to ask the experts!!!

 

I am having a problem with my membership class.

 

Basically, it works perfectly if a user logs in using sessions and not cookies. But when remember is set to 1 (they ticked the remember me checkbox), the mysql query fails on this line when we run $member_class->member_class();

 

$result = mysql_fetch_array(mysql_query("SELECT * FROM members WHERE email = '{$email}' AND token ='{$token}' AND ip_address LIKE '{$ip_address}%'"), MYSQL_ASSOC) or DIE ($this->query_error);

 

Everything matches up except for the $token value.

 

Basicly I believe that a new token is updated in the mysql database, before the token value in the cookie is updated as when I print $token, it definitly matches up with the token value in the mysql database. But from reading through the code, it all looks perfectly fine to me which is why i am so confused.

 

 

If i change $newtoken = $this->token(); // generate a new token to $newtoken = '1234'; the script also works perfectly fine without errors (though not very secure so would like the token to change values!

 

 

Really appreciate any input! Cheers

 

 

 

 

 

 

<?php
     // member class
     // handlers member logon
     class member_class   {
         var $message = '';
      var $query_error = 'ERROR: something went wrong when accessing the database. Please consult your webmaster';
  
         function member_class()   {   //constructor
             if (!$_SESSION['member_id'])   {   //fills session with empty values 
                 $this->set_session_defaults();;
             }
  
             if ($_SESSION['logged_in'])   {    //already logged in
                 $this->check_session();
             }
  
             if ($_COOKIE['remember'])   {  
                 $this->check_remembered($_COOKIE['remember']);
             }
         }    
     


         function check_login($email,$password,$remember,$redirect)   {
             $email = mysql_escape_string($email);
		 $salt='s+(_v';
             $password = mysql_escape_string(hash('sha512', $salt . $password));
     
          $result=mysql_fetch_array(mysql_query("SELECT * FROM members WHERE email = '{$email}' AND password = '{$password}'"), MYSQL_ASSOC);
             if ($result)   {
                 $this->set_session($result,$remember,true);
                 return true;
             } else {
                 $this->failed = true;
                 $this->logout();
			 //create error message telling user that either the email address does not exist, or they have entered the wrong password associated with the email address
			$result=mysql_fetch_array(mysql_query("SELECT email FROM members WHERE email = '{$email}'"));
			if($result) { $this->message .= 'Incorrect Password. Please try again'; }
		    else { $this->message .= 'The email address '.$email.' does not exist. Please try again or <a href="/register.php" class=" cboxElement">create a new account</a>.'; }
                 return false;
             }
         }
     
         function logout()   {
             // blowup cookie
             setcookie('remember',time()-3600);
             $this->set_session_defaults();
         }
     
         function set_session($result,$remember,$init = true)   {
             $member_id=$result['member_id'];
             if ($init)   {
                 $session = mysql_escape_string(session_id());
                 $ip_address = mysql_escape_string($_SERVER['REMOTE_ADDR']);
              $newtoken = $this->token(); // generate a new token
		  			  
		  // generate a random token
		  
		  
              $update = mysql_query("UPDATE members SET session='{$session}', token='{$newtoken}', ip_address='{$ip_address}' WHERE member_id='{$member_id}'") or DIE ($this->query_error);
		}
     
             $_SESSION['member_id'] = $result['member_id'];
              $_SESSION['email'] = htmlspecialchars($result['email']);
              $_SESSION['fullname'] = $result['fullname'];
             $_SESSION['token'] = $newtoken;
             $_SESSION['logged_in'] = true;
     
            if ($remember)   {
                 $this->update_cookie($newtoken);
             }
     
         }
     
         function update_cookie($token)   {
             $cookie = serialize(array($_SESSION['email'],$token));
		 //print $token;
             setcookie('remember',$cookie, time()+12099600);
         }
     
         function check_remembered($cookie)   {
     
             $serializedArray=$cookie;
             $serializedArray = stripslashes($serializedArray);
             list($email,$token) = unserialize($serializedArray);
     
             if(empty($email) or empty($token))   {
                 return;
             } else {
                 $email = mysql_escape_string($email);
                 $token = mysql_escape_string($token);
                 $ip_address = mysql_escape_string($_SERVER['REMOTE_ADDR']);
			 //changed  from = '{ip_address} to like '{ipaddress}% so we are not strict in ip address we only limit to  first 3 charactors of ip
				$ip_address = substr($ip_address, 0, 3);
				$query = "SELECT * FROM members WHERE email = '{$email}' AND token ='{$token}' AND ip_address LIKE '{$ip_address}%'";
				print $query;
          $result = mysql_fetch_array(mysql_query("SELECT * FROM members WHERE email = '{$email}' AND token ='{$token}' AND ip_address LIKE '{$ip_address}%'"), MYSQL_ASSOC) or DIE ($this->query_error);
			  
			  
                 if (!$result)   {
         //            $this->set_session($result,false,false);
                 }else{ 
                     $this->set_session($result,true,true);
                 }
             }
         }
     
         function token()   {
             // generate a random token
             for($i=1;$i<33;$i++)   {
                 $seed .= chr(rand(0,255));
             }
             return md5($seed);
         }
     
         function check_session()  {
             $email = mysql_escape_string($_SESSION['email']);
             $token = mysql_escape_string($_SESSION['token']);
             $session = mysql_escape_string(session_id());
		 //if ip address changes it will fail POSSIBLY DO NOT NEED THIS!
             $ip_address = mysql_escape_string($_SERVER['REMOTE_ADDR']);
		 //check only the first 4 charactors of ip address incase user changes ip in corporate workplace etc ALSO CHANGED = TO LIKE IN MYSQL QUERY AND ADDEED % TO THE END AS WILDCARD
		 $ip_address = substr($ip_address, 0, 3);
          $result = mysql_fetch_array(mysql_query("SELECT * FROM members WHERE email='{$email}' AND token='{$token}' AND session='{$session}' AND ip_address LIKE '{$ip_address}%'"), MYSQL_ASSOC or DIE ($this->query_error));
  
             if ($result != false){
             }else{
                 $this->logout();
             }
         }
     
     }?>

Link to comment
Share on other sites
Zurev Newbie

Zurev

Posted
Posted

First question, why are you passing MYSQL_ASSOC as a second argument to mysql_query(). mysql_query() takes the query, and an optional second argument as the link identifier, which that is not. If you're looking to fetch it as an associative array, it's already doing that with mysql_fetch_array, though you could switch it to mysql_fetch_assoc. Though that most likely isn't the issue, I wonder if it's causing any problems.

Link to comment
Share on other sites
MrGeezer Newbie

MrGeezer

Posted
  • Author
Posted

Hi Zurev,

 

Thanks for the suggestion, I am modifying a login class that was given to me from a friend, though there has been many bugs in it that I have fixed up, I didnt know what it did so didnt want to touch it.

 

I have echoed the query  "SELECT * FROM members WHERE email = '{$email}' AND token ='{$token}' AND ip_address LIKE '{$ip_address}%'"; and the UPDATE query under set_session

 

SELECT * FROM members WHERE email = 'ryan@myemail.com' AND token ='ff84793a1ae2076bca5ed721374105c1' AND ip_address LIKE '118%'        SUCCESS

UPDATE members SET session='c7a3beded5bb3c5b907ece2b496f27d6', token='10b91a8cb9ef510c8ccd9bb39ce4a7e9', ip_address='118.93.xx.xx' WHERE member_id='23'

 

SELECT * FROM members WHERE email = 'ryan@myemail.com' AND token ='ff84793a1ae2076bca5ed721374105c1' AND ip_address LIKE '118%'    FAIL

 

As you can see, the first time it runs check remembered, it works fine, the cookie matches the token value in the database. But after it runs set_session and updates the token value in mysql and the cookie, check remembered is run again and the token value has not updated to 10b91a8cb9ef510c8ccd9bb39ce4a7e9. it is using the original token value of ff84793a1ae2076bca5ed721374105c1 which fails.

Link to comment
Share on other sites
MrGeezer Newbie

MrGeezer

Posted
  • Author
Posted

Hi anupamsaha,

 

Sorry didnt see your post until now. As above, it seems to update the token value in the mysql database, the cookie is also updated (i have tested this) but when check_remembered is run again, it runs the select query using the older token

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.