Member Avatar for nathanpacker

I don't understand what happened, I hadn't made any changes to this script, and all of the sudden, it's giving this error:

Notice: Use of undefined constant ID_my_site - assumed 'ID_my_site' in /path/to/my/script/changed/forsafety.com/login.php on line 90

As you can tell from this error, I am trying to run a login script. In the script, if everything goes ok, then this bit of script sets the cookie on the users machine. I am just assuming that this is causing the error, as it is on line 90.
This is line 89-91:

$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pass'], $hour);

Anyway, as I said before, the login script has been working fine for days, and it just started doing this on it's own, I didn't touch the script, honest!

It's a bit long, but here's the entire login.php script in case you want to point out any other flaws for a newbie php man. I've changed a couple things to protect my security.

<?php

// connect to database
include 'db_config.php';


//Checks if a login cookie already exists
if(isset($_COOKIE['ID_my_site']))


//if there is, it skips the login page and takes user directly to admin area
{
	$username = $_COOKIE['ID_my_site'];
	$pass = $_COOKIE['Key_my_site'];

	$check = mysql_query("SELECT * FROM mytable WHERE username = '$username'")or die(mysql_error());

	while($info = mysql_fetch_array( $check ))
		{

		if ($pass != $info['password'])
			{

			}

		else
			{
			header("Location: admin.php");

			}

		}

}

//if there is no cookie, load the login page
 else{

//if the login form is submitted
if (isset($_POST['submit'])) {


// makes sure they filled it in

	if(!$_POST['username'] | !$_POST['pass']) {
		die('You did not fill in all the required fields.');
	}

	// checks it against the database
	if (!get_magic_quotes_gpc()) {
		$_POST['email'] = addslashes($_POST['email']);
	}

	$check = mysql_query("SELECT * FROM mytable WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Gives error if user dosen't exist

$check2 = mysql_num_rows($check);
if ($check2 == 0) {
		die('That user does not exist in our database. <a href=registration.php>Click Here to add a user.</a>');
				}


while($info = mysql_fetch_array( $check ))
{

$_POST['pass'] = stripslashes($_POST['pass']);
	$info['password'] = stripslashes($info['password']);
	$_POST['pass'] = md5($_POST['pass']);

//gives error if the password is wrong

	if ($_POST['pass'] != $info['password']) {
		die('Incorrect password, please try again.');
	}

else
{

//check to see if the suer is required to change their password.  if so, supply link to change pass script
$_POST['username'] = stripslashes($_POST['username']);
if ($info['changepass'] == 1){
die("<center>You are required to change your password at this time.<br>
Please click <a href='changepass.php'>here</a> to change your password.");
}
else{
// if login is ok then we add a cookie
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pass'], $hour);

//then redirect them to the members area
header("Location: admin.php");
}

}


}
}
else {

// if they are not logged in
?>
<html><head><title>Import Auto Clinic Administrator Login</title></head><body>
<center>
<table><tr>&nbsp</tr><tr>&nbsp</tr><tr>&nbsp</tr><tr>&nbsp</tr></table>
<h1>Administrator Login</h1>

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post" name=login>
<table border="1" cellspacing="1" cellpadding="1">
<tr><td><img src="images/auto2.png"></td><td align=center><font size=+1>Login</font></td></tr>
<tr><td align="right">Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td align="right">Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="center">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>

<a href="forgotpass.php"><font size="-1">Can't remember your password?</font></a></center>
</body>
</html>

<?php
}
}

?>
  • 11 Contributors
  • 13 Replies
  • 2K Views
  • 5 Years Discussion Span
  • Latest Post Latest Post by deceptikon
Member Avatar for stymiee

Try adding quotes"

setcookie("ID_my_site", $_POST, $hour);

setcookie("Key_my_site", $_POST, $hour);

Member Avatar for nathanpacker

Thanks. That seemed to do the trick. I'm confused then as to why it broke all of the sudden, when it was working before without the quotes. Perhaps a user was created that had a space in the password or something? Curious.

Member Avatar for stymiee

That is a good question. Might be a configuration change on the server as well.

Member Avatar for devdan

Thanks. That seemed to do the trick. I'm confused then as to why it broke all of the sudden, when it was working before without the quotes. Perhaps a user was created that had a space in the password or something? Curious.

Just a comment on the code structure.

Your code as it is could be prone to hacking.

You should escape any values passed to a query with sqlesc or any1 who is that way inclined could hack your login script and bypass the login process. by manipulating either cookie information or the POST values.

You should also sanitise your POST and the variables they use also.

The following lines are HIGHLY unsafe and need sorting.

$check = mysql_query("SELECT * FROM mytable WHERE username = '$username'")or die(mysql_error())

$check = mysql_query("SELECT * FROM mytable WHERE username = '".$_POST['username']."'")or die(mysql_error());

I recommend reading up on php and database security and go through all your code checking for things like the above. Its better to be safe than sorry as they say

Member Avatar for nathanpacker

Thanks for the tips, but it's taken a lot of reading up on PHP just to get scripts like this to work. I'm a long way from making my scripts totally secure. Just getting them to work is a bonus for me. I promise I'll look into security later on. Besides, none of the scripts I write are business critical or anything, they're all just personal stuff.

Member Avatar for leelee

Mission critical or not, it's actually possible to delete your entire database with one carefully formed query.

Unless you want to lose all your hard work it might be an idea to read up, as Devdan mentioned. It's not a big job, at all.

Member Avatar for codezilla

quotes works for me too ! ! ! ! THANKS!!!!!!

Member Avatar for daydah

Quotes did the trick! Thanks guys! You rock!

Member Avatar for patmaherjfm

I know this is a old thread but their is a receint post..

I suspect the reason you find the site breaks for no reson, is that php has been updated, Newer versions are trying to prevent you from using unsecure code.


Their are really easy things you can do to fix the security problems shown here, as stated, the script shown here would indeed alow any of us telling you its unsafe to mess with youre data base, steal / destroy your data, and bypass the log in.


BTW: the quotes worked for me too :)

Regards Pat.

Edited by patmaherjfm because: btw
Member Avatar for fasins

Hello am new too daniweb much more php coding but this 'quotes' thing worked for me too!! thanks guys.

Member Avatar for Art_95148

Yaaap. The quote works. Now, I'm ready to venture further into the world of PHP and MYsql. Thanks a lot,guys - Art

Member Avatar for ferycsaby

Hi guys.
I Have this problem... And I Can't doo nothing to working... Can U Help me? :)

Notice: Use of undefined constant musorv_uzi - assumed 'musorv_uzi' in C:\AppServ\www\diablo_admin\hallguzen_admin.php on line 382
Aktív!

mysql_connect($db_host="localhost",$db_user="root",$db_password="teszt") or die(mysql_error());

 mysql_select_db($db_name="diablo_admin") or die(mysql_error());


$res222 = mysql_query("SELECT musorv_uzi FROM opciok WHERE id='1'") or sqlerr();
$arr222 = mysql_fetch_assoc($res222);
if ($arr222[musorv_uzi] == 'b') 
{
print("<i>nincs engedélyezve!</i>");

}

else
{
print("<i>Aktív!</i>");
}

The problem is on if ($arr222[musorv_uzi] == 'b') .... why? :)

Member Avatar for deceptikon

What's musorv_uzi? If it's a variable then you probably intended to say $arr222[$musorv_uzi]. If it's a string, you need to quote it. Presumably it could be a constant as well, but it's clearly not defined in the current scope.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.