jpmaster77-s-login-system-'s People

Contributors

ivannovak avatar


jpmaster77-s-login-system-'s Issues

Unknown Server Issue

Hello,

I just downloaded this login system after reading an article on it and I installed it on our website's server but when I visit the main.php page, I get this error: Unknown MySQL server host 'DB_SERVER' (2)

Looked through the SQL file but couldn't see anything wrong with it: any suggestions? :)

Suggestion

Ivan, thanks for adding my suggested changes yesterday!

Sorry this is not an issue, but I wanted to make another suggestion for the project's roadmap and figured this was the best way to make this suggestion. I think the project's database calls should be using PDO instead of mysql_query calls. The main reason is that the mysql_ library has been obsolete for six years and is less secure than PDO. This article inspired me to begin programming all my latest projects in PDO, you might be interested: http://webdevrefinery.com/forums/topic/1272-your-mysql-code-sucks

I was able to convert the database file to use PDO but got hung up with how it interacts with the session file. I would be willing to send you my converted database.php file if you are interested in pursuing this.

Thanks again!

KB

Spammers friendly system

Any registered user can see other logged-in users' mail. This is heaven for spammers.

Advice: hide the email addresses of users. Users can communicate via internal messages.
Or add profiles where users can define if they want to share their email address with everyone.

greetings,
rainworm

Error in adminprocess.php file

Ivan-
In the adminprocess.php file, line 180 the code throws an error, the code should read:

 !preg_match("/^([0-9a-z])+$/i", $subuser) ||

Thanks for keeping this script going!

KB

What about consistency of whole system?

There is another thing irritating my eyes (I hope I'm not too annoying; please let me know if I am). :)
If you look at the complete login system, you can see there is database.php for handling queries and to communicate with database. In case of internal messages, you have included communication with database into mail.php (it would really be polished and great school example if you leave DB communication to database.php).

greetings,
rainworm

Proposed change to addNewUser in database.php

By specifying the field list, it makes it easier to add additional fields to the users table and still have it working.

  $q = sprintf("INSERT INTO ".TBL_USERS." (username,password,userid,userlevel,email,timestamp,valid,name,hash,hash_generated) VALUES ('%s', '%s', '%s', '%s', '%s', $time, '0', '%s', '0', '0')",

Internal mail - send mail to non-existing user

In the "to" field, you can write any recipient, even one that is not in the DB.

My advice on solving this one; instead of input type, use select-option and let user choose from available alphabetically ordered recipients.

greetings,
rainworm

Basic security issues

The potential attacker gets too much error information when trying to guess some login data.

For example; there are username and password input types. If I enter the wrong username, the system tells me that I entered the wrong username. I can guess the username by using a brute-force method. When I know the username, I can move on to the password (it's the same story).

Advice: don't exactly pinpoint the error when someone is trying to log in. Instead of "no such username" or "wrong password", return something like "username or password doesn't match". This way the attacker doesn't get the information whether the username exists, and it's much better protection as he must guess two strings at once, not just one.

greetings,
rainworm
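A login check written as an added example for the advice in this post (it is not the login system's own code): one generic message for both failure causes, with the password check run even for unknown usernames so the two paths cost about the same time. In-memory SQLite stands in for TBL_USERS; the sample account, the helper names and the LOGIN_FAILED_MSG constant are constructed.

```php
<?php
// Added example, not part of the login system: a login check that answers the
// same generic message whether the username is unknown or the password is
// wrong. Table and sample account are constructed (in-memory SQLite stands in
// for TBL_USERS).

declare(strict_types=1);

const LOGIN_FAILED_MSG = 'Username or password does not match.';

function makeUserStore(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    // constructed account; only a password_hash() digest is stored, never the password
    $ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns null on success, otherwise the single generic failure message.
// The caller logs the real cause server-side and shows only the return value.
function checkLogin(PDO $db, string $username, string $password): ?string {
    // Same character rule the adminprocess.php post quotes; rejecting early is
    // fine because the message is identical to every other failure.
    if (!preg_match('/^([0-9a-z])+$/i', $username)) {
        return LOGIN_FAILED_MSG;
    }

    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run password_verify() against a dummy hash so the
    // response time does not reveal whether the username exists.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    $hash = ($row !== false) ? $row['password'] : $dummyHash;

    $verified = password_verify($password, $hash);   // always executed
    return ($row !== false && $verified) ? null : LOGIN_FAILED_MSG;
}

// constructed calls: correct login, wrong password, unknown user
$db = makeUserStore();
foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['nobody', 'wrong']] as [$u, $p]) {
    $r = checkLogin($db, $u, $p);
    printf("%-7s %s\n", $u, $r === null ? 'logged in' : $r);
}
```

The second and third calls produce the same string, which is the whole point: nothing in the response distinguishes "no such user" from "wrong password". Rate limiting per username and per source address is the complementary control for the brute-force part of the post.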

Critical! Internal mail system and SQL injection

In this internal mail system, you are taking raw input data and inserting it into a MySQL database. You have left yourself wide open for a security issue known as SQL Injection.

I strongly advise using the MySQL function "mysql_real_escape_string".

greetings,
rainworm
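One way to close this, written as an added example rather than the project's database.php or mail.php: it takes the PDO conversion suggested in the "Suggestion" post above and makes every query that carries user input a prepared statement, so the internal-mail insert cannot be altered by its input. It also checks that the recipient exists (the "send mail to non-existing user" post), lists recipients alphabetically for a select box, and guards the connection constants, since an undefined constant becomes the literal string 'DB_SERVER' (the "Unknown Server Issue" post). The constant names DB_SERVER, DB_USER, DB_PASS, DB_NAME and TBL_USERS come from the page; TBL_MAIL, the column names, the class and method names and the sample rows are assumptions. It runs against in-memory SQLite so it works offline.

```php
<?php
// Added example, not the project's database.php or mail.php: a PDO wrapper in
// which every query that carries user input is a prepared statement. The
// constant names (DB_SERVER, DB_USER, DB_PASS, DB_NAME, TBL_USERS) are the ones
// the page uses; TBL_MAIL, the column names and the sample rows are
// constructed. Runs against in-memory SQLite so it works offline.

declare(strict_types=1);

define('TBL_USERS', 'users');
define('TBL_MAIL', 'mail');   // assumed name for the internal-mail table

final class Database {
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $pass = null) {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side parameters
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    // For the real constants.php. An undefined constant degrades to the literal
    // string 'DB_SERVER', which is exactly the "Unknown MySQL server host
    // 'DB_SERVER'" error reported on this page, so check before connecting.
    public static function fromConstants(): self {
        foreach (['DB_SERVER', 'DB_USER', 'DB_PASS', 'DB_NAME'] as $c) {
            if (!defined($c)) {
                throw new RuntimeException("$c is not defined; set it in constants.php");
            }
        }
        $dsn = 'mysql:host=' . constant('DB_SERVER') . ';dbname=' . constant('DB_NAME') . ';charset=utf8mb4';
        return new self($dsn, constant('DB_USER'), constant('DB_PASS'));
    }

    public function pdo(): PDO { return $this->pdo; }

    public function usernameExists(string $username): bool {
        $s = $this->pdo->prepare('SELECT 1 FROM ' . TBL_USERS . ' WHERE username = :u');
        $s->execute([':u' => $username]);
        return $s->fetchColumn() !== false;
    }

    // Alphabetical recipient list for a <select>, instead of a free-text "to" field.
    public function listUsernames(): array {
        return $this->pdo->query('SELECT username FROM ' . TBL_USERS . ' ORDER BY username')
                         ->fetchAll(PDO::FETCH_COLUMN);
    }

    // Before: an INSERT built by splicing $_POST values into the query string.
    // After: the field list is explicit (as the addNewUser proposal suggests) and
    // every value travels as a bound parameter, never as SQL text.
    public function sendMail(string $from, string $to, string $subject, string $body): bool {
        if (!$this->usernameExists($to)) {
            return false;   // the recipient must be a real account
        }
        $s = $this->pdo->prepare(
            'INSERT INTO ' . TBL_MAIL . ' (sender, recipient, subject, body, sent_at) '
            . 'VALUES (:from, :to, :subject, :body, :ts)'
        );
        return $s->execute([
            ':from' => $from, ':to' => $to, ':subject' => $subject,
            ':body' => $body, ':ts' => time(),
        ]);
    }

    public function countMail(): int {
        return (int) $this->pdo->query('SELECT COUNT(*) FROM ' . TBL_MAIL)->fetchColumn();
    }
}

// --- constructed demo on SQLite -------------------------------------------
$db = new Database('sqlite::memory:');
$db->pdo()->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
$db->pdo()->exec('CREATE TABLE mail (id INTEGER PRIMARY KEY, sender TEXT, recipient TEXT,
                  subject TEXT, body TEXT, sent_at INTEGER)');
foreach (['carol', 'alice', 'bob'] as $u) {
    $db->pdo()->prepare('INSERT INTO users (username) VALUES (:u)')->execute([':u' => $u]);
}

$body = "it's a 'quoted' body; -- with comment characters";   // constructed; stored as plain data
var_dump($db->sendMail('alice', 'bob', 'hi', $body));         // accepted, stored verbatim
var_dump($db->sendMail('alice', 'nobody', 'hi', 'x'));        // rejected: unknown recipient
print_r($db->listUsernames());                                // sorted for the select box
echo $db->countMail(), " message(s) stored\n";
```

With parameters bound this way there is nothing for mysql_real_escape_string to do: quotes and comment characters in the body are data, not syntax. For MySQL, construct the object with Database::fromConstants() once constants.php defines the four DB_ constants.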

eregi()

This function has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.

greetings,
rainworm

Critical! Internal mail is XSS vulnerable

I found an issue in the internal mail system. It allows cross-site scripting (XSS).
Do I have to point out that this one is critical and should be fixed as soon as possible?
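The fix for this class of bug is escaping at output time; here it is as an added example, not the project's mail.php. Every user-controlled field of a stored message passes through htmlspecialchars before it reaches the page, and the recipient select box escapes option values as attributes. The message array, usernames and helper names are constructed.

```php
<?php
// Added example, not the project's mail.php: every user-controlled field of a
// stored message is HTML-escaped at output time, which is what stops a subject
// or body from running as script in the reader's browser. The message array and
// usernames are constructed.

declare(strict_types=1);

// One escaping helper used for both element content and attribute values.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderMessage(array $m): string {
    return '<div class="mail">'
        . '<p><b>From:</b> ' . e($m['sender']) . '</p>'
        . '<p><b>Subject:</b> ' . e($m['subject']) . '</p>'
        . '<pre>' . e($m['body']) . '</pre>'
        . '</div>';
}

// Recipient <select> for the "to" field; option values are escaped as attribute values.
function renderRecipientOptions(array $usernames): string {
    $out = '<select name="to">';
    foreach ($usernames as $u) {
        $out .= '<option value="' . e($u) . '">' . e($u) . '</option>';
    }
    return $out . '</select>';
}

// Constructed message whose subject and body carry markup; after escaping
// they are displayed as text, not interpreted by the browser.
$msg = [
    'sender'  => 'mallory',
    'subject' => '<b>bold</b><script>alert(1)</script>',
    'body'    => 'see <a href="http://example.invalid">this</a> & reply',
];
// Defence in depth for any field a later edit forgets to escape (no-op under the CLI).
header("Content-Security-Policy: default-src 'self'");
echo renderMessage($msg), "\n";
echo renderRecipientOptions(['alice', 'bob', "o'neil"]), "\n";
```

Escaping belongs at the point of output, not at storage: a message stored already-escaped is correct for HTML but wrong for any other consumer (a JSON API, a plain-text notification), and a field that was stored raw by an older code path would still be rendered live.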

Changes.txt

In your changes, you are referring to some links that don't exist.

Can you correct this?

greetings,
rainworm

Deleting any internal message between users

I don't know if this project is still alive or not but anyway..
I checked this code and the first thing I noticed is that anyone (even users who are not logged in) can delete any message as long as the right mail ID is guessed (one JavaScript for-sentence and every message in the system is gone permanently).

Advice: only the recipient or sender should be able to delete a message.
I would also recommend not physically deleting the message from the table but marking it as deleted. This way you can always restore it in case of "accident".

greetings,
rainworm
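Both pieces of advice in one handler, as an added example that is not the project's code: the delete requires a logged-in user, only the sender or recipient of that message may delete it, and the row is flagged rather than removed so it can be restored. Table layout, column names, function names and sample rows are constructed; in-memory SQLite stands in for the mail table.

```php
<?php
// Added example, not the project's mail.php: a delete handler that requires a
// logged-in user, lets only the message's sender or recipient delete it, and
// marks the row deleted instead of removing it. Table layout, column names and
// sample rows are constructed; in-memory SQLite stands in for the mail table.

declare(strict_types=1);

function makeMailStore(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE mail (
        id INTEGER PRIMARY KEY, sender TEXT NOT NULL, recipient TEXT NOT NULL,
        body TEXT NOT NULL, deleted INTEGER NOT NULL DEFAULT 0,
        deleted_by TEXT, deleted_at INTEGER)');
    $ins = $db->prepare('INSERT INTO mail (sender, recipient, body) VALUES (:s, :r, :b)');
    $ins->execute([':s' => 'alice', ':r' => 'bob',   ':b' => 'lunch?']);
    $ins->execute([':s' => 'carol', ':r' => 'alice', ':b' => 'report attached']);
    return $db;
}

// $currentUser comes from the server-side session (e.g. $_SESSION['username']),
// never from the request. Returns a short status word for the caller. Expose
// this only behind a POST so a plain link or image tag cannot trigger it.
function deleteMessage(PDO $db, ?string $currentUser, int $mailId): string {
    if ($currentUser === null) {
        return 'not-logged-in';
    }
    $s = $db->prepare('SELECT sender, recipient FROM mail WHERE id = :id AND deleted = 0');
    $s->execute([':id' => $mailId]);
    $row = $s->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'not-found';   // also covers already-deleted ids
    }
    // Ownership check: a guessed id is useless unless the caller is a party to the message.
    if ($currentUser !== $row['sender'] && $currentUser !== $row['recipient']) {
        return 'forbidden';
    }
    // Soft delete: the row stays for restore and records who removed it and when.
    $u = $db->prepare('UPDATE mail SET deleted = 1, deleted_by = :by, deleted_at = :at WHERE id = :id');
    $u->execute([':by' => $currentUser, ':at' => time(), ':id' => $mailId]);
    return 'deleted';
}

// The inbox query honours the flag, so a soft-deleted message disappears from the UI.
function inbox(PDO $db, string $user): array {
    $s = $db->prepare('SELECT id, sender, body FROM mail WHERE recipient = :u AND deleted = 0 ORDER BY id');
    $s->execute([':u' => $user]);
    return $s->fetchAll(PDO::FETCH_ASSOC);
}

// constructed calls: anonymous, a user who is not a party, the recipient, then a repeat
$db = makeMailStore();
foreach ([[null, 1], ['mallory', 1], ['bob', 1], ['bob', 1]] as [$who, $id]) {
    printf("%-8s deletes #%d: %s\n", $who ?? '(anon)', $id, deleteMessage($db, $who, $id));
}
print_r(inbox($db, 'bob'));
```

Returning 'not-found' for both missing and already-deleted ids keeps the response from confirming which ids exist, and the deleted_by column gives the audit trail needed to decide whether a restore was an "accident" or not.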

forgotpass.php

I spotted a problem with this entire process.

To reset the password of an account, all you need is that account's username.

That's it.

Does that not seem ridiculous to anyone else?

Do I have an outdated version? I'm in the process of fixing this now but thought it might be worth mentioning to anyone else using this.

Registration fails, but login works

Hi,
I am trying out the latest version of the Login System and I can't make it work. I get the error message: Registration Failed
We're sorry, but an error has occurred and your registration for the username xxxx, could not be completed.
Please try again at a later time.
I checked the error.log and there is no error associated with running this code. I also used Login System version 2004 to register a user. That works. I was able to create a user and log in with that version of Login System. Then I changed the valid field in users to 1 and was able to log in with Login System version 2011. So, basically, I have a problem registering new users. I have made the appropriate changes in constant.php, i.e. set DB_SERVER, DB_USER, DB_PASS, and DB_NAME, and it seems the problem does not come from there since I was able to log in with version 2011. I'd appreciate any suggestions you might have.

Process flow bug assumption

I'll try to write down how I got to this bug (I can't always reproduce it, so I can't quite pinpoint it).

  1. logout of system (if logged in),
  2. clear my cookies and sessions,
  3. go to main.php and click to Sign-up link,
  4. at register.php enter some data (enter wrong ones - too short username or something like that - you want to get an error! (it is possible that it works with valid data too)),
  5. click link to main page,
  6. enter valid username and password,
  7. logout,

Instead of the system returning you to the main page, it displays register.php and a message that you are already registered. My guess is that the error happened inside process.php and has something to do with a session that wasn't destroyed in register.php.

greetings,
rainworm

Adding SQL table

Greetings,

I've been trying to add SQL table sid into users, but after I do, I can't register: unexpected error.
Any hints how to fix this?
