"Not active" in Login Admin file allowing access

[trenoweth]

Hello,

I am using the login script and have just realised that instead of going to the error page, a "Not active" login is allowing access in the same way as an "Active" one. I've puzzled over this for ages, please tell me where I'm going wrong.

I have copied the existing files across to a dummy login, which is at http://www.trenoweth.co.uk/Test/Login/login.php

file name : login.php

User name is: Logintest and p/w is: test
************************************************************************************************************************

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['form_name']) && $_POST['form_name'] == 'loginform')
{
$success_page = 'http://www.trenoweth.co.uk/Test/logintest.html';
$error_page = 'http://www.trenoweth.co.uk/Test/Login/loginfail.php';
$database = '../usersdb.php';
$crypt_pass = md5($_POST['password']);
$found = false;
$fullname = '';
$session_timeout = 600;
if(filesize($database) > 0)
{
$items = file($database, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach($items as $line)
{
list($username, $password, $email, $name, $active) = explode('|', trim($line));
if ($username == $_POST['username'] && $active != "0" && $password == $crypt_pass)
{
$found = true;
$fullname = $name;
}
}
}
if($found == false)
{
header('Location: '.$error_page);
exit;
}
else
{
if (session_id() == "")
{
session_start();
}
$_SESSION['username'] = $_POST['username'];
$_SESSION['fullname'] = $fullname;
$_SESSION['expires_by'] = time() + $session_timeout;
$_SESSION['expires_timeout'] = $session_timeout;
header('Location: '.$success_page);
exit;
}
}
$username = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';
$password = isset($_COOKIE['password']) ? $_COOKIE['password'] : '';
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>-</title>
<link href="login.css" rel="stylesheet">
</head>
<body>
<blockquote>
<p>Please remember that your user name and password are case sensitive - if a character is in the
incorrect case you&#39;ll simply be returned to this screen.</p>

</blockquote>
<div id="wb_Login1" style="position:absolute;left:150px;top:200px;width:300px;height:214px;z-index:0;">
<form name="loginform" method="post" accept-charset="UTF-8" action="<?php echo basename(__FILE__); ?>" id="loginform">
<input type="hidden" name="form_name" value="loginform">
<table id="Login1">
<tr>
<td class="header">Log In</td>
</tr>
<tr>
<td class="label"><label for="username">User Name</label></td>
</tr>
<tr>
<td class="row"><input class="input" name="username" type="text" id="username" value="<?php echo $username; ?>"></td>
</tr>
<tr>
<td class="label"><label for="password">Password</label></td>
</tr>
<tr>
<td class="row"><input class="input" name="password" type="password" id="password" value="<?php echo $password; ?>"></td>
</tr>
<tr>
<td style="text-align:center;vertical-align:bottom"><input class="button" type="submit" name="login" value="Log In" id="login"></td>
</tr>
</table>
</form>
</div>
</body>
</html>
************************************************************************************************************************
file name: loginfail.php

The same as above but with a message that either User name or Password was incorrect. This ought to show when the Login is set to "not active" (as it is at present) but instead it goes the the success file, logintest.html
************************************************************************************************************************
file name: http://www.trenoweth.co.uk/Test/logintest.html

A basic file advising successful login.
************************************************************************************************************************
admin file: http://www.trenoweth.co.uk/Test/LoginAdmin.php

P/w for this is: test2018
************************************************************************************************************************

[Pablo]

There is a problem with the database. It has one '|' too many.
How was this database created?

[trenoweth]

Hello Pablo,

Many thanks for the reply, which I really struggled to find but can now see.

Right, but which '|' is the additional one please?

I have just created fictitious logins using the "Create new user" link on the Admin page which has exactly the same problem. I haven't edited the script at all, this is exactly as it is on the server:

usersdb.php file is:

Logintest|098f6bcd4621d373cade4e832627b4f6||||0|NA
Freddie|098f6bcd4621d373cade4e832627b4f6|fred@hisemail.com|Fred|Flintstone|0|NA
Barney|098f6bcd4621d373cade4e832627b4f6|barney@hisemail.com|Barney|Rubble|0|NA

Login is at: http://www.trenoweth.co.uk/Test/Login/login.php
All passwords are test
Admin is at: http://www.trenoweth.co.uk/Test/LoginAdmin.php
Password is test2018

[trenoweth]

I have just spent quite some time removing a '|' one at a time, testing, then restoring it when it didn't help, but I always found a non active login went through to the success page.

[Pablo]

Your admin looks different than the standard script. There is an extra column 'surname'.
Did you add this yourself?

[trenoweth]

Yes, I added it so that the database may be sorted into alphabetical order by surname.

I've also been trying to set up a completely new login script starting from scratch using WB14 (the previous one above was originally written on WB11) but I don't seem to be able to get anywhere with LoginAdmin.

It generates an HTML file, has no link that I can see for the usersdb.php file, is already populated with a number of names starting with yours that cannot be edited nor deleted. Nor do the New User and Logout buttons work, so I presume this is just a demo page?

[Pablo]

Yes, I added it so that the database may be sorted into alphabetical order by surname.

That is what causing the extra '|' in the user database, which makes it invalid for the other scripts.

It generates an HTML file, has no link that I can see for the usersdb.php file, is already populated with a number of names starting with yours that cannot be edited nor deleted. Nor do the New User and Logout buttons work, so I presume this is just a demo page?

Are you using the latest update?

[trenoweth]

In my efforts to resolve the extra '|' problem I took the surnames right out of the equation so I was left with just the original five columns, but the problem was still there.

[trenoweth]

Are you using the latest update?

As I have mentioned, the script was originally written with WB11 though I think it has also been through WB12. I do now have the latest WB14 and haven't been able to produce a working LoginAdmin page from it. Just the HTML file with the pre-populated names that cannot be edited.

[Pablo]

Are you using the latest update: version 14.0.4?

[trenoweth]

I downloaded it on 4th June, which says it is Version 14 (May 7 2018)

[trenoweth]

But isn't this rather irrelevant? I should be able to add a new field providing it is added everywhere, in the sign-up and the admin scripts?

[Pablo]

But isn't this rather irrelevant?

It is very relevant, because the latest update has many improvements. Including fixes in the login admin.

I should be able to add a new field providing it is added everywhere, in the sign-up and the admin scripts?

No, you cannot just add new fields everywhere. The database has a defined structure, if you add extra fields then this will affect all login tools. So, if you modify the admin script then you also need to update the other scripts.

[trenoweth]

Which I did. The added file in the Admin page was also added to the sign-up page. I think I'm correct in saying that the other files (login, password reminder) are not affected as they don't use the additional field.

If I write new scripts for the main files will I be able to use the existing LoginAdmin? I wouldn't have thought so but as the presnt version doesn't seem to produce one how to go forward?

[Pablo]

Adding extra fields between the existing fields will affect the other tools.
For example, the login script expects the 5th parameter to be the 'active' field.

You will not have this problem if you use a MySQL database because then the field order does not matter.

but as the presnt version doesn't seem to produce one how to go forward?

Please make sure you have version 14.0.4, then the admin script will work the same as before.

[trenoweth]

So if I rearrange it so that the active field is number five, that should resolve things?

I do still have active as 5, though starting with 0 that probably means it is really 6

This is my amended coding:

$values = explode('|', trim($line));

$values[0] = $_POST['login'];

if (!empty($_POST['password']))

{

$values[1] = md5($_POST['password']);

}

$values[2] = $_POST['email'];

$values[3] = $_POST['firstname'];

$values[4] = $_POST['surname'];

$values[5] = $_POST['active'];

With corresponding amendment elsewhere.

Would simply moving the active field work so that, for example, I have (1) User name,(2) First name, (3) Surname, (4) Email, (5) Active with the hidden password field for the sixth one?

You have asked which version I have, but where is that shown? As I have said I downloaded it on 4th June, but these files were already in existence then. When I look at the About tab it just has Version 14 (May 7 2018), as here.


Anyway, these files were produced in an earlier version.

[Pablo]

So if I rearrange it so that the active field is number five, that should resolve things?

Correct

Would simply moving the active field work so that, for example, I have (1) User name,(2) First name, (3) Surname, (4) Email, (5) Active with the hidden password field for the sixth one?

All standard fields need to be in their original position, extra fields should be added at the end of the line.

When I look at the About tab it just has Version 14 (May 7 2018), as here.

This is not the most recent version. Please install the latest update.
https://www.wysiwygwebbuilder.com/forum ... um.php?f=1

[trenoweth]

This is not the most recent version

Well, it is what I downloaded this very week!

[trenoweth]

Is this 14.0.4 an update or a new paid-for program? It's only just over two months since I last paid you for an upgrade!

[Pablo]

If you have a license for version 14.x then all updates for this version are free.

[trenoweth]

I have, thank goodness!

[trenoweth]

Now I have another problem! Using v14.0.4 and writing completely new files without any additional field added the program works alright as far as signing-up and using the admin page are concerned, also the active/not active function. But when I click on edit I can see that a new sign-up is denoted as an Administrator. Changing that to 'Member' or 'Guest' and saving doesn't, in fact, have any effect as when checking the edit box again it is still showing 'Administrator'.

[Pablo]

User roles and avatars in WWB14 only work with MySQL database. This functionality was not designed to be used with flat database.

[trenoweth]

Ah, right, well ... I don't really require the roles so that's not a problem for me. Thanks.

Better have a look at MySQL when I have a moment though.