I do authorization by token and secret. I cannot find an error in the logic, but it still reports that the data is incorrect. When I check only the token, everything works, but when I check both values, I get an error.

    <?php
    function _auth() {
        session_start();
        include 'connect.php';
        $sql = "SELECT * FROM `users`";
        $result = mysqli_query($mysqli,$sql);
        while($user = mysqli_fetch_assoc($result)) {
            $token=$user['token'];
            $secret=$user['secret'];
            if (isset($_POST['token'], $_POST['pass_btn'], $_POST['secret'])) {
                if ($token == $_POST['token'] and $secret == $_POST['secret']) {
                    $_SESSION['unique_sdfcdrgbtrhbgfnb'] = true;
                } else {
                    $_SESSION['sdfcdrgbtrhbgfnb'] = false;
                    echo '<div>Failed token or secret</div>';
                }
            }
            if ($_SESSION['unique_sdfcdrgbtrhbgfnb'] !== true) {
                echo '<form method="POST">'.
                    '<div>Enter token:<br /><input type="text" name="token" size="50" /></div>'.
                    '<div>Enter secret:<br /><input type="text" name="secret" size="50" /></div>'.
                    '<div><input type="submit" value="Enter" name="pass_btn" /></div>'.
                    '</form>';
                die();
            }
        }
    }
    _auth();
    ?>

  • $_SESSION['unique_sdfcdrgbtrhbgfnb'] = true; and further down $_SESSION['sdfcdrgbtrhbgfnb'] = false; is that intended? - ReinRaus
  • @ReinRaus that is exactly what was intended - user197085
  • Well, debug and look for the error; it may be that your $user['secret'] is not the same as $_POST['secret'], and that's why it does not work. The easiest way to debug: inside each condition / else branch and outside the condition, print a unique value and see where exactly the logic broke, i.e. see which branch the algorithm went into. Then see why it went into that branch and not the right one, etc. - BOPOH

1 answer

Judging by the description, if everything is OK with the token alone, then the secret is stored in the database not in plain form but as, for example, its hash. You are likely comparing the hash with the password.

Another point. I'm not sure a comparison with type checking is needed there; a string is stored in the session, if I'm not mistaken.

 $_SESSION['unique_sdfcdrgbtrhbgfnb'] !== true
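
The hash-versus-plaintext mismatch suggested in the answer, as an added example that is not part of the original post or answer. It assumes the `secret` column holds `password_hash()` output; the function name `check_credentials` and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example, not the asker's code.
// Assumption: users.secret stores a password_hash() value, not the plain secret.

/**
 * Return true only when some row has the posted token AND the posted
 * secret verifies against that row's stored hash.
 */
function check_credentials(array $users, string $token, string $secret): bool
{
    foreach ($users as $user) {
        // hash_equals() compares in constant time; known value goes first.
        if (!hash_equals($user['token'], $token)) {
            continue; // a different user's row: keep scanning the remaining rows
        }
        // The stored value is a hash, so it must be checked with
        // password_verify() rather than compared to the posted string.
        return password_verify($secret, $user['secret']);
    }
    return false; // no row carries this token
}

// Constructed sample rows standing in for the result of the SELECT.
$users = [
    ['token' => 'tok-alice', 'secret' => password_hash('alice-secret', PASSWORD_DEFAULT)],
    ['token' => 'tok-bob',   'secret' => password_hash('bob-secret', PASSWORD_DEFAULT)],
];

// Comparison in the style of the question: stored hash against the posted secret.
var_dump($users[1]['secret'] == 'bob-secret');

// Correct token with correct secret, for a user who is not in the first row.
var_dump(check_credentials($users, 'tok-bob', 'bob-secret'));

// Correct token with another user's secret.
var_dump(check_credentials($users, 'tok-bob', 'alice-secret'));

// Unknown token.
var_dump(check_credentials($users, 'tok-nobody', 'bob-secret'));
```

The array stands in for the database rows so the block runs without `connect.php`; against a real table the row would normally be fetched by token with a prepared statement before calling `password_verify()`.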