#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    5
    Rep Power
    0

    Page showing HTML source code


    I am working on a project for a class in which I need to have login functionality. The following is the PHP code for my login page:

    PHP Code:
    <?php
        session_start();

        require_once('NMM_Lib.php');
        require_once('Page.class.php');
        require_once('./svcLayer/game/gameSvc.php');

        if(isset($_SESSION['login'])) {
            header("Location:index.php");
        } else {
            if(isset($_POST['login']) && $_POST['user_token'] === $_SESSION['user_token']) {
                if($_POST['user'] === '' || $_POST['password'] === '') {
                    $message = 'Missing User ID or Password';
                } else {
                    $username = $_POST['user'];
                    $password = sha1($_POST['password']);
                    $results = checkLogin($_POST['user_token'] . "|" . $username . "|" . $password);

                    if($results === 'null') {
                        $message = 'Incorrect User ID or Password';
                        $token = sha1(uniqid(mt_rand(), true));
                        $_SESSION['user_token'] = $token;
                    } else {
                        $resultsDecoded = json_decode($results);
                        $_SESSION['userID'] = $resultsDecoded[0];
                        header("Location:index.php");
                    }
                }
            } else {
                $token = sha1(uniqid(mt_rand(), true));
                $_SESSION['user_token'] = $token;
            }
        }

        echo Page::header("Login");

        if(isset($message)) {
            echo "<h2>$message</h2>";
        }

        echo loginForm();

        echo Page::footer();
    ?>
    When I enter a correct username and password, I am brought to index.php perfectly fine. When I enter an incorrect username or password, it reloads login.php, but displays the page as HTML code (including the "Incorrect User ID or Password" message). Any ideas on why this would happen?
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    before you do anything, you first need to fix the redirects. You must stop the script after the header() call (with exit). Otherwise, it will happily keep running, which is most certainly not what you want.

    My teacher also would have killed me for that laughably weak SHA-1 stuff, but I guess nowadays it's all fine as long as "it works".

    The HTML source code thing makes no sense to me. What does the page source say? (I mean the one you get when you right click and choose "Show page source")
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    5
    Rep Power
    0
    Originally Posted by Jacques1
    Hi,

    before you do anything, you first need to fix the redirects. You must stop the script after the header() call (with exit). Otherwise, it will happily keep running, which is most certainly not what you want.

    My teacher also would have killed me for that laughably weak SHA-1 stuff, but I guess nowadays it's all fine as long as "it works".

    The HTML source code thing makes no sense to me. What does the page source say? (I mean the one you get when you right click and choose "Show page source")
    Ok, added the exits. Yeah, I just added the SHA-1 to start with, I'll probably change that later. But for this project I don't think it matters.

    This is the page source before the submit:
    Code:
    <!DOCTYPE html>
    <html lang="en">
    <head>
    	<meta charset="utf-8" />
    	<title>Login</title>
    </head>
    <body>			<form action="login.php" method="POST">
    				User ID: <input type="text" name="user" />
    				Password: <input type="password" name="password" />
    				<input type="hidden" name="user_token" value="5f6a4ae8c28569e0f0127715b047a796fd2dc86e" />
    				<button type="submit" name="login">Log In</button>
    			</form></body>
    </html>
    The page source after submitting invalid login credentials is identical to the above, but this is what is displayed on the page:
    Code:
    <!DOCTYPE html>
    <html lang="en">
    <head>
    	<meta charset="utf-8" />
    	<title>Login</title>
    </head>
    <body><h2>Incorrect User ID or Password</h2>			<form action="login.php" method="POST">
    				User ID: <input type="text" name="user" />
    				Password: <input type="password" name="password" />
    				<input type="hidden" name="user_token" value="543c16d53e5010becde7d1621aaa6dea7f8120a3" />
    				<button type="submit" name="login">Log In</button>
    			</form></body>
    </html>
    I know putting the token in the hidden input probably isn't good, but again, I'm just getting started on this.
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by Firebert
    The page source after submitting invalid login credentials is identical to the above, but this is what is displayed on the page:
    Strange. Then the document seems to be served with the wrong MIME type. Check the response headers with the developer tools of your browser (usually F12 -> Network). What does it say in the Content-Type header?



    Originally Posted by Firebert
    I know putting the token in the hidden input probably isn't good
    No, that's perfectly fine.

    I'm actually impressed that you employ CSRF protection in a school project. Many "professional" programmers don't do that their entire life.
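The points raised in posts #2 and #4 (stopping after a redirect, replacing SHA-1 for passwords, and the CSRF token in a hidden field) combined in one login handler. This is an added example, not the original poster's code: the `$users` array is a constructed stand-in for the thread's `checkLogin()` service, the `redirect()` and `field()` helpers are names invented here, and the logged-in check on `$_SESSION['userID']` is an assumption.

```php
<?php
// Added example, not the poster's code. $users is a constructed stand-in for the
// thread's checkLogin() service, whose internals the page does not show.
session_start();
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]; // constructed sample

function redirect(string $url): void {
    header('Location: ' . $url);
    exit; // stop here, otherwise the rest of the script keeps running
}

function field(array $src, string $key): string {
    return is_string($src[$key] ?? null) ? $src[$key] : ''; // non-string input becomes ''
}

if (isset($_SESSION['userID'])) {
    redirect('index.php');
}

$message = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = field($_POST, 'user');
    $pass = field($_POST, 'password');
    $stored = field($_SESSION, 'user_token');
    if ($stored === '' || !hash_equals($stored, field($_POST, 'user_token'))) {
        $message = 'Form expired, please try again';
    } elseif ($user === '' || $pass === '') {
        $message = 'Missing User ID or Password';
    } elseif (isset($users[$user]) && password_verify($pass, $users[$user])) {
        session_regenerate_id(true); // fresh session ID once the user is authenticated
        $_SESSION['userID'] = $user;
        redirect('index.php');
    } else {
        $message = 'Incorrect User ID or Password';
    }
}

// New token for the form below, from the CSPRNG rather than sha1(uniqid(mt_rand())).
$_SESSION['user_token'] = bin2hex(random_bytes(32));
header('Content-Type: text/html; charset=utf-8');
?>
<!DOCTYPE html>
<html lang="en"><head><meta charset="utf-8"><title>Login</title></head><body>
<?php if ($message !== null): ?><h2><?= htmlspecialchars($message) ?></h2><?php endif; ?>
<form action="login.php" method="POST">
  User ID: <input type="text" name="user">
  Password: <input type="password" name="password">
  <input type="hidden" name="user_token" value="<?= htmlspecialchars($_SESSION['user_token']) ?>">
  <button type="submit" name="login">Log In</button>
</form></body></html>
```

`password_hash()` and `password_verify()` require PHP 5.5 or later, and `random_bytes()` requires PHP 7.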
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    5
    Rep Power
    0
    Originally Posted by Jacques1
    Strange. Then the document seems to be served with the wrong MIME type. Check the response headers with the developer tools of your browser (usually F12 -> Network). What does it say in the Content-Type header?





    No, that's perfectly fine.

    I'm actually impressed that you employ CSRF protection in a school project. Many "professional" programmers don't do that their entire life.
    It's reporting the content type as text/plain. I added this:

    Code:
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    to my <head>, and it's still not working. Is that not sufficient?
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by Firebert
    Is that not sufficient?
    No, there's definitely a bug somewhere. The code overrides the standard MIME type, which is text/html.

    Look for header() calls in the application, especially in the external libraries. Does one of them set the Content-Type header to text/plain? Otherwise, use trial-and-error: Stop the script with exit; at different locations to see when the header gets set. Start early in the script and then move your way down.
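A `<meta http-equiv>` tag cannot help here, because the browser takes the MIME type from the HTTP `Content-Type` response header, and with `text/plain` it never parses the document as HTML. The search described in post #6 can be done without moving `exit` around by logging the header state at checkpoints. This is an added example, not code from the thread: `currentContentType()` and `traceContentType()` are names invented here, and the `text/plain` call is a constructed stand-in for the unknown offending code.

```php
<?php
// Added diagnostic, not code from the thread. Function names are invented for this
// example; the labels are free text describing where each call was placed.
function currentContentType(): ?string {
    foreach (headers_list() as $h) {
        if (stripos($h, 'Content-Type:') === 0) {
            return trim(substr($h, strlen('Content-Type:')));
        }
    }
    return null; // no Content-Type header found in headers_list()
}

function traceContentType(string $label): void {
    static $last = null;
    $now = currentContentType();
    if ($now !== $last) {
        // Written to the PHP error log, so the page output itself is not disturbed.
        error_log(sprintf('[ctype] %s: %s -> %s', $label, $last ?? '(unset)', $now ?? '(unset)'));
        $last = $now;
    }
    if (headers_sent($file, $line)) {
        // Once output has started, later header() calls no longer have any effect.
        error_log("[ctype] $label: headers already sent by output at $file:$line");
    }
}

// Place one call after each step that might touch the headers, for example after
// each require_once and after checkLogin() in login.php.
session_start();
traceContentType('after session_start');

header('Content-Type: text/plain'); // constructed stand-in for the offending call
traceContentType('after suspect call');

header('Content-Type: text/html; charset=utf-8'); // explicit override before any output
traceContentType('after explicit override');
```

Run it through the web server rather than the PHP command line, since the CLI does not record headers in `headers_list()`.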
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    Sydney Australia
    Posts
    186
    Rep Power
    84
    Originally Posted by Jacques1
    No, there's definitely a bug somewhere. The code overrides the standard MIME type, which is text/html.
    What character set is your PHP file saved as?

    I've seen what looked like a plain ASCII HTML file, with meta charset set to UTF-8 in the code, but the browser was rendering Chinese characters!!!
    The file had somehow been saved as UCS-2 by someone doodling with FrontPage. I changed it to UTF-8 and uploaded to the server. It was then delivered with the correct MIME header.

    So, check the character set of your PHP file.
