On Tuesday 28 Mar 2006 19:46, Robin Bowes wrote:
> Bob Hutchinson wrote:
> > On Sunday 26 Mar 2006 19:42, Robin Bowes wrote:
> >>Bill Shupp wrote:
> >>>Perhaps it's missing in the form.  Can you verify that?  If so, I'm
> >>>surprised this has not been reported before.
> >>
> >>Bill,
> >>
> >>I've done some more checking. I've turned on the mysql query log, and
> >>the query that is being sent when I try to login with [email protected]/test
> >>is:
> >>
> >>        Email='[email protected]' and
> >>        Password='543e1d35c7c833e578709d2baabdc79c' and
> >>        Status='active' LIMIT 1
> >>
> >>Looking in the accounts table, this is not the md5 hash of "test":
> >>
> >>mysql> select md5('test'), password from accounts;
> >>+----------------------------------+----------------------------------+
> >>| md5('test')                      | password                         |
> >>+----------------------------------+----------------------------------+
> >>| 098f6bcd4621d373cade4e832627b4f6 | 098f6bcd4621d373cade4e832627b4f6 |
> >>+----------------------------------+----------------------------------+
> >>1 row in set (0.00 sec)
> >>
> >>Also, looking in index.php, I see this block of code:
> >>
> >>} else if($_REQUEST['state'] == "login_screen") {
> >>
> >>    // LOGIN SCREEN
> >>
> >>    $smarty->display('header.tpl');
> >>    require('src/login_screen.php');
> >>    $smarty->display('footer.tpl');
> >>    exit;
> >>
> >>The file 'login_screen.php' does not exist:
> >>
> >>[EMAIL PROTECTED] vegadns-0.9.9.1]# pwd
> >>/var/www/vegadns/vegadns-0.9.9.1
> >>[EMAIL PROTECTED] vegadns-0.9.9.1]# find . -name login_screen.php
> >>
> >>Does that shed any light on the issue?
> >
> > looks to me like you have found a piece of leftover code, you could try
> > replacing the
> > require('src/login_screen.php');
> > with
> > $smarty->display('login_screen.tpl');
> >
> > I have to admit I have never stumbled across this bug, probably because
> >
> > $_REQUEST['state'] == "login_screen" is never called AFAICT
> >
> > vegadns-0.9.9.1 > grep -rni 'login_screen' *
> > index.php:112:    $smarty->display('login_screen.tpl');
> > index.php:128:} else if($_REQUEST['state'] == "login_screen") {
> > index.php:133:    require('src/login_screen.php');
> >
> > Are you managing to log in at all?
> > Have a look at the db with phpmyadmin or somesuch, it might help you
> > resolve this
>
> When I first connect after a clean install I am logged in automatically.

Well I decided to install a virgin copy of vegadns-0.9.9.1 and see what 
happened. The copy of vegadns that I use in production has lots of changes so 
I need to see what happens 'out-of-the-box'

before running it, I put the following in to index.php, immediately after the 
other ini_set commands

//ini_set('error_reporting', E_ALL ^ E_NOTICE);
ini_set('error_reporting', E_ALL);

The database was empty, so create_tables.php would run. This resulted in a 
nasty Notice:

Notice: Use of undefined constant test - assumed 'test' 
in /home/hutch/www/html/vegadns-0.9.9.1/src/create_tables.php on line 43
 
 Warning: Cannot modify header information - headers already sent by (output 
started at /home/hutch/www/html/vegadns-0.9.9.1/src/create_tables.php:43) 
in /home/hutch/www/html/vegadns-0.9.9.1/index.php on line 108

so I edited create_tables.php on line 43
replaced md5(test) with md5('test')

BTW I realise that I could have avoided this by setting 
ini_set('error_reporting', E_ALL ^ E_NOTICE);
but then you don't find the bugs, that's how I set production boxes, not the 
development box I'm doing this on.

cleared the database and ran again, closing the browser in between (just in 
case)

much better, straight into the edit account page where I changed a few things 
and hit the edit button and it saved successfully, and left me logged in, I 
clicked around a bit, logged out and logged in again, no problem, it accepted 
the new password.

This is the point that yours has been stumbling on, right?
I'm using MySQL - 4.0.24
You are using MySQL 5.0.18 right?

does it support mysql_escape_string()?

see line 95 and on src/users.php

do you see

'update accounts set First_Name=' and so on in your mysql log?

The initial edit account page should have a hidden field for 'cid', it is set 
in index.php line 203 or thereabouts

I'm just wondering if the refusal to save has to do with MySQL 5.x.xx ....

I'm rather conservative about upgrading, this is just the kind of thing I 
dread, and the hordes of angry customers...

but it would be good to know in any event

> It appears that I can use most of the functionality but checking the
> logs reveals that several variables are not being passed between forms
> (cid being one example that prevent login).
>
> If I log out I am unable to log back in again even with the original
> password.
>
> I've checked with phpmyadmin (and mysql command line) and the
> username/password remains unchanged.
>
> The MySQL query log actually shows that the app. is submitting the wrong
> md5 hashed password (see above).
>
> I'm sure there's a logical explanation for all this but I can't put my
> finger on it just at the moment...
>
> R.

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
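
Added example, not part of the original message and not VegaDNS code: a Python diagnostic for the mismatch discussed in this thread, where the hash in the MySQL query log differs from md5('test') stored in the accounts table. It hashes likely variants of the known password to show what the application actually passed to md5; the candidate list and all function names are assumptions made for illustration.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the same form MySQL's md5() and PHP's md5() return."""
    return hashlib.md5(data).hexdigest()


def candidate_inputs(password: str) -> dict:
    """Map a description to the bytes the login code may have hashed.

    The list is an assumption: common ways a form value gets altered
    or lost between the browser and the query.
    """
    raw = password.encode()
    candidates = {
        "password as typed": raw,
        "empty string (form field never arrived)": b"",
        "trailing newline": raw + b"\n",
        "trailing CRLF": raw + b"\r\n",
        "surrounding spaces": b" " + raw + b" ",
        "already-hashed value hashed again": md5_hex(raw).encode(),
        "upper-cased": password.upper().encode(),
    }
    # Drop variants that collapse to the same bytes (e.g. an all-caps password).
    seen, unique = set(), {}
    for label, data in candidates.items():
        if data not in seen:
            seen.add(data)
            unique[label] = data
    return unique


def explain_logged_hash(password: str, logged_hash: str) -> list:
    """Return the descriptions whose MD5 equals the hash seen in the query log."""
    logged = logged_hash.strip().lower()
    return [label for label, data in candidate_inputs(password).items()
            if md5_hex(data) == logged]


if __name__ == "__main__":
    # Values quoted in the thread: the password is "test", and the second
    # hash is the one the query log showed being submitted.
    stored = "098f6bcd4621d373cade4e832627b4f6"
    logged = "543e1d35c7c833e578709d2baabdc79c"
    print("stored :", explain_logged_hash("test", stored))
    print("logged :", explain_logged_hash("test", logged) or "no candidate matched")
```

An empty result means none of the listed variants produced the logged hash, so the value reaching md5 should be captured directly in the login code.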
