ErkanaAuth (v2.0) - blank username gets authorised??
#1

[eluser]nevsie[/eluser]
Hi All, I am playing with ErkanaAuth from the Dev Kit and am currently having a little bit of confusion with what it appears to be checking...

I use a callback on my function:
Code:
function check_username($username)
    {
        // Validation callback: the username/password pair is only valid if it logs in.
        // dohash() comes from the CodeIgniter security helper loaded here.
        $this->load->helper('security');
        $password = dohash($this->input->post('password'));
        if ($this->auth->try_login(array('username' => $username, 'password' => $password)))
        {
            return TRUE;
        }
        else
        {
            $this->validation->set_message('check_username', 'Incorrect login info.');
            return FALSE;
        }
    }

and then use the auth function try_login
Code:
function try_login($condition = array()) {
        // Every key in $condition becomes one AND-ed predicate of a single SELECT:
        // SELECT id FROM users WHERE username = '...' AND password = '...' LIMIT 1
        $this->CI->db->select('id');
        $query = $this->CI->db->get_where('users', $condition, 1, 0);
        if ($query->num_rows() != 1) {
            return FALSE;
        } else {
            $row = $query->row();
            $this->CI->session->set_userdata(array('user_id' => $row->id));
            return TRUE;
        }
    }

However, my problem lies in two places.
Firstly, when the "get_where" is applied on the username and password array it appears to do two queries on the database rather than doing them in one like I would have assumed? Is this right?
Secondly (and I know I am not doing any other validation on username), when I send a blank username to the get_where with anything in the password it returns as TRUE. Now my assumption is that a blank username is finding the first row of the database and returning that, hence the success... The password does not matter as it is being run in a second query, not together in one. Am I assuming correctly, or is this a minor hole that I am missing?

I can easily set required validation on the username along with the callback, but I am still lost on the get_where running as two queries.

Any help appreciated. N
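What get_where actually sends to the database, and how the blank-username case behaves, is easiest to see outside CodeIgniter. The following is an added example (not ErkanaAuth's or CodeIgniter's own code) that rebuilds the equivalent of $this->db->get_where('users', $condition, 1) against an in-memory SQLite table: every key of the condition array becomes one AND-ed predicate of a single SELECT, so a blank username only matches if a row really has an empty username and that password hash. It also shows the two checks a practitioner would add: fail closed on an empty username before touching the database, and compare the stored hash in PHP with a constant-time comparison rather than relying on the database's string equality. Assumptions: PHP 7.1+ with the pdo_sqlite extension; sha1() stands in for the thread's dohash() helper; the users table and its two rows are constructed here.

```php
<?php
// Added example, not ErkanaAuth's or CodeIgniter's own code.
// Assumes PHP 7.1+ with pdo_sqlite; sha1() stands in for dohash().

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)');

// Constructed rows: alice gets id 1, bob gets id 2.
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', sha1('correct horse')]);
$ins->execute(['bob',   sha1('battery staple')]);

// What get_where('users', $condition, 1) does underneath: one SELECT whose
// WHERE clause is every array key joined with AND. Returns the user id or null.
function try_login(PDO $db, array $condition): ?int
{
    // Fail closed on a missing or empty username, whatever the database
    // would make of the empty string.
    if (!isset($condition['username']) || $condition['username'] === '') {
        return null;
    }
    $where  = [];
    $params = [];
    foreach ($condition as $col => $val) {
        // Column names come from code, but they are interpolated into SQL,
        // so allow-list them anyway.
        if (!preg_match('/^[a-z_]+$/', $col)) {
            throw new InvalidArgumentException("bad column name: $col");
        }
        $where[]  = "$col = ?";
        $params[] = $val;
    }
    // e.g. SELECT id FROM users WHERE username = ? AND password = ? LIMIT 1
    $stmt = $db->prepare('SELECT id FROM users WHERE ' . implode(' AND ', $where) . ' LIMIT 1');
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? (int) $rows[0]['id'] : null;
}

// Hardened variant: select by username only and compare the hash in PHP with
// a constant-time check, so the outcome does not depend on the database's
// string comparison rules and the hash can later be swapped for
// password_hash()/password_verify().
function try_login_hardened(PDO $db, string $username, string $password): ?int
{
    if ($username === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals($row['password'], sha1($password))) {
        return null;
    }
    return (int) $row['id'];
}

// The raw query from the original question: blank username AND a real hash.
$raw = $db->prepare('SELECT id FROM users WHERE username = ? AND password = ? LIMIT 1');
$raw->execute(['', sha1('battery staple')]);
$blankMatches = count($raw->fetchAll(PDO::FETCH_ASSOC));

// Checks; the script exits non-zero if any of them fails.
$checks = [
    $blankMatches === 0,                                                                 // no row has username ''
    try_login($db, ['username' => 'alice', 'password' => sha1('correct horse')]) === 1,
    try_login($db, ['username' => 'alice', 'password' => sha1('wrong')]) === null,
    try_login($db, ['username' => '',      'password' => sha1('battery staple')]) === null,
    try_login_hardened($db, 'bob', 'battery staple') === 2,
    try_login_hardened($db, 'bob', 'wrong') === null,
    try_login_hardened($db, '', 'battery staple') === null,
];
if (in_array(false, $checks, true)) {
    fwrite(STDERR, "login example: a check failed\n");
    exit(1);
}
echo "login example: all checks passed\n";
```

Run it with `php login_example.php`. The empty-username guard is the piece worth carrying back into a real callback: a `required` rule on the username field does the same job on the CodeIgniter side, and the library should not have to trust that the controller set one.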
#2

[eluser]nevsie[/eluser]
Sorry... I think this is my fault for not killing the session properly during testing... I cannot replicate the above results now!!!
And the query is running as a single query, not two... confusing, but it must be something I was doing...
#3

[eluser]Michael Wales[/eluser]
Yeah - definitely something on your end. You would really have to destroy the library to make it run 2 independent queries to verify username and password.
#4

[eluser]nevsie[/eluser]
Yes, basically it was a faulty (old) session causing a loop and getting messy. On running logout, and doing a few other bits, it resolved.
The only thing I notice about your script (which I am still learning with, by the way) is that in the Admin_Controller you refer to == "admin", yet understandably this is not set anywhere. How do you advise utilising this? Another field in the user table, pulling out that value and storing it in the session? Or a separate table linking to user ids, etc.?
I want to keep this simple, hence no roles to tasks to users (ACL style), but was not sure on your preferred methods? Also I am running into a few issues with exact use for PHP which I am mulling my way through...

In a perfect world, where you had nothing better to do than help people like me learn CI and your auth methods... Have you considered an idiot's guide to setting up and using your dev kit? A tutorial like that would have taught me a great deal, although by working it out myself I probably understand it a lot better!!!
#5

[eluser]Michael Wales[/eluser]
Yeah - it's designed to simply have a field in the users table that is a user's role. It's simple enough to modify for whatever your needs are.

I may work on a tutorial tonight. I have a few things I need to get taken care of tonight (like the Blog Challenge someone else posted), so no promises.
#6

[eluser]nevsie[/eluser]
Hi Michael,
Please do not rush anything out for me... I have thumbed my way through and have a fair idea of how it all works, and the learning experience was great. However, from a newbie point of view I kind of started with the Heuristic Blog walkthrough of Erkana V1.0 and this is a little out of date.
I think you will get a lot of traffic if you do something like a tutorial for it though!!!

As a side note also... the next step for me is the forgotten password / registration functions. Do you have any tips for these?
On the forgotten password side of things I was thinking of checking username or email address, and then sending an email out with a link to a verification page. The link back would go to a verification function which would pass back the email address and a hash of the email address plus the site's salt key and id, or similar. Therefore I can check the hashed string against my results again and permit them to change the password. Is this reasonable, or do you / others know of better methods or practices?
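The proposal above has one property worth spelling out: a token computed as hash(email + site salt) is the same value every time for a given address, and it never expires, so anyone who can compute it (a leaked salt) or who finds one old reset email (mail logs, a forwarded message, a browser history) can reset that account indefinitely. The usual alternative is a random token that is issued per request, stored only as a hash, bound to the account, single-use and time-limited. The following is an added example, not ErkanaAuth's code and not a reply from the thread, that implements both and checks the differences; it assumes PHP 7.0+ and uses an in-memory array in place of the database, with constructed addresses and timestamps.

```php
<?php
// Added example, not ErkanaAuth's code. Assumes PHP 7.0+ (random_bytes,
// hash_equals). The token store is an in-memory array standing in for a table.

const SITE_SALT = 'constructed-site-salt';   // stands in for the site's salt key
const TOKEN_TTL = 3600;                      // seconds a reset link stays valid

// The thread's proposal: hash(email . salt). Deterministic, so the same link
// is valid forever and for anyone who knows the salt.
function deterministic_token(string $email): string
{
    return sha1($email . SITE_SALT);
}

// Random, expiring, single-use token. Only its hash is stored, so a copy of
// the store does not yield usable links. Returns the token for the email link.
function issue_reset_token(array &$store, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = [
        'email'   => $email,
        'expires' => $now + TOKEN_TTL,
    ];
    return $token;
}

// Verifies a presented token and consumes it. Returns true only for an
// unexpired token that was issued for this exact email.
function verify_reset_token(array &$store, string $email, string $token, int $now): bool
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return false;
    }
    $entry = $store[$key];
    unset($store[$key]);                         // one attempt per token, success or not
    if ($now > $entry['expires']) {
        return false;
    }
    return hash_equals($entry['email'], $email);
}

// Checks with constructed data; the script exits non-zero if any fails.
$store = [];
$t0    = 1700000000;
$checks = [];

// Deterministic token: identical on every request, nothing to expire or revoke.
$checks[] = deterministic_token('alice@example.com') === deterministic_token('alice@example.com');

// Random token: valid once, then gone.
$tok = issue_reset_token($store, 'alice@example.com', $t0);
$checks[] = strlen($tok) === 64;
$checks[] = verify_reset_token($store, 'alice@example.com', $tok, $t0 + 60) === true;
$checks[] = verify_reset_token($store, 'alice@example.com', $tok, $t0 + 120) === false;

// Expired token is refused.
$tok2 = issue_reset_token($store, 'bob@example.com', $t0);
$checks[] = verify_reset_token($store, 'bob@example.com', $tok2, $t0 + TOKEN_TTL + 1) === false;

// Wrong token, and right token with the wrong email, are both refused.
$tok3 = issue_reset_token($store, 'bob@example.com', $t0);
$checks[] = verify_reset_token($store, 'bob@example.com', 'not-the-token', $t0) === false;
$checks[] = verify_reset_token($store, 'carol@example.com', $tok3, $t0) === false;

if (in_array(false, $checks, true)) {
    fwrite(STDERR, "reset token example: a check failed\n");
    exit(1);
}
echo "reset token example: all checks passed\n";
```

In a real application the store is a table keyed by the token hash with the user id and expiry, the link carries only the token (the email address does not need to be in the URL at all), and a successful reset should also invalidate any other outstanding tokens and existing sessions for that user.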