I am not a professional programmer. Some might say that I know enough to be dangerous. So forgive me if I appear to be struggling.
I live on a road where all of the property owners are responsible for the road's maintenance. To accomplish this a road association was formed long ago. Several years ago it was agreed that all balloting for elections or fee changes should be done on line. I put together a login page, ballot page, and mysql database.
Each property owner is assigned a unique username and password. They access the ballot by first logging in. Then they are redirected to the ballot. When they vote their responses along with their username are stored in the database.
Recently, during voting a response was recorded but the username field was blank.
I had two thoughts. One this was some sort of random glitch where the username became lost. The other thought was that someone had circumvented the login process to avoid allowing the username to be captured. Below is my login code:
If this was simply a freak case of data getting lost then I will accept that. But if someone is deliberately messing with the login I would like to modify the code to make that more difficult.
Any help, comments, or suggestion?
I live on a road where all of the property owners are responsible for the road's maintenance. To accomplish this a road association was formed long ago. Several years ago it was agreed that all balloting for elections or fee changes should be done on line. I put together a login page, ballot page, and mysql database.
Each property owner is assigned a unique username and password. They access the ballot by first logging in. Then they are redirected to the ballot. When they vote their responses along with their username are stored in the database.
Recently, during voting a response was recorded but the username field was blank.
I had two thoughts. One this was some sort of random glitch where the username became lost. The other thought was that someone had circumvented the login process to avoid allowing the username to be captured. Below is my login code:
<?php require_once('../Connections/connsunnygrove.php'); ?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
session_start();
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
$_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['textfield'])) {
$loginUsername=$_POST['textfield'];
$password=$_POST['textfield2'];
$MM_fldUserAuthorization = "";
$MM_redirectLoginSuccess = "ballot-dues.php";
//$MM_redirectLoginSuccess = "voting-ended.html";
$MM_redirectLoginFailed = "failed.html";
$MM_redirecttoReferrer = false;
mysql_select_db($database_sunnygrove, $sunnygrove);
$LoginRS__query=sprintf("SELECT id, username, password FROM owners WHERE username='%s' AND password='%s'",
get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
$LoginRS = mysql_query($LoginRS__query, $sunnygrove) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
if ($loginFoundUser) {
$loginStrGroup = "";
//declare two session variables and assign them
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $password;
if (isset($_SESSION['PrevUrl']) && false) {
$MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
header("Location: " . $MM_redirectLoginSuccess );
}
else {
header("Location: ". $MM_redirectLoginFailed );
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Login</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
<style type="text/css">
body{ font: 14px sans-serif; }
.wrapper{ width: 350px; padding: 20px; }
</style>
<div id="logo">
<h1>Sunnygrove Avenue Road Association</h1>
</div>
</head>
<body>
<div class="wrapper">
<h2>Login</h2>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
<div class="form-group <?php echo (!empty($username_err)) ? 'has-error' : ''; ?>">
<label>Username</label>
<input type="text" name="textfield" class="form-control" value="<?php echo $username; ?>">
<span class="help-block"><?php echo $username_err; ?></span>
</div>
<div class="form-group <?php echo (!empty($password_err)) ? 'has-error' : ''; ?>">
<label>Password</label>
<input type="text" name="textfield2" class="form-control">
<span class="help-block"><?php echo $password_err; ?></span>
</div>
<div class="form-group">
<input type="submit" class="btn btn-primary" value="Login">
</div>
</form>
</div>
</body>
</html>
If this was simply a freak case of data getting lost then I will accept that. But if someone is deliberately messing with the login I would like to modify the code to make that more difficult.
Any help, comments, or suggestion?