AS3 PHP mysql login and session

So I will remove this PHP code.

foreach ($_POST as $key => $value) {

$$key = $value;

$$key = mysql_real_escape_string($$key);

I understand the second $$key was posting the SQL string.

I found that my actionscript was not looking for a pass credentials and will work on anything that is entered. Will the removal of the $$key values impact my AS3 code?

Thank you for your help, I want to try add in the user/pass/err. I have no idea what to add to the php, do you have an example please?

I changed the AS3 to read

import flash.events.*;

import flash.net.URLLoader;

import flash.net.URLRequest;

import flash.net.URLVariables;

import flash.net.URLRequestMethod;

logbtn.addEventListener(MouseEvent.CLICK, login)

function login($e:MouseEvent){

  var myVariables:URLVariables = new URLVariables();

  var myRequest:URLRequest = new URLRequest("login.php");

  myRequest.method = URLRequestMethod.POST;

  myRequest.data = myVariables;

  var myLoader:URLLoader = new URLLoader;

  myLoader.dataFormat = URLLoaderDataFormat.VARIABLES;

  myLoader.addEventListener(Event.COMPLETE, completeHandler);

  myVariables.user = loguser.text;

  myVariables.pass = logpass.text;

  myLoader.load(myRequest);

//action script on success / failure 

if((myVariables.user = loguser.text)&&(myVariables.pass = logpass.text));
navigateToURL(new URLRequest("http://www.canyon.tv/index.html"), "_self");
              
function completeHandler(event:Event):void{

    trace(event.target.data.user);

    trace(event.target.data.pass);

    trace(event.target.data.err);

  }
};

It seems to still load the navigateToURL page if incorrect credentials are entered. Is this because of the PHP not passing back the user/pass/err ?

This derails off the topic a bit but I'd come up with a better login scheme where you keep a table of current sessions with an expire and a key for any validly logged in user (id, key, expire, any other info (IP, etc)). I'd send the key back to the user rather than sending any kind of plain text username and password that can be sniffed by a variety of methods.

When using URLLoaderDataFormat.VARIABLES you want to pass back an URL encoded string of key/value pairs, just like an URL in your address bar, beyond the ?: somevar=somevalue&someOtherVar=some+other+value .. etc).

You can get your string together and let PHP encode it for you, e.g.:

print 'myVar=' . urlencode('Leggo my Eggos©') . '&myOtherVar=' . urlencode('this is some text');

Prints:

myVar=Leggo+my+Eggos%C2%A9&myOtherVar=this+is+some+text

After your complete handler returns you can turn the data into variables easily with the URLVariables class:

http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/URLVariables.html

I put a text file on my server with exactly what I have above. Here's a quick example of reading that file via URLLoader using VARIABLES while tracing both values (note: I am not including error checking for shortness). Open a new AS3 document, paste in actions on frame 1:

import flash.net.URLLoader; import flash.events.Event; import flash.net.URLRequest; import flash.net.URLVariables; var ul:URLLoader = new URLLoader(); ul.dataFormat = URLLoaderDataFormat.VARIABLES; ul.addEventListener(Event.COMPLETE, onCF); ul.load(new URLRequest('http://www.ertp.com/tmp/exresult.txt')); function onCF(e:Event):void {           var uv:URLVariables = new URLVariables(e.target.data);           trace(uv.myVar);      trace(uv.myOtherVar); }

Traces:

Leggo my Eggos© this is some text

Hi,

I tried the example you gave, it doesnt seem to have traced anything.

I have updated my php and AS3 code. I am now able to navigate to another page but the validation is not working when I try to verify if the username and password are valid. even if false credentials are entered, the user is still taken to the page

When I access the php code directly, i get an error

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/content/86/11737786/html/login.php on line 20

AS3 code

import flash.events.*;

import flash.net.URLLoader;

import flash.net.URLRequest;

import flash.net.URLVariables;

import flash.net.URLRequestMethod;

logbtn.addEventListener(MouseEvent.CLICK, login)

function login($e:MouseEvent){

  var myVariables:URLVariables = new URLVariables();

  var myRequest:URLRequest = new URLRequest("login.php");

  myRequest.method = URLRequestMethod.POST;

  myRequest.data = myVariables;

  var myLoader:URLLoader = new URLLoader;

  myLoader.dataFormat = URLLoaderDataFormat.VARIABLES;

  myLoader.addEventListener(Event.COMPLETE, completeHandler);

  myVariables.user = loguser.text;

  myVariables.pass = logpass.text;

//  myLoader.load(myRequest);

//action script on success / failure 

if((myVariables.user = loguser.text)&&(myVariables.pass = logpass.text));
navigateToURL(new URLRequest("http://www.canyon.tv/index.html"), "_self");
              
function completeHandler(event:Event):void{

    trace(event.target.data.user);

    trace(event.target.data.pass);

    trace(event.target.data.err);

//    getURL("http://www.canyon.tv/error.html");
  }
};

PHP Code

<?php

//Connect To Database
$hostname="XYZ";
$username="ABC";
$password="123";
$dbname="login";
$tableName="users";
$yourfield = "your_field";

mysql_connect($hostname,$username, $password) or die ("<html><script language='JavaScript'>alert('Unable to connect to database! Please try again later.'),history.go(-1)</script></html>");

  $user = $_POST['user'];

  $pass = $_POST['pass'];

  $sql = mysql_query("SELECT * FROM users WHERE user = '$user' AND pass = '$pass'");

  $check = mysql_num_rows($sql);

  if($check > 0){

    $row = mysql_fetch_array($sql);

    $user = $row["user"];

    $pass = $row["pass"];

    $err = "Success!";

    $returnString = "user=$user&pass=$pass&err=$err";

    echo $returnString;

  }

?>

Lots of issues there, mostly out of order items. URLLoader is asynchronous so you fire it off and then you must wait for the response, which is sent to a handler. Only then will you know what the database sent back.

A re-ordering of things would look like this. I just did this quickly and no error checking but you should be able to discern what you need from it on your own:

AS3 example:

function login(e:MouseEvent) {           var myVariables:URLVariables = new URLVariables();           myVariables.user = loguser.text;           myVariables.pass = logpass.text;           var myRequest:URLRequest = new URLRequest("login.php");           myRequest.method = URLRequestMethod.POST;           myRequest.data = myVariables;           var myLoader:URLLoader = new URLLoader;           myLoader.dataFormat = URLLoaderDataFormat.VARIABLES;           myLoader.addEventListener(Event.COMPLETE, completeHandler);           myLoader.load(myRequest); } function completeHandler(event:Event):void {           var returnedVariables:URLVariables = new URLVariables(event.target.data);           trace(returnedVariables.result);           trace(returnedVariables.username);           if (returnedVariables.result == 'success')           {                     // success                     navigateToURL(new URLRequest("http://www.canyon.tv/index.html"), "_self");           }           else           {                     // fail, do what you want           } }

PHP (trimmed to the important part):

# ...connect / sanitization above # just returning a single usually indexed item for db stress relief $results = mysql_query("SELECT `id` FROM `users` WHERE `user`='" . $user . "' AND `pass`='" . $pass . "' LIMIT 1"); if (mysql_num_rows($results) > 0) {           # only tell flash the result and username (already passed from flash, no need to get the row)           print 'result=success&username=' . urlencode($user); } else {           print 'result=fail'; }

The AS3 complete handler is where you'll find the information returned from your request. Also as I'm trying to urge you, I only gave a quick example of querying and returning only the username and a result var and not the password. I really would stress in any public environment to refrain from passing cleartext logins. At least encode it if you're not willing to use sessions or a custom session table.

Thank you for your help, I tried the code and the code seems to work. I am however getting the else error where I redirect to an error page. I understand that the php select might be failing as I double checked the rows in the mysql database to make sure the record exists and it is still failing. Ive checked the table name and fields and they are correct.

The page can be seen at www.canyon.tv/index.html

I would like to use sessions / custom session table and I was planning on doing this as the next part of my project. Should I be making those changes now to facilitate sessions?

Thank you again for your help

Warren

I forgot to include the credentials username test and password test to see script in action.