Adding Users to Simple Login

nickman013
Forum Regular
Posts: 764
Joined: Sun Aug 14, 2005 12:02 am
Location: Long Island, New York

Adding Users to Simple Login

Post by nickman013 »

Hello,

I need help adding users to my simple login script.

The script is

Code:

<?php
session_start();
// Reject requests that do not carry both form fields
if (empty($_POST['user']) || empty($_POST['pass']))
    die('GO AWAY');
// Single hard-coded account
if ($_POST['user'] == 'nicky' && $_POST['pass'] == 'nickypass')
{
    $_SESSION['log'] = true;
    echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
}
else
{
    header('Location: /pages/login/loginw.php');
    exit;
}
?>

Very basic.

Thank You!
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: Adding Users to Simple Login

Post by pickle »

Code:

<?php
session_start();
if (empty($_POST['user']) || empty($_POST['pass']))
    die('GO AWAY');

// Escape the form values before they go into the SQL string
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);

//rather than checking for a particular user, check if the user exists in a database
$query = "SELECT * FROM users WHERE username = '$user' AND password = password('$pass')";
$result = mysql_query($query);

//if ($_POST['user'] == 'nicky' && $_POST['pass'] == 'nickypass')
// a matching row means the username and password were correct
if ($result && mysql_num_rows($result) > 0)
{
    $_SESSION['log'] = true;
    echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
}
else
{
    header('Location: /pages/login/loginw.php');
    exit;
}
?>

That query also alludes to the fact that you shouldn't store your passwords in plain text. You can use the built-in MySQL function password(), or MD5(), or you could encrypt the password with PHP before sending it to the DB.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
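The database lookup from the post above, as an added example that is not code from the thread: the username is passed as a bound parameter and the stored value is a password_hash() string checked with password_verify(). It assumes PDO with an in-memory SQLite database in place of the MySQL connection; the helper name check_login and the sample account are hypothetical, while the users table and its username and password columns follow the query in the post.

```php
<?php
// Added example. An in-memory SQLite database stands in for the MySQL server
// so the script runs stand-alone; the account below is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// The password column stores a password_hash() value, not the password itself.
$insert = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(array('nicky', password_hash('nickypass', PASSWORD_DEFAULT)));

// Verified for unknown usernames so both outcomes cost one hash computation.
define('DUMMY_HASH', password_hash('no-such-account', PASSWORD_DEFAULT));

/** Hypothetical helper: true when $user exists and $pass matches the stored hash. */
function check_login(PDO $db, $user, $pass)
{
    // Form fields can arrive as arrays (user[]=x); accept non-empty strings only.
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return false;
    }
    // The username is sent as a bound parameter, never pasted into the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute(array($user));
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        password_verify($pass, DUMMY_HASH);
        return false;
    }
    return password_verify($pass, $hash);
}

// Constructed login attempts: right password, wrong password, and a username
// containing a quote, which the bound parameter treats as ordinary data.
foreach (array(array('nicky', 'nickypass'), array('nicky', 'guess'), array("o'brien", 'x')) as $try) {
    printf("%s: %s\n", $try[0], check_login($db, $try[0], $try[1]) ? 'allow' : 'deny');
}
```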

Post by nickman013 »

Very weird. It didn't tell me that you replied to this.

Thank You for replying.

I am going to try and use MySQL for this. If not, how would I do it in plain text?

Thank you!

Post by pickle »

Well, you could store it in a text file - probably comma delimited would be easiest. Just make sure that text file isn't in the web root or it would be possible for someone to view all the pretty accounts and encrypted passwords from their web browser.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

Post by nickman013 »

Alright, now if I did it that way, and let's say I named the file users.txt
and it was

users.txt

Code:

nicky,nickyspassword
tom,tomspassword
bob,bobspassword

How would I get my dolog.php to see if that is in there?

dolog.php

Code:

<?php
session_start();
// Reject requests that do not carry both form fields
if (empty($_POST['user']) || empty($_POST['pass']))
    die('GO AWAY');
// Single hard-coded account
if ($_POST['user'] == 'nicky' && $_POST['pass'] == 'nickypass')
{
    $_SESSION['log'] = true;
    echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
}
else
{
    header('Location: /pages/login/loginw.php');
    exit;
}
?>

Thank you!

Post by pickle »

fgetcsv() is gonna work best.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

Post by nickman013 »

pickle wrote: fgetcsv() is gonna work best.

Code:

$handle = fopen("/path/to/users.txt", "r");
fgetcsv($handle [, int length [, string delimiter [, string enclosure]]] )

I can't figure out how to get it to read the file to see if the username and password are correct?

Post by pickle »

Open the file and read in all the data - probably into an array will work best. I'd put usernames as keys and passwords as values. Then,

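Code:

<?php
// $filevalues holds username => md5 hash pairs read from the file; the login form field is 'pass'
if (isset($filevalues[$_POST['user']]) && $filevalues[$_POST['user']] === md5($_POST['pass']))
    $_SESSION['log'] = true;
?>

...assuming you're encrypting the passwords with md5()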
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
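The file-based approach described above, as an added example that is not code from the thread: fgetcsv() reads each "username,hash" row into an array keyed by username, and the submitted password is checked against that entry. It goes beyond the post by storing password_hash() values and checking them with password_verify() instead of md5(); the helper names load_users and check_file_login, the temp-file path and the sample accounts are assumptions made so the script runs on its own.

```php
<?php
// Added example. Constructed sample data: a users file written to a temp path
// so the script runs stand-alone; a real file belongs outside the web root.
$path = tempnam(sys_get_temp_dir(), 'users');
$lines = '';
foreach (array('nicky' => 'nickyspassword', 'tom' => 'tomspassword') as $name => $plain) {
    $lines .= $name . ',' . password_hash($plain, PASSWORD_DEFAULT) . "\n";
}
file_put_contents($path, $lines . "\n"); // trailing blank line on purpose

/** Hypothetical helper: read "username,hash" rows into array(username => hash). */
function load_users($path)
{
    $users = array();
    $handle = fopen($path, 'r');
    if ($handle === false) {
        return $users;
    }
    while (($row = fgetcsv($handle, 0, ',', '"', '\\')) !== false) {
        // fgetcsv() returns array(null) for a blank line; skip it and any
        // row that does not have exactly a username and a hash.
        if (count($row) !== 2 || $row[0] === null || $row[0] === '') {
            continue;
        }
        $users[$row[0]] = $row[1];
    }
    fclose($handle);
    return $users;
}

/** Hypothetical helper: check one login attempt against the loaded array. */
function check_file_login(array $users, $user, $pass)
{
    // Form fields can arrive as arrays; only strings are valid array keys here.
    if (!is_string($user) || !is_string($pass) || !isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

$users = load_users($path);
// Constructed attempts: correct password, another user's password, unknown user.
foreach (array(array('nicky', 'nickyspassword'), array('nicky', 'tomspassword'), array('bob', 'bobspassword')) as $try) {
    printf("%s: %s\n", $try[0], check_file_login($users, $try[0], $try[1]) ? 'allow' : 'deny');
}
unlink($path);
```

In dolog.php the two arguments would be $_POST['user'] and $_POST['pass'], with $_SESSION['log'] set only when the check returns true.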

Post by nickman013 »

I am sorry, I can't seem to figure this out. What seems easy for you is a headache and a half for me.
Is there any way I can just add to my original script?

Thank You!

Post by pickle »

Read the documentation on fgetcsv() and you'll see how it reads in data. You can modify that to put data into an array, then carry on from there.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

Post by nickman013 »

I did read it, several times, when you sent it to me first.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Instead of using a text file, you could store your user/pass inside a PHP script...

Code:

$GLOBALS['users'] = array('username1' => 'password', 'username2' => 'password2');

Check permissions like this:

Code:

//
// Get FORM data
$usr = isset($_POST['user']) ? $_POST['user'] : '';
$pwd = isset($_POST['pass']) ? $_POST['pass'] : '';

// The stored values must be md5() hashes for this comparison to match;
// === avoids PHP's loose comparison of numeric-looking hash strings
if(array_key_exists($usr, $GLOBALS['users']) && ($GLOBALS['users'][$usr] === md5($pwd)))
  echo 'Allow access';
else
  echo 'Un-Authorized';

Haven't tested this code, but it demonstrates the idea - I think anyways :)

Using this approach has two advantages:
1) Security isn't as big of an issue so long as Apache is configured properly...the code (in this case arrays) is parsed and executed returning very little in the sense of passwords, etc...
2) Because passwords are stored in Native PHP arrays, it's easy and fast to authenticate, authorize, etc...

You should still hash your passwords, in case you have a script which could allow attackers to read your actual PHP code - in which case they would gain access to your passwords...

HTH

Cheers :)

Post by nickman013 »

Alright thanks.