Adding Users to Simple Login

Posted: Mon Jan 30, 2006 11:24 am
by nickman013
Hello,

I need help adding users to my simple login script.

The script is

Code:

<?
session_start(); 
if (empty($_POST['user']) || empty($_POST['pass'])) 
die('GO AWAY'); 
if ($_POST['user'] == 'nicky' && $_POST['pass'] == 'nickypass') 
{ 
$_SESSION['log'] = true; 
echo '<meta http-equiv="refresh" content="0;url=secure_page.php">'; 
} 
else 
header('Location:/pages/login/loginw.php');
?>

Very basic.

Thank You!

Re: Adding Users to Simple Login

Posted: Mon Jan 30, 2006 11:59 am
by pickle

Code:

<?
session_start(); 
if (empty($_POST['user']) || empty($_POST['pass'])) 
die('GO AWAY'); 

//rather than checking for a particular user, check if the user exists in a database
//(assumes a MySQL connection is already open; escape the form values before they go into the query)
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$query = "SELECT * FROM users where username = '$user' AND password = password('$pass')";
$result = mysql_query($query);
//a returned row means the username/password pair exists
if($result && mysql_num_rows($result) > 0)

//if ($_POST['user'] == 'nicky' && $_POST['pass'] == 'nickypass') 
{ 
$_SESSION['log'] = true; 
echo '<meta http-equiv="refresh" content="0;url=secure_page.php">'; 
} 
else 
header('Location:/pages/login/loginw.php');
?>

That query also alludes to the fact that you shouldn't store your passwords in plain text. You can use the built-in MySQL function password(), or MD5(), or you could encrypt the password with PHP before sending it to the DB.

Posted: Mon Jan 30, 2006 12:01 pm
by nickman013
Very weird. It didn't tell me that you replied to this.

Thank You for replying.

I am going to try and use MySQL for this. If not, how would I do it in plain text?

Thank you!

Posted: Mon Jan 30, 2006 12:04 pm
by pickle
Well, you could store it in a text file - probably comma delimited would be easiest. Just make sure that text file isn't in the web root or it would be possible for someone to view all the pretty accounts and encrypted passwords from their web browser.

Posted: Mon Jan 30, 2006 12:18 pm
by nickman013
Alright, now if I did it that way, and let's say I named the file users.txt
and it was

users.txt

Code:

nicky,nickyspassword
tom,tomspassword
bob,bobspassword

How would I get my dolog.php to see if that is in there?

dolog.php

Code:

<? 
session_start();  
if (empty($_POST['user']) || empty($_POST['pass']))  
die('GO AWAY');  
if ($_POST['user'] == 'nicky' && $_POST['pass'] == 'nickypass')  
{  
$_SESSION['log'] = true;  
echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';  
}  
else  
header('Location:/pages/login/loginw.php'); 
?>

Thank you!

Posted: Mon Jan 30, 2006 12:21 pm
by pickle
fgetcsv() is gonna work best.

Posted: Mon Jan 30, 2006 12:30 pm
by nickman013
pickle wrote: fgetcsv() is gonna work best.

Code:

$handle = fopen("/path/to/users.txt", "r");
fgetcsv($handle [, int length [, string delimiter [, string enclosure]]] )

I can't figure out how to get it to read the file to see if the username and password are correct?

Posted: Mon Jan 30, 2006 12:37 pm
by pickle
Open the file and read in all the data - probably into an array will work best. I'd put usernames as keys and passwords as values. Then,

Code:

<?php
// 'pass' is the password field name used by the login form in this thread
if($filevalues[$_POST['user']] == md5($_POST['pass']))
?>

...assuming you're encrypting the passwords with md5()

Posted: Mon Jan 30, 2006 12:48 pm
by nickman013
I am sorry, I can't seem to figure this out. What seems easy for you is a headache and a half for me.
Is there any way I can just add to my original script?

Thank You!

Posted: Mon Jan 30, 2006 1:40 pm
by pickle
Read the documentation on fgetcsv() and you'll see how it reads in data. You can modify that to put data into an array, then carry on from there.

Posted: Mon Jan 30, 2006 1:43 pm
by nickman013
I did read it, several times, when you sent it to me first.

Posted: Mon Jan 30, 2006 2:48 pm
by alex.barylski
Instead of using a text file, you could store your user/pass inside a PHP script...

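Code:

// stored values must be the md5() hashes of the passwords for the check below to match
$GLOBALS['users'] = array('username1' => 'password', 'username2' => 'password2');

Check permissions like this:

Code:

//
// Get FORM data
$usr = isset($_POST['user']) ? $_POST['user'] : '';
$pwd = isset($_POST['pass']) ? $_POST['pass'] : '';

// strict comparison so hash strings are never compared as numbers
if(array_key_exists($usr, $GLOBALS['users']) && ($GLOBALS['users'][$usr] === md5($pwd)))
  echo 'Allow access';
else
  echo 'Un-Authorized';
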
Haven't tested this code, but it demonstrates the idea - I think anyways :)

Using this approach has two advantages:
1) Security isn't as big of an issue so long as Apache is configured properly...the code (in this case arrays) is parsed and executed returning very little in the sense of passwords, etc...
2) Because passwords are stored in Native PHP arrays, it's easy and fast to authenticate, authorize, etc...

You should still hash your passwords, in case you have a script which could allow attackers to read your actual PHP code - in which case they would gain access to your passwords...

HTH

Cheers :)
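
A flat-file version of the check discussed in this thread (pickle's fgetcsv() suggestion to read users.txt into an array, plus the advice to hash the passwords), as an added example that is not code from any of the posters. It assumes users.txt holds username,hash lines and swaps md5() for PHP's password_hash()/password_verify(); the function names load_users and check_login and the sample accounts are made up for illustration.

```php
<?php
// Added example, not code from the thread. Assumes users.txt holds one
// "username,hash" line per account and sits outside the web root.

// Read the file into an array: usernames as keys, password hashes as values.
function load_users(string $path): array
{
    $users = [];
    if (!is_readable($path) || ($handle = fopen($path, 'r')) === false) {
        return $users;                 // no readable file: nobody can log in
    }
    while (($row = fgetcsv($handle, 0, ',', '"', '\\')) !== false) {
        if (count($row) === 2 && $row[0] !== '') {   // skips blank/odd lines
            $users[$row[0]] = $row[1];
        }
    }
    fclose($handle);
    return $users;
}

// True only when the user exists and the password matches the stored hash.
function check_login(array $users, string $user, string $pass): bool
{
    static $dummy = null;
    // Unknown users are verified against a throwaway hash so both paths cost
    // about the same and timing does not reveal which usernames exist.
    $dummy = $dummy ?? password_hash('constructed-dummy', PASSWORD_BCRYPT);
    $known = array_key_exists($user, $users);
    return password_verify($pass, $known ? $users[$user] : $dummy) && $known;
}

// Constructed sample accounts, written to a temp file so this runs offline.
// bcrypt hashes contain no commas or quotes, so they are safe in a CSV line.
$file = tempnam(sys_get_temp_dir(), 'usr');
file_put_contents($file,
    'nicky,' . password_hash('nickyspassword', PASSWORD_BCRYPT) . "\n" .
    "\n" .
    'tom,' . password_hash('tomspassword', PASSWORD_BCRYPT) . "\n");

$users = load_users($file);
var_dump(check_login($users, 'nicky', 'nickyspassword'));  // correct pair
var_dump(check_login($users, 'nicky', 'tomspassword'));    // wrong password
var_dump(check_login($users, 'mallory', 'anything'));      // unknown user
unlink($file);
```

In dolog.php, check_login() would take the place of the hard-coded comparison, with session_regenerate_id(true) called before $_SESSION['log'] is set.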

Posted: Mon Jan 30, 2006 3:04 pm
by nickman013
Alright thanks.