PHP - User Authentication - PHPBuilder Forums

PHP - User Authentication

orebic

😕
Hi all,
I am rather new at PHP and setting up a web page requiring user authentication.

I currently have worked out how to put a .htaccess file in the folder I want to protect and I get the little log in box pop up. (By the way is this .htaccess combined with PHP the best or easiest way??) What I am having problems understanding is how to use PHP with a password file with which I can validate and also easily add another membership number and so on. I want to validate against a membership number only. No username involved.

If I do use PHP code in anyway how do you use it? Can I include PHP code in a MS Frontpage webpage by inserting it amongst already present HTML code? Do you need PHP loaded locally on your machine to work with PHP code?
Is there a way to bypass the username or make the username default so that users only need to enter their membership number?

Regards
Orebic

bastien

1.easiest way is to use a db table and verify against it like a mysql table, makes it much easier to add users and validate them too. Get MYSQL from www.mysql.com

you can include php in FP, but you should install php on your development machine (www.php.net) and develop that way...makes it easier to test you scripts...might even want to find dedicated php ides(integrated design environments) like (phpcoder (hard to find) or context(supports asp,php,jscript etc) good tool free too(don't have a url for you, sorry)) also dreamweaver supports php

3.to log in only by membership number, is trickier, I would suggest using a cookie with the username in it. then read the cookie when the login page starts to load, (if there then read the username into the form, if not (happens when new users join (no cookie set yet) or if users don't allow cookies(will require the user to entire all details))

hope this all makes sense...

piersk

It's possible (if you are running an Apache server) to use PHP combined with HTTP authentication. PHP can read the usernames and passwords entered by the users by using the variables $SERVER['PHP_AUTH_USER'] and $SERVER['PHP_AUTH_PW'] (btw, if these variables are wrong, then please tell me. I cant remember them off the top of my head 🙂)

(If you use the .htaccess file to authenticate users then you are using basic authentication and so can use these variables)

hand

More about authentication: http://www.php.net/manual/en/features.http-auth.php

orebic

I have tried installing php on my PC and when I try running a simple php script from frontpage nothings happens. Here is the script I am entering.
<html>
<body>

<?php
print "Hello, world.";
?>

</body>
</html>

I installed PHP 4.2.2 for windows and have set it up to run through PWS and modified some dll's etc. Is this correct? Do I need to install Apache? Do I need to save the page as .php or can that script be entered directly into a Frontpage page as above?

chinni_77

yes of course!when you want to run a PHP script, you must save it as .php

well, if you are a beginner and getting confused in configuring PHP and Apache, i would suggest you to check out Easy PHP.

This is indeed really good,it has PHP, Apache and mysql.

HTH

blender_frog

If you're using FP, just make sure you click the HTML tag and enter the PHP code, then save the file as a .php file, otherwise, MS will default to .html

Then next time you need to open the file you'll have to do Open With --> MS FP or it'll default to open in notepad.

jordy

hmz the idea of a http-auth is okay but the .htaccess thing is really crap. Some bad configured webservers have leaks in this type of security and it will be quite easy for everyone with shell access on the server to read the .htpasswd file. Encryption is a quite easy second step then..

Why not use a combination of sessions/mysql/md5 hashes? just start a session on successfull login and store all the md5 hashes or the passwords in a mysql db. write a little script that can be included in all the "secured" scripts and it will pass the security if there is logged in and it will die if there are trouble loggin in..

mypage.php:
<?php include('security.php');
echo "blah";
?>

for the creative ppl this way will keep all the options open to use userlevels ed..

Jordy Querner

Phantazm

Ive got to agree with jordy on this one. Unless a customer specifically requests to use the .htaccess / .htpasswd files, I almost always let php/mysql/md5 hashes do the work for me. It's quite easy to write a script to include in your secure pages to validate the user.

Here's the way I usually do it. . . Note that there are several ways to do it, this is just mine.

<?php
  // This is the script that performs the initial authentication
  $userstats = auth($user, $password);
  // If userstats=1 then the username - password combination was found... Look up any additional credentials and create a session
  if ($userstats == 1)
  {
    $query = "SELECT UserFirst,UserLast,UserAccessBits from users WHERE UserHandle='$user'";
    $result = mysql_query($query) or die("Fatal Error: mySQL Query ($query) Failed");
    $data = mysql_fetch_array($result);
    $firstname = $data['UserFirst'];
    $lastname = $data['UserLast'];
    $accesslevel = $data['UserAccessBits'];
    // Make sure this is not a banned user
    if ($accesslevel != -1)
    {
      session_start();
      session_register("SESSION");
      session_register("SESSION_UNAME");
      session_register("SESSION_FULLNAME");
      session_register("SESSION_USERACCESS");
      $SESSION_UNAME = $user;
      $SESSION_FULLNAME = "$firstname $lastname";
      $SESSION_USERACCESS = "$accesslevel";
    }
    header("Location: http://www.*******.com");
    exit;
  }
  else
  {
    // If code gets here, username/password combo not found in db
    header("Location: http://www.*******.com");
    exit;
  }
  // Authentication Function
  function auth($auser, $apass)
  {
    $result = -1;
    include ("global.php");
    $link = mysql_connect("localhost","dbusername","secret") or die("Fatal Error: Unable to connect to mySQL!");
    mysql_select_db("eba") or die("Fatal Error: Unable to open eba database!");
    $query = "SELECT UserHandle,UserPassword from users WHERE UserHandle='$auser' AND UserPassword='$apass'";
    $result = mysql_query($query) or die("Fatal Error: mySQL Query ($query) Failed");
    if (mysql_num_rows($result) == 1)
    {
      // found user/pass
      return 1;
    }
    else
    {
      // dod not find user/pass
      return 0;
    }
  }

The above code is called via the following. . . And yes, it's straight HTML...

<HTML>
<HEAD>
<TITLE>Please Login</TITLE>
</HEAD>
<BODY>
<CENTER>
<TABLE BORDER="0" CELLSPACING="5" CELLPADDING="5">
<FORM ACTION="login.php" METHOD="POST">
<TR>
<TD>Username</TD>
<TD><INPUT TYPE="TEXT" SIZE="16" NAME="user"></TD>
</TR>
<TR>
<TD>Password</TD>
<TD><INPUT TYPE="PASSWORD" SIZE="16" NAME="pass"></TD>
</TR>
<TR>
<TD COLSPAN="2" ALIGN="CENTER"><INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Log In"></TD>
</TR>
</FORM>
</TABLE>
</CENTER>
</BODY>
</HTML>

As you can see, very basic 😉 This particular one doesn't even user md5 (hrmm... I guess I better update it... lol)

At any rate, something similar to this would probably do what you want with minimal changes. Once the user logs in, you just include a script in any "secured page" that checks the session to see if a valid user is present.

Hope this helps some..

jordy

for the complete code i use just mail me.. its quite to long to post in this forum.. but btw.. i c ppl talking about FP here.. hmz one last advice...... DONT USE IT! there are far better website GUIs on the market!

siwis

Originally posted by jordy
for the complete code i use just mail me.. its quite to long to post in this forum.. but btw.. i c ppl talking about FP here.. hmz one last advice...... DONT USE IT! there are far better website GUIs on the market!

Jordy, perhaps in your opinion there are better WYSIWYG editors out there, but to make the blanket statement you did without any form of corroborative evidence doesn't wash with me.

I have the choice of using Frontpage OR Dreamweaver for WYSIWYG work and yet I choose FP over DW any day. Once you get over the anti M$ issues and the snobbery that exists within web design against FP you will find that there isn't much that FP can't do that others can. Certainly there is a small issue with PHP in that you should not try to edit PHP within the FP editor (unless you have ASP Style tags) but then again why would you want to create php in a wysiwyg editor anyway. I use HomeSite for that.

To be honest I hear so much bull spouted about what FP does to peoples code that I begin to wonder if you lot are just playing a game of chinese whispers. I hear comments about FP creating bloated code. Simply not true. I hear comments of FP changing peoples html. Well its never done it to me. I hear comments of FP writing incompatible code. Again, it's the choices the operator makes that determine what FP will write.

So orebic, use whichever editor you feel most comfortable with. Don't try to use FP to edit any PHP (set up natepad as the default, or use a different text editor, OR change to ASP style tags <% %> altho this could limit you in server deployment.

ahajdar

Hey...I just have to ask why did you choose Orebic as your handle here? Did you have in mind Orebic, Croatia or something else?

orebic

Thanks for your reply everyone. Security not a major concern. Phantazm if I use the code above then all I need to do is setup a mySQL database with my membership no's and there is no need for md5. Can I remove any association with username in your code if I am only using a membership no to authenticate (no username)? Can mySQL be created from an access database.

Jordy I will e-mail you shortly.

Yes ahajdar you are correct in your assumption about Orebic. Absolutely beautiful. How is it you know??

ahajdar

Originally posted by orebic
Thanks for your reply everyone. Security not a major concern. Phantazm if I use the code above then all I need to do is setup a mySQL database with my membership no's and there is no need for md5. Can I remove any association with username in your code if I am only using a membership no to authenticate (no username)? Can mySQL be created from an access database.

Jordy I will e-mail you shortly.

Yes ahajdar you are correct in your assumption about Orebic. Absolutely beautiful. How is it you know??

Well, I actually bought a piece of land there and plan on building a house this fall/winter. (To explain...I have American/Bosnian citizenship.) And I agree, Orebic is fantastic...and let me know if you're ever again in the area (perhaps we can do some business or just flirt with all the pretty girls on the beach (oops, I hope you're old enough! 🙂. Take care...