Here's what I have used:
Login.php
<?php
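// Login.php: login gate pulled in by protected pages. It either lets the
// including page continue (credentials accepted) or stops the request after
// the login form has been printed.
ini_set("include_path", ".:/home/httpd/html/www/Training/Bank/");

// require_once instead of include: a missing Form_Auth.php must stop the
// request rather than let the page continue, and a second inclusion must not
// redeclare its functions.
require_once('Form_Auth.php');

// Fail closed: anything other than a strict boolean true ends the request.
// form_authenticate() has already printed the form and any error message.
if (form_authenticate() !== true) {
    exit;
}

// Only has an effect when this file is included from inside a function;
// kept so the including scope sees the same names as before.
global $username, $password;

// Form_Auth.php already called session_start() when it was included, so a
// second call here is redundant. Issue a fresh session id instead, so an id
// that was known before the login is not the one that ends up authenticated
// (session fixation). Requires PHP >= 4.3.2.
session_regenerate_id();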
?>
Form_Auth.php
<?php
// These declarations only matter when this file is included from inside a
// function; at the top level of a page they change nothing.
global $username, $password;

// Open (or resume) the session as soon as the file is included, before any
// of the functions below run.
session_start();
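/**
 * Print the complete login page.
 *
 * The form posts back to the current URL: the original printed $PHP_SELF
 * into the action attribute, but that variable is not in scope inside this
 * function, so the attribute was always empty. The empty action is now
 * written explicitly. If a script path is ever placed there, it has to be
 * HTML-escaped first, because it is taken from the request.
 *
 * @param string $err Message shown in red under the form; treated as plain
 *                    text and HTML-escaped before output.
 */
function show_auth_form ($err = '')
{
    // Every caller in this file passes a fixed string, but escaping here
    // keeps the page safe if a message ever carries request data.
    $safeErr = htmlspecialchars((string) $err, ENT_QUOTES);

    // Closing heredoc marker stays at column 0 so the file also parses on
    // PHP versions older than 7.3. The missing </head> tag has been added.
    $page = <<<EOT
<html>
<head>
<title>Login</title>
</head>
<body>
<font face="Arial, Helvetica, sans-serif" size="4"><b>Please Enter your Username and Password to access the Test Bank Editor</b><br><br></font>
<form name="Login" method="POST" action="">
<font face="Arial, Helvetica, sans-serif">
<table border="0">
<tr>
<td>Username: </td>
<td><input type="text" name="username" value=""></td>
</tr>
<tr>
<td>Password: </td>
<td><input type="password" name="password" value=""></td>
</tr>
</table>
<br><br>
<table border="0">
<tr>
<td><input type="submit" value="Submit"></td>
<td><input type="reset" value="Reset"></td>
</tr>
</table>
</font><br><br><font color="red"><b>{$safeErr}</b></font>
</form>
</body>
</html>
EOT;

    print($page);
}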
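/**
 * Check the posted username/password against the `testbank` table.
 *
 * Reads the credentials from $HTTP_POST_VARS, looks the user up and, only
 * when the password matches, registers the session variables "username" and
 * "password".
 *
 * Changes from the original listing:
 *  - the username is escaped before it is placed in the SQL string (it was
 *    interpolated raw, which allowed SQL injection);
 *  - the password comparison is exact (strnatcasecmp() ignored letter case
 *    and compared digit runs numerically);
 *  - the session variables are registered after a successful check, not
 *    before it, so a failed attempt leaves nothing in the session;
 *  - database errors go to the error log instead of the response, and the
 *    function stops at the first failure.
 *
 * @return bool true when the credentials match exactly one row, else false.
 */
function authorize_user ()
{
    global $HTTP_POST_VARS;

    // Placeholder connection settings from the original post.
    $usr = "username";
    $pwd = "password";
    $db = "database";
    $host = "host";

    // Reject missing or non-string fields (e.g. array-valued form input)
    // before touching the database.
    if (!isset($HTTP_POST_VARS['username'], $HTTP_POST_VARS['password'])) {
        return false;
    }
    $username = $HTTP_POST_VARS['username'];
    $password = $HTTP_POST_VARS['password'];
    if (!is_string($username) || !is_string($password)) {
        return false;
    }

    $cid = mysql_connect($host, $usr, $pwd);
    if (!$cid) {
        // mysql_error() text can describe the server and account; keep it
        // out of the page that is sent to the visitor.
        error_log("authorize_user: connect failed: " . mysql_error());
        return false;
    }
    if (!mysql_select_db($db, $cid)) {
        error_log("authorize_user: select_db failed: " . mysql_error($cid));
        return false;
    }

    // Escape for the open connection (PHP >= 4.3.0). The mysql extension has
    // no prepared statements and was removed in PHP 7.0; on mysqli or PDO,
    // use a prepared statement with a bound parameter instead.
    $SQL = "SELECT username, password FROM testbank WHERE username = '"
         . mysql_real_escape_string($username, $cid) . "';";
    $result = mysql_query($SQL, $cid);
    if (!$result) {
        error_log("authorize_user: query failed: " . mysql_error($cid));
        return false;
    }

    // Exactly one matching row is required; zero or duplicates both fail.
    if (mysql_num_rows($result) != 1) {
        return false;
    }
    $row = mysql_fetch_row($result);
    $pass = $row[1];

    // The submitted password is compared directly with the column value, so
    // the table evidently holds passwords in recoverable form. Where the
    // platform allows (PHP >= 5.5), store password_hash() output and check
    // it with password_verify() instead.
    if ($password !== $pass) {
        return false;
    }

    // session_register() stores the *global* variables of these names, not
    // the locals above; this listing relies on register_globals for that.
    // NOTE(review): the password is also kept in the session, as in the
    // original. No code in this listing reads it back; drop that
    // registration once no protected page depends on it.
    session_register("username");
    session_register("password");

    return true;
}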
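/**
 * Drive the login sequence for the current request.
 *
 * Prints the login form (through show_auth_form) whenever the request does
 * not carry valid credentials.
 *
 * Changes from the original listing:
 *  - authorize_user() is called once; the original called it a second time
 *    in an elseif, repeating the database lookup and session registration
 *    without affecting the result;
 *  - the POST fields are read only after checking that they exist and are
 *    strings;
 *  - a field is treated as blank only when it is the empty string (empty()
 *    also rejected the value "0").
 *
 * @return bool true when the posted credentials were accepted, false when
 *              the form was shown instead.
 */
function form_authenticate ()
{
    global $HTTP_POST_VARS;

    // Nothing posted: first visit, show the bare form.
    if (empty($HTTP_POST_VARS)) {
        show_auth_form();
        return false;
    }

    $username = isset($HTTP_POST_VARS['username']) ? $HTTP_POST_VARS['username'] : '';
    $password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : '';

    // Array-valued or blank fields are handled like a blank submission.
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        show_auth_form('Please enter your username and password');
        return false;
    }

    // One message for both "unknown user" and "wrong password", so the
    // response does not reveal which usernames exist.
    // NOTE(review): nothing here limits repeated attempts; consider
    // throttling or lockout at this point.
    if (authorize_user() !== true) {
        show_auth_form('Login failed, please try again!');
        return false;
    }

    return true;
}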
?>
Then just use this statement at the top of your secure pages:
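// Guard for the top of every protected page.
// The global declarations only have an effect when this snippet is included
// from inside a function.
global $username, $password;
session_start();

// Test the session store, not the bare global. With register_globals
// enabled, $username can be filled from request parameters as well as from
// the session, so isset($username) does not prove that a login took place.
// $_SESSION (PHP >= 4.1) holds only what the server stored.
if (!isset($_SESSION['username'])) {
    ini_set("include_path", ".:/home/httpd/html/www/Training/Bank/");
    // Login.php exits the request unless the posted credentials are
    // accepted, so the rest of the page runs only after a successful login.
    include_once('Login.php');
}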
You'll have to specify your own include_path, and it can also be changed to use cookie-based authentication if you'd like.
Hope this helps