flat file user authorization

generic

Hey all,

I'm really quite new to PHP (still... but anyway..) and I'm having a go at putting together a kind of user profile system, but I'm totally stuck on the authorization. In my system, the user registers and it writes a file with each variable on a new line and saves it as $username.dat (simple enough to figure out). Once I got to login though, it says I'm successfully logged in but doesn't actually check the password or maintain any of the variables... here's my authorization file

<?php

// username form field is used to select datafile (username.dat).
$fp = @fopen("users/$uname.dat", "r+");

// if the username exists (as the title of a .dat file), read the contents.
	if ($fp) {
		$data = fgets($fp, 1024); 

// explode the contents into an array and set value parameters (value[1] is the password).
		$values = explode("\r\n", $data); 
		$value[0] = $uname;
		$value[1] = $pass;
		$value[2] = $fname;
		$value[3] = $lname;
		$value[4] = $age;
		$value[5] = $sex;

// compare password from login form against the text file.
		if ($password == "$pass") {
			echo "You are successfully logged in! Click <a href=\"index.php\">here</a> to continue.";

// if the password doesn't match, stop the login.
		} else {
 			die("That username doesn't exist. Click <a href=\"login.php\">here</a> to try again or here to <a href=\"register.php\">register</a>.\n");
 		}

// if the username doesn't exist, stop the login.	
		} else {
 		die("That username doesn't exist. Click <a href=\"login.php\">here</a> to try again or here to <a href=\"register.php\">register</a>.\n");
 	}

?>

I'm sure it's a simple solution and I'm thinking it resides somewhere around the fgets() part of the code. This is all a learning process though so any help would be appreciated.

Thanks,

gen

kobmat

try using fread

<?php
$fp = fopen("file.dat", "r");
$file= fread($fp, filesize("file.dat"));

//do the splitting and exploding of the $file here

fclose($fp);
?>

generic

I had tried that before, different variations of fread, fget and fpassthru but still it doesn't work. It gives sends me through as if I input a proper user and pass but it should stop at the username if there is no username present - the idea is when a user registers, the register script saves a flat file with their details and names it (their username) $uname.dat. Thus, when the log in, it should search for a file with their uname and either stop if it doesn't exist or query the file to compare passwords if it does exist.

Any ideas?

kobmat

Can you post the contents of the username.dat file?

kobmat

I see the problem... you exploded the $data to the $values array

$values = explode("\r\n", $data);

but you are accessing the $value array, which is
empty. Try changing to $values;

$values[0] = $uname;
$values[1] = $pass;
$values[2] = $fname;
$values[3] = $lname;
$values[4] = $age;
$values[5] = $sex;

kobmat

Try this... Hope this works.

$fp = @fopen("users/$uname.dat", "r+"); 

if ($fp) 
	{ 
    $data = fread($fp, filesize("users/$uname.dat"));  

$values = explode("\r\n", $data);  
//Are you sure about the "\r\n" as the record?
//Let me check you username.dat if \r\n is really
//what separates the fields. 
//Just post the contents of the username.dat

$uname = $values[0]; 
$pass = $values[1]; 
$fname = $value[2];
$lname = $value[3]; 
$age = $value[4]; 
$sex = $value[5]; 

//Im assumming that the $password is the password variable passed from the login form
//This is a bad practice
//Try using $_POST['password'] if it is posted and
//$_REQUEST['password'] if get
//you may have a problem when register_globals is set to false on php.ini
if ($password == $pass) 
	{ 
    echo "You are successfully logged in! Click <a href=\"index.php\">here</a> to continue."; 
	} 
else 
	{ 
    die("That username doesn't exist. Click <a href=\"login.php\">here</a> to try again or here to <a href=\"register.php\">register</a>.\n"); 
    } 

fclose($fp);
} 
else 
	{ 
    die("That username doesn't exist. Click <a href=\"login.php\">here</a> to try again or here to <a href=\"register.php\">register</a>.\n"); 
    }

take note i reversed the $values[0] = $uname to $uname = $values[0].

just try let...and let me know if it works

generic

hmmm, I tried cleaning up my code as per suggested but it still gives me a successful login without actually checking for the password..

maybe you can elaborate on:

//Im assumming that the $password is the password variable passed from the login form
//This is a bad practice
//Try using $POST['password'] if it is posted and
//$REQUEST['password'] if get
//you may have a problem when register_globals is set to false on php.ini

Thanks,

Gen

kobmat

It goes like this.

If the method of your login form is POST all the variables or the data on input fields can be accessed on $_POST array. Use the name of the field as the index.

for example, you have the form:

once the submit button is clicked. the text inputted by the user is can be accessed on $POST["password"]. There are other arrays also like $GET, for forms with method get and variable passed on the URL. There is also $REQUEST which is a mixture of all $POST and $GET and even $FILES. $_FILES is an array which contain file uploads.

Now, if you have register_global on, you dont need to type $FILES, $POST, $GET or $REQUEST anything passed to the phpscript via GET or POST is automatically created a global variable. For example for the form above, you can access the password passed by just $password.

Now register_globals on is a very bad practice. It can create conflict between the variables you created and the globals that PHP created. so to be sure just use $FILES, $POST, $GET and $REQUEST to access the variable passed.

And also you may want to do this parse the contents of the user flat file.

$temp = preg_replace("/\r/", $data);
$values = explode("\n", $temp);

Maybe the separator of the data is not really "/r/n" maybe it just \n. the code above first removes all the \r and explodes it using only \n as a separator.

Hope this helps...