PHP and SQL server authentication

garethjennings

I'm pretty new to PHP and i'm trying to build a login system where users have to authenticate against a sql server db on a windows box from a php page on a unix box.

I have managed to get the connection working ok but i'm having trouble checking the username and password against ones already in the db.

I'm then trying to send the user to different pages depending on wheather they have logged in correctly

I have the following code:

<?php
require('dbconnect.php'); // database connect script.

$sql= "SELECT * FROM tbl_users";
$rs= mssql_query ($sql, $con);

if (username==$username) AND (password==password) {
header("location: registration_form.html");
}
else{
header("location: sorry_memb.html");
}
mssql_close ($con);
?>

cbj4074

Well, the problem you're having stems from the fact that the passwords stored in the MySQL database are encrypted. How you encrypt the password from your form, or wherever you're getting the input from, depends on how the ones in the database are encrypted.

If you have a table in your database with user names and passwords, you need to use the same function for encrypting the user name/password combo you submit as what's used to store them in the DB. I use MD5 in my UN/pass table. Conveniently, there's an MD5 function built into PHP.

I'll just save you some trouble and post a snippet of code that I wrote for this very purpose. It's not complete here, but you will be able to take something away from it:

<?php

//set the variables for connecting to the mysql database
$dbhostname='localhost';
$dbuser='xxx';
$dbpass='xxx';
$dbname='xxx';

//connects to the MySQL database with the supplied credentials
$dbconnection = mysql_connect($dbhostname, $dbuser, $dbpass)

//message to display if there's an error
or die('Connection to the database failed. =(');

//selects the specified database
mysql_select_db($dbname, $dbconnection) or die ("The database $dbname could not be found, attempted by user $dbuser");

//*****NOTE: these two POST statements come before the query because
//*****it's possible that the user is already logged in...
//add slashes to the username (which prevents errors from people who have
//non-alpha-numeric passwords), and make an md5 checksum of the password
$_POST['username'] = addslashes($_POST['username']);
$_POST['password'] = md5($_POST['password']);

//query the database for a credential match for this user
$result = mysql_query("SELECT count(userid) FROM `administrators` WHERE userpass='$_POST[password]' AND username='$_POST[username]'") or die("Couldn't query the user-database.");

//stores the results of row 0 (0 being the only matching row)
$some_row = mysql_result($result, 0);

//closes the connection to the database
mysql_close($dbconnection);

//if the credentials didn't match (i.e. the query didn't return a row in the result)...
if (!$some_row) {
	//if a login attempt has been made, notify the user of a bad username
	//and/or password if necessary
	if (($_POST['first_attempt'])) {
		echo '<table align="center" cellpadding="3" cellspacin="0" border="0"><tr><td valign="top"><img src="' . $pathtoroot . 'images/misc_images/warning.gif" alt="Warning Icon" /></td><td valign="top"><font color="#FF0000">The username/password combination you supplied is invalid. Please try again.</font></td></tr></table>';
	}
	include_once('login_form.inc.php');
}
else {
	//start the session
	session_start();

//we've already added slashes and MD5'd the password
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
//and we need to add the authorization type
$_SESSION['authtype'] = 'administrator';

//any text output below this line will be displayed to the users that are authenticated,
//or, you can just redirect the user and not output anything, which is what I've done here

if ($_SESSION['referer'] == $PHP_SELF) {
	header('Location: index.php');
	die();
}
else {
	$url = $_SESSION['referer'];
	header("Location: $url");
	die();
}
}
?>

You also need to have cookies enable to work with session variables in this way.

The other thing, is that you have a few syntactical errors in your code up there... I'm guessing you just threw a makeshift example in the window and not your actual code, because the parser would get hung up long before your password submission didn't match...

garethjennings

Thanks for the help but i specifically need some explanation using a SQL SERVER DB not mysql.
Also this is my actual code not an example - I dont recieve any errors before the username and password are passed?

I'm very very new and do appreciate the help.

Roger_Ramjet

There is everything wrong with your script:

1 you are not passing any selection criteria so your query will return all users. You would then have to iterate through the results untill you found your user and then try to validate the password.

you are not extracting anything from the results to compare to anything anyway.


$sql = "SELECT * FROM users WHERE user= ' " . $_POST['user'] . " ' ";
$rs= mssql_query ($sql, $con); 

if (!$rs) {   //user not found
header("location: not_a_memb.html"); 
exit;
} 
$row = mssql_fetch_array($rs);
if ($_POST['pwd']==$row['pwd']) {  //password matches
header("location: welcome.html"); 
}
else {  //wrong password
header("location: wrong_password.html"); 
}

Is the sort of thing you need to do.

PS. Why not use SQLServer authentication: set the users up as SQLServer users, insert the user name and password supplied in your connect script, if it fails then not a valid user.

garethjennings

Mr.Ramjet,

You truly will not realise how much you are saving my life but I still have a problem.

Here is the actually code i'm using (you will notice the resemblance to your own!):

<?php
require('dbconnect.php'); // database connect script.

$sql = "SELECT * FROM tbl_memb WHERE broker_ref= ' " . $POST['BrokerRef'] . " ' ";
$rs= mssql_query ($sql, $con);

if (!$rs) { //user not found
header("location: not_a_memb.html");

exit;
}

$row = mssql_fetch_array($rs);
if ($POST['post_code']==$row['PCode']) { //post code matches
header("location: welcome.html");
}
else { //wrong post code
header("location: not_found.html");
}

mssql_close ($con);
?>

The problem i'm having is that whatever is passed in the broker_ref or post_code fields it always takes you to the welcome.html pages.

Any suggestion?

Thank you so much for all the help so far.

Roger_Ramjet

Echo your query to see what is being sent, echo out the post vars, and print_r the result set to see what is actually returned. Could be any number of reasons why they alwasy match including the possibilty that NULL==NULL: ie nothing in either variable so they match.

garethjennings

How do I do all that?

Sorry - like i said, i'm very very new.

Roger_Ramjet

http://uk.php.net/echo