Checking username and password...

Jnuw

Hello all. I'll first say that I’m very new and have very little experience with php or mysql. Here is what I’m trying to do, any guidance or pointing in the right direction would be very appreciated, thanks.

I work for a company that sells software, and we send out updates to our customers frequently. To get the updates, our customers have to log on to a php web page that requires a username and password (stored on the mysql db I’m sure). Once logged on, they can click on links to the updates.

I wrote a small program using the Nullsoft Installer (NSIS) to check to see if a user is up-to-date or not, and report what updates they are missing. I want to take it step further now, and have this program download the updates for them. However I want to first check that they are current customers.

My question is this, if I prompt users for a username and password within my little program, how can I check that their credentials are good? I don't know how I would communicate to our companies mysql server. My only other thought was that I could create some dummy txt file behind the logon area of our website, and simply try to download the file, placing the username and password right in the url of the txt file. If the file downloads, then I know if have a good username and password. I have no idea if I can even do that, put a username and password in a url.

Any help would be appreciated, thanks!

Sxooter

On the assumption that everyone has web access, just create a super simple web page that takes a get argument like:

http://myserver.com/checker.php?name=xyz&pwd=123

and returns a true or false or whatever. Then just grab that with the installer.

id10t

If you are including your own dl client, etc then do as the above poster suggested. and pass the username and password as a arg, or probably better would be some sort of hash you could decode on your end (unless you are sending over ssl).

If you just want to call up the users default browser and go to a web page to enter the user/pass, then you can do it with sessions and redirects.

First, write a quick script for download that will take the file as an argument, like http://you.com/dl.php?filename.exe

In that page, start a session. See if there is a session variable set to indicate good login, and if there is, send the file. If there isn't, set a session var to indicate teh file they wanted and use a redirect header and send them to a login page.

Start the session on the login page, start by processing the login information, if it is logged in already (other browser window open from a previous update dl moments ago) and a desired file var is set, redirect 'em to the dl.php script with the file as the arg again. If it isnt logged in yet, and you have auth tokens, process them. If they are right, set the login ok variable and redirect to the dl page. if they arent correct, or arent there at all, show the login form.

Jnuw

Wow, thanks Sxooter and id10t. I should reiterate that I know next to nothing about php, but I’m very willing to learn. Let me rephrase some of the ideas you two presented.

First, I need to make a php file/page that within the php code
will "scrape" off the username and password from a url like:
http://myserver.com/checker.php?name=xyz&pwd=123
and then inside the php file it checks with the db to verify these.

That I understand, but will have to investigate how to write. The part I’m still having trouble with is this. Within my little program I don't want the user to see any IE windows, or anything of the sort. I'm trying to mimic a live updater, where my program runs, checks, and reports what they are missing, then prompts them for a username and password, and then downloads the updates for them.

So the main question is: So how do I communicate to my little program (call vChecker) what the php page finds from checking the username and password?

There is a plug in I’m already using within the NSIS system to download files, which is silent to the user. That’s why I thought I could just download a file from behind the protected area of our website, and use that as an indicator.

Let me know if I can provide any other info, and thanks again guys for getting me started.

Jnuw

Sxooter

If your plugin lets you download from a web server, then you're pretty close to home. just download the file http://myserver.com/checker.php?name=xyz&pwd=123 and check the contents.

If not, you could look at the source code to wget to get an idea of how to write a super simple web server download function.

Jnuw

Originally posted by Sxooter
If your plugin lets you download from a web server, then you're pretty close to home. just download the file http://myserver.com/checker.php?name=xyz&pwd=123 and check the contents.

I just checked, I was able to download our login.php page off our current website. So this should work.

So...I would need to write the http://myserver.com/checker.php?name=xyz&pwd=123 page that simply produces html code with "Good" or "NoGood" in it. Then I can read that file with NSIS looking for "Good" or "NoGood"?

Am I on the right track? Thank you so much.

Jnuw

Assuming I am on the right track, are there any examples of the type of php page I need to write to do what the checker.php?name=xyz&pwd=123 needs to do?

Thanks so much all.

id10t


<?php

import_request_variables("gP","rvar_");


do some stuff to connect to a db server here

 do some stuff here to check the db if the username (now stored in $rvar_name) and password (now stored in $rvar_password) are valid and store it in a variable 


if ($userAuth=="ok"){
 print("good");
}else{
 print("not good");

}

You will of course need to do the db connection or whatever you are going to do to check the username and password.

Sxooter

Warning, the following code does no scrubbing or checking of user input (i.e. it assumes we've got automatic gpc quoting turned on...)

<?php
$conn = pg_connect("dbname=test user=dbuser");
$name = $_GET['name'];
$pwd = $_GET['password'];
$query = "select * from checker where name='$name' and pwd='$pwd'";
$res = pg_query($query);
if (pg_num_rows($res)>0) print "OKAY";
else print "NOPE";
?>

Database:

create table checker (name text, pwd text);
insert into checker values('stan','wendy');
URL to call server:
[url]http://servername.com/check.html?name=stan&password=wendy[/url]

Jnuw

Thank you guys so much! I'm 98% there. I have one problem. When I download the php page, it should have only 1 of 2 contents, either "LoggedIn" or "Denied". I can only get it to say LoggedIn if I provide the correct credentials. If I provide incorrect credentials, the php file I download is totally empty, and does not say Denied. Any thoughts. Here is the code I’m using (minus company specific data), don't laugh too hard, its my first php page ever! :rolleyes:

<?php

$name = $_GET['name'];
$pwd = $_GET['pwd'];

{

  mysql_connect('mysql.bla.bla', 'admin', 'adminspwd') or
    die ('Could not connect to database');

  mysql_select_db('Customers') or
    dir ("Could not select database");

$result=mysql_query("SELECT bla, bla, bla, bla FROM Users WHERE username='$name' AND password='$pwd' AND accepted>0") or
    die ('cant do it');

while ($row=mysql_fetch_array($result))
 {
 if ($row["password"]==$password )
    {
    print("LoggedIn");
    }else{
    print("Denied");
    }
 }

}
?>