php login

Nupraptor

How do you compare a password entered on a form to a password written in a separate file? I know how to do the form and the pass to PHP thing (lol).

All I know how to do when it comes to comparing passwords etc. is the standard:

$pass = "24";

if ($password === $pass) { bla bla bla

I want to compare the entered password to a password in a separate file (e.g. password.php). Thanks in advance.

wilku

There are better ways to store passwords (databases for example), but if you want it this way 😉
First you need to create your password.php file, which would not give out your passwords when asked by browser. I suggest somthing like

<?php /*
username#password
username2#password2
username3#etc.
*/ ?>

Then you can open this file in another script and read the values:

<?php 
$lines=file("password.php");
$auth=false;
foreach ($lines as $line)
{
  //to get rid of the first and last line
  if ($line=="<?php/*" || $line=="*/ ?>") continue;
  //divide username from password
  list($user,$pass)=explode("#",$line);
  if ($user == $_POST['username'] && $pass == $_POST['password']) $auth=true;
}
?>

To improve this a bit you could store passwords hashed. When adding a user you should write username and a result of md5($pass."somestring");
While checking the password change the second if-statement to:

if ($user == $_POST['username'] && $pass == md5($_POST['password']."somestring")) $auth=true;

This method will make it harder to break in even if someone gets the password.php file.
The last possibility is, that instead of using text file you could make an array of username as a key and password as value. Then, before writing to file use serialize() function. After reading from file you'll need unserialize(). See their description in php manual.

Nupraptor

Thanks, Wilku, I'll try that. I need to be able to change the password and username from a page within the 'admin' area after you login. How would I do this using the code you provided?

wilku

You can do something like this (I'm assuming the "hashed password" version, but you can adapt it to the simpler one):

<?php
//check if user is authorized to do the changes
//and then continue with:
$string = file_get_contents("password.php");//find the difference between file and this function in php manual
$srch = $_POST["username"]."#".md5($_POST["password"]."somestring");
$rep = $_POST["newusername"]."#".md5($_POST["newpassword"]."somestring");
//before the next function you may want to check if $srch exists in $string
$string = str_replace($srch,$rep,$string);
//then save to file again
$file = fopen("password.php","w");//this will erease the previous content
fwrite($file,$string);
fclose($file);
?>

This is only a sketch - you should add some checking (for $_POST variables if, they are set, if the file exists etc.).
For more info on handling files and strings look in the manual, in the respective chapters at http://www.php.net/
One more notice: you cannot read the password explicitly from the file in hashed method. You can only check if the password provided by user is the same one that was given when adding a user. So you can't, for example, output the old password to a form, because you can't retrieve it.