Verify user-pass Against database

halojoy

hi
halojoy here

this is an include part of my login/page protection script
it is the part where it all happens
if user will VERIFY alright

tried to make it as effective as possible
because a page protection script should be as TRANSPARENT as possible
when it comes to delay page-view
when a user is authorized to view, he shouldnt even notice
that there is a test performed at top of page

CODE uses my own Database Table Class - One Object instance per table
Does fwrite() binary and read() binary to and from 1 file for each table

Enjoy or Post Critique.
This is a commented version, for public.
Original verify.php is only 281 bytes.

regars ..to my friends 🙂
hello to them others ....
/halojoy

<?php
// Protects this page from direct access
// Using 2 controls 
if(eregi('security/verify.php', $_SERVER['PHP_SELF']) || !defined('SECURE')){
    exit('err:v');
}

require_once($database_dir.'db_table.class.php');
// New db_table object, with arg: database-name, table-name
$tb = new db_table('my_db', 'users');
// Load the complete table specified above. Into array.
$tb->tb_load();


// INDATA: $entered_username + $entered_password

// Find first occurance of entered username in Column 'username'
$tb->tb_find_one('username', $entered_username);

// Method 'tb_find_one()' returns to its own variable: '->result_one' 
// If Found store: The full row as an array, 
// If Not found  : array() .. an empty array
$result = $tb->result_one;

$found = false;
$message = '';
// If username match, we test for sha1(password)
if(!empty($result)){
    $found = true;
    if($result['password'] !== sha1($entered_password))
        $message = 'bad pass';
}
if(!$found)
    $message = 'no user';

// OUTDATA: $message = '' / 'no user' / 'bad pass'
// ''         = verify was okay, no error message
// 'no user'  = exists no such user
// 'bad pass' = password does not match user    

?>

NogDog

CODE uses my own Database Table Class - One Object instance per table
Does fwrite() binary and read() binary to and from 1 file for each table

Does this mean you are using a flat file "database" as opposed to an actual DBMS? Is so, any particular reason why?

Weedpacket

NogDog wrote:
Is so, any particular reason why?

They're against his religion.

eregi('security/verify.php'...)

The POSIX functions are being downgraded in favour of PCRE
The '.' should be escaped unless "security/verify!php" should match as well
There nothing there that requires regular expressions. Either strpos() or stripos() would be adequate.
Is case-insensitivity necessary?

// OUTDATA: $message = '' / 'no user' / 'bad pass'
// ''         = verify was okay, no error message
// 'no user'  = exists no such user
// 'bad pass' = password does not match user

If these are not intended for end user consumption, then named constants may be more efficient. If they are intended for user consumption (say as part of an error message), it's a security risk.

halojoy

okay, thanks.
So, I managed to make a better and and more slim verify.php
Now, I do not think I can simplify and improve this any more 😃

Here is the new version.
For more comments, see the old version, below.
Changes:
- stripos() instead of eregi()
- require() instead of require_once() ... thanks to: Rasmus Lerdorf blog
- if($res = $tb->one){ replaces
$result = $tb->result_one;
if(!empty($result)){
- using else instead of extra variable '$found'

I must say I am surprised so many improvments can be made
in such a small piece of PHP code.
Regars 🙂 halojoy

New version 3a:

<?php
    // verify.php
    // This page is called from Login: require('verify.php');
    if(false!==stripos($_SERVER['PHP_SELF'],'verify.php')||!defined('SECURE')){
        exit('err:v');
    }
        require($dbdir.'class.dbtable.php');

    // INDATA: $m=''; error message. $u,$p; entered_user, entered_pass
    $tb = new dbtable('mydb','users');
    $tb->load();
    $tb->find_one('username', $u);

    if($res = $tb->one){
        if(sha1($p) !== $res['password']){
            $m = 'bad pass';
        }
    }else{
        $m = 'no user';
    }
    // OUTDATA: $m='' or $m=error-msg

?>

Old version 1:

<?php
// Protects this page from direct access
// Using 2 controls 
if(eregi('security/verify.php', $_SERVER['PHP_SELF']) || !defined('SECURE')){
    exit('err:v');
}

require_once($database_dir.'db_table.class.php');
// New db_table object, with arg: database-name, table-name
$tb = new db_table('my_db', 'users');
// Load the complete table specified above. Into array.
$tb->tb_load();


// INDATA: $entered_username + $entered_password

// Find first occurance of entered username in Column 'username'
$tb->tb_find_one('username', $entered_username);

// Method 'tb_find_one()' returns to its own variable: '->result_one' 
// If Found store: The full row as an array, 
// If Not found  : array() .. an empty array
$result = $tb->result_one;

$found = false;
$message = '';
// If username match, we test for sha1(password)
if(!empty($result)){
    $found = true;
    if($result['password'] !== sha1($entered_password))
        $message = 'bad pass';
}
if(!$found)
    $message = 'no user';

// OUTDATA: $message = '' / 'no user' / 'bad pass'
// ''         = verify was okay, no error message
// 'no user'  = exists no such user
// 'bad pass' = password does not match user    

?>

laserlight

Now, I do not think I can simplify and improve this any more

You can improve variable naming, indentation, and formatting in general:

<?php
// verify.php
// This page is called from Login: require('verify.php');
if (false !== stripos($_SERVER['PHP_SELF'], 'verify.php') || !defined('SECURE')) {
    exit('err:v');
}

require $dbdir . 'class.dbtable.php';

// INDATA: $error_message, $entered_user, $entered_pass
$tb = new dbtable('mydb', 'users');
$tb->load();
$tb->find_one('username', $entered_user);

$error_message = '';
if ($tb->one) {
    if (sha1($entered_pass) !== $tb->one['password']) {
        $error_message = 'bad pass';
    }
} else {
    $error_message = 'no user';
}

// OUTDATA: $error_message
?>

However, a possibly even better improvement would be to turn this into a function, then the INDATA and OUTDATA requirements can be enforced as parameters and return value.

halojoy

You can improve variable naming, indentation, and formatting in general:

For documentation, yes. Absolutely!

However,
a possibly even better improvement would be to turn this into a function,
then the INDATA and OUTDATA requirements can be enforced as parameters and return value.

For increase general usefulness, yes.
I could write such version, too. Later.
I even have started making a PHP 5 Class of it all.
But first i want to see it working optimal, as a file-based version.
Because,

This script of mine uses require(subfile) instead of functions:

config.php is the first little bit, file to be required
getstatus.php is where see status of user, logged in/or not
verify.php is just one of all those small bits, includes.
form.php is another

.. and to hold it all together there is of course one file:

/secure/main.php This is the file that is called by secure.php

And to protect pages, I use this.
secure.php - Will pass if you are logged in, else a login form.

<?php require('secure.php'); ?>
rest of page

secforce.php - Will require you log in EACH visit.
Performs logout and then requires login:

<?php require('secforce.php'); ?>
extra secure page

halojoy

Here I attach flow chart of Secure pages.
See my flowchart attachment image.

I have color marked the verify.php bit.
This way is easier to understand the context of the code.

Regars 🙂
halojoy