[RESOLVED] Login Page

OmegaB

Getting past the form to login,
How would one go about doing this?

I have one page to just use select queries and that's fine, since I could just make it automatically login with read privileges using an include function.

But to make changes, I have a database user with read and write privileges.

Could someone point me in the right direction to make a page having someone type in this specific user with read / write privileges and be authenticated?

tldr; I want to login to a database using a user and password, with php. and the user / password is not in the database...but protecting the database.

Thanks.

OmegaB

After some thinking:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Login Form</title>
</head>
<body>
<p>&nbsp;</p>
<form id="loginForm" name="loginForm" method="post" action="login">
  <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
    <tr>
      <td width="112"><b>Login</b></td>
      <td width="188"><input name="login" type="text" class="textfield" id="login" /></td>
    </tr>
    <tr>
      <td><b>Password</b></td>
      <td><input name="password" type="password" class="textfield" id="password" /></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input type="submit" name="Submit" value="Login" /></td>
    </tr>
  </table>
</form>
</body>
</html>

<?php

if (isset($_POST['login']) && isset($_POST['password']))

{
echo 'password and user Submitted';
}
	if(!mysql_connect(localhost, $_POST['login'], $_POST['password']))
	{
	echo 'Connection failed.';
	}

else
{
echo ' and the connection was a success.';
}	


?>

Would this only last temporary for that page only ? and if so, how would you make the login last until the person logs out or clears their cookies?

Krik

I would say you're going about it all wrong.

In reality all users and passwords are stored by MySQL. Whether it is in a table and database you created for users to login into your website, or it is in the "information_schema" database so you can have your script login and access database resources.

The way you should handle this is in your database assign each user an access permission level. Real basic you can, for example, assign numbers and if a user has X number or higher, then access X page. Or for something more complex you create groups each group is then allowed access to certain pages and each user is assigned a group.

In your case, you would have your code check the users access permission level and if it is a certain level you include a different function/page/code that would use the database user that has the read/write permissions.

OmegaB

Well that's a good idea.
But with Netfirms...I have the plan that gives access to only one database.
So my situation is that I have a table which includes information about people (no user or password login) and nothing else.
Additionally, Netfirms allows a way to login the database with users and passwords created outside of the database. This gives them read / write or just read access.

So basically, I am using this way to retrieve a username / password from the person in order to see if they have read / write access or just read acesss. If they put in the correct user/pass then they will have access to the database.

Is this now a good idea?...
Or is it possible to create users in a table that has permission to other tables in the same database.

Krik

Additionally, Netfirms allows a way to login the database with users and passwords created outside of the database. This gives them read / write or just read access.

This is common with most hosts. And even that "users" login and access permissions information is still stored in a the database. That fact is just likely not visible to you.

So basically, I am using this way to retrieve a username / password from the person in order to see if they have read / write access or just read acesss. If they put in the correct user/pass then they will have access to the database.

Yep, have your code check the info they entered if it matches and they have the permission to have read / write access you then include the database connection code that has the user with the read / write access. Otherwise if they only have read access then you include the code that connects using the read only user.

I should note that when they are logging in you will need to check their info using the read only access user. And at that time you need to store there access permission level in the $_SESSION super global so that no mater what page they are on it will know their access level without having to request it. And then check the access level on every page load to see which connect code you should use.

if (isset($_SESSION['access'] )) {
    if ($_SESSION['access'] == 1) {
        // connect to read / write user
        mysql_connect($location, $username, $password);
    }
    else {
         // connect to read only user
        mysql_connect($location, $username, $password);
    }
}
else {
    echo 'ERROR: You do not have permission to view this page';
}

Or is it possible to create users in a table that has permission to other tables in the same database.

Yes is the general answer.

But, for the sake of clarity, putting a user info into a table doesn't effect the users access to other tables in the database, it is just information that means nothing to the database. The information gets meaning when you use it in your code. So you could use one table to store the user login info and in that table or a second table you could store info on which other tables a user has access to and then your code does all the work in granting or blocking access.

OmegaB

Thanks, two quick questions:
How long does a session last?
And would this be secure or not?

Krik

First, you will want to read up on Session Handling.

How long does a session last?

Generally as long as the browser window is open the session is open. I do believe there is a timeout on that even but I am not sure what the default amount of time is. And even then the default amount likely can be changed by your host.

If you need it to time out sooner you can either place a time stamp in the session super global or you can log the user activity in the database, with a time stamp, and then check the time stamp on the page load. And if they have been inactive for too long you can use [man]session_destroy[/man] to destroy the session and then make them login again.

And would this be secure or not?

It will be as secure as you make it. If security has to be real tight you will want to use a SSL. Otherwise you can try some basic things like make sure that the person that started the session is the one using it by storing the users browser info and IP and checking it each page load. There are a lot of tricks for making it secure. I would look for some tutorials on session security. The Session Handling section of php.net does have a section on security with a lot of user suggestions which may help also.

I should note that security problems are not generally caused by a particular functions of a programing language. Security problems are almost all ways a misuse of a function by the programmer. So I would say do your homework.

OmegaB

I'm having problems with sessions.

<?php
session_start();
if (isset($_POST['login']) && isset($_POST['password']))

{
echo 'Password and user submitted.<br>';
}
	if(!mysql_connect('mysql.netfirms.com:3306', $_POST['login'], $_POST['password']))
	{
	echo 'Connection failed. Please try again.';
	exit;
	}

else
{

echo 'You have logged in.<br>';

$_SESSION['access'] = 1;
$db_link = mysql_connect('mysql.netfirms.com:3306', $_POST['login'], $_POST['password']);
}

if ($_SESSION['access'] == 1) 
{
	if (!mysql_select_db('database', $db_link))
	{
	echo 'Error selecting database.';
	exit;
	}
}

echo '<br>Here are your options:<br>';
?>
<a href="insert.php">Search for tutor to insert<br></a> 
<a href="searchupdate.php">Search for tutor to update<br></a>
<a href="searchdelete.php">Search for tutor to delete<br></a>

The problem is that when I click on searchupdate.php, to move to the page, the session is gone.

This is the code for searchupdate.php:

<?php
if (!isset($_SESSION['access']))
{
var_dump($_SESSION['access']);
exit;
}
?>

<form id="searchupdateForm" name="searchupdateForm" method="post" action="update.php">
  <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
    <tr>
      <td width="112"><b>Tutor ID</b></td>
      <td width="188"><input name="tutorid" type="text" class="textfield" id="update" /></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input type="submit" name="Submit" value="Submit ID" /></td>
    </tr>
	</table>

When I vardump, I get a NULL, which means the session is empty for some reason.
Can someone help please? 🙂

bradgrafelman

You never call [man]session_start/man. You must start the session on every page you intend to use session data (read or write).

Also, on the topic of sessions... they can last an hour, a day, a month, a year... however long you'd like (assuming you configure things properly).

OmegaB

Thanks! Resolved