Re: Dealing with passwords
Best way is to store the users in a database. User is required to log in to access fancy stuff. Database stores encrypted version of password. On receiving a login request, you encrypt the password and compare that to the one in the database (and you compare the usernames too, of course). Then, if the login is successful, you send the client a very complicated session cookie, e.g. md5sum(uniqid().rand()). This value you also store in the database along with the user, so when you receive the cookie you can verify it's the same user.
Another field of the user table is the access privilege field. This can be a group identifier or something else. It tells you what the user is allowed to do.
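The scheme this post describes (hash-compare the password, issue a random session value that is stored with the user and checked on every request, and gate actions on a privilege column), written out as an added example in modern PHP; it is not code from the thread. It assumes a `users` table with columns `id`, `username`, `password_hash`, `session_token` and `role`, uses PDO prepared statements, and replaces `md5` with `password_hash`/`password_verify` and `md5(uniqid().rand())` with `random_bytes`.

```php
<?php
// Added example (not from the thread): the login and session-token scheme
// described above, with prepared statements and a salted password hash.
// Assumed table: users(id, username, password_hash, session_token, role)
function login(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify compares against the stored salted hash (not md5)
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // unknown user or wrong password: same answer for both
    }
    // Session token: 32 bytes from the CSPRNG, stored with the user row
    $token = bin2hex(random_bytes(32));
    $upd = $db->prepare('UPDATE users SET session_token = :t WHERE id = :id');
    $upd->execute([':t' => $token, ':id' => $row['id']]);
    return $token; // the caller sends this as an HttpOnly session cookie
}

// Finds the user that owns a presented token, or null if nobody does
function userForToken(PDO $db, string $token): ?array
{
    $stmt = $db->prepare('SELECT id, username, role FROM users WHERE session_token = :t');
    $stmt->execute([':t' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The "access privilege field": the request proceeds only with the required role
function requireRole(PDO $db, string $token, string $role): array
{
    $user = userForToken($db, $token);
    if ($user === null || $user['role'] !== $role) {
        http_response_code(403);
        exit('forbidden');
    }
    return $user;
}

// Stand-alone demo on an in-memory SQLite database with constructed sample data
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password_hash TEXT, session_token TEXT, role TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
var_dump(login($db, 'alice', 'wrong'));                  // NULL
$token = login($db, 'alice', 'correct horse');
var_dump(requireRole($db, $token, 'admin')['username']); // string(5) "alice"
```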
Re: Dealing with passwords
How exactly do I do that? Make a form using post, encrypt the password with md5() and check it against the pass in the database? If so, what do I do next? I'm still quite new to this.
Re: Dealing with passwords
This is what I do. It might not be optimal, but it works.
If anyone knows of any ways to improve it, please tell me.
dblib.php
PHP Code:
<?php
// Start the session
session_start();
// Connect to the database (legacy mysql extension, as used throughout this thread)
@mysql_connect('localhost', 'root', '') or die('Could not connect to the database: ' . mysql_error());
// Select the database
@mysql_select_db("akracom") or die('Could not select that database: ' . mysql_error());

////////////////////
// Global Functions
////////////////////

// Redirect to the start page unless the current session belongs to a logged-in user
function loggedincheck()
{
    if (isset($_SESSION['usrname']) && $_SESSION['usrname'] != '')
    {
        $usrname = $_SESSION['usrname'];
        if (!check_loggedin($usrname))
        {
            header("Location: ../index.php?msgcode=3"); // msgcode3: "You have been logged out - log in again"
            mysql_close();
            exit;
        }
    }
    else
    {
        header("Location: ../index.php?msgcode=4"); // msgcode4: "You must be logged in to access that page"
        mysql_close();
        exit;
    }
}

////
//
// This function will return true or false depending on whether the user is logged in or not
///
function check_loggedin($usrname)
{
    // Check to see if the session variable $usrname exists
    if (isset($_SESSION['usrname']) && $_SESSION['usrname'] != "")
    {
        $usrname = $_SESSION['usrname'];
        // Check that the 'ppl' row where usrname == $usrname is flagged as logged in
        // and that its stored session id matches the current one.
        $query = 'SELECT * FROM ppl WHERE usrname = "'. $usrname .'" AND session_id = "'. session_id() .'" AND loggedin = 1';
        $result = mysql_query($query);
        $num = mysql_num_rows($result);
        if ($num > 0)
        {
            // Yes, the user with the username $usrname is logged in.
            // Update the timestamp: set it to NULL
            // (the username must be quoted here, as in the SELECT above; unquoted it is a SQL error)
            $query = 'UPDATE ppl SET timestmp = NULL WHERE usrname = "'. $usrname .'" AND session_id = "'. session_id() .'"';
            mysql_query($query);
            return true;
        }
        else
        {
            return false; // Not logged in
        }
    }
    else
    {
        // The session variable $usrname didn't exist, so the user can't be logged in
        return false;
    }
}
?>
dologin.php
PHP Code:
<?php
// Start the session, connect to the database, run a few commands and get access to some functions
include '../Lib/dblib.php';
$username = $_POST['usrName'];
$password = md5($_POST['pass']);
// Check if we can find a match in the database
$query = 'SELECT * FROM ppl WHERE usrname = "'. $username .'" AND password = "'. $password .'"';
$result = mysql_query($query);
$num = mysql_num_rows($result);
if ($num == 0)
{
    // The user didn't exist in the database
    header("Location: ../index.php?msgcode=1"); // msgcode1: "Incorrect login details - try again"
    exit;
}
else
{
    // Register some session variables and give them a value
    $_SESSION['usrname'] = strtolower($username);
    $_SESSION['timestamp'] = mysql_result($result, 0, 'timestmp');
    // Set the loggedin flag and the session_id in the database; update timestmp as well
    $query = 'UPDATE ppl SET loggedin = 1, session_id = "'. session_id() .'", timestmp = NOW() WHERE usrname = "'. $username .'"';
    mysql_query($query);
    mysql_close();
    // Go to the start page
    header("Location: ../index.php");
}
?>
Part of login.php
PHP Code:
<form method="post" action="./Startpage/dologin.php">
<?php
if (isset($msg) && $msg != "")
{
echo "\t\t\t\t" . '<span class="message"><strong>' . $msg . '</strong></span><br />';
echo "\n\t\t\t\t<br />";
}
?>
Användarnamn:<br />
<input type="text" name="usrName" /><br />
Lösenord:<br />
<input type="password" name="pass" /><br />
<input type="submit" value="Logga In" />
</form>
Re: Dealing with passwords
Hi!
I think you can skip the database but you must use session in order to check the login thing. One simple example:
PHP Code:
<?php
// Suppose we already have the password and username for admin; then
// we do the following and set a session as admin.
// session_start() must run before $_SESSION is used; both fields must match (&&, not ||)
session_start();
if ($username == $_POST['username'] && $password == $_POST['password'])
{
    $_SESSION["loggedin"] = "true";
    $_SESSION["usertype"] = "admin";
}
Hope this gives some idea. I am not sure whether it'll work or not, but oh well, it might give you a hint of what I am trying to say here!
Thanks!
Re: Dealing with passwords
For right now I'm trying to just allow changes to be made if you enter the correct user and pass. For some reason it does not work.
This handles the variables sent to my php file that handles my admin stuff
PHP Code:
function handle_vars()
{
    switch ($_GET['method'])
    {
        case "add":
            if (confirm_admin($_POST['user'], md5($_POST['pass'])))
                add_entry($_POST['date'], $_POST['title'], $_POST['text']);
            else
                header("Location: adminerror.php");
            break;
        case "delete":
            if (confirm_admin($_POST['user'], md5($_POST['pass'])))
                delete_entry($_POST['id']);
            else
                header("Location: adminerror.php");
            break;
        case "edit":
            // Do Edit
            break;
        default:
            // Do Stuff
            break;
    }
}
This confirms if the person is an admin or not
PHP Code:
function confirm_admin($user, $pass)
{
    connect();
    $result = mysql_query("SELECT password FROM users WHERE username='$user'");
    if (!$result) {
        die('Invalid query: ' . mysql_error());
    }
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    if ($pass == $row['password'])
        return true;
    else
        return false;
}
I'm not sure where it fails at. This is my delete function:
PHP Code:
function delete_entry($id)
{
    connect();
    $result = mysql_query("DELETE FROM blogs WHERE number='$id'");
    if (!$result) {
        die('Invalid query: ' . mysql_error());
    }
}
I know my connect() function works fine because I use that for displaying and I get no errors.
Any ideas?
Re: Dealing with passwords
PHP Code:
$row = mysql_fetch_array($result, MYSQL_ASSOC);
This can be written as
PHP Code:
$row = mysql_fetch_assoc($result);
It works exactly the same, it's just shorter to type.
PHP Code:
if($pass == $row['password'])
Does the admin confirmation stuff work? If not, have you checked that $row['password'] is md5 encrypted?
PHP Code:
$result = mysql_query("DELETE FROM blogs WHERE number='$id'");
Try that without the quotes around $id:
PHP Code:
$result = mysql_query('DELETE FROM blogs WHERE number = '. $id);
Re: Dealing with passwords
It should work because it doesn't go to adminerror.php so I'm thinking there is something wrong with my delete code and my add an entry code. I tried removing the authentication function and tried just removing and adding entries without it and it still did nothing. Maybe there is something wrong with my XHTML?
Code:
<b class="skill">Add Entry:<br /><br /></b>
<form action="dbaseadmin.php?method=add" method="post">
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>Date: <input name="date" type="text" size="25" maxlength="30" /></p>
<p>Title: <input name="title" type="text" size="40" maxlength="40" /></p>
<p>Text:</p><p><textarea name="text" cols="65" rows="14"></textarea></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
<hr />
<b class="skill">Delete Entry:<br /><br /></b>
<form action="dbaseadmin.php?method=delete" method="post">
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>ID #: <input name="id" type="text" size="12" maxlength="10000" /></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
Re: Dealing with passwords
Hi!
Why don't you put the method as post and also keep it hidden?
I am referring to: <form action="dbaseadmin.php?method=add" method="post">
PHP Code:
<form method="post" action="dbaseadmin.php">
<input type="hidden" name="method" value="add">
...
your other fields
...
</form>
Thanks!
Re: Dealing with passwords
Hi!
You can try this thing. It's a single-file solution, if you like it:
PHP Code:
<?php
if (isset($_POST['method']))
{
    // MySQL Database Host
    $dbhost = "localhost";
    // MySQL Database Name
    $dbname = "somedb";
    // MySQL Database Username
    $dbuser = "someuser";
    // MySQL Database Password
    $dbpass = "somepass";
    // Connect to db
    $connection = mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error());
    $db = mysql_select_db($dbname, $connection);
    // Check it's add, then do add
    if ($_POST['method'] == "add")
    {
        // put add code here
        // ..do some coding
        // you always exit using exit(); from here or can continue
    }
    // Check it's delete, then do delete (the hidden field in the form below sends "delete")
    if ($_POST['method'] == "delete")
    {
        // put delete code here; $id comes from the form's "id" field
        $id = $_POST['id'];
        $sql = "DELETE FROM blogs WHERE number='$id'";
        mysql_query($sql) or die(mysql_error());
        // you always exit using exit(); from here or can continue
    }
}
?>
<b class="skill">Add Entry:<br /><br /></b>
<form action="dbaseadmin.php" method="post">
<input type="hidden" name="method" value="add">
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>Date: <input name="date" type="text" size="25" maxlength="30" /></p>
<p>Title: <input name="title" type="text" size="40" maxlength="40" /></p>
<p>Text:</p><p><textarea name="text" cols="65" rows="14"></textarea></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
<hr />
<b class="skill">Delete Entry:<br /><br /></b>
<form action="dbaseadmin.php" method="post">
<input type="hidden" name="method" value="delete">
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>ID #: <input name="id" type="text" size="12" maxlength="10000" /></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
Re: Dealing with passwords
I feel sooooooooooooo stupid right now. I had all my functions but never had a method that actually started everything.
Re: Dealing with passwords
Quote:
Originally Posted by kasracer
It should work because it doesn't go to adminerror.php so I'm thinking there is something wrong with my delete code and my add an entry code. I tried removing the authentication function and tried just removing and adding entries without it and it still did nothing. Maybe there is something wrong with my XHTML?
Code:
<b class="skill">Add Entry:<br /><br /></b>
<form action="dbaseadmin.php?method=add" method="post">
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>Date: <input name="date" type="text" size="25" maxlength="30" /></p>
<p>Title: <input name="title" type="text" size="40" maxlength="40" /></p>
<p>Text:</p><p><textarea name="text" cols="65" rows="14"></textarea></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
<hr />
<b class="skill">Delete Entry:<br /><br /></b>
<form action="dbaseadmin.php?method=delete" method="post">
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>ID #: <input name="id" type="text" size="12" maxlength="10000" /></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
Did you take the quotes away from your integer so the query looks like this:
Code:
DELETE FROM blogs WHERE number=1;
Rather than like this:
Code:
DELETE FROM blogs WHERE number='1';
It seems that quoting integers is yielding strange results, as we were discussing in this thread: http://www.vbforums.com/showthread.php?t=323085
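An added example (not code from the thread) covering both kasracer's delete function and the quoting-integers question in this reply: the id is validated as a digit string and bound as an integer parameter, so the raw form value is never spliced into the SQL text and the quotes-or-no-quotes question does not arise. It assumes a `blogs` table with an integer `number` column and uses PDO with an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example: delete-by-id with the id validated and bound as an integer.
// Assumed table: blogs(number INTEGER PRIMARY KEY, title TEXT)
function deleteEntry(PDO $db, $rawId): int
{
    // Accept only a string of digits; anything else (including "1 OR 1=1") is rejected
    if (!is_string($rawId) || preg_match('/^[0-9]+$/', $rawId) !== 1) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // The bound value is typed as an integer; the SQL text never contains user input
    $stmt = $db->prepare('DELETE FROM blogs WHERE number = :n');
    $stmt->bindValue(':n', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // 0 means no such entry, which the caller should report
}

// Stand-alone demo on constructed sample data
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE blogs (number INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO blogs (number, title) VALUES (1, 'first'), (2, 'second')");

var_dump(deleteEntry($db, '2'));   // int(1): one row removed
var_dump(deleteEntry($db, '2'));   // int(0): already gone
try {
    deleteEntry($db, '1 OR 1=1');  // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
var_dump((int) $db->query('SELECT COUNT(*) FROM blogs')->fetchColumn()); // int(1)
```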