-
Feb 2nd, 2005, 09:14 AM
#1
Dealing with passwords
This question I promise I won't figure out myself.
Now I'm working on a blog (so I learn PHP and MySQL better) and I got everything working so far except the admin stuff. When I want to add something, how should I make sure the user is an admin and not someone else? What would be the easiest method? I thought about storing the password in the php file that connects to the database and just doing a comparison from the one entered by the user. How my database is setup I didn't want to store or read in the password from it unless I absolutely had to. I didn't want to do sessions either. Just have an admin page and only allow stuff to work if the correct password is accompanied by the action.
What is the best way?
-
Feb 2nd, 2005, 09:36 AM
#2
Re: Dealing with passwords
Best way is to store the users in a database. User is required to log in to access fancy stuff. Database stores encrypted version of password. On receiving a login request, you encrypt the password and compare that to the one in the database (and you compare the usernames too, of course). Then, if the login is successful, you send the client a very complicated session cookie, e.g. md5sum(uniqid().rand()). This value you also store in the database along with the user, so when you receive the cookie you can verify it's the same user.
Another field of the user table is the access privilege field. This can be a group identifier or something else. It tells you what the user is allowed to do.
All the buzzt
 CornedBee
"Writing specifications is like writing a novel. Writing code is like writing poetry."
- Anonymous, published by Raymond Chen
Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
-
Feb 2nd, 2005, 10:12 AM
#3
Re: Dealing with passwords
How exactly do I do that? Make a form using post, encrypt the password with md5() and check it against the pass in the database? If so, what do I do next? I'm still quite new to this.
-
Feb 2nd, 2005, 12:30 PM
#4
Fanatic Member
Re: Dealing with passwords
This is what I do. It might not be optimal, but it works.
If anyone know of any ways to improve it, please tell me.
dblib.php
PHP Code:
<?php
//Start the session
session_start();
//Connect to the database
@mysql_connect('localhost', 'root', '') or die('Could not connect to the database: ' . mysql_error());
//Select the database
@mysql_select_db("akracom") or die('Could not select that database: ' . mysql_error());
////////////////////
// Global Functions
////////////////////
function loggedincheck()
{
    if (isset($_SESSION['usrname']) && $_SESSION['usrname'] != '')
    {
        $usrname = $_SESSION['usrname'];
        if (!check_loggedin($usrname))
        {
            header("Location: ../index.php?msgcode=3"); //msgcode3: "You have been logged out - log in again"
            mysql_close();
            exit;
        }
    }
    else
    {
        header("Location: ../index.php?msgcode=4"); //msgcode4: "You must be logged in to access that page"
        mysql_close();
        exit;
    }
}
////
//
// This function will return true or false depending on if the user is logged in or not
///
function check_loggedin($usrname)
{
    //Check to see if the sessionvar $usrname exists
    if (isset($_SESSION['usrname']) && $_SESSION['usrname'] != "")
    {
        //Escape both values before they go into the query, so a crafted
        //username or session id cannot change the SQL
        $usrname = mysql_real_escape_string($_SESSION['usrname']);
        $sid = mysql_real_escape_string(session_id());
        //Check that the 'ppl' row where usrname == $usrname is logged in
        //and that the session id matches.
        $query = 'SELECT * FROM ppl WHERE usrname = "'. $usrname .'" AND session_id = "'. $sid .'" AND loggedin = 1';
        $result = mysql_query($query);
        $num = mysql_num_rows($result);
        if ($num > 0)
        {
            //Yes, the user with the username $usrname is logged in.
            //Update the timestamp: set it to NULL (the username must be quoted here too)
            $query = 'UPDATE ppl SET timestmp = NULL WHERE usrname = "'. $usrname .'" AND session_id = "'. $sid .'"';
            mysql_query($query);
            return true;
        }
        else
        {
            return false; //Not logged in
        }
    }
    else
    {
        //The session variable $usrname didn't exist, so the user can't be logged in
        return false;
    }
}
?>
dologin.php
PHP Code:
<?php
//Start the session, connect to the database, run a few commands and get access to some functions
include '../Lib/dblib.php';
//Escape the username before it goes into the query; the password is
//replaced by its md5 hash, which contains only hex digits
$username = mysql_real_escape_string($_POST['usrName']);
$password = md5($_POST['pass']);
//Check if we can find a match in the database
$query = 'SELECT * FROM ppl WHERE usrname = "'. $username .'" AND password = "'. $password .'"';
$result = mysql_query($query);
$num = mysql_num_rows($result);
if ($num == 0)
{
    //The user didn't exist in the database
    header("Location: ../index.php?msgcode=1"); //msgcode1: Incorrect login details - try again
    exit;
}
else
{
    //Give the visitor a new session id on login, so a session id that was
    //fixed before the login cannot be reused to hijack it
    session_regenerate_id();
    //Register some session variables and give them a value
    $_SESSION['usrname'] = strtolower($_POST['usrName']);
    $_SESSION['timestamp'] = mysql_result($result, 0, 'timestmp');
    //Set the loggedin flag and the session_id in the database, update timestmp as well
    $query = 'UPDATE ppl SET loggedin = 1, session_id = "'. mysql_real_escape_string(session_id()) .'", timestmp = NOW() WHERE usrname = "'. $username .'"';
    mysql_query($query);
    mysql_close();
    //Go to the start page
    header("Location: ../index.php");
    exit;
}
?>
Part of login.php
PHP Code:
<form method="post" action="./Startpage/dologin.php">
<?php
if (isset($msg) && $msg != "")
{
    //Escape the message so it is shown as text, not interpreted as HTML
    echo "\t\t\t\t" . '<span class="message"><strong>' . htmlspecialchars($msg) . '</strong></span><br />';
    echo "\n\t\t\t\t<br />";
}
?>
Username:<br />
<input type="text" name="usrName" /><br />
Password:<br />
<input type="password" name="pass" /><br />
<input type="submit" value="Log In" />
</form>
Never argue with fools, they will only drag you down to their level, and beat you with experience.
Q: How do you tell an experienced hacker from a novice?
A: The latter thinks there's 1000 bytes in a kilobyte, while the former is sure there's 1024 meters in a kilometer
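An added example, not code from the thread, of the scheme CornedBee describes in post #2 (hashed password in the database, compare on login, a random cookie value stored next to the user, a privilege column), which post #4 implements with md5() and session_id(). It uses the PHP built-ins that exist for this today; it assumes PHP 7.1 or later with the pdo_sqlite extension, and the in-memory SQLite database, the table layout and the two sample accounts are constructed for the example and stand in for the MySQL tables in the thread.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1 with pdo_sqlite;
// the in-memory SQLite database, table layout and sample accounts are
// constructed here and stand in for the thread's MySQL tables.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id            INTEGER PRIMARY KEY,
        username      TEXT NOT NULL UNIQUE,
        pw_hash       TEXT NOT NULL,   -- salted slow hash, never the password
        role          TEXT NOT NULL,   -- the "access privilege field"
        token_hash    TEXT,            -- sha256 of the cookie value, not the value
        token_expires INTEGER)');
    return $db;
}

function create_user(PDO $db, string $username, string $password, string $role): void
{
    // password_hash() picks a random salt and a deliberately slow algorithm
    // (bcrypt by default), so equal passwords give different stored values.
    $st = $db->prepare('INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)');
    $st->execute([$username, password_hash($password, PASSWORD_DEFAULT), $role]);
}

// Returns the cookie value to send to the client, or null if the login failed.
function login(PDO $db, string $username, string $password, int $ttl = 3600): ?string
{
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Unknown user: still run password_verify() against a throwaway hash so
    // the response time does not reveal which usernames exist.
    $hash = $row ? $row['pw_hash'] : password_hash('no-such-user', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    // 256 bits from the OS CSPRNG rather than md5(uniqid().rand()), whose
    // inputs are guessable. Only a hash of the token is stored, so a copy of
    // the table does not hand out live sessions.
    $token = bin2hex(random_bytes(32));
    $st = $db->prepare('UPDATE users SET token_hash = ?, token_expires = ? WHERE id = ?');
    $st->execute([hash('sha256', $token), time() + $ttl, $row['id']]);
    return $token;
}

// Maps a presented cookie value back to the user; null if unknown or expired.
function user_from_token(PDO $db, string $token): ?array
{
    $st = $db->prepare('SELECT username, role, token_expires FROM users WHERE token_hash = ?');
    $st->execute([hash('sha256', $token)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['token_expires'] < time()) {
        return null;
    }
    return ['username' => $row['username'], 'role' => $row['role']];
}

function logout(PDO $db, string $token): void
{
    $st = $db->prepare('UPDATE users SET token_hash = NULL, token_expires = NULL WHERE token_hash = ?');
    $st->execute([hash('sha256', $token)]);
}

// The check an admin-only action (add, delete, edit) runs before doing anything.
function is_admin(PDO $db, ?string $token): bool
{
    $user = $token === null ? null : user_from_token($db, $token);
    return $user !== null && $user['role'] === 'admin';
}

$db = open_db();
create_user($db, 'admin', 'correct horse battery staple', 'admin');
create_user($db, 'reader', 'hunter2', 'user');

$adminToken = login($db, 'admin', 'correct horse battery staple');
printf("admin, right password:  is_admin=%s\n", var_export(is_admin($db, $adminToken), true));
printf("admin, wrong password:  token=%s\n", var_export(login($db, 'admin', 'wrong'), true));
printf("unknown user:           token=%s\n", var_export(login($db, 'nobody', 'x'), true));
printf("reader, valid login:    is_admin=%s\n", var_export(is_admin($db, login($db, 'reader', 'hunter2')), true));
logout($db, $adminToken);
printf("admin after logout:     is_admin=%s\n", var_export(is_admin($db, $adminToken), true));
```

With PHP's native sessions instead of a hand-rolled cookie, the counterpart of the UPDATE that writes session_id() in dologin.php is a call to session_regenerate_id(true) right after the password check, so a session id planted before login cannot be reused afterwards. The privilege check stays the same either way: the server decides from the stored role, never from anything the client sends.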
-
Feb 3rd, 2005, 01:06 PM
#5
Hyperactive Member
Re: Dealing with passwords
Hi!
I think you can skip the database but you must use session in order to check the login thing. One simple example:
PHP Code:
//Suppose we already have the password and username for admin then
// We do the following and set a session as admin.
// Both the username AND the password have to match, so the test uses && (not ||)
if ($username == $_POST['username'] && $password == $_POST['password'])
{
    $_SESSION["loggedin"] = "true";
    $_SESSION["usertype"] = "admin";
}
Hope this gives some idea. I am not sure whether it'll work or not, but oh well, it might give you a hint about what I am trying to say here!
Thanks!
Tapan Bhanot,
CEO, Avis Software.
Website: www.avissoftware.com
-
Feb 4th, 2005, 12:23 AM
#6
Re: Dealing with passwords
For right now I'm trying to just allow changes to be made if you enter the correct user and pass. For some reason it does not work.
This handles the variables sent to my php file that handles my admin stuff
PHP Code:
function handle_vars()
{
    switch ($_GET['method'])
    {
        case "add":
            if(confirm_admin($_POST['user'],md5($_POST['pass'])))
                add_entry($_POST['date'], $_POST['title'], $_POST['text']);
            else
            {
                //header() only sends a redirect; stop the script so nothing else runs
                header("Location: adminerror.php");
                exit;
            }
            break;
        case "delete":
            if(confirm_admin($_POST['user'],md5($_POST['pass'])))
                delete_entry($_POST['id']);
            else
            {
                header("Location: adminerror.php");
                exit;
            }
            break;
        case "edit":
            //Do Edit
            break;
        default:
            //Do Stuff
            break;
    }
}
This confirms if the person is an admin or not
PHP Code:
function confirm_admin($user, $pass)
{
    connect();
    //Escape the username so it can't break out of the quoted string in the query
    $user = mysql_real_escape_string($user);
    $result = mysql_query("SELECT password FROM users WHERE username='$user'");
    if (!$result) {
        die('Invalid query: ' . mysql_error());
    }
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    //No such user gives $row == false. Compare the md5 strings with ===:
    //with == PHP compares two hashes that look like numbers ("0e123...")
    //numerically, and they come out equal.
    if ($row && $pass === $row['password'])
        return true;
    else
        return false;
}
I'm not sure where it fails at. This is my delete function:
PHP Code:
function delete_entry($id)
{
    connect();
    //number is an integer column, so force $id to an integer before it goes into the query
    $id = (int) $id;
    $result = mysql_query("DELETE FROM blogs WHERE number=$id");
    if (!$result) {
        die('Invalid query: ' . mysql_error());
    }
}
I know my connect() function works fine because I use that for displaying and I get no errors.
Any ideas?
-
Feb 4th, 2005, 01:00 AM
#7
Fanatic Member
Re: Dealing with passwords
PHP Code:
$row = mysql_fetch_array($result, MYSQL_ASSOC);
This can be written as
PHP Code:
$row = mysql_fetch_assoc($result);
It works exactly the same, it's just shorter to type.
PHP Code:
if($pass == $row['password'])
Does the admin confirmation stuff work? If not, have you checked that $row['password'] is md5 encrypted?
PHP Code:
$result = mysql_query("DELETE FROM blogs WHERE number='$id'");
Try that without the quotes around $id:
PHP Code:
$result = mysql_query('DELETE FROM blogs WHERE number = ' . (int) $id); // cast so only a number can end up in the query
Never argue with fools, they will only drag you down to their level, and beat you with experience.
Q: How do you tell an experienced hacker from a novice?
A: The latter thinks there's 1000 bytes in a kilobyte, while the former is sure there's 1024 meters in a kilometer
-
Feb 4th, 2005, 01:38 AM
#8
Re: Dealing with passwords
It should work because it doesn't go to adminerror.php so I'm thinking there is something wrong with my delete code and my add an entry code. I tried removing the authentication function and tried just removing and adding entries without it and it still did nothing. Maybe there is something wrong with my XHTML?
Code:
<b class="skill">Add Entry:<br /><br /></b>
<form action="dbaseadmin.php?method=add" method="post">
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>Date: <input name="date" type="text" size="25" maxlength="30" /></p>
<p>Title: <input name="title" type="text" size="40" maxlength="40" /></p>
<p>Text:</p><p><textarea name="text" cols="65" rows="14"></textarea></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
<hr />
<b class="skill">Delete Entry:<br /><br /></b>
<form action="dbaseadmin.php?method=delete" method="post">
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>ID #: <input name="id" type="text" size="12" maxlength="10000" /></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
-
Feb 4th, 2005, 02:14 AM
#9
Hyperactive Member
Re: Dealing with passwords
Hi!
Why don't you put the method as post and also keep it hidden ?
I am refering to: <form action="dbaseadmin.php?method=add" method="post">
PHP Code:
<form method="post" action="dbaseadmin.php">
<input type="hidden" name="method" value="add">
...
your other fields
...
</form>
Thanks!
Tapan Bhanot,
CEO, Avis Software.
Website: www.avissoftware.com
-
Feb 4th, 2005, 02:23 AM
#10
Hyperactive Member
Re: Dealing with passwords
Hi!
You can try this thing. It's a single-file solution, if you like it:
PHP Code:
<?php
if (isset($_POST['method']))
{
    // MySQL Database Host
    $dbhost = "localhost";
    //MySQL Database Name
    $dbname = "somedb";
    // MySQL Database Username
    $dbuser = "someuser";
    // MySQL Database Password
    $dbpass = "somepass";
    // Connect to db
    $connection = mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error());
    $db = mysql_select_db($dbname, $connection);
    // Check it's add then do add
    if ($_POST['method'] == "add")
    {
        //put add code here
        //..do some coding
        // you always exit using exit(); from here or can continue
    }
    // Check it's delete then do delete (the form below sends "delete")
    if ($_POST['method'] == "delete")
    {
        //put delete code here
        // the id comes from the form, so cast it to an integer before using it in the query
        $id = (int) $_POST['id'];
        $sql = "DELETE FROM blogs WHERE number=$id";
        mysql_query($sql) or die(mysql_error());
        // you always exit using exit(); from here or can continue
    }
}
?>
<b class="skill">Add Entry:<br /><br /></b>
<form action="dbaseadmin.php" method="post">
<input type="hidden" name="method" value="add" />
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>Date: <input name="date" type="text" size="25" maxlength="30" /></p>
<p>Title: <input name="title" type="text" size="40" maxlength="40" /></p>
<p>Text:</p><p><textarea name="text" cols="65" rows="14"></textarea></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
<hr />
<b class="skill">Delete Entry:<br /><br /></b>
<form action="dbaseadmin.php" method="post">
<input type="hidden" name="method" value="delete" />
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>ID #: <input name="id" type="text" size="12" maxlength="10000" /></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
Tapan Bhanot,
CEO, Avis Software.
Website: www.avissoftware.com
-
Feb 4th, 2005, 03:30 AM
#11
Re: Dealing with passwords
I feel sooooooooooooo stupid right now. I had all my functions but never had a method that actually started everything.
-
Feb 4th, 2005, 03:32 AM
#12
Re: Dealing with passwords
 Originally Posted by kasracer
It should work because it doesn't go to adminerror.php so I'm thinking there is something wrong with my delete code and my add an entry code. I tried removing the authentication function and tried just removing and adding entries without it and it still did nothing. Maybe there is something wrong with my XHTML?
Code:
<b class="skill">Add Entry:<br /><br /></b>
<form action="dbaseadmin.php?method=add" method="post">
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>Date: <input name="date" type="text" size="25" maxlength="30" /></p>
<p>Title: <input name="title" type="text" size="40" maxlength="40" /></p>
<p>Text:</p><p><textarea name="text" cols="65" rows="14"></textarea></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
<hr />
<b class="skill">Delete Entry:<br /><br /></b>
<form action="dbaseadmin.php?method=delete" method="post">
<p>Username: <input name="user" type="text" size="25" maxlength="25" /></p>
<p>Password: <input name="pass" type="password" size="25" maxlength="25" /></p>
<p>ID #: <input name="id" type="text" size="12" maxlength="10000" /></p>
<p><input name="Submit" type="submit" /><input name="Reset" type="reset" /></p>
</form>
Did you take the quotes away from your integer so the query looks like this:
Code:
DELETE FROM blogs WHERE number=1;
Rather than like this:
Code:
DELETE FROM blogs WHERE number='1';
It seems that quoting integers is yielding strange results, as we were discussing in this thread: http://www.vbforums.com/showthread.php?t=323085
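The quoting question in posts #7 and #12 sits beside the actual problem with DELETE FROM blogs WHERE number='$id': the form value is pasted into the SQL text, so the query can be rewritten whether or not $id is quoted. The following is an added example, not code from the thread, that runs both shapes of the query against constructed attacker input and then the parameterised replacement. It assumes PHP 7.0 or later with the pdo_sqlite extension; the blogs table and its three rows are constructed for the demonstration and stand in for the MySQL table.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.0 with pdo_sqlite;
// the blogs table and its rows are constructed here and stand in for MySQL.

function fresh_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE blogs (number INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $db->exec("INSERT INTO blogs (number, title) VALUES (1, 'first'), (2, 'second'), (3, 'third')");
    return $db;
}

function rows_left(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM blogs')->fetchColumn();
}

// The thread's pattern: the request value is pasted into the SQL text.
// Returns the SQL that was actually executed so it can be shown.
function delete_interpolated(PDO $db, string $id, bool $quoted): string
{
    $sql = $quoted ? "DELETE FROM blogs WHERE number='$id'"
                   : "DELETE FROM blogs WHERE number=$id";
    $db->exec($sql);
    return $sql;
}

// The fix: validate the type in PHP, then hand the value over as a bound
// parameter, so it never becomes part of the SQL text at all.
function delete_prepared(PDO $db, string $id): int
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('id must be an integer, got ' . var_export($id, true));
    }
    $st = $db->prepare('DELETE FROM blogs WHERE number = :number');
    $st->bindValue(':number', $n, PDO::PARAM_INT);
    $st->execute();
    return $st->rowCount();
}

// Constructed attacker inputs, one per query shape.
$quotedPayload   = "1' OR '1'='1";   // closes the quote; the WHERE is now always true
$unquotedPayload = "1 OR 1=1";       // nothing to close; same effect

$db = fresh_db();
$sql = delete_interpolated($db, $quotedPayload, true);
echo "quoted:   $sql\n          rows left: ", rows_left($db), "\n";

$db = fresh_db();
$sql = delete_interpolated($db, $unquotedPayload, false);
echo "unquoted: $sql\n          rows left: ", rows_left($db), "\n";

$db = fresh_db();
try {
    delete_prepared($db, $quotedPayload);
} catch (InvalidArgumentException $e) {
    echo "prepared: rejected (", $e->getMessage(), ")\n          rows left: ", rows_left($db), "\n";
}
echo "prepared: deleted ", delete_prepared($db, '2'), " row(s), rows left: ", rows_left($db), "\n";
```

For the legacy mysql_* extension used throughout the thread, the equivalent of the bound parameter is casting the id with (int) before it is concatenated, and mysql_real_escape_string() for string columns such as the username; either way the decision about what is data and what is SQL is made in PHP, not by the quoting in the query text.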