Passwording a PHP page

  • cover

    Passwording a PHP page

    I'm trying to password the 'update' page of a MySQL database that runs
    on a company intranet w/Apache and PHP. I don't care about the
    'entry' page to this database - just the 'update' page and want the
    five people (or so) who may be doing updates, to enter only a password
    and then write that password to the MySQL database field.

    On my entry page as the last part of my form, I'm using;
    <tr>
    <td>Password: </td><td align="left"><input type="password"
    name="password" size="15" maxlength="15" value=""></td>
    </tr>
    <tr>
    <td colspan="4" align="center"> <input type="submit"
    value="Enter"></td>
    </tr>
    </table>
    </form>

    What I'm looking for is pointers on how to make the second page of
    this work query work based on meeting the criteria of a password
    element - i.e: 2nd page

    $password = $_POST['password'];

    if (!$password = 'password stored in database' allow write))
    {
    else echo PASSWORD must match file on record for this user;
    }


    I know this isn't the code precisely but am hopeful for any pointers
    in making it happen. Again, I'm not looking for a complete login
    since it IS an intranet - just looking to write to the database the
    user who did the update (provided the password criteria was met).
    TIA...
  • J.O. Aho

    #2
    Re: Passwording a PHP page

    cover wrote:
    > I'm trying to password the 'update' page of a MySQL database that runs
    > on a company intranet w/Apache and PHP. I don't care about the
    > 'entry' page to this database - just the 'update' page and want the
    > five people (or so) who may be doing updates, to enter only a password
    > and then write that password to the MySQL database field.
    >
    > On my entry page as the last part of my form, I'm using;
    > <tr>
    > <td>Password: </td><td align="left"><input type="password"
    > name="password" size="15" maxlength="15" value=""></td>
    > </tr>
    > <tr>
    > <td colspan="4" align="center"> <input type="submit"
    > value="Enter"></td>
    > </tr>
    > </table>
    > </form>
    >
    > What I'm looking for is pointers on how to make the second page of
    > this work query work based on meeting the criteria of a password
    > element - i.e: 2nd page
    >
    > $password = $_POST['password'];
    >
    > if (!$password = 'password stored in database' allow write))
    > {
    > else echo PASSWORD must match file on record for this user;
    > }

    $query="SELECT * FROM table WHERE password_column ='{$_POST['password']}'";
    $res=mysql_query($query);
    if(!mysql_num_rows($res)) {
        echo "sorry, the wrong password";
        exit;
    }

    echo "Wow, you know the password";


    --

    //Aho


    • cover

      #3
      Re: Passwording a PHP page

      On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net>
      wrote:

      >$query="SELECT * FROM table WHERE password_column ='{$_POST['password']}'";
      >$res=mysql_query($query);
      >if(!mysql_num_rows($res)) {
      > echo "sorry, the wrong password";
      > exit;
      >}
      >
      > echo "Wow, you know the password";

      not sure if that's quite what I was looking for but I very much
      appreciate your reply.

      What if we want to allow any one of five people to update ANY record
      in the db provided they have a password as verified by 'password_tbl'.
      The entries won't have any password associated but when someone does an
      update, we want to know who did it and write it to the database in the
      'updater' field accordingly - thanks...


      • cover

        #4
        Re: Passwording a PHP page

        On Mon, 09 Jul 2007 21:39:08 -0700, cover
        <coverlandNOSPAM914@yahoo.com> wrote:
        >On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net>
        >wrote:
        >
        >>$query="SELECT * FROM table WHERE password_column ='{$_POST['password']}'";
        >>$res=mysql_query($query);
        >>if(!mysql_num_rows($res)) {
        >> echo "sorry, the wrong password";
        >> exit;
        >>}
        >>
        >> echo "Wow, you know the password";

        So as I look at this again, perhaps the user logs in their first name
        and in the table password_tbl a password exists that corresponds with
        their first name. So is that:

        $query="SELECT * FROM $table WHERE
        firstname_column='{$_POST['firstname']}' AND
        password_column='{$_POST['password']}'";
        $res=mysql_query($query);
        if(!mysql_num_rows($res)) {
            echo "sorry, the wrong password";
            exit;
        }
        echo "Wow, you know the password";


        • J.O. Aho

          #5
          Re: Passwording a PHP page

          cover wrote:
          > On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net>
          > wrote:
          >
          >> $query="SELECT * FROM table WHERE password_column ='{$_POST['password']}'";
          >> $res=mysql_query($query);
          >> if(!mysql_num_rows($res)) {
          >> echo "sorry, the wrong password";
          >> exit;
          >> }
          >>
          >> echo "Wow, you know the password";
          >
          > not sure if that's quite what I was looking for but I very much
          > appreciate your reply.

          I think that is what you wanted, a check of the password against what is in
          the database. mysql_num_rows returns how many lines there are with the
          password; if it returns 0, then you know the password was either misspelled or
          the person didn't know the password.
          You execute the db-update after the password check.

          > What if we want to allow any one of five people to update ANY record
          > in the db provided they have a password as verified by 'password_tbl'.
          > The entries won't have any password associated but when someone does an
          > update, we want to know who did it and write it to the database in the
          > 'updater' field accordingly - thanks...

          You will need a log table (or a log file), you can store the query and the
          password to the table/file, that way you can check what each person has done.
          If you want you could of course store a "user name" in the password table and
          use that name in the log file/table.
          You may want to make a check of the query before you run it, so that they
          aren't affecting the password_tbl or the log_tbl.

          IMHO the following flow is a good one:

          1. Check login
             a. FALSE - redirect the user to another page with header()
             b. TRUE - let user execute the rest of the page
          2. Check query to be executed
             a. BAD - don't execute, redirect user to another page with header()
             b. OK - let the execution continue
          3. Store query + password/username to the log table/file
          4. Execute the query

          The page you redirect to can be static (html), which just informs the user
          that they have done something they shouldn't. I think this is a lot better than
          having big if-cases in the main script which can easily make you do
          modifications in the wrong place, especially if you have a bad "syntax" use.


          --

          //Aho


          • J.O. Aho

            #6
            Re: Passwording a PHP page

            cover wrote:
            > So as I look at this again, perhaps the user logs in their first name
            > and in the table password_tbl a password exists that corresponds with
            > their first name. So is that:
            >
            > $query="SELECT * FROM $table WHERE
            > firstname_column='{$_POST['firstname']}' AND
            > password_column='{$_POST['password']}'";
            > $res=mysql_query($query);
            > if(!mysql_num_rows($res)) {
            > echo "sorry, the wrong password";
            > exit;
            > }
            > echo "Wow, you know the password";

            Yes, in the case you want that the user will be using both a login name and
            password, if you only want a password, you have to see that the password is
            unique, otherwise the users can be mixed up (while using login+pass the
            likelihood is a lot less that you have two persons with the same login and
            password, of course you should see to have only one user for each
            username/login you use).

            --

            //Aho


            • cover

              #7
              Re: Passwording a PHP page

              On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <user@example.net>
              wrote:
              >Yes, in the case you want that the user will be using both a login name and
              >password, if you only want a password, you have to see that the password is
              >unique, otherwise the users can be mixed up (while using login+pass the
              >likelihood is a lot less that you have two persons with the same login and
              >password, of course you should see to have only one user for each
              >username/login you use).

              Would something like this work where there might be two tables, one
              with the data you're trying to update and the second only holding the
              user name and password where conditions had to be met at update.

              mysql_query("UPDATE actions_tbl SET date='$ud_date',
              targmonth='$ud_targmonth', targyear='$ud_targyear',
              assignedto='$ud_assignedto', datecomp='$ud_datecomp',
              status='$ud_status', referenceno='$ud_referenceno'
              WHERE id='$ud_id' AND WHERE password_tbl
              updater_column='$updater' AND password_column ='$password'") or
              die("Update Error: ".mysql_error());

              echo "Record Updated";
              mysql_close();

              The tricky part appears to be in adding AND WHERE so when 'id'
              conditions have been met in the actions_tbl, updater and password
              conditions must also be met in password_tbl - I dunno - still have a
              syntax issue associated w/ the AND WHERE portion. ;-)


              • J.O. Aho

                #8
                Re: Passwording a PHP page

                cover wrote:
                > On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <user@example.net>
                > wrote:
                >
                >> Yes, in the case you want that the user will be using both a login name and
                >> password, if you only want a password, you have to see that the password is
                >> unique, otherwise the users can be mixed up (while using login+pass the
                >> likelihood is a lot less that you have two persons with the same login and
                >> password, of course you should see to have only one user for each
                >> username/login you use).
                >
                > Would something like this work where there might be two tables, one
                > with the data you're trying to update and the second only holding the
                > user name and password where conditions had to be met at update.
                > mysql_query("UPDATE actions_tbl SET date='$ud_date',
                > targmonth='$ud_targmonth', targyear='$ud_targyear',
                > assignedto='$ud_assignedto', datecomp='$ud_datecomp',
                > status='$ud_status', referenceno='$ud_referenceno'
                > WHERE id='$ud_id' AND WHERE password_tbl
                > updater_column='$updater' AND password_column ='$password'") or
                > die("Update Error: ".mysql_error());
                >
                > echo "Record Updated";
                > mysql_close();

                No, that won't work, do

                $pass_query="SELECT * FROM table WHERE password_column ='{$_POST['password']}'
                AND user_column='{$_POST['username']}'";
                $res=mysql_query($pass_query);
                if(mysql_num_rows($res)) {
                $query="UPDATE actions_tbl SET date='$ud_date',
                targmonth='$ud_targmonth', targyear='$ud_targyear',
                assignedto='$ud_assignedto', datecomp='$ud_datecomp',
                status='$ud_status', referenceno='$ud_referenceno'
                WHERE id='$ud_id'";
                mysql_query($query);
                // 'H:i' is hours:minutes ('n' would be the month number)
                $time=date('Y-m-d H:i');
                // append to the log from PHP; form input must not be passed to a shell command
                file_put_contents('/path/to/sqlupdate.log',
                "{$time} {$_POST['username']}: {$query}\n", FILE_APPEND);
                }

                This way you check if the user is allowed to make the update and do the
                update and then register the update to the logfile.


                --

                //Aho


                • cover

                  #9
                  Re: Passwording a PHP page

                  On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net>
                  wrote:
                  >$query="SELECT * FROM table WHERE password_column ='{$_POST['password']}'";
                  >$res=mysql_query($query);
                  >if(!mysql_num_rows($res)) {
                  > echo "sorry, the wrong password";
                  > exit;
                  >}
                  >
                  > echo "Wow, you know the password";

                  I started over... Can't seem to get anything but the 'sorry, wrong
                  password'.

                  The form writes to a database called 'actions' and a table called
                  'actions_tbl' and I'd like to continue to write to that table but only
                  if, the name and password that are queried on the write are consistent
                  with a name and password stored within the same database but another
                  table called 'password_tbl'

                  This particular form is an update form used to update existing records
                  into the 'actions_tbl' table. I'd like to add two text fields to the
                  update form ('text' and 'password') and write that to an additional
                  field I'll be adding in actions_tbl ('updated_by') to know who did the
                  update. That update person would have to enter a name and password
                  into the form that is pre-stored in password_tbl to be successful.

                  Upon writing to the database table actions_tbl, the name and password
                  would be checked via query of password_tbl to ensure whomever was in
                  the database and authorized to do an update. The existing update form
                  works great but again, there could be issues in not knowing who did
                  the update which leads to the desire to issue a basic login name and
                  password that would have to be used for updating records in the db.

                  I'd thought that perhaps somewhat the reverse of not allowing an empty
                  field to be processed might be on track but realize that a query will
                  have to be included to actually check the name and password against
                  what's in password_tbl so my empty field code as follows won't work
                  but here it is if it should help someone looking for that particular
                  fix.

                  if (!$source || !$type || !$area)
                  {
                  echo 'You have not entered all the required fields for this data
                  entry.<br />'
                  .'Please click the browser BACK button, complete the form
                  and try again.';
                  exit;
                  }

                  Anyway, thanks for the pointers and sorry if it seems like I'm getting
                  into rambling here - frustration coming through... lol


                  • J.O. Aho

                    #10
                    Re: Passwording a PHP page

                    cover wrote:
                    > On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net>
                    > wrote:
                    >
                    >> $query="SELECT * FROM table WHERE password_column ='{$_POST['password']}'";
                    >> $res=mysql_query($query);
                    >> if(!mysql_num_rows($res)) {
                    >> echo "sorry, the wrong password";
                    >> exit;
                    >> }
                    >>
                    >> echo "Wow, you know the password";
                    >
                    > I started over... Can't seem to get anything but the 'sorry, wrong
                    > password'.

                    Forms can be sent in two different ways, POST or GET, this you adjust with the
                    method-option in the form-tag

                    <form method="post" ...> = $_POST
                    <form method="get" ...> = $_GET

                    For testing, you can put the following in your script where you receive the form

                    // single quotes, so the label is printed literally
                    echo '$_POST: ';
                    var_dump($_POST);
                    echo '$_GET: ';
                    var_dump($_GET);

                    This way you will see the values sent to the page, really useful when debugging.

                    > The form writes to a database called 'actions' and a table called
                    > 'actions_tbl' and I'd like to continue to write to that table but only
                    > if, the name and password that are queried on the write are consistent
                    > with a name and password stored within the same database but another
                    > table called 'password_tbl'

                    // we have checked the empty values

                    $query="SELECT * FROM password_tbl WHERE
                    password_column ='{$_POST['password']}' AND user_column='{$_POST['user']}'";
                    $res=mysql_query($query);
                    if(!mysql_num_rows($res)) {
                        echo "sorry, the wrong password";
                        exit;
                    }

                    // your old code here

                    I should say it can be good to process the $_POST['password'] and
                    $_POST['user'] before using the values, checking that no one is trying to
                    inject SQL code (don't know how bad people working at your job place).

                    > This particular form is an update form used to update existing records
                    > into the 'actions_tbl' table. I'd like to add two text fields to the
                    > update form ('text' and 'password') and write that to an additional
                    > field I'll be adding in actions_tbl ('updated_by') to know who did the
                    > update.

                    You will need to use an ALTER TABLE, I suggest you create a test table first
                    and test on it first before you get on the live table.
                    When you have added the columns, just do it the same way as before.

                    > I'd thought that perhaps somewhat the reverse of not allowing an empty
                    > field to be processed might be on track but realize that a query will
                    > have to be included to actually check the name and password against
                    > what's in password_tbl so my empty field code as follows won't work
                    > but here it is if it should help someone looking for that particular
                    > fix.
                    >
                    > if (!$source || !$type || !$area)
                    > {
                    > echo 'You have not entered all the required fields for this data
                    > entry.<br />'
                    > .'Please click the browser BACK button, complete the form
                    > and try again.';
                    > exit;
                    > }

                    PHP has the empty() function which is used to check values, as values like
                    "false", "0" will generate a "true" in your if case.

                    if(empty($source) || empty($type) || empty($area)) {
                        // double quotes, because the message contains an apostrophe
                        echo "You didn't enter all the needed values";
                        exit;
                    }


                    I hope this leads you in the right direction, time for me to get to work and
                    don't have much time over for ng there.

                    --

                    //Aho
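
The flow from posts #5, #8 and #10 (check the login, validate the input, update, log who did it), written with bound parameters and hashed passwords as an added example that is not code from the thread. The table and column names follow the thread; the in-memory SQLite database standing in for MySQL, `log_tbl`'s columns, the function names and all sample rows are assumptions made so the script runs on its own.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. An in-memory SQLite database stands
// in for the MySQL 'actions' database; every row below is constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE password_tbl (user_column TEXT PRIMARY KEY, password_column TEXT NOT NULL)');
$pdo->exec('CREATE TABLE actions_tbl (id INTEGER PRIMARY KEY, status TEXT, updated_by TEXT)');
$pdo->exec('CREATE TABLE log_tbl (logged_at TEXT, updater TEXT, action_id INTEGER, new_status TEXT)');
$pdo->exec("INSERT INTO actions_tbl (id, status) VALUES (1, 'open')");

// password_tbl holds a hash, not the password; the unique user name is what
// tells the updaters apart.
$pdo->prepare('INSERT INTO password_tbl VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/** Check the login. Bound parameters are sent as data and never parsed as SQL. */
function checkLogin(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_column FROM password_tbl WHERE user_column = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when the user does not exist
    return is_string($hash) && password_verify($password, $hash);
}

/** Validate the form, check the login, then update and log in one transaction. */
function updateAction(PDO $pdo, array $form): string
{
    foreach (['user', 'password', 'id', 'status'] as $field) {
        if (!isset($form[$field]) || !is_string($form[$field]) || $form[$field] === '') {
            return "missing field: $field";
        }
    }
    if (!ctype_digit($form['id'])) {
        return 'bad id';
    }
    if (!checkLogin($pdo, $form['user'], $form['password'])) {
        return 'wrong user name or password';
    }

    $pdo->beginTransaction();
    try {
        $upd = $pdo->prepare('UPDATE actions_tbl SET status = ?, updated_by = ? WHERE id = ?');
        $upd->execute([$form['status'], $form['user'], (int) $form['id']]);
        if ($upd->rowCount() !== 1) {
            $pdo->rollBack();
            return 'no such record';
        }
        // The log stores who changed what; the password is never written anywhere.
        $log = $pdo->prepare('INSERT INTO log_tbl VALUES (?, ?, ?, ?)');
        $log->execute([date('Y-m-d H:i:s'), $form['user'], (int) $form['id'], $form['status']]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return 'record updated';
}

// Constructed form submissions (stand-ins for $_POST). The apostrophe in the
// status value is stored as-is because it is bound, not concatenated.
$good = ['user' => 'alice', 'password' => 'correct horse', 'id' => '1', 'status' => "can't reproduce"];
echo updateAction($pdo, $good), PHP_EOL;
echo updateAction($pdo, ['password' => 'guess'] + $good), PHP_EOL;
echo updateAction($pdo, ['id' => '99'] + $good), PHP_EOL;
print_r($pdo->query('SELECT id, status, updated_by FROM actions_tbl')->fetchAll(PDO::FETCH_ASSOC));
print_r($pdo->query('SELECT updater, action_id, new_status FROM log_tbl')->fetchAll(PDO::FETCH_ASSOC));
```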


                    • cover

                      #11
                      Re: Passwording a PHP page

                      On Wed, 11 Jul 2007 06:32:46 +0200, "J.O. Aho" <user@example.net>
                      wrote:
                      >I hope this leads you in the right direction, time for me to get to work and
                      >don't have much time over for ng there.

                      I'll take a look at this and look for a solution. Hey, thanks very
                      much for your replies - appreciate it very much... Be well.


                      • Gufo Rosso

                        #12
                        Re: Passwording a PHP page

                        cover wrote:
                        > I'm trying to password the 'update' page of a MySQL database that runs
                        > on a company intranet w/Apache and PHP. I don't care about the
                        > 'entry' page to this database - just the 'update' page and want the
                        > five people (or so) who may be doing updates, to enter only a password
                        > and then write that password to the MySQL database field.
                        >
                        > On my entry page as the last part of my form, I'm using;
                        > <tr>
                        > <td>Password: </td><td align="left"><input type="password"
                        > name="password" size="15" maxlength="15" value=""></td>
                        > </tr>
                        > <tr>
                        > <td colspan="4" align="center"> <input type="submit"
                        > value="Enter"></td>
                        > </tr>
                        > </table>
                        > </form>
                        >
                        > What I'm looking for is pointers on how to make the second page of
                        > this work query work based on meeting the criteria of a password
                        > element - i.e: 2nd page
                        >
                        > $password = $_POST['password'];
                        >
                        > if (!$password = 'password stored in database' allow write))
                        > {
                        > else echo PASSWORD must match file on record for this user;
                        > }
                        >
                        >
                        > I know this isn't the code precisely but am hopeful for any pointers
                        > in making it happen. Again, I'm not looking for a complete login
                        > since it IS an intranet - just looking to write to the database the
                        > user who did the update (provided the password criteria was met).
                        > TIA...

                        DO NOT use php.net example to authenticate user

                        db table:

                        id (auto increment)
                        user varchar 25(unique)
                        password varchar (30)
                        casual_number (30)

                        login:
                        select * from utenti WHERE user=POST[user]
                        ....
                        if(md5($_POST['password'].$row['casual_number'])===$row['password']){
                        $_SESSION['ok']=true;
                        }else{
                        echo "wrong password";
                        $_SESSION['ok']=false;
                        }

                        in any page .php
                        <?php
                        session_start();
                        if(empty($_SESSION['ok'])){
                        // true when 'ok' is unset, empty or false, without raising a notice
                        header('Location: http://www.example.com/login.php');
                        exit;
                        }

                        echo "protected page";

                        ?>
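
The salted check from the post above, carried over to `password_hash()` as an added example that is not part of the original post: it still accepts the existing `md5(password . casual_number)` values and replaces each one with a `password_hash()` value at the next successful login. The `password` column has to be widened for this, since an MD5 hex digest is 32 characters and a bcrypt hash is 60. The `$store` callback, the function name and the sample row are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. $row mimics one row of the post's
// user table (columns user, password, casual_number); the values are constructed.

/**
 * Check a login against either the post's md5(password . casual_number) value
 * or a password_hash() value, and upgrade the stored hash after a success.
 * $store is a hypothetical callback that writes the new hash back to the table.
 */
function verifyAndUpgrade(array $row, string $password, callable $store): bool
{
    $stored = $row['password'];
    // password_get_info() reports 'unknown' for anything password_hash() did not produce.
    $isLegacy = password_get_info($stored)['algoName'] === 'unknown';

    if ($isLegacy) {
        // hash_equals() compares in constant time, unlike ===.
        $ok = hash_equals($stored, md5($password . $row['casual_number']));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }
    // The plaintext is only available now, so this is the moment to re-hash.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $store(password_hash($password, PASSWORD_DEFAULT));
    }
    return true;
}

// Constructed legacy row, hashed the way the post describes.
$row = [
    'user'          => 'alice',
    'casual_number' => '483920',
    'password'      => md5('correct horse' . '483920'),
];
$store = function (string $hash) use (&$row): void {
    $row['password'] = $hash;   // a real page would run an UPDATE with a bound parameter
};

var_dump(verifyAndUpgrade($row, 'wrong guess', $store));      // legacy row, wrong password
var_dump(verifyAndUpgrade($row, 'correct horse', $store));    // legacy row, upgraded on success
var_dump(password_get_info($row['password'])['algoName']);    // algorithm now stored
var_dump(verifyAndUpgrade($row, 'correct horse', $store));    // verified via password_verify()
var_dump(verifyAndUpgrade($row, 'wrong guess', $store));
```

On a real login page, call `session_regenerate_id(true)` after a successful check and before setting `$_SESSION['ok']`, so the authenticated session does not keep the pre-login session ID.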








