Jump to content

user auth with PHP5 & MySQL 5.0

php4u

By php4u
in Third Party Scripts

 Share

Recommended Posts

php4u Newbie

php4u

Posted
Posted

I am using the "PHP 6 fast & easy web development" book and have all of the scripts working correctly, but one; the log-in and authenticate scripts. They are listed below. Whether I fill in the blanks or not, the page does not change; will not forward to the correct page, nor display an error message.

 

The two variables are "id" and "password" along with several others. I can add, modify and delete users, as well as perform sort/selects against the MySQL DB.

 

This project is being developed on a MacBook, with PHP5 and MySQL 5 with Apache2.

 

Any help greatly appreciated!

Thanks in advance,

Ralph

------------------

show_login.html -

 

<HTML>

<HEAD>

<TITLE>Login</TITLE>

</HEAD>

<BODY>

<H1>Login to Secret Area</H1>

<FORM METHOD="POST" ACTION="do_authuser.php">

<P><STRONG>Employee ID #:</STRONG><BR>

<INPUT TYPE="text" NAME="id" SIZE=25 MAXLENGTH=25></p>

<P><STRONG>Password:</STRONG><BR>

<INPUT TYPE="password" NAME="password" SIZE=25 MAXLENGTH=25></p>

<P><INPUT TYPE="SUBMIT" NAME="submit" VALUE="Login"></P>

</FORM>

</BODY>

</HTML>

 

----------------------

 

do_authuser.php -

 

<?

//check for required fields

if ((!$_POST[id]) || (!$_POST[password])) {

    header("Location: show_login.html");

    exit;

}

 

//setup names of database and table to use

$db_name = "fto";

$table_name = "test_new";

//connect to server and select database

$connection = @mysql_connect("127.0.0.1", "user", "xxxxxx")

    or die(mysql_error());

 

$db = @mysql_select_db($db_name, $connection) or die(mysql_error());

 

//build and issue query

$sql = "SELECT * FROM $table_name WHERE

id = '$_POST[id]' AND password = password('$_POST[password]')";

 

$result = @mysql_query($sql) or die (mysql_error());

 

//get the number of rows in the result set

$num = mysql_numrows($result);

 

//print a message and set a cookie if authorized,

//or redirect elsewhere if unauthorized

if ($num != 0) {

    $cookie_name = "auth";

    $cookie_value = "ok";

    $cookie_expire = "0";

    $cookie_domain = "127.0.0.1";

    setcookie($cookie_name, $cookie_value, $cookie_expire,

    "/" , $cookie_domain, 0);

 

    $display_block = "

    <p><strong>Secret Menu:</strong></p>

    <ul>

    <li><a href=\"secretA.php\">secret page A</a>

    <li><a href=\"secretB.php\">secret page B</a>

    </ul>";

} else {

    header("Location: show_login.html");

    exit;

}

?>

<HTML>

<HEAD>

<TITLE>Secret Area</TITLE>

</HEAD>

<BODY>

<? echo "$display_block"; ?>

</BODY>

</HTML>

 

 

 

Link to comment
Share on other sites
Mchl Regular Member

Mchl

Posted
Posted

Change

 

if ((!$_POST[id]) || (!$_POST[password])) {

 

To

 

if ((!$_POST['id']) || (!$_POST['password'])) {

 

Change this

$sql = "SELECT * FROM $table_name WHERE
id = '$_POST[id]' AND password = password('$_POST[password]')";

 

to this

 

$sql = "SELECT * FROM $table_name WHERE
id = '{$_POST['id']}' AND password = MD5({$_POST['password']})";

 

MySQL Manyal says:

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead.

 

 

 

Does this book tell you to use short php quotes ( <? ?> ) and all CAPS HTML? If so, throw it out of the window.

Link to comment
Share on other sites
php4u Newbie

php4u

Posted
  • Author
Posted

Thank you Mchl, for your prompt response!

 

Your suggestions are getting me closer. Now, at least I receive an error; " Parse error: syntax error, unexpected '}', expecting ']' in /Library/WebServer/Documents/test/do_authuser.php on line 19"

 

 

As for the short quotes and caps in HTML - yes. Should I be using the full "<?php " tag?

 

Thank you very much!

Ralph

 

 

Link to comment
Share on other sites
php4u Newbie

php4u

Posted
  • Author
Posted

Thank you Mchl, for your prompt response!

 

Your suggestions are getting me closer. Now, at least I receive an error; "FUNCTION fto.md5 does not exist" - where "fto" is the DB.

 

If I leave "password" in place, I receive the error;

"Unknown column 'abc123' in 'where clause'" - where "abc123" is the users password.

 

 

As for the short quotes and caps in HTML - yes. Should I be using the full "<?php " tag?

 

Thank you very much!

Ralph

 

 

Link to comment
Share on other sites
php4u Newbie

php4u

Posted
  • Author
Posted

update -

 

seems I need to add the MD5 attribute to the password column. If I can't figure out how to add it to the existing column, I will rebuild the user table from scratch.

 

I'll provide an update.

 

Thanks again!

Ralph

Link to comment
Share on other sites
php4u Newbie

php4u

Posted
  • Author
Posted

update -

 

seems I need to add the MD5 attribute to the password column. If I can't figure out how to add it to the existing column, I will rebuild the user table from scratch.

 

I'll provide an update.

 

.....update 1)

I created a new table titled "emp" and added within the DB titled "fto." I added data and made sure MD5 was included in the password column, however the error message complains of "fto.MD5" which seems like it is complaining about the DB not having the MD5? I am using phpMyAdmin to do my DB work.

 

Thoughts?

 

 

Thanks again!

Ralph

Link to comment
Share on other sites
php4u Newbie

php4u

Posted
  • Author
Posted

Here is the current table titled test_new;

 

mysql> select * from test_new;

+---------+--------+-------+----------------------+----------+----------------------+----------------------+-------+------------+----------+

| l_name  | f_name | id    | password            | username | location            | misc                | other | date      | position |

+---------+--------+-------+----------------------+----------+----------------------+----------------------+-------+------------+----------+

| montana | joe    | 11111 | joemontana          | NULL    | Marsh Creek Detentio | this is a test      | NULL  | 0000-00-00 |          |

| Brown  | Sue  | 99999 | suebrown          | NULL    | West County Dtention | this is a test for d | NULL  | 0000-00-00 |          |

| Brown  | Ralph  | 65063 | abc123              | NULL    | Marsh Creek Detentio | This is a test of da | NULL  | 0000-00-00 |          |

| Brown  | Debbie | 33333 | *52C630F4A7AC817A0AF | NULL    | NULL                | NULL                | NULL  | 0000-00-00 |          |

| Taber  | Guyle  | 44444 | *89C155504AC5DEBF309 | NULL    | NULL                | NULL                | NULL  | 0000-00-00 |          |

| Ordona  | Daniel | 88888 | *3C06A471CB6048FCCCF | NULL    | NULL                | NULL                | NULL  | 0000-00-00 |          |

| Ordona  | Joseph | 77777 | *98DCB82E2D44BE7ED3F | NULL    | NULL                | NULL                | NULL  | 0000-00-00 |          |

| Chalk  | Tom    | 55555 | *71FF744436C7EA1B954 | NULL    | NULL                | NULL                | NULL  | 0000-00-00 |          |

| NULL    | NULL  |    0 | d41d8cd98f00b204e980 | NULL    | NULL                | NULL                | NULL  | 0000-00-00 |          |

| NULL    | NULL  |    1 | d41d8cd98f00b204e980 | NULL    | NULL                | NULL                | NULL  | 0000-00-00 |          |

| NULL    | NULL  |    2 | NULL                | NULL    | NULL                | NULL                | NULL  | 0000-00-00 |          |

+---------+--------+-------+----------------------+----------+----------------------+----------------------+-------+------------+----------+

11 rows in set (0.00 sec)

 

 

.....here is the new table with MD5 included from the start;

 

mysql> select * from emp;

+-------+---------+--------+------------------------------------+-------+

| id    | l_name  | f_name | password                          | other |

+-------+---------+--------+------------------------------------+-------+

|      |        |        | d41d8cd98f00b204e9800998ecf8427e  |      |

| 65063 | Brown  | Ralph  | *A49FE3532B2DCB43D448992D8488B2733 |      |

| 11111 | Brown  | Linda  | *D026C843F8E4D7DDD754AE837037611CB |      |

| 22222 | Montana | Joe    | *72A77A3C2F6B154CFFBA8E63B84EB7563 |      |

+-------+---------+--------+------------------------------------+-------+

4 rows in set (0.00 sec)

 

 

Link to comment
Share on other sites
php4u Newbie

php4u

Posted
  • Author
Posted

Through some help of a friend, the solution was two fold;

 

1) I had a syntax and white-space errror;

 

(corrected syntax)$sql = "SELECT * FROM $table_name WHERE

id = '$_POST[id]' AND password = MD5('$_POST[password]')";

 

2) I was using "password" instead of "md5" on the user_add.php page.

 

I updated the passwords to md5 from the mysql command line,  and reloaded the page; walllah!

 

Hope this helps someone else.

 

Mchl, thanks again!

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.