So I'm being forced to learn a little about PHP (which I wanted to learn) on a much more condensed timeframe in order to do a project for school.

 

I'd like to restrict the ability to register for the website to only people from a certain school (so they'd have to use their school email) so it would only allow joeblow@school.edu as opposed to joe blow's hotmail, gmail, yahoo, etc account.

 

At this point, I've downloaded this Micro Login System to use, and my best option seems to be to tweak the code to restrict the login as described above.

 

Micro Login System

http://www.hotscripts.com/listing/micro-login-system-file-based/

 

Also, instead of something such as MySQL it uses a file-based login. Any security issues with that (since it's not using a database)?

 

Thanks

Miesnerd

First of all, I would store the file of email/passwords in a .txt file under the public directory (under public_html)

 

If you store the emails and the password, comma separated, for each student on a new line for each record, you could use file() to pull the data into an array, restrict the username input to the part of the email before the @ and add the scheme yourself in the script.

 

Also look into the explode() and md5() functions..

 

 

 

If you want to post your code I can implement it if you like. Also, you shouldn't have any issues with a flat file database.

 

shergold.

Shergold-

Below is the code, just as I downloaded it  and extracted it. Obviously, this is from the register.php file.

There is one hitch though.

At some point, our university (who is setting this up as an intervention for a high school) might require some logins from our domain .edu (of the university, not the HS).

There should only be a few of those, though. Can I go in somehow and just add those manually? Is there a way to override it so you can register with either their login or ours?

 

Thanks.

Miesnerd (Code below)

<?php
require_once('common.php');

if (isset($_POST['submitBtn'])){
	// Get user input
	$username  = isset($_POST['username']) ? $_POST['username'] : '';
	$password1 = isset($_POST['password1']) ? $_POST['password1'] : '';
	$password2 = isset($_POST['password2']) ? $_POST['password2'] : '';
        
	// Try to register the user
	$error = registerUser($username,$password1,$password2);
}	
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>Micro Login System</title>
   <link href="style/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
    <div id="main">
<?php if ((!isset($_POST['submitBtn'])) || ($error != '')) {?>
      <div class="caption">Register user</div>
      <div id="icon"> </div>
      <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="registerform">
        <table width="100%">
          <tr><td>Username:</td><td> <input class="text" name="username" type="text"  /></td></tr>
          <tr><td>Password:</td><td> <input class="text" name="password1" type="password" /></td></tr>
          <tr><td>Confirm password:</td><td> <input class="text" name="password2" type="password" /></td></tr>
          <tr><td colspan="2" align="center"><input class="text" type="submit" name="submitBtn" value="Register" /></td></tr>
        </table>  
      </form>
     
<?php 
}   
    if (isset($_POST['submitBtn'])){

?>
      <div class="caption">Registration result:</div>
      <div id="icon2"> </div>
      <div id="result">
        <table width="100%"><tr><td><br/>
<?php
if ($error == '') {
	echo " User: $username was registered successfully!<br/><br/>";
	echo ' <a href="login.php">You can login here</a>';

}
else echo $error;

?>
	<br/><br/><br/></td></tr></table>
</div>
<?php            
    }
?>
<div id="source">Micro Login System v 1.0</div>
    </div>
</body>   

I just realized something.

It doesn't have a field for an email address yet.

Also, it needs to work by sending them a confirmation email, and requiring that they log into their email and click it to verify their email address. This is extremely important given the purpose of the website.

 

Miesnerd

I just realized something else.

A part of the login system  is a file called login.php.

It was preventing index.html from loading when you type the domain name in.

 

I disabled this for now by renaming index.php to index2.php. Is this acceptable? Any problems I might run into?


No problem. However make sure that your files now point to index2.php instead of index.php


Great. Glad to know it's that simple. I was hoping, but not expecting, that it would be that way.

 

Thanks so much for your help thus far, but I'm bumping it for several reasons:

 

1. As shergold mentioned, I don't know where to implement the one line

2. I also don't know how to make the script auto-mail login info that needs to be validated.

3. I don't know how to make it so that a certain page cannot be accessed unless a person is logged in.

(I.e., couldn't they just get the URL and use that to access the page without logging in every time?)

1. As shergold mentioned, I don't know where to implement the one line

Implement this line where your validation starts and should come as:

 

if (strstr($email, '@school.edu')) {
    // valid
}

 

2. I also don't know how to make the script auto-mail login info that needs to be validated.

You usually send this kind of information after they registered at your website.

 

$mailBody = "";
$username = $_POST['username'];
$password = $_POST['password'];

$mailBody .= "Username: $username\n";
$mailBody .= "Password: $password\n";
mail($to, $subject, $mailBody, $headers);

 

3. I don't know how to make it so that a certain page cannot be accessed unless a person is logged in.

You mean that only one user (John Doe) can access a specific page? Or a group (Authenticated Users) of people?

 

(I.e., couldn't they just get the URL and use that to access the page without logging in every time?)

No, they can't, because if I would know your URL I could be able to see your page and your system had nothing to defend itself to keep me away from that page.
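An added example, not code from any poster in this thread: the `strstr()` test above is a substring match, so it also accepts addresses that merely contain `@school.edu`. Comparing the whole domain against an allowlist avoids that and also covers the second (university) domain asked about earlier. `emailDomainAllowed()` and `university.edu` are hypothetical names, and the sample addresses are constructed.

```php
<?php
// Added example: exact-match domain allowlist (function name and domains are illustrative).

/** Return true only if $mail is syntactically valid and its domain is on the allowlist. */
function emailDomainAllowed(string $mail, array $allowedDomains): bool
{
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Everything after the LAST '@' is the domain; compare it whole, case-insensitively.
    $domain = strtolower(substr($mail, strrpos($mail, '@') + 1));
    return in_array($domain, array_map('strtolower', $allowedDomains), true);
}

// Placeholder allowlist: the high school plus the university mentioned in the thread.
$allowed = ['school.edu', 'university.edu'];

// Constructed sample addresses, including ones a substring test gets wrong.
$samples = [
    'joeblow@school.edu',
    'joeblow@SCHOOL.EDU',
    'prof@university.edu',
    'joeblow@school.edu.example.net',
    'joe@hotmail.com',
];

foreach ($samples as $mail) {
    $substring = strstr($mail, '@school.edu') !== false; // the check from the post above
    printf(
        "%-32s substring=%-5s exact=%s\n",
        $mail,
        var_export($substring, true),
        var_export(emailDomainAllowed($mail, $allowed), true)
    );
}
```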

Show code for common.php ??

<?php

session_start();

function registerUser($user,$pass1,$pass2){
$errorText = '';

// Check passwords
if ($pass1 != $pass2) $errorText = "Passwords are not identical!";
elseif (strlen($pass1) < 6) $errorText = "Password is to short!";

// Check user existance	
$pfile = fopen("userpwd.txt","a+");
    rewind($pfile);

    while (!feof($pfile)) {
        $line = fgets($pfile);
        $tmp = explode(':', $line);
        if ($tmp[0] == $user) {
            $errorText = "The selected user name is taken!";
            break;
        }
    }

    // If everything is OK -> store user data
    if ($errorText == ''){
	// Secure password string
	$userpass = md5($pass1);
    	
	fwrite($pfile, "\r\n$user:$userpass");
    }
    
    fclose($pfile);


return $errorText;
}

function loginUser($user,$pass){
$errorText = '';
$validUser = false;

// Check user existance	
$pfile = fopen("userpwd.txt","r");
    rewind($pfile);

    while (!feof($pfile)) {
        $line = fgets($pfile);
        $tmp = explode(':', $line);
        if ($tmp[0] == $user) {
            // User exists, check password
            if (trim($tmp[1]) == trim(md5($pass))){
            	$validUser= true;
            	$_SESSION['userName'] = $user;
            }
            break;
        }
    }
    fclose($pfile);

    if ($validUser != true) $errorText = "Invalid username or password!";
    
    if ($validUser == true) $_SESSION['validUser'] = true;
    else $_SESSION['validUser'] = false;

return $errorText;	
}

function logoutUser(){
unset($_SESSION['validUser']);
unset($_SESSION['userName']);
}

function checkUser(){
if ((!isset($_SESSION['validUser'])) || ($_SESSION['validUser'] != true)){
	header('Location: login.php');
}
}

?>

 

Thanks so much for your help guys.

Per what you've given me, I'll add it and play on Sunday when I get to work on this project again.

I'm rather bogged down with my other academic duties right now.


Thanks for #'s 1 and 2.

Per three, sorry to be a little dense, but I'm still confused.

Let's say kid A logs in, and after they login, they click on a link which gives them access to a restricted page (in real life, that page will be something like "askanexpert.html")

Couldn't kid B see that kid A got redirected to askanexpert.html and then just go and type in the domain name and add "askanexpert.html" on to the end and get to the same page?

<?php

session_start();
// make the username the students email address
function registerUser($user,$pass1,$pass2, $mail, $mail2){
$errorText = '';

           // Reject any ':' in the username, since ':' separates the fields in userpwd.txt
           if ( strpos($user, ':') !== False ) $errorText = "Username cannot contain character ':'";

// Check passwords
if ($pass1 != $pass2) $errorText = "Passwords are not identical!";
           if (strlen($pass1) < 6) $errorText = "Password is to short!";

//Check for valid email

           if ($mail != $mail2) $errorText = "Email addresses do not match!";

           if ( !filter_var($mail, FILTER_VALIDATE_EMAIL) || strpos($mail, ':') !== False )
               $errorText = "You entered an invalid email address!";

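             // Accept the address only if it ends with one of the allowed domains
             $validMail = array('@school.edu', '@other.ac.uk');
             $domainOk = False;

           foreach($validMail As $check)
           {
              // Compare the end of the address, case-insensitively, with the allowed suffix
              if ( strcasecmp(substr($mail, -strlen($check)), $check) === 0 ) { $domainOk = True; break; }
           }
           if ( !$domainOk ) $errorText = "You must use your student email address (e.g. " . implode(", ", $validMail)  . ").";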

// Check user existance	
$pfile = fopen("userpwd.txt","a+");
    rewind($pfile);

    while (!feof($pfile)) {
        $line = fgets($pfile);
        $tmp = explode(':', $line);
        if ($tmp[0] == $user) {
            $errorText = "The selected user name is taken!";
            break;
        }
    }

    // If everything is OK -> store user data
    if ($errorText == ''){
	// Secure password string
	$userpass = md5($pass1);
    	
	fwrite($pfile, "\r\n" . $user . ':' . $userpass . ':' . $mail);

                     $subject = $user . '<' . $mail . '> - account details!';
                     $message = "Hello " . $user . ",\r\n\r\n";
                     $message.= "Your account details are as follows: " . "\r\n";
                     $message.= "Username: " . $user . "\r\n" . "Password: " . $pass1 . "\r\n\r\n";
                     $message.= "Please remember these details as they cannot be re-sent.";
                     $headers = 'From: webmaster@example.com' . "\r\n" .
                                     'Reply-To: no-one@example.com' . "\r\n" .
                                     'X-Mailer: PHP/' . phpversion();

                       mail($mail, $subject, $message, $headers);

    }
    
    fclose($pfile);


return $errorText;
}

function loginUser($user,$pass){
$errorText = '';
$validUser = false;

// Check user existance	
$pfile = fopen("userpwd.txt","r");
    rewind($pfile);

    while (!feof($pfile)) {
        $line = fgets($pfile);
        $tmp = explode(':', $line);
        if ($tmp[0] == $user) {
            // User exists, check password
            if (trim($tmp[1]) == trim(md5($pass))){
            	$validUser= true;
            	$_SESSION['userName'] = $user;
            }
            break;
        }
    }
    fclose($pfile);

    if ($validUser != true) $errorText = "Invalid username or password!";
    
    if ($validUser == true) $_SESSION['validUser'] = true;
    else $_SESSION['validUser'] = false;

return $errorText;	
}

function logoutUser(){
unset($_SESSION['validUser']);
unset($_SESSION['userName']);
}

function checkUser(){
if ((!isset($_SESSION['validUser'])) || ($_SESSION['validUser'] != true)){
	header('Location: login.php');
	exit; // stop here so the protected page is not sent along with the redirect
}
}

?>

 

For the access restrictions you could make them all PHP files with an accesslevel and add it to the registration script or something?

so use the session that is set when the user logs in...

 

// If user isnt logged in and tries to access this page, redirect them to the login page...
if ( !isSet($_SESSION['userName']) || $_SESSION['validUser'] !== True )
{
   Header("Location: login.php");
   exit;
}
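An added example, not part of Micro Login System or of the posted common.php: one way to get the click-to-confirm e-mail step requested earlier in the thread while keeping the flat-file approach, with `password_hash()` in place of `md5()`. The function names, pending-file layout, `confirm.php` URL and 24-hour lifetime are assumptions; the caller is assumed to have already validated the username and address (no `:` or line breaks).

```php
<?php
// Added example. File layout, function names and the confirm.php URL are assumptions.
// Keep both data files outside the web root so they cannot be fetched by URL.

const TOKEN_TTL = 86400; // confirmation link lifetime in seconds

/** Store an unconfirmed account and return the one-time token to e-mail to the user. */
function createPendingRegistration(string $user, string $pass, string $mail, string $pendingFile): string
{
    $token = bin2hex(random_bytes(32));          // unguessable, sent only by e-mail
    $row = implode(':', [
        $user,
        password_hash($pass, PASSWORD_DEFAULT),  // salted, slow hash instead of md5()
        $mail,
        hash('sha256', $token),                  // only a hash of the token is kept on disk
        time() + TOKEN_TTL,
    ]);
    file_put_contents($pendingFile, $row . "\n", FILE_APPEND | LOCK_EX);
    return $token;
}

/** Move the matching, unexpired pending row into the user file. Returns true on success. */
function confirmRegistration(string $token, string $pendingFile, string $userFile): bool
{
    $wanted = hash('sha256', $token);
    $rows = is_file($pendingFile) ? file($pendingFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    $keep = [];
    $confirmed = false;
    foreach ($rows as $row) {
        $parts = explode(':', $row);
        if (count($parts) !== 5) { continue; }   // drop malformed rows
        [$user, $hash, $mail, $tokenHash, $expires] = $parts;
        if (!$confirmed && hash_equals($tokenHash, $wanted) && (int)$expires >= time()) {
            file_put_contents($userFile, "$user:$hash:$mail\n", FILE_APPEND | LOCK_EX);
            $confirmed = true;                   // the row is consumed: tokens are single use
            continue;
        }
        if ((int)$expires >= time()) { $keep[] = $row; } // expired rows are discarded
    }
    file_put_contents($pendingFile, $keep ? implode("\n", $keep) . "\n" : '', LOCK_EX);
    return $confirmed;
}

// Constructed demo using temporary files.
$pending = tempnam(sys_get_temp_dir(), 'pend');
$users   = tempnam(sys_get_temp_dir(), 'user');
$token = createPendingRegistration('joeblow', 'correct horse', 'joeblow@school.edu', $pending);
$link  = 'https://example.com/confirm.php?token=' . $token; // goes in the mail() body, not the password
var_dump(confirmRegistration('not-the-token', $pending, $users)); // wrong token
var_dump(confirmRegistration($token, $pending, $users));          // token from the e-mail
var_dump(confirmRegistration($token, $pending, $users));          // replay of a used token
[$u, $h] = explode(':', trim(file_get_contents($users)));
var_dump(password_verify('correct horse', $h));                   // login-time password check
unlink($pending);
unlink($users);
```

With this layout, loginUser() would read only the confirmed user file and compare passwords with `password_verify()` rather than `md5()`.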

Hey guys!

I'm back. Thanks again for your help so much.

I know andy edited the common.php file for me, and in doing so, like I needed, added email confirmation functionality.

 

But doesn't the register.php file need to be edited as well? If not, please explain to me how PHP accomplishes this.

 

Miesnerd

Using the mail function, I just updated the register function to send an email to the user's email address using the built-in function. When you call the register function, I added a couple of variables that need to be passed in addition.

thanks man. I just discovered I must have royally F'd something up. I think I'm gonna download the unedited code, put it up, and then all I should have to do is put in your edited version of common.php, right?

Depends what you edited before you showed us your code. What's the problem at the moment? Are you getting any errors, or is it just that the functionality is not correct?

Eh, no worries. I hadn't done that much, and most of it was superficial stuff.

So now I'm back to the generic cookie cutter version + your common.php edited file.

At the registration, there is no place where you need to enter your email, so I guess i lost that.

You need to change like this. Unless the labels mess up the design, I just added them to make it a tiny bit more user friendly. Just get rid of them if they mess up the layout.

<?php
require_once('common.php');

if (isset($_POST['submitBtn'])){
	// Get user input
	$username  = isset($_POST['username'])   ? $_POST['username']  : '';
	$password1 = isset($_POST['password1'])  ? $_POST['password1'] : '';
	$password2 = isset($_POST['password2'])  ? $_POST['password2'] : '';
	$email     = isset($_POST['email'])      ? $_POST['email']     : '';
	$email2    = isset($_POST['email2'])     ? $_POST['email2']    : '';
        
	// Try to register the user
	$error = registerUser($username, $password1, $password2, $email, $email2);
}	
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>Micro Login System</title>
   <link href="style/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
    <div id="main">
<?php if ((!isset($_POST['submitBtn'])) || ($error != '')) {?>
      <div class="caption">Register user</div>
      <div id="icon"> </div>
      <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="registerform">
        <table width="100%">
          <tr><td><label for="user">Username:</label></td><td> <input class="text" name="username" type="text" id="user" /></td></tr>
          <tr><td><label for="pass">Password:</label></td><td> <input class="text" name="password1" type="password" id="pass" /></td></tr>
          <tr><td><label for="pass2">Confirm password:</label></td><td> <input class="text" name="password2" type="password" id="pass2" /></td></tr>
         <tr><td><label for="email">Email:</label></td><td> <input class="text" name="email" type="text" id="email" /></td></tr>
         <tr><td><label for="email2">Confirm email:</label></td><td> <input class="text" name="email2" type="text" id="email2" /></td></tr>
          <tr><td colspan="2" align="center"><input class="text" type="submit" name="submitBtn" value="Register" /></td></tr>
        </table>  
      </form>
     
<?php 
}   
    if (isset($_POST['submitBtn'])){

?>
      <div class="caption">Registration result:</div>
      <div id="icon2"> </div>
      <div id="result">
        <table width="100%"><tr><td><br/>
<?php
if ($error == '') {
	echo " User: $username was registered successfully!<br/><br/>";
	echo ' <a href="login.php">You can login here</a>';

}
else
           {
                      echo $error;
           }
?>
	<br/><br/><br/></td></tr></table>
</div>
<?php            
    }
?>
<div id="source">Micro Login System v 1.0</div>
    </div>
</body>   

 

You need to change like this. Unless the labels mess up the design, I just added them to make it a tiny bit more user friendly. Just get rid of them if they mess up the layout.

<?php
require_once('common.php');

if (isset($_POST['submitBtn'])){
	// Get user input
	$username  = isset($_POST['username']) ? $_POST['username'] : '';
	$password1 = isset($_POST['password1']) ? $_POST['password1'] : '';
	$password2 = isset($_POST['password2']) ? $_POST['password2'] : '';
	$email     = isset($_POST['email'])      ? $_POST['email']  : '';
	$email2    = isset($_POST['email2'])     ? $_POST['email2'] : '';
        
	// Try to register the user
	$error = registerUser($username, $password1, $password2, $email, $email2);
}	
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>Micro Login System</title>
   <link href="style/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
    <div id="main">
<?php if ((!isset($_POST['submitBtn'])) || ($error != '')) {?>
      <div class="caption">Register user</div>
      <div id="icon"> </div>
      <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="registerform">
        <table width="100%">
          <tr><td><label for="user">Username:</label></td><td> <input class="text" name="username" type="text" id="user" /></td></tr>
          <tr><td><label for="pass">Password:</label></td><td> <input class="text" name="password1" type="password" id="pass" /></td></tr>
          <tr><td><label for="pass2">Confirm password:</label></td><td> <input class="text" name="password2" type="password" id="pass2" /></td></tr>
         <tr><td><label for="email">Email:</label></td><td> <input class="text" name="email" type="text" id="email" /></td></tr>
         <tr><td><label for="email2">Confirm email:</label></td><td> <input class="text" name="email2" type="text" id="email2" /></td></tr>
          <tr><td colspan="2" align="center"><input class="text" type="submit" name="submitBtn" value="Register" /></td></tr>
        </table>  
      </form>
     
<?php 
}   
    if (isset($_POST['submitBtn'])){

?>
      <div class="caption">Registration result:</div>
      <div id="icon2"> </div>
      <div id="result">
        <table width="100%"><tr><td><br/>
<?php
if ($error == '') {
	echo " User: $username was registered successfully!<br/><br/>";
	echo ' <a href="login.php">You can login here</a>';

}
else
           {
                      echo $error;
           }
?>
	<br/><br/><br/></td></tr></table>
</div>
<?php            
    }
?>
<div id="source">Micro Login System v 1.0</div>
    </div>
</body>   

awesome. I had added that and from looking at the code, figured that's all I needed, but you beat me to it. :(

Seriously, thanks a ton man.
