Peuplarchie Posted October 22, 2009

Good day to you all, I'm working on a flat file login script and I would like to add a sign-up feature to it with an email confirmation process. Here is my code:

<?php
//sessions must be initialized prior to any output if output buffering is off
session_start();

//the list of files containing passwords
$files = array(
    "pass.txt",
    "test/pass2.txt",
    "admin/pass3.txt"
);

//if list of users not set create a new array
if(!isset($_SESSION['users']))
    $_SESSION['users'] = array();

if(isset($_POST['username']) && isset($_POST['password'])){
    //need to remove slashes from POST if magic_quotes are on
    if(get_magic_quotes_gpc()){
        $_POST['username'] = stripslashes($_POST['username']);
        $_POST['password'] = stripslashes($_POST['password']);
    }
    $userFound = false; //we need this to exit the loops
    foreach($files as $file){ //loop every file in the $files array
        if($fh = fopen($file, "r")){
            while(!feof($fh) && !$userFound){ //while not the end of the current file or the user was not found
                //trim each field: the lines are "user, pass, path" and end with a newline
                list($username, $password, $url) = array_map('trim', explode(",", fgets($fh,1024)));
                //compare the password with ==; a single = would assign it and always match
                if(($username == $_POST['username']) && ($password == $_POST['password'])){
                    $_SESSION['username'] = $username;
                    $_SESSION['present'] = true;
                    $_SESSION['legal'] = true;
                    $_SESSION['profile'] = $username.".txt";
                    array_push($_SESSION['users'], $username); //add the current user to the list of users
                    header("Location: ".$url);
                    $userFound = true; //confirm that the user was found
                }
            }
            fclose($fh);
            //we need to use break to exit the foreach loop if the user is found in one of the files
            if($userFound) break;
        }
        else echo "Unable to complete";
    }
    if(!$userFound)
        login('Invalid Member name or Password.<br />');
}
else {
    login();
}
?>
<?php function login($response='Welcome visitor !') { ?>

The user, password and redirection path are listed like the following in the files:

user, pass, path
user, pass, path

How can I add this sign in feature? The user would click on sign in, fill a form with his/her full name as user, no space, choose a password, an email would be sent and there would be a link to confirm, then the user would be added to the real list. Thanks!

JonnoTheDev Posted October 22, 2009

My god. The fact that you are storing passwords in a text file that is accessible from the website document root is ridiculous!

Peuplarchie (Author) Posted October 22, 2009

How would you do that without a db?

JonnoTheDev Posted October 22, 2009

Nothing to do with how you are storing passwords but where you are storing them, i.e. I could visit your URL http://yourdomain.com/pass.txt and I have a list of all user login credentials. Store the files outside of the document root, i.e.

//the list of files containing passwords
$files = array(
    "/usr/etc/passwords/pass.txt",
    "/usr/etc/passwords/test/pass2.txt",
    "/usr/etc/passwords/admin/pass3.txt"
);

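Added example (not part of the thread and not any poster's code): one way to check in PHP that a credential file does not resolve to a location under the document root. The function name isUnderDocRoot and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. All paths below are constructed.

// True when $file resolves to a location inside $docRoot, i.e. the web
// server could hand it out by URL. realpath() collapses "..", so a path
// that merely starts inside the web root is judged by where it ends up.
function isUnderDocRoot(string $file, string $docRoot): bool
{
    $realFile = realpath($file);
    $realRoot = realpath($docRoot);
    if ($realFile === false || $realRoot === false) {
        throw new RuntimeException("Cannot resolve $file against $docRoot");
    }
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realFile, $prefix, strlen($prefix)) === 0;
}

// Constructed layout: a web root holding pass.txt, and a sibling directory
// outside it holding pass2.txt.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docroot_demo_' . getmypid();
$docRoot = "$base/htdocs";
$private = "$base/private";
mkdir("$docRoot/test", 0700, true);
mkdir($private, 0700, true);
file_put_contents("$docRoot/pass.txt", "user,pass,/index.php\n");
file_put_contents("$private/pass2.txt", "user,pass,/index.php\n");

$files = array(
    "$docRoot/pass.txt",                     // inside the web root
    "$private/pass2.txt",                    // outside the web root
    "$docRoot/test/../../private/pass2.txt"  // starts inside, resolves outside
);

foreach ($files as $file) {
    $verdict = isUnderDocRoot($file, $docRoot) ? 'EXPOSED under web root' : 'outside web root';
    echo "$file => $verdict\n";
}

// Remove the constructed files again.
unlink("$docRoot/pass.txt");
unlink("$private/pass2.txt");
rmdir("$docRoot/test");
rmdir($docRoot);
rmdir($private);
rmdir($base);
```

In a login script the second argument would be `$_SERVER['DOCUMENT_ROOT']`, and the script would refuse to continue while any credential file is reported as exposed.
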
Peuplarchie (Author) Posted October 22, 2009

So just create a folder and save them in?

JonnoTheDev Posted October 22, 2009

Yes, but not within the document root of the website, i.e. not accessible via a URL.

Peuplarchie (Author) Posted October 22, 2009

I didn't know I could do that. I can't access that in FTP?

JonnoTheDev Posted October 22, 2009

So your FTP access is limited to your document root? Store the text files within a subfolder and protect with .htaccess.

Peuplarchie (Author) Posted October 22, 2009

But now I have to modify my whole script! Thanks for the info!

PFMaBiSmAd Posted October 22, 2009

> add a sign-up feature to it with an email confirmation process.

Once you clear up the security problem of where the .txt files are stored, the solution to your question is the same no matter where the actual usernames/passwords/paths get stored. Just the steps that would store the information in the text file/database would be different.

What exact part of solving this do you need help with? The sign up form? Generating and sending the email? The activation page? We are not really here to write a part of your application for you. Your first step should be to find an existing sign up script that performs the steps you want, then modify it to use your specific flat-file(s) to store the information.

However, writing the custom code to read/parse/write to your specific flat-files is going to actually be more code and take more time to write and test than if you were using a database. So, is there a reason you are not using a database for this?

Peuplarchie (Author) Posted October 22, 2009

If I use htaccess, can I still use my login script? Will the users who try to log in by my login script also have to pass through the htaccess?

JonnoTheDev Posted October 22, 2009

No, test it out. Again, you cannot store user credentials in a file that can be accessed by the whole world. If that file were to be read I wouldn't want to be in your shoes.

PFMaBiSmAd Posted October 22, 2009

The .htaccess file in the folder with the .txt files only prevents (Deny from all) HTTP requests to the .txt files in that folder.

Peuplarchie (Author) Posted October 22, 2009

Wow, nice, so I can continue to use my login script and if somebody would like to see the password.txt file they need to log in by the htaccess! Nice!

Peuplarchie (Author) Posted October 22, 2009

Thanks for your help!