Protected page script | MYSQL & PHP | Username and Pass Database

[farnoise]

Hi everyone,

 

Here is my problem, and hope someone can help me.

I found a pretty awesome and simple script to protect my pages it works PERFECTLY FINE, but as you can see in the script its kind pre-assigned username/pass system I want to know if any of you can help me with removing that part and connect the form to MYSQL then whenever form wants to load username/pass it connects to database and check the usrename/pass from there or.

I dont think it should be an issue

 

 

 

<?php
$LOGIN_INFORMATION = array(
  'user1' => 'user1pass',
  'admin' => 'adminpass'  
   'user2' => 'user2pass',
  'admin2' => 'adminpass2'
);

// request login? true - show login and password boxes, false - password box only
define('USE_USERNAME', true);

// User will be redirected to this page after logout
define('LOGOUT_URL', 'http://www.example.com/');

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 10);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', true);

#  SETTINGS END


if(isset($_GET['help'])) {
  die('Include following code into every page you would like to protect, at the very beginning (first line): <br>Arad Gharagozli<?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?>');
}

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
  setcookie("verify", '', $timeout, '/'); // clear password;
  header('Location: ' . LOGOUT_URL);
  exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
<html>

******** SOME HTML CODES HERE FOR LOGIN FORM AND STUFF ******** 

</body>
</html>

<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

  $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
  $pass = $_POST['access_password'];
  if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) ) 
  ) {
    showLoginPasswordProtect("ERROR 500<br><br>Access denied.<br> Please check Username and (or) Password and try again.<br> ");
  }
  else {
    // set cookie if password was validated
    setcookie("verify", md5($login.'%'.$pass), $timeout, '/');
    
    // Some programs (like Form1 Bilder) check $_POST array to see if parameters passed
    // So need to clear password protector variables
    unset($_POST['access_login']);
    unset($_POST['access_password']);
    unset($_POST['Submit']);
  }

}

else {

  // check if password cookie is set
  if (!isset($_COOKIE['verify'])) {
    showLoginPasswordProtect("");
  }

  // check if cookie is good
  $found = false;
  foreach($LOGIN_INFORMATION as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    if ($_COOKIE['verify'] == md5($lp)) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", md5($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    showLoginPasswordProtect("");
  }

}

?>

 

 

THANKS A LOT :rtfm:

[garethhall]

Hi there, I agree getting the information from the DB won't be a problem but ......... I am not sure on how wise that would be. If the system you are working on is small (only a couple of users) then I guess it's ok but if it has the potential to have hundreds or even thousands of users then I would say no. I have a very large system having to do the same as yours.

 

Here is my code perhaps it will help you out.

 

<?php
//******************************** User and session authentication **************************************
function auth(){
	/*** If remeber cookies are set validate them ***/
	if(isset($_COOKIE['ql_loginName']) && isset($_COOKIE['ql_loginPassword'])){
		$sql = "SELECT * FROM usr WHERE (usrName = ".cv($_COOKIE['ql_loginName'])." OR usrEmail = ".cv($_COOKIE['ql_loginName'])." ) AND usrPass = ".cv($_COOKIE['ql_loginPassword'])." LIMIT 1";
		$rs = mysql_query($sql);
		$rw = mysql_fetch_assoc($rs);
		/*** if user details is valid set sessions ***/
		if(mysql_num_rows($rs)){
			session_regenerate_id();
			$_SESSION['ql_login'] = 1;
			$_SESSION['ql_usrID'] = $rw['usrID'];
			$_SESSION['ql_compID'] = $rw['compId'];
			$_SESSION['ql_level'] = $rw['usrLevel'];
			$_SESSION['ql_master'] = comp($rw['compId'],'master');
			$_SESSION['ql_toDate'] = comp($rw['compId'],'compRenewDate');
			if(basename($_SERVER['PHP_SELF']) == "index.php"){// if user is already logged in then redirect to main.php
				mysql_query("UPDATE usr SET usrLastLog = NOW() WHERE usrID = ".cv($rw['usrID']));
				header("Location: main.php");
			}
		}else{// user details not valid
			// expire the cookies
			setcookie("ql_loginName","", time() - 3600, "/");
			setcookie("ql_loginPassword","", time() - 3600, "/");
			header("Location: index.php");
			exit();
		}
		mysql_free_result($rs);
		/*** If Sessions are not set ***/
	}else if(!isset($_SESSION['ql_login']) || !isset($_SESSION['ql_usrID']) || !isset($_SESSION['ql_compID']) || !isset($_SESSION['ql_level']) || !isset($_SESSION['ql_master']) || !isset($_SESSION['ql_toDate'])){
		unset($_SESSION['ql_login']);
		unset($_SESSION['ql_usrID']);
		unset($_SESSION['ql_compID']); 
		unset($_SESSION['ql_level']);
		unset($_SESSION['ql_master']);
		unset($_SESSION['ql_toDate']);
		session_destroy();
		if(basename($_SERVER['PHP_SELF']) != "index.php"){
			header("Location: index.php");
		}
	}else{
		/*** session are set so regenerate id and privileges ***/
		session_regenerate_id();
		$_SESSION['ql_level'] = usr($_SESSION['ql_usrID'],'usrLevel');
		$_SESSION['ql_master'] = comp($_SESSION['ql_compID'],'master');
		$_SESSION['ql_toDate'] = comp($_SESSION['ql_compID'],'compRenewDate');
		if(basename($_SERVER['PHP_SELF']) == "index.php"){
				header("Location: main.php");
		}
	}
}
auth();//Run User and session authentication
?>