Simple database authentication?


Moron

Can someone please point me in the right direction on this?

I want authentication where an employee enters their employee number and the password is their Social Security number, which of course must match the employee number in the database.

I only want this on the front end. Once they're in, they can do pretty much whatever they want.


I use a combination like this:

In each content page of the site, this at the top of the script:

[code]<?php
session_start();
include("logincheck.php");[/code]

logincheck.php looks like this:

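[code]<?php
// logincheck.php
// Show the login form and stop unless this session has been marked as logged in.
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] != "winner") {
  include("loginform.php");
  die();
} else {
  // Make the logged-in user's details available to the including page.
  $user_id = $_SESSION['user_id'];
  $user_name = $_SESSION['user_name'];
  $user_email = $_SESSION['user_email'];
}
?>[/code]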

loginform.php looks like this:

[code]<html>
<head>
<title>Login</title>
<style type="text/css">
td,p {
font-family:verdana, arial, helvetica, sans-serif;
color:#000;
background-color:#fff;
font-size:12px;
}
input {
border:1px solid #999;
background-color:#f4f4f4;
}
.submit {
border:1px solid #000;
background-color:#f90;
}
</style>
</head>
<body onLoad="document.formname.username.focus();">

<form name="formname" method="post" action="login2.php">
<table style="border:1px solid #999;">
<tr>
<td>Username</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="userpass"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" name="submit" class="submit" value="Log in"></td>
</tr>
</table>
</form>
</body>
</html>[/code]

And login2.php looks like this:

[code]<?php
session_start();
// login part 2
include("includes/db-conn.php"); // provides $db_host, $db_login, $db_pass, $db_name
$uname = trim(strip_tags(isset($_POST['username']) ? $_POST['username'] : ''));
$upass = trim(strip_tags(isset($_POST['userpass']) ? $_POST['userpass'] : ''));

// mysqli replaces the old mysql_* functions, which were removed in PHP 7
$db = mysqli_connect($db_host, $db_login, $db_pass, $db_name) or die ("Can't connect!");

// Bind the submitted values as parameters so they cannot alter the SQL
$stmt = mysqli_prepare($db, "SELECT * FROM users WHERE binary user_name = ? AND binary user_pass = ?")
  or die("Error: ". mysqli_error($db));
mysqli_stmt_bind_param($stmt, "ss", $uname, $upass);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
if (mysqli_num_rows($result) == 1) {
  $myrow = mysqli_fetch_array($result);
  session_regenerate_id(true); // issue a fresh session id once the login succeeds
  $_SESSION['loggedin'] = "winner";
  $_SESSION['user_id'] = $myrow['id'];
  $_SESSION['user_name'] = $myrow['user_name'];
  $_SESSION['user_email'] = $myrow['user_email'];
  $_SESSION['real_name'] = $myrow['name'];
  $_SESSION['user_pass'] = $myrow['user_pass'];

  header("Location:index.php");
  die();
} else {
  header("Location:loginform.php");
  die();
}
?>[/code]

You need a way for each page to specify what kind of permissions a user requires to access that page. If it is the same for the entire application, you could have a central authentication/authorization class, which would be called for every page, to check if the user is logged in or not. I think you could use a front controller for this type of thing.

After the user is authenticated, you could have a principal object with their username and role(s). If they aren't authenticated, just assign a principal object specifying a role of anonymous. The authorization component then could check that they have sufficient privileges to access the system.

Role definitions:
[code=php:0]define('ROLE_ANONYMOUS', 0);
define('ROLE_EMPLOYEE', 1);
define('ROLE_MANAGER', 2);[/code]

Authorization could do something like:

[code=php:0]// Ensure user is at least an employee or manager
if ($principal->Role & (ROLE_EMPLOYEE | ROLE_MANAGER))
{
    // Allow access
}
else
{
    // Disallow access
}[/code]
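
The central authorization check described in the post above, written out as an added example (not code from the thread). The role constants are the ones from the post; the `Principal` class, the `$pageRoles` map, the page names and the `role` session key are assumptions made for illustration.

```php
<?php
// Role constants as defined in the post above (used as bit flags).
define('ROLE_ANONYMOUS', 0);
define('ROLE_EMPLOYEE', 1);
define('ROLE_MANAGER', 2);

// Hypothetical principal: the identity the current request runs as.
class Principal
{
    public $Username;
    public $Role;
    public function __construct($username, $role)
    {
        $this->Username = $username;
        $this->Role = $role;
    }
}

// Hypothetical page map: role mask each page requires; ROLE_ANONYMOUS means public.
$pageRoles = array(
    'login'   => ROLE_ANONYMOUS,
    'profile' => ROLE_EMPLOYEE | ROLE_MANAGER,
    'payroll' => ROLE_MANAGER,
);

// Build the principal from session data; unauthenticated visitors become anonymous.
function principalFromSession(array $session)
{
    if (isset($session['user_name'], $session['role'])) {
        return new Principal($session['user_name'], (int) $session['role']);
    }
    return new Principal('anonymous', ROLE_ANONYMOUS);
}

// Central check a front controller would call before dispatching any page.
function isAuthorized(Principal $principal, $page, array $pageRoles)
{
    if (!isset($pageRoles[$page])) {
        return false; // a page missing from the map is denied (fail closed)
    }
    $required = $pageRoles[$page];
    return $required === ROLE_ANONYMOUS || ($principal->Role & $required) !== 0;
}

// Constructed sample sessions standing in for $_SESSION.
foreach (array(array(), array('user_name' => 'jdoe', 'role' => ROLE_EMPLOYEE)) as $session) {
    $p = principalFromSession($session);
    foreach (array_keys($pageRoles) as $page) {
        printf("%-9s %-7s %s\n", $p->Username, $page, isAuthorized($p, $page, $pageRoles) ? 'allow' : 'deny');
    }
}
```

Because `ROLE_ANONYMOUS` is 0, it can never match a bitwise `&` test, so public pages are handled as an explicit case rather than through the mask.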
