
Archived

This topic is now archived and is closed to further replies.

Moron

Simple database authentication?


Can someone please point me in the right direction on this?

I want authentication where an employee enters their employee number and the password is their Social Security number, which of course must match the employee number in the database.

I only want this on the front end. Once they're in, they can do pretty much whatever they want.

I use a combination like this:

In each content page of the site, this at the top of the script:

[code]<?php
session_start();
include("logincheck.php");[/code]

logincheck.php looks like this:

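[code]<?php
// logincheck.php
// Show the login form and stop unless the session carries the logged-in marker.
// isset() keeps a first-time visitor (no session data yet) from raising a notice.
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] != "winner") {
  include("loginform.php");
  die();
} else {
  // Expose the logged-in user's details to the including page
  $user_id = $_SESSION['user_id'];
  $user_name = $_SESSION['user_name'];
  $user_email = $_SESSION['user_email'];
}
?>[/code]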

loginform.php looks like this:

[code]<html>
<head>
<title>Login</title>
<style type="text/css">
td,p {
font-family:verdana, arial, helvetica, sans-serif;
color:#000;
background-color:#fff;
font-size:12px;
}
input {
border:1px solid #999;
background-color:#f4f4f4;
}
.submit {
border:1px solid #000;
background-color:#f90;
}
</style>
</head>
<body onLoad="document.formname.username.focus();">

<form name="formname" method="post" action="login2.php">
<table style="border:1px solid #999;">
<tr>
<td>Username</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="userpass"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" name="submit" class="submit" value="Log in"></td>
</tr>
</table>
</form>
</body>
</html>[/code]

And login2.php looks like this:

[code]<?php
session_start();
// login part 2: check the submitted credentials against the users table
include("includes/db-conn.php"); // defines $db_host, $db_login, $db_pass, $db_name
$uname = trim(strip_tags($_POST['username'] ?? ''));
$upass = trim(strip_tags($_POST['userpass'] ?? ''));

$db = mysqli_connect($db_host, $db_login, $db_pass, $db_name) or die("Can't connect!");

// Prepared statement: the submitted values are bound as data and never become part of the SQL text
$query = "SELECT id, user_name, user_email, name FROM users WHERE binary user_name = ? AND binary user_pass = ?";
$stmt = mysqli_prepare($db, $query) or die("Error: could not prepare the login query");
mysqli_stmt_bind_param($stmt, "ss", $uname, $upass);
mysqli_stmt_execute($stmt) or die("Error: could not run the login query");
$result = mysqli_stmt_get_result($stmt);
$count = mysqli_num_rows($result);
if ($count == 1) {
  $myrow = mysqli_fetch_assoc($result);
  session_regenerate_id(true); // issue a fresh session id at login
  // Only non-secret profile fields go into the session
  $_SESSION['loggedin'] = "winner";
  $_SESSION['user_id'] = $myrow['id'];
  $_SESSION['user_name'] = $myrow['user_name'];
  $_SESSION['user_email'] = $myrow['user_email'];
  $_SESSION['real_name'] = $myrow['name'];

  header("Location: index.php");
  die();
} else {
  header("Location: loginform.php");
  die();
}
?>[/code]

You need a way for each page to specify what kind of permissions a user requires to access that page. If it is the same for the entire application, you could have a central authentication/authorization class, which would be called for every page, to check if the user is logged in or not. I think you could use a front controller for this type of thing.

After the user is authenticated, you could have a principal object with their username and role(s). If they aren't authenticated, just assign a principal object specifying a role of anonymous. The authorization component then could check that they have sufficient privileges to access the system.

Role definitions:
[code=php:0]define('ROLE_ANONYMOUS', 0);
define('ROLE_EMPLOYEE', 1);
define('ROLE_MANAGER', 2);[/code]

Authorization could do something like:

[code=php:0]// Ensure user is at least an employee or manager
if ($principal->Role & (ROLE_EMPLOYEE | ROLE_MANAGER))
{
    // Allow access
}
else
{
    // Disallow access
}[/code]

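The central check described in the post above, as an added example that is not code from the thread: a principal built from the session (anonymous when nothing valid is there) and a per-page role map that refuses any page it does not list. The `Principal` class, the page names, the `role` session key and both function names are assumptions made for illustration.

```php
<?php
// Added example: role constants as in the post, used as bit flags.
define('ROLE_ANONYMOUS', 0);
define('ROLE_EMPLOYEE', 1);
define('ROLE_MANAGER', 2);

final class Principal // hypothetical class
{
    public $Name;
    public $Role;
    public function __construct($name, $role) { $this->Name = $name; $this->Role = $role; }
}

// Roles allowed per page; null marks a public page (constructed sample map).
$pageRoles = [
    'login'   => null,
    'profile' => ROLE_EMPLOYEE | ROLE_MANAGER,
    'payroll' => ROLE_MANAGER,
];

// Build the principal from session data; anything missing or malformed is anonymous.
function principalFromSession(array $session)
{
    if (isset($session['user_name'], $session['role']) && is_int($session['role'])) {
        return new Principal($session['user_name'], $session['role']);
    }
    return new Principal('anonymous', ROLE_ANONYMOUS);
}

// Deny by default: a page absent from the map is refused for everyone.
function isAllowed(Principal $p, $page, array $pageRoles)
{
    if (!array_key_exists($page, $pageRoles)) {
        return false;
    }
    $required = $pageRoles[$page];
    return $required === null || ($p->Role & $required) !== 0;
}

// Constructed sessions run through the check a front controller would make per request.
$employee = principalFromSession(['user_name' => 'e1001', 'role' => ROLE_EMPLOYEE]);
$anon = principalFromSession([]);
foreach (['login', 'profile', 'payroll', 'admin'] as $page) {
    printf("%-8s employee=%s anonymous=%s\n", $page,
        var_export(isAllowed($employee, $page, $pageRoles), true),
        var_export(isAllowed($anon, $page, $pageRoles), true));
}
```

Because `ROLE_ANONYMOUS` is 0, it can never satisfy a bitmask test, which is why public pages are marked with `null` in the map instead of a role value.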
