dweb Posted October 8, 2012

Hi

I wonder if someone can help.

I'm setting up a login page and have been told by the development team that I need to build an HTML login screen to run on their system and then call a PHP script on my server for authentication, of which sessions will then be created (to show certain content on their system).

I've not done any authentication this way before, can anyone show me a simple script which demos how this would work? I've had a look around, but could only find complex examples.

Thanks very much

xyph Posted October 8, 2012

Is the PHP script being used to authenticate running on the same server as their application?

White_Lily Posted October 8, 2012

It's actually quite simple with just a few if and else statements with the odd comparison to entries in a database.

White_Lily Posted October 8, 2012 (edited)

Here is some simple form and validation:

```php
<html>
<head>
</head>
<body>
<?php
//Variables holding the post values
$submit = $_POST["submit"];
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);

//Runs this if the form was submitted
if($submit){
    //checks if the form was empty or not
    if(!$username && !$password){
        $msg = "The form was submitted empty.";
    }else{
        //checks to make sure a username was entered
        if(!$username){
            $msg .= "Please enter a username.";
        }else{
            //checks to make sure a password was entered
            if(!$password){
                $msg .= "Please enter a password.";
            }else{
                $query = mysql_query("SELECT * FROM members");//Queries the database
                $num = mysql_num_rows($query);//Collects the rows (if any)
                $row = mysql_fetch_assoc($query);//a variable to grab rows with

                //checks if there are any registered members
                if($num == 0){
                    $msg .= "There are no members in the database, register first.";
                }else{
                    //if there are members this checks the entered username against those in the database
                    if($row["username"] != $username){
                        $msg .= "The username does not match any registered members.";
                    }else{
                        //if there are members this checks the entered password against those in the database
                        if($row["password"] != $password){
                            $msg .= "The password does not match any registered members.";
                        }else{
                            //if everything succeeds then the sessions will start
                            session_start();
                            $_SESSION["username"] = $username;
                            $_SESSION["password"] = $password;

                            //re-directs the user to the home page.
                            header("Location: index.php");
                        }
                    }
                }
            }
        }
    }
    echo $msg;
}
?>
<form action="" method="POST">
    <label>Username:</label>
    <input type="text" name="username" />
    <label>Password:</label>
    <input type="password" name="password" />
    <input type="submit" name="submit" value="Login" />
</form>
</body>
</html>
```

Remember: if the user has logged in you need to carry over the sessions to every single page on the website, this is done at the very top of the source code (before the doctype):

```php
<?php
session_start();
$username = $_SESSION["username"];
$password = $_SESSION["password"];
?>
```

Edited October 8, 2012 by White_Lily

Jessica Posted October 8, 2012 (edited)

```php
$query = mysql_query("SELECT * FROM members");//Queries the database
$num = mysql_num_rows($query);//Collects the rows (if any)
$row = mysql_fetch_assoc($query);//a variable to grab rows with

//checks if there are any registered members
if($num == 0){
    $msg .= "There are no members in the database, register first.";
}else{
```

Are you (a) actually suggesting querying for every column of every row of a table just to find out if any rows exist and (b) suggesting this is necessary to tell the end user whether or not ANY rows exist in the users table?

Also, your code will only ever let the very first user log in, and assumes passwords stored plain text.

Please don't hand out code like this for newbies to use, this is just making things worse.

Edited October 8, 2012 by Jessica

dweb Posted October 8, 2012

> Is the PHP script being used to authenticate running on the same server as their application?

Nope, the script to authenticate is on our server, they said to return a JSON so that once logged in, content can be viewed

White_Lily Posted October 8, 2012

If it's so bad, Jessica, post a better one.

White_Lily Posted October 8, 2012

Plus I don't know what his database passwords are stored as, it's like assuming they are sha1 when they could be md5...

dweb Posted October 8, 2012

> Here is some simple form and validation: [...]

Thanks for that, that seemed to work great

White_Lily Posted October 8, 2012

Just to add to the problem of only letting the first user log in, he only has to add to the query:

```php
// The value must be quoted in the SQL string; $username was already passed
// through mysql_real_escape_string() in the script above.
$query = mysql_query("SELECT * FROM members WHERE username = '$username'");
```

Christian F. Posted October 8, 2012 (edited)

This is a better login script:

```php
<?php
// If login form has been submitted, and within the time limit.
if (Check_Submit ($Template->BUTTON_SUBMIT, 5000)) {
    // Initialize variables for later use, mark validation as successful by default
    $check = true;
    $message = '';

    // Validate the e-mail posted. If it fails, mark validation as failed and add the form label to the error message.
    // Also automatically adds the user's input to the form, in case validation fails.
    $username = validate ('email', 'email', 'EMAIL', FORM_EMAIL, $check, $message, 80);

    // Verify that a password has been entered, or mark validation as failed.
    if(!isset($_POST['password']) || empty($_POST['password'])) {
        $message .= substr ($Template->FORM_PASSWORD, 0, -1).'","';
        $check = false;
    }

    if (!$check) {
        // If validation failed, format the error message and add it to the output.
        $message = substr ($message, 0, -3);
        $Template->_MESSAGE = '<p id="form_error" class="message error">'.sprintf($Template->ERROR_FORM, $message)."</p>\n";

        // Return to include file/calling function.
        return;
    }

    // Add a WHERE condition to the DB query, to only fetch the row for the user trying to log in.
    $DB->Add_Condition ('email = ' . $username);

    // Retrieve the selected fields from the 'users' table.
    $users = $DB->Get (array ('id', 'email', 'password', 'salt', 'usertype'), 'users');

    // If no rows are found, or the hashed password doesn't match the stored one, give a warning about password mismatch.
    if (empty ($users) || Hash_Password($_POST['password'], $users['salt']) !== $users['password']) {
        $Template->_MESSAGE = '<p id="form_error" class="message error">'.$Template->WRONG_PASSWORD."</p>\n";
        return;
    }

    // Check for inactive users.
    if($users['usertype'] < 2) {
        $Template->_MESSAGE = '<p id="form_error" class="message error">'.$Template->USER_NOT_ACTIVE."</p>\n";
        return;
    }

    // Regenerate the session ID, to prevent session fixation.
    Sess_Regen ();

    // Add user details to the session variable.
    $_SESSION['userid'] = $users['id'];
    $_SESSION['email'] = $users['email'];
    $_SESSION['usetype'] = $users['usertype'];

    // Send the user to the front page.
    header ("Location: {$Template->_PHP_INDEX}");
    die();
}

// Show the form plus error message, and repopulate fields, if the form was submitted after the time limit.
if (Check_Submit ($Template->BUTTON_SUBMIT)) {
    $Template->_MESSAGE = '<p id="form_error" class="message error">' .$Template->ERROR_TIME_EXPIRED. "</p>\n";
    $Template->_FORM_FIELD_EMAIL = htmlspecialchars($_POST['email']);
}
```

It assumes a template class, and my MySQL DBA layer. Plus a wrapper-function for a set of validation functions, which interfaces with the template class.

The basic principle should be easy enough to understand, and applicable to other such scripts.

I also strongly recommend that you read this article about secure login systems

Edited October 8, 2012 by Christian F.

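The points raised in this thread (fetch only the row for the submitted username, compare against a stored hash instead of plain text, regenerate the session ID on login, answer the caller with JSON), as an added example that is not code from any poster. It assumes PHP 7.1+ with the PDO SQLite driver; the `members` schema, the sample accounts and the names `authenticate()`, `login_response()` and `DUMMY_HASH` are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Runs stand-alone: php login_demo.php
// Assumed names: members table, authenticate(), login_response(), DUMMY_HASH.

function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Bound parameter: the query returns only the row for this username.
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a dummy hash, so both failure
    // cases do comparable work and produce the same result.
    $ok = password_verify($password, $row ? $row['password_hash'] : DUMMY_HASH);
    if (!$row || !$ok) {
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

function login_response(PDO $pdo, array $post): string
{
    $user = authenticate($pdo, (string) ($post['username'] ?? ''),
                               (string) ($post['password'] ?? ''));
    if ($user === null) {
        // One message for "no such user" and "wrong password".
        return json_encode(['ok' => false, 'error' => 'Invalid login.']);
    }
    if (PHP_SAPI !== 'cli') {              // sessions only under a web server
        session_start();
        session_regenerate_id(true);       // fresh session ID at login
        $_SESSION['userid'] = $user['id']; // store the ID, never the password
    }
    return json_encode(['ok' => true, 'username' => $user['username']]);
}

// Constructed demo data in an in-memory SQLite database.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY,
            username TEXT UNIQUE, password_hash TEXT)');
$add = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
$add->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT)]);
$add->execute(['bob', password_hash('bob-pw', PASSWORD_DEFAULT)]);

echo login_response($pdo, ['username' => 'bob', 'password' => 'bob-pw']), "\n";
echo login_response($pdo, ['username' => 'bob', 'password' => 'alice-pw']), "\n";
echo login_response($pdo, ['username' => 'nobody', 'password' => 'bob-pw']), "\n";
```

Under a web server, call `login_response($pdo, $_POST)` before any other output and send the result with a `Content-Type: application/json` header.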