Calling Php For Authentication


dweb

Hi

 

I wonder if someone can help.

 

I'm setting up a login page and have been told by the development team that I need to build an HTML login screen to run on their system and then call a PHP script on my server for authentication, after which sessions will be created (to show certain content on their system).

 

I've not done any authentication this way before; can anyone show me a simple script which demos how this would work?

 

I've had a look around, but could only find complex examples.

 

Thanks very much


Here is some simple form and validation:

 

<html>
<head>

</head>
<body>

<?php

//Variables holding the post values
$submit = $_POST["submit"];
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);

//Runs this if the form was submitted
if($submit){

//checks if the form was empty or not
if(!$username && !$password){
 $msg = "The form was submitted empty.";
}else{

 //checks to make sure a username was entered
 if(!$username){
 $msg .= "Please enter a username.";
 }else{

 //checks to make sure a password was entered
 if(!$password){
 $msg .= "Please enter a password.";
 }else{
 $query = mysql_query("SELECT * FROM members");//Queries the database
 $num = mysql_num_rows($query);//Collects the rows (if any)
 $row = mysql_fetch_assoc($query);//a variable to grab rows with

 //checks if there are any registered members
 if($num == 0){
 $msg .= "There are no members in the database, register first.";
 }else{
 //if there are members this checks the entered username against those in the database
 if($row["username"] != $username){
	 $msg .= "The username does not match any registered members.";
 }else{
	 //if there are members this checks the entered password against those in the database
	 if($row["password"] != $password){
	 $msg .= "The password does not match any registered members.";
	 }else{

	 //if everything succeeds then the sessions will start
	 session_start();
	 $_SESSION["username"] = $username;
	 $_SESSION["password"] = $password;

	 //re-directs the user to the home page.
	 header("Location: index.php");
	 }
 }
 }
 }
 }
}
echo $msg;
}

?>

<form action="" method="POST">
<label>Username:</label>
<input type="text" name="username" />
<label>Password:</label>
<input type="password" name="password" />
<input type="submit" name="submit" value="Login" />
</form>
</body>
</html>

 

Remember: if the user has logged in, you need to carry the session over to every single page on the website. This is done at the very top of the source code (before the doctype):

 

<?php
session_start();
$username = $_SESSION["username"];
$password = $_SESSION["password"];
?>

Edited by White_Lily

$query = mysql_query("SELECT * FROM members");//Queries the database
        $num = mysql_num_rows($query);//Collects the rows (if any)
        $row = mysql_fetch_assoc($query);//a variable to grab rows with

        //checks if there are any registered members
        if($num == 0){
        $msg .= "There are no members in the database, register first.";
        }else{

 

Are you (a) actually suggesting querying for every column of every row of a table just to find out if any rows exist and (b) suggesting this is necessary to tell the end user whether or not ANY rows exist in the users table?

 

Also, your code will only ever let the very first user log in, and assumes passwords are stored in plain text.

 

Please don't hand out code like this for newbies to use, this is just making things worse.

Edited by Jessica

Is the PHP script being used to authenticate running on the same server as their application?

 

Nope, the script to authenticate is on our server; they said to return JSON so that, once logged in, content can be viewed.

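As an added example (not code from this thread or from any of its posters), here is a login script that addresses the three problems Jessica raises about the form above (fetching every row, only ever comparing the first row, passwords stored in plain text) and that answers with JSON, as dweb's development team asked. It assumes PHP 7.1 or later with PDO and its sqlite driver; the members table layout, the two demo accounts and all function names are constructed for the example and are not from the thread.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+ with the PDO sqlite
// driver; the table, the demo accounts and the function names are made up.
declare(strict_types=1);

// Constructed in-memory database standing in for the real members table.
function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO members (username, password_hash) VALUES (:u, :h)');
    foreach (['alice' => 'correct horse', 'bob' => 'battery staple'] as $u => $p) {
        // password_hash() salts and slow-hashes; the password itself is never stored.
        $ins->execute([':u' => $u, ':h' => password_hash($p, PASSWORD_DEFAULT)]);
    }
    return $db;
}

// Fetch exactly the one row for this username via a bound parameter (no string
// building, no mysql_real_escape_string), then check it with password_verify().
// Returns the member id on success, null on any failure; the reason is not
// distinguished, so the response does not reveal which usernames exist.
function authenticate(PDO $db, string $username, string $password): ?int {
    static $dummy = null;
    $dummy = $dummy ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $stmt = $db->prepare('SELECT id, password_hash FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown users so both paths take similar time.
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummy);
    return ($row && $ok) ? (int)$row['id'] : null;
}

// Turn the POSTed fields into an HTTP status plus a JSON-serialisable body.
function handle_login(PDO $db, array $post): array {
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');
    if ($username === '' || $password === '') {
        return ['status' => 400, 'body' => ['ok' => false, 'error' => 'username and password are required']];
    }
    $id = authenticate($db, $username, $password);
    if ($id === null) {
        return ['status' => 401, 'body' => ['ok' => false, 'error' => 'invalid username or password']];
    }
    return ['status' => 200, 'body' => ['ok' => true, 'userid' => $id]];
}

// Guard for every page that needs a logged-in user: the session carries only
// the member id, never the password.
function require_login(): int {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['userid'])) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['ok' => false, 'error' => 'login required']);
        exit;
    }
    return (int)$_SESSION['userid'];
}

// Constructed self-check; run from the command line with: php login.php
function self_check(): bool {
    $db = make_demo_db();
    $cases = [
        [['username' => 'alice',      'password' => 'correct horse'],  200],
        [['username' => 'bob',        'password' => 'battery staple'], 200], // second row, not just the first
        [['username' => 'alice',      'password' => 'wrong'],          401],
        [['username' => 'mallory',    'password' => 'correct horse'],  401],
        [['username' => "' OR 1=1--", 'password' => 'x'],              401], // bound parameter, not a query fragment
        [['username' => '',           'password' => 'x'],              400],
    ];
    foreach ($cases as [$post, $expected]) {
        if (handle_login($db, $post)['status'] !== $expected) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "all checks passed\n" : "check failed\n";
} else {
    $db = make_demo_db();   // in production, connect to the real database here
    session_start();
    $result = handle_login($db, $_POST);
    if ($result['body']['ok']) {
        session_regenerate_id(true);   // fresh session id after login, against fixation
        $_SESSION['userid'] = $result['body']['userid'];
    }
    http_response_code($result['status']);
    header('Content-Type: application/json');
    echo json_encode($result['body']);
}
```

Run under the CLI it only exercises the constructed cases; served by a web server it reads the POSTed form, sets the session and returns the JSON body. Pages on the content side then call require_login() at the top instead of copying the username and password out of the session.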

Thanks for that, that seemed to work great.


This is a better login script:

<?php

// If login form has been submitted, and within the time limit.
if (Check_Submit ($Template->BUTTON_SUBMIT, 5000)) {
   // Initialize variables for later use, mark validation as successful by default
   $check = true;
   $message = '';

   // Validate the e-mail posted. If fails mark validation as failed, and add form label to error message.
   // Also automatically adds the user's input to the form, in case validation fails.
   $username = validate ('email', 'email', 'EMAIL', FORM_EMAIL, $check, $message, 80);

   // Verify that a password has been entered, or mark validation as failed.
   if(!isset($_POST['password']) || empty($_POST['password'])) {
       $message .= substr ($Template->FORM_PASSWORD, 0, -1).'","';
       $check = false;
   }

   if (!$check) {
       // If validation failed, format the error message and add it to the output.
       $message = substr ($message, 0, -3);
       $Template->_MESSAGE = '<p id="form_error" class="message error">'.sprintf($Template->ERROR_FORM, $message)."</p>\n";

       // Return to include file/calling function.
       return;
   }

   // Add a WHERE condition to the DB query, to only fetch the row for the user trying to log in.
   $DB->Add_Condition ('email = ' . $username);

   // Retrieve the selected fields from the 'users' table.
   $users = $DB->Get (array ('id', 'email', 'password', 'salt', 'usertype'), 'users');

   // If no rows are found, or the hashed password doesn't match the stored, give warning about password mismatch.
   if (empty ($users) || Hash_Password($_POST['password'], $users['salt']) !== $users['password']) {
       $Template->_MESSAGE = '<p id="form_error" class="message error">'.$Template->WRONG_PASSWORD."</p>\n";
       return;
   }

   // Check for inactive users.
   if($users['usertype'] < 2) {
       $Template->_MESSAGE = '<p id="form_error" class="message error">'.$Template->USER_NOT_ACTIVE."</p>\n";
       return;
   }

   // Regenerate the session ID, to prevent session fixation.
   Sess_Regen ();

   // Add user details to the session variable.
   $_SESSION['userid'] = $users['id'];
   $_SESSION['email'] = $users['email'];
   $_SESSION['usertype'] = $users['usertype'];

   // Send the user to the front page.
   header ("Location: {$Template->_PHP_INDEX}");
   die();
}

// Show the form plus error message, and repopulate fields, if the form was submitted after the time limit.
if (Check_Submit ($Template->BUTTON_SUBMIT)) {
   $Template->_MESSAGE = '<p id="form_error" class="message error">' .$Template->ERROR_TIME_EXPIRED. "</p>\n";
   $Template->_FORM_FIELD_EMAIL = htmlspecialchars($_POST['email']);
}

 

It assumes a template class, and my MySQL DBA layer. Plus a wrapper-function for a set of validation functions, which interfaces with the template class. The basic principle should be easy enough to understand, and applicable to other such scripts.

 

I also strongly recommend that you read this article about secure login systems

Edited by Christian F.
