Jump to content

[SOLVED] Help with coding

RebeccaD

By RebeccaD
in PHP Coding Help

 Share

Recommended Posts

RebeccaD Newbie

RebeccaD

Posted
Posted

Hi! I maintain a website for a small UK charity and admit that I am no expert when it comes to PHP :(. We have a number of MySql databases associated with our site to give login access to restricted areas of the site. Login pages for these were designed by someone before I came along.

 

Our web hosting company has recently migrated our site onto new servers which have PHP installed as a CGI not a module and with the current coding in the pages we are unable link to the databases. They suggested a couple of fixes but they do not seem to work. If anyone can suggest a fix or re-write for this (be as brave as you like) I would be eternally grateful.

 

The coding is generally in this format below (I have replaced info about the server, database, password etc with uppercase labels). Please bear in mind if you reply that you are dealing with a complete novice, but someone willing to learn. Not too complicated or with too much geeky language.

 

Many thanks,

 

Rebecca Dittman

Chair

The Gender Trust

Brighton, UK

 

 

<?// Open a database connection

 

$mysql_link = mysql_connect("localhost", "SERVER_NAME", "PASSWORD") or die ('I cannot connect to the database, exitting.');

mysql_select_db("DATABASE_NAME");

 

// Get the correct password from the database

 

if($PHP_AUTH_USER != "" && $PHP_AUTH_PW != "") {

$mysql_result = mysql_query("select ROW_1, ROW_2 from TABLE_NAME where ROW_1 = '$PHP_AUTH_USER' and ROW_2 = '$PHP_AUTH_PW' and pending = 0", $mysql_link);

$row = mysql_fetch_row($mysql_result);

 

if(mysql_num_rows($mysql_result) != 1) {

    header('WWW-Authenticate: Basic realm="Gender Trust Members Only Area - Please Enter your Email Address as the Username and your Password"');

    header("HTTP/1.1 401 Unauthorized");

    print "This page requires authorisation. Either you entered an incorrect email/password combination or your browser does not understand how to submit the credentials required";

    exit();

}

}

else {

header('WWW-Authenticate: Basic realm="Gender Trust Members Only Area - Please Enter your Email Address as the Username and your Password"');

header("HTTP/1.1 401 Unauthorized");

print "<table width=80% align=center><tr><td><font face=\"Arial\" size=2 color=\"#000066\"><p> <p><center><font size=4>THIS PAGE REQUIRES AUTHORISATION</center>

<p> <p align=center><font size=3>If you are not a member of The Gender Trust please click<br>the <font color=\"ff0000\"><b>GT Home</b><font color=\"#000066\"> link to return to the main site.

<p align=center>If you are a member, either you entered an incorrect email/password combination<br>or your browser does not understand how to submit the credentials required.<br>

<p align=center>Please contact <a href=\"mailto:EMAIL_ALIAS@gendertrust.org.uk?subject=Login Failure\"><font color=\"#000066\"><b>GT web support</b></a> for advice</td></tr></table>";

exit();

}

include("headerM.php");

?>

 

Link to comment
Share on other sites
PHPNewbie55 Member

PHPNewbie55

Posted
Posted

Just a suggestion... I am a novice as well...

But around here it seems that a lot of people will not even look at your code unless it is in the CODE FORMAT...

 

click on INSERT CODE.. the # sign..

 

Then paste that code in the code brackets... be sure and start the code with <?php LOWERCASE.. and end it with a ?> so that the code is color coded...

This way it is easier to examine...

 

Like This:::::::

<?php
// Open a database connection

$mysql_link = mysql_connect("localhost", "SERVER_NAME", "PASSWORD") or die ('I cannot connect to the database, exitting.');
mysql_select_db("DATABASE_NAME");

// Get the correct password from the database

if($PHP_AUTH_USER != "" && $PHP_AUTH_PW != "") {
   $mysql_result = mysql_query("select ROW_1, ROW_2 from TABLE_NAME where ROW_1 = '$PHP_AUTH_USER' and ROW_2 = '$PHP_AUTH_PW' and pending = 0", $mysql_link);
   $row = mysql_fetch_row($mysql_result);

   if(mysql_num_rows($mysql_result) != 1) {
       header('WWW-Authenticate: Basic realm="Gender Trust Members Only Area - Please Enter your Email Address as the Username and your Password"');
       header("HTTP/1.1 401 Unauthorized");
       print "This page requires authorisation. Either you entered an incorrect email/password combination or your browser does not understand how to submit the credentials required";
       exit();
   }
}
else {
   header('WWW-Authenticate: Basic realm="Gender Trust Members Only Area - Please Enter your Email Address as the Username and your Password"');
   header("HTTP/1.1 401 Unauthorized");
   print "<table width=80% align=center><tr><td><font face=\"Arial\" size=2 color=\"#000066\"><p> <p><center><font size=4>THIS PAGE REQUIRES AUTHORISATION</center>
   <p> <p align=center><font size=3>If you are not a member of The Gender Trust please click
the <font color=\"ff0000\">GT Home<font color=\"#000066\"> link to return to the main site.
   <p align=center>If you are a member, either you entered an incorrect email/password combination
or your browser does not understand how to submit the credentials required.

   <p align=center>Please contact <a href=\"mailto:EMAIL_ALIAS@gendertrust.org.uk?subject=Login Failure\"><font color=\"#000066\">GT web support[/url] for advice</td></tr></table>";
   exit();
}
include("headerM.php");
?>

Link to comment
Share on other sites
kratsg Regular Member

kratsg

Posted
Posted

Hmm, forced php authentication, here's my simple way of doing it (I have a similar, much more secure system set up)

 

Here is an example of how to manipulate these two variables.

<?php

$user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
$pass = mysql_real_escape_string($_SERVER['PHP_AUTH_PW']);

//let's validate logins
if(empty($user) || empty($pass) || !isset($user) || !isset($pass)){//one or both do not exist
authenticate();
}

if(!empty($user) && !empty($pass) && isset($user) && isset($pass)){//they submitted info through alert box, the values are not null or empty
check_user($user,$pass);
}
?>

 

The following are the authenticate() and check_user() functions in a way... Note: $realm is defined in the top of the page so you can have separate sessions, etc.. :-o

<?php
//this function is for forcing the authentication header
function authenticate(){
global $realm;
header('WWW-Authenticate: Basic realm="'.$realm.'"');
header('HTTP/1.0 401 Unauthorized');
header("Refresh: 1; url=unprotected.php");
echo "I'm sorry, you do not have access to this secure location.";
exit;
}


function check_user($check_user,$check_pass){
if(!user_exist($check_user)){
	authenticate();
} else {
	//checks their password
	if(check_pass($check_user,$check_pass)){//validated
		return true;
	} else {
		authenticate();
	}
}
authenticate();
}
?>

 

My idea is very simple, someone logs in, I clean that log-in information, then I work with it, checking to see if an actual user exists, then checking to see if passwords match, and returning true if all clear (this function always runs each time any page is loaded that I protect, so it's pretty secure)

 

 

So.. for your code...

 

<?php

$user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
$pass = mysql_real_escape_string($_SERVER['PHP_AUTH_PW']);

//let's validate logins
if(empty($user) || empty($pass) || !isset($user) || !isset($pass)){//one or both do not exist
   header('WWW-Authenticate: Basic realm="Gender Trust Members Only Area - Please Enter your Email Address as the Username and your Password"');
   header("HTTP/1.1 401 Unauthorized");
   print "<table width=80% align=center><tr><td><font face=\"Arial\" size=2 color=\"#000066\"><p> <p><center><font size=4>THIS PAGE REQUIRES AUTHORISATION</center>
   <p> <p align=center><font size=3>If you are not a member of The Gender Trust please click
the <font color=\"ff0000\">GT Home<font color=\"#000066\"> link to return to the main site.
   <p align=center>If you are a member, either you entered an incorrect email/password combination
or your browser does not understand how to submit the credentials required.

   <p align=center>Please contact <a href=\"mailto:EMAIL_ALIAS@gendertrust.org.uk?subject=Login Failure\"><font color=\"#000066\">GT web support[/url] for advice</td></tr></table>";
   exit();
}

if(!empty($user) && !empty($pass) && isset($user) && isset($pass)){//they submitted info through alert box


// Open a database connection

$mysql_link = mysql_connect("localhost", "SERVER_NAME", "PASSWORD") or die ('I cannot connect to the database, exitting.');
mysql_select_db("DATABASE_NAME");

// Get the correct password from the database

$mysql_result = mysql_query("select ROW_1, ROW_2 from TABLE_NAME where ROW_1 = '$user' and ROW_2 = '$pass' and pending = 0", $mysql_link);
   $row = mysql_fetch_row($mysql_result);

   if(mysql_num_rows($mysql_result) != 1) {
       header('WWW-Authenticate: Basic realm="Gender Trust Members Only Area - Please Enter your Email Address as the Username and your Password"');
       header("HTTP/1.1 401 Unauthorized");
       print "This page requires authorisation. Either you entered an incorrect email/password combination or your browser does not understand how to submit the credentials required";
       exit();
   }
}
include("headerM.php");

?>

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.