Re: PHP Username & Password Detection From PSQL Database




Hi again.

After a recommendation, I have changed my approach and I'm now using an HTML form to accept the username and password.

Please view the following link: http://www.cyber.brad.ac.uk/~yamkedoo/Tests/brandnew.html

The username 'yamkedoo' and password 'yasmine' will give Successful Login. This works for all usernames and passwords in the database.

Though if a different password is used, "Access Denied" is printed as well as an error that I am unable to solve: "Warning: Unable to jump to row 0 on PostgreSQL result index 2 in /home/webpages/yamkedoo/Tests/brandnew.php on line 16". This applies for all incorrect passwords. Please view my code:

<?php
# Connects to the database
$database = pg_connect("host=pgdbs.inf.brad.ac.uk dbname=yamkedoo user=yamkedoo password=yamkedoo");

if (!$database) {
    echo "Connection Failed<BR>";
} else {
    # Read formusername / formpassword from the HTML form explicitly
    # (assumes the form uses method="post") instead of relying on register_globals
    $auth_user = isset($_POST['formusername']) ? trim($_POST['formusername']) : '';
    $auth_pass = isset($_POST['formpassword']) ? trim($_POST['formpassword']) : '';

    # Escape the values before placing them in the query so that quotes
    # typed into the form cannot change the SQL
    $query = "SELECT * FROM PatPerInfo WHERE trim(username) = '" . pg_escape_string($auth_user) .
             "' AND trim(password) = '" . pg_escape_string($auth_pass) . "'";
    $result = pg_query($database, $query);   # pg_exec is the older name for pg_query

    # The "Unable to jump to row 0" warning came from calling pg_fetch_object()
    # with an undefined row number ($rw) on an empty result set: when the
    # password is wrong there is no row 0 to fetch. Check the row count first
    # and only fetch when exactly one row matched.
    if ($result && pg_num_rows($result) == 1) {
        $row = pg_fetch_object($result);
        print "Successful Login\n";
    } else {
        print "Access Denied\n";
    }

    pg_close($database);
}
?>

If anyone can spot any mistakes, I will welcome suggestions ;-)

Thanx




From: Andrew McMillan <andrew@xxxxxxxxxxxxxxx>
To: Yasmine Kedoo <yazkedoo@xxxxxxxxxxx>
CC: pgsql-php@xxxxxxxxxxxxxx
Subject: Re: [PHP] PHP Username & Password Detection From PSQL Database
Date: Wed, 07 Apr 2004 21:35:22 +1200

On Wed, 2004-04-07 at 20:59, Yasmine Kedoo wrote:
> Hi.
>
> I am just beginning to work with PHP & PSQL so forgive me if i make simple
> mistakes. :-)
>
> I created my PSQL database via telnet on my university's database server. I
> have no problems retrieving and displaying certain data using PHP, but i am
> unable to recognise a username and password entered via a predefined
> authentication variable, $PHP_AUTH_USER.
>
> The script must recognise the username: 'yamkedoo', and password: 'yasmine'.
> In the database, the username & password columns are spelt exactly as:
> 'username' & 'password'. The database name is 'yamkedoo', and the table name
> is 'PatPerInfo', as can be seen from the following code:

The example in the PHP manual is:

<?php
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
  } else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
  }
?>

A couple of notes:

1) You have <?PHP well down your page - you need this before the PHP
starts (like in the example above).  Lowercase is also a lot more normal
(although probably uppercase still works).

2) The example above shows the syntax for more recent PHP versions, with
some security features enabled (i.e. use of $_SERVER['PHP_AUTH_USER']
rather than $PHP_AUTH_USER). Whether the older syntax you have used below
will work will depend, to some extent, on how the installation was
configured, as well as the version you are using.


>
> if(!isset($PHP_AUTH_USER))
> 		{
> 			Header("WWW-Authenticate: Basic realm=\"Authentication\"");
> 			Header( "HTTP/1.0 401 Unauthorized");
>
> 			echo "No Login\n";
> 			exit;
> 		}
> 		else
> 		{
> 			echo "User: $PHP_AUTH_USER<BR>";
> 			echo "Password: $PHP_AUTH_PW<BR>";
> 		}
> <?PHP
> 	$database = pg_connect("host=pgdbs.inf.brad.ac.uk dbname=yamkedoo
> user=yamkedoo password=yamkedoo");
>
> 		if(!$database)
>      		{
>         		print "Connection to database failed.";
>      		}
>
> 		else
>         	               {
>         	               $selectquery = "SELECT * FROM PatPerInfo";
>           	               $result = pg_exec($database, $selectquery);
>
> 		$maxrows = pg_numrows($result);
>            		$maxfields = pg_numfields($result);
>
>           		for ($rw = 0; $rw < $maxrows; $rw++)
>    	   		{

Just as a suggestion you might want to consider:

$row = pg_fetch_object($result, $rw);
if ( trim($_SERVER['PHP_AUTH_USER']) == trim($row->username) &&
     trim($_SERVER['PHP_AUTH_PW']) == trim($row->password) )
{
 ...

Actually, though, you can get the database to do it:

$auth_user = pg_escape_string(trim($_SERVER['PHP_AUTH_USER']));
$auth_pass = pg_escape_string(trim($_SERVER['PHP_AUTH_PW']));
$selectquery = "SELECT * FROM PatPerInfo
   WHERE trim(username) = '$auth_user'
     AND trim(password) = '$auth_pass'";

$result = pg_exec( ...


Doing it this way you can simply see if you got back exactly one row,
and if you did then that should be the correct user record - no need for
PHP to inefficiently loop through all of the table looking.


>    				$username = pg_Result($result,$rw,0);
> 				$password = pg_Result($result,$rw,1);
>

Aren't you missing a comparison on the line below?

> 				if( trim($PHP_AUTH_USER) == trim($username) && (trim($PHP_AUTH_PW))
> 				{
> 		  		 	$auth = 1;
> 				}
>            		                 }
>
> 		     echo $auth;
> 		}
>
>       		 if($auth==0)
>      		 {
>      			print "Access Denied<BR>\n";
>      			exit;
>      		 }
>
>
> ?>
>
> After the username and password, i get the following error: Parse error:
> parse error in /home/webpages/yamkedoo/Tests/referrals2.php on line 44.
>
> Please view the following link:
> http://www.cyber.brad.ac.uk/~yamkedoo/Tests/referrals2.php to see what is
> happening.
> Only once has the authentication window appeared, and has not done so since.
> It only gives the error as seen at the link.

Once you have provided the correct credentials to basic auth, your web
browser will repeatedly provide them each time until you exit the
browser or cancel them.

Most sites don't use Basic Authentication like the above - generally
some form of session is maintained through URL rewriting or cookies
since that allows a lot more control (and graphical design) fitting the
login process more smoothly into the web page.

Regards,
					Andrew.

-------------------------------------------------------------------------
Andrew @ Catalyst .Net .NZ  Ltd,  PO Box 11-053,  Manners St,  Wellington
WEB: http://catalyst.net.nz/             PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201       MOB: +64(21)635-694      OFFICE: +64(4)499-2267
               http://survey.net.nz/ - any more questions?
-------------------------------------------------------------------------
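The Basic Auth flow with the database doing the match, as an added example (not code from the thread or the PHP manual): it assumes PHP 5.1 or later for pg_query_params, the same connection details and PatPerInfo table as above, and compares the password as stored, as the thread's table does.

```php
<?php
// Added example: HTTP Basic Auth checked against PatPerInfo by the database,
// with exactly-one-row success and a fresh 401 on failure.

function find_user_record($db, $user, $pass)
{
    // $1/$2 placeholders: values travel separately from the SQL text, so
    // quotes in the input can never alter the query.
    $sql = 'SELECT username FROM PatPerInfo
             WHERE trim(username) = $1 AND trim(password) = $2';
    $result = pg_query_params($db, $sql, array(trim($user), trim($pass)));
    if ($result === false) {
        return null;
    }
    // Zero rows is a failed login and there is nothing to fetch (this is
    // what produced "Unable to jump to row 0" earlier in the thread);
    // exactly one row identifies one account.
    if (pg_num_rows($result) !== 1) {
        return null;
    }
    return pg_fetch_object($result);
}

function request_credentials()
{
    header('WWW-Authenticate: Basic realm="PatPerInfo"');
    header('HTTP/1.0 401 Unauthorized');
    echo "No Login\n";
    exit;
}

if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    request_credentials();
}

$db = pg_connect('host=pgdbs.inf.brad.ac.uk dbname=yamkedoo user=yamkedoo password=yamkedoo');
if (!$db) {
    header('HTTP/1.0 500 Internal Server Error');
    exit("Connection to database failed\n");
}

$row = find_user_record($db, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
pg_close($db);

if ($row === null) {
    // The browser keeps resending cached credentials until it gets a new 401
    // (or is closed), as noted above, so re-issue the challenge on failure.
    request_credentials();
}

echo "<p>Successful Login: " . htmlspecialchars($row->username) . "</p>\n";
?>
```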




