Ahmed Saad wrote:
hi Vinny,
On 7/13/05, Vinny Lape <vinny@xxxxxxxxxxxxxxxxxx> wrote:
If the user validates, then look at the DB entry location and redirect to
mydomain.com/"location"/index.php
I don't think it's a good idea. What if the user bookmarked or took
down a note with the URL to your "secured" page
(mydomain.com/location/index.php)? Then he would just type the URL,
heading directly for it and bypassing your login page! I think you might
want to put the user authorization code in your index.php or, even
better, put it in a file and require() that file at the top of any
page you want to protect. You can either use sessions or plain HTTP
authentication (which is not a very good idea).
-ahmed
Perhaps if I had read the original message more carefully...
Here are some functions for session-based authentication that I use for
one of my projects... they probably aren't as secure as they could be; I'm
relatively new to scripting languages.
<?php
# This file should be in the include directory (include_path from php.ini),
# or in the same directory as the scripts which include it.
# Be sure to check file permissions if it doesn't work correctly!
# This script assumes a database named DATABASE, and that user data is
# stored in a table called users, with (at least) fields user, password
# and email. The password column must be CHAR(32) type to accept the
# encrypted pwd.
# Thomas Dodson tomd@xxxxxxx 24 May 2005

function db_connect()
{
    # connect to MySQL
    $link = mysql_connect('HOST', 'USER', 'PWD')
        or die('Could not connect: ' . mysql_error());
    # select database
    mysql_select_db('DATABASE', $link) or die('Could not select database');
    return $link;
}

# Hash then encrypt a string. The password column in the db must be CHAR(32) type.
function encrypt($string)
{
    $crypted = crypt(md5($string), md5($string));
    return $crypted;
}

# This logs in the user by checking the name and pwd against the database.
# It returns true and writes the proper session variables if the user/pwd
# combo matches, otherwise it returns false. Do NOT use this function to
# check the session variables for authorization; login_check() does that.
function login($user, $password)
{
    $auth = false;
    $link = db_connect();
    # escape the user name so quotes in it cannot change the meaning of the query
    $safe_user = mysql_real_escape_string($user, $link);
    $result = mysql_query("SELECT password FROM users WHERE user = '$safe_user'", $link);
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    $pass = $row ? $row['password'] : false;   # false if there is no such user
    mysql_free_result($result);
    mysql_close($link);
    if ($pass !== false && $pass === encrypt($password))
    {
        session_start();
        $_SESSION['userid'] = $user;
        $_SESSION['pwd'] = $pass;
        $auth = true;
    }
    return $auth;
}

# This checks to make sure a user is logged in. If the user/pwd combo in the
# session vars matches the table entry, it returns true, otherwise it returns
# false. It does NOT write any session variables, so use this function and
# NOT login() to check authorization.
function login_check($user, $password)
{
    $auth = false;
    if (!$user || !$password)
    {
        return $auth;
    }
    $link = db_connect();
    # escape the user name so quotes in it cannot change the meaning of the query
    $safe_user = mysql_real_escape_string($user, $link);
    $result = mysql_query("SELECT password FROM users WHERE user = '$safe_user'", $link);
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    $pass = $row ? $row['password'] : false;   # false if there is no such user
    mysql_free_result($result);
    mysql_close($link);
    if ($pass !== false && $pass === $password)
    {
        $auth = true;
    }
    return $auth;
}

# Adds a datestamp and writes to a logfile in /var/log. The owner of the file
# SL.log must be the same as the user running the apache process (usually www-data).
function write_log($string)
{
    $string = ' ' . $string . "\n";
    $filehandle = fopen('/var/log/SL.log', 'a');
    if (!$filehandle)
    {
        return false;   # could not open the log: check ownership and permissions
    }
    fwrite($filehandle, date('d M H:i:s'));   # write date in format: 01 Jun 23:01:01
    fwrite($filehandle, $string);             # write log entry
    fclose($filehandle);
    return true;
}

# Returns elapsed time in seconds since the given unix timestamp, formatted
# as minutes and seconds.
function calcElapsedTime($time)
{
    $diff = time() - $time;
    $daysDiff = 0;
    $hrsDiff = 0;
    $minsDiff = 0;
    $secsDiff = 0;
    $sec_in_a_day = 60 * 60 * 24;
    while ($diff >= $sec_in_a_day)
    {
        $daysDiff++;
        $diff -= $sec_in_a_day;
    }
    $sec_in_an_hour = 60 * 60;
    while ($diff >= $sec_in_an_hour)
    {
        $hrsDiff++;
        $diff -= $sec_in_an_hour;
    }
    $sec_in_a_min = 60;
    while ($diff >= $sec_in_a_min)
    {
        $minsDiff++;
        $diff -= $sec_in_a_min;
    }
    $secsDiff = $diff;
    return ($minsDiff . ' minute' . (($minsDiff <> 1) ? "s" : "") . ', '
        . $secsDiff . ' second' . (($secsDiff <> 1) ? "s" : ""));
    /*
    # this code goes before whatever you want to time
    $date = getdate();
    $hrs = $date['hours'];
    $min = $date['minutes'];
    $sec = $date['seconds'];
    $mon = $date['mon'];
    $day = $date['mday'];
    $yr = $date['year'];
    # this code goes after it
    $elap_time = calcElapsedTime(mktime($hrs, $min, $sec, $mon, $day, $yr));
    */
}
?>
--
Thomas Dodson
Programmer, Bioinformatics
S-327 Ag. Science North
Department of Entomology
University of Kentucky
Lexington, KY 40546-0091
Phone (859) 257-3169
Fax (859) 323-1120
Cell: (859) 420-1696
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
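As an added example (not from Thomas's post or any project on this list), the same login/gate split written with current PHP APIs: PDO prepared statements in place of string-built mysql_* queries, password_hash()/password_verify() in place of crypt(md5()), and a require_login() gate that redirects to the login form when no session identity exists, so that typing a protected URL directly (Ahmed's bookmark case) cannot bypass the login. The DSN, credentials, table and column names are assumptions.

```php
<?php
// Added example, not the original post's code. Assumes a `users` table
// with columns `user` and `password`, where `password` holds a
// password_hash() string (create users with password_hash($pw, PASSWORD_DEFAULT)).

function db_connect(): PDO
{
    // hypothetical DSN and credentials; replace with your own
    $pdo = new PDO('mysql:host=HOST;dbname=DATABASE;charset=utf8mb4', 'USER', 'PWD');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Verify submitted credentials. The user name is bound as a parameter, so a
// value such as "' OR '1'='1" is compared literally, never parsed as SQL.
function login(string $user, string $password): bool
{
    $stmt = db_connect()->prepare('SELECT password FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when there is no such user
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);           // fresh id at login: defeats session fixation
    $_SESSION['userid'] = $user;           // store identity only, never the password or hash
    return true;
}

// Gate for protected pages: require_once this file at the top of the page and
// call require_login() before producing any output.
function require_login(string $login_url = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['userid'])) {
        header('Location: ' . $login_url, true, 302);
        exit;                              // the protected page must not render
    }
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
}
```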