Re: [PHP-DB] User authentication and redirect

[Thomas Dodson]

Ahmed Saad wrote:

hi Vinny,
On 7/13/05, Vinny Lape <[EMAIL PROTECTED]> wrote:
 

If user validates then look at db entry location then redirect to
mydomain.com/"location"/index.php
   


i don't think it's a good idea. what if the user bookmarked or took
down a notice with the URL to your "secured" page
(mydomain.com/location/index.php)? then he would just type the url
heading directly for the bypassing your login page! i think u might
want to put the user authorization code in your index php or even
better put it in a file and require() that file at the top of of any
page u want to protect. you can either use sessions or plain HTTP
authentication  (which is not a very good idea).

-ahmed

 

perhaps if i had read the original message more carefully...
here are some functions for session based authentication that i use for 
one of my projects...they probably aren't as secure as they could be, im 
relatively new to scripting languages.

<?php
   #this file should be in the include directory (include_path from 
php.ini), or the same directory as the functions which include it.
   #be sure to check file permissions if it doesnt work correctly!
   #This script assumes a database named DATABASE, and that user data 
is stored in a table called users, with (at least) fields user, 
password, and email. The password column must be char(32) type to accept 
the encrypted pwd
   #Thomas Dodson   [EMAIL PROTECTED]   24 May 2005

   function db_connect()
   {
       #connect to MySQL
       $link = mysql_connect('HOST', 'USER','PWD') or die('Could not 
connect: ' . mysql_error());
       #select database
       mysql_select_db('DATABASE') or die('Could not select database');

       return $link;
   }

   function encrypt($string) #hash then encrypt a string. the password 
column in the db must be CHAR(32) type
   {
       $crypted = crypt(md5($string), md5($string));
       return $crypted;
   }

   function login($user, $password) #this logs in the user by checking 
the name and pwd against the database. it returns true and writes the
   {                                 #proper session variables if the 
user/pwd combo matches, otherwise it returns false. do NOT use this script
                                    #to check the session variables for 
authorization, i wrote login_check() to do that.
       $auth = false;

       $link = db_connect();
       $result = mysql_query("SELECT password FROM users WHERE user = 
'$user'", $link);
       $row = mysql_fetch_array($result, MYSQL_ASSOC);
       $pass = $row['password'];
       mysql_free_result($result);
       mysql_close($link);

       if ($pass === (Encrypt($password)))
       {
           session_start();
           $_SESSION['userid'] = $user;
           $_SESSION['pwd'] = $pass;
           $auth = true;
       }
       return $auth;
   }

   function login_check($user, $password) #this checks to make sure a 
user is logged in. if the user/pwd combo in the session var matches
   {                                       #the table entry, it returns 
true, otherwise it returns false. it does NOT write any session variables,
                                          #so use this script and NOT 
login() to check authorization
       $auth = false;
      
       if(!$user || !$password)
       {
           return $auth;
       }

       $link = db_connect();
       $result = mysql_query("SELECT password FROM users WHERE user = 
'$user'", $link);
       $row = mysql_fetch_array($result, MYSQL_ASSOC);
       $pass = $row["password"];
       mysql_free_result($result);
       mysql_close($link);

       if ($pass === $password)
       {
           $auth = true;
       }
       return $auth;
   }

   function write_log($string) #adds a datestamp and writes to logfile 
in /var/log. the owner of the file SL.log must be the same as the
   {                            #the user running the apache process 
(usually www-data)
       $string = ' ' . $string . "\n";
       $filehandle = fopen('/var/log/SL.log', 'a');
       fwrite($filehandle, date('d M H:i:s')); #write date in format: 
01 Jun 23:01:01
       fwrite($filehandle, $string); #write log entry
       fclose($filehandle);
   }

   function calcElapsedTime($time) #returns elapsed time in seconds
   {

       $diff = time()-$time;
       $daysDiff = 0;
       $hrsDiff = 0;
       $minsDiff = 0;
       $secsDiff = 0;
      
       $sec_in_a_day = 60*60*24;

       while($diff >= $sec_in_a_day)
       {
           $daysDiff++; $diff -= $sec_in_a_day;
       }
       $sec_in_an_hour = 60*60;
  
       while($diff >= $sec_in_an_hour)
       {
           $hrsDiff++;
           $diff -= $sec_in_an_hour;
       }

       $sec_in_a_min = 60;

       while($diff >= $sec_in_a_min)
       {
           $minsDiff++;
           $diff -= $sec_in_a_min;
       }

       $secsDiff = $diff;

       return ($minsDiff.' minute'.(($minsDiff <> 1) ? "s" : "").', 
'.$secsDiff.' second'.(($secsDiff <> 1) ? "s" : ""));

       /*
       #this code goes after whatever you want to time
           $elap_time = 
calcElapsedTime(mktime($hrs,$min,$sec,$mon,$day,$yr));

       #this codes goes before it
           $date = getdate();
           $hrs = $date['hours'];
           $min = $date['minutes'];
           $sec = $date['seconds'];
           $mon = $date['mon'];
           $day = $date['mday'];
           $yr = $date['year'];
       */

   }
?>

--
Thomas Dodson
Programmer, Bioinformatics
S-327 Ag. Science North
Department of Entomology
University of Kentucky
Lexington, KY 40546-0091
Phone (859) 257-3169
Fax (859) 323-1120
Cell: (859) 420-1696

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php