Re: [PHP] Password Protection] -- My solution
Mailit, LLC wrote:

> $userName = $_POST['userName'];
> $passw= $_POST['passw'];
> (...)
> $cmd = "SELECT * FROM theTable " . "WHERE userName='$userName' ";
> $res = mysql_query( $cmd ) or die( "Password search failed." );

Without validating userName in $_POST, that code is vulnerable to SQL injection, for example if userName starts with a single quote... See the PHP Security Guide on 'SQL Injection':
http://phpsec.org/projects/guide/3.html#3.2

> $passe = crypt( $passw, $rec['ePass'] );
> if( $passe == $rec['ePass'] )

It seems that the above vulnerability can't be exploited, but I think it's better to be aware of it.

Christophe

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Password Protection] -- My solution
Here is the setup that I have used. Please, adapt to your needs. Table 'theTable' is supposed to contain columns fname, mname, lname and ePass (encrypted password). The crypt() function produces a password that cannot be decrypted and really works well. Of course, you need to use crypt() in the PHP script that creates a row in 'theTable'.

<?php #-- code starts here -#
# Assumes a mysql_connect()/mysql_select_db() call earlier in the script.
$action = $_POST['action'];
$retry = 0;
if( !empty( $action ) ) {
  $userName = $_POST['userName'];
  $passw= $_POST['passw'];
  # Bring the encrypted password and creation date from database:
  $cmd = "SELECT * FROM theTable " . "WHERE userName='$userName' ";
  $res = mysql_query( $cmd ) or die( "Password search failed." );
  $numRows = mysql_num_rows( $res );
  if( $numRows == 0 ) {
    print( "$userName not a valid user name.<BR>" );
    exit;
  }
  $rec = mysql_fetch_array( $res );
  $privLevel = $rec['level'];
  $nome = $rec['fname']." ".$rec['mname']." ".$rec['lname'];
  # Encrypt the password (the stored hash is used as the salt):
  $passe = crypt( $passw, $rec['ePass'] );
  if( $passe == $rec['ePass'] ) {
    /* Bring up the home page */
    print( "<h2>WELCOME TO MY HOME PAGE</h2>" );
    exit;
  } else {
    $retry = 1;
  }
}
if( $retry ) print("<br><h3>Incorrect Login - Please, try again.</h3><br>");
?>
<FORM ACTION="<? print( $_SERVER['PHP_SELF'] ); ?>" METHOD=POST>
<INPUT TYPE=hidden NAME=action VALUE=login>
<table align=center>
<tr>
<td><B>User Name :</B></td><td><INPUT TYPE=text NAME=userName SIZE=20></td>
</tr><tr>
<td><B>Password :</B></td><td><INPUT TYPE=password NAME=passw SIZE=20></td>
</tr>
</table>
<br>
<P align=center><INPUT TYPE=submit VALUE=Login STYLE="width:120;height:25"></P>
</FORM>
<!-- - code ends here -->

Mario

Kevin Javia wrote:
> I am experimenting on my site and I want to make it password protected like www.realsolution.com. If any one enters correct user name and password, only then they will be able to enter into my site. How can I do that in PHP? Any ideas? Thanks a ton in advance.
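The following is an added example, not Mario's script and not from the thread: the same login lookup with the user name bound as a query parameter, which is the usual fix for the SQL injection Christophe points out. It assumes an existing PDO connection in $pdo (hypothetical) and the same 'theTable' / 'ePass' / 'level' columns; password_verify() accepts crypt()-style hashes, so the stored ePass values keep working.

```php
<?php
// Added example (not code from the thread). $pdo is assumed to be an open
// PDO connection, e.g. new PDO('mysql:host=DBHOST;dbname=DBNAME', $u, $p).

function findUserByName(PDO $pdo, string $userName): ?array
{
    // The placeholder is sent separately from the value, so a user name that
    // begins with a single quote is compared as a literal string, never parsed
    // as part of the SQL statement.
    $stmt = $pdo->prepare(
        'SELECT userName, ePass, level FROM theTable WHERE userName = :userName'
    );
    $stmt->execute([':userName' => $userName]);
    $rec = $stmt->fetch(PDO::FETCH_ASSOC);
    return $rec === false ? null : $rec;
}

function checkLogin(PDO $pdo, string $userName, string $passw): bool
{
    $rec = findUserByName($pdo, $userName);
    if ($rec === null) {
        return false;
    }
    // password_verify() understands any crypt()-compatible hash (so the
    // existing ePass column works unchanged) and compares in constant time.
    return password_verify($passw, $rec['ePass']);
}

$action = $_POST['action'] ?? '';
$retry  = 0;
if ($action !== '') {
    $userName = (string)($_POST['userName'] ?? '');
    $passw    = (string)($_POST['passw'] ?? '');
    if (checkLogin($pdo, $userName, $passw)) {
        print('<h2>WELCOME TO MY HOME PAGE</h2>');
        exit;
    }
    $retry = 1;
}
if ($retry) {
    // One message for both "unknown user" and "wrong password", so the login
    // page does not confirm which user names exist.
    print('<br><h3>Incorrect Login - Please, try again.</h3><br>');
}
```

The form from Mario's script can be reused unchanged; only the PHP part above replaces the mysql_query() block.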
Re: [PHP] Password Protection
On Wed, 2005-02-16 at 21:31, Kevin Javia wrote:
> I am experimenting on my site and I want to make it password protected like www.realsolution.com. If any one enters correct user name and password, only then they will be able to enter into my site. How can I do that in PHP? Any ideas? Thanks a ton in advance.

Chances are this is not a php thing at all but uses the webserver's authentication infrastructure. It depends on the server being used. The apache manual has a very good write up on authentication options available:

See if this gets you started:
http://httpd.apache.org/docs-2.0/howto/auth.html

Bret
Re: [PHP] Password Protection
Kevin Javia wrote:
> I am experimenting on my site and I want to make it password protected like www.realsolution.com.

http://www.zend.com/zend/tut/authentication.php
Re: [PHP] Password Protection
Kevin,

I'm having some issues with my email client right now so I'm sorry if you've already found the answer.

There is a way for PHP to do this without the need to modify your web server's configuration or bothering with .htaccess/.htpasswd files by simply modifying the http headers that your pages produce. I'm not about to try to give you a working example as the fine folks at phpmyadmin have already done this in the form of an authentication library. If you have phpMyAdmin installed look in the libraries/auth directory for a file called http.auth.lib.php. If not you can get it from www.phpmyadmin.net

Like I said, it is in library form so you can use it in your program as well (be sure to give credit per the GPL) but I haven't done so, so I'm not sure how much modification might be needed.

Cheers!

Bret Hughes wrote:
> On Wed, 2005-02-16 at 21:31, Kevin Javia wrote:
> > I am experimenting on my site and I want to make it password protected like www.realsolution.com. If any one enters correct user name and password, only then they will be able to enter into my site. How can I do that in PHP? Any ideas? Thanks a ton in advance.
>
> Chances are this is not a php thing at all but uses the webserver's authentication infrastructure. It depends on the server being used. The apache manual has a very good write up on authentication options available:
>
> See if this gets you started:
> http://httpd.apache.org/docs-2.0/howto/auth.html
>
> Bret
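An added example of the header-based approach described above; it is not the phpMyAdmin library and not code from the thread. It assumes PHP running as an Apache module (so $_SERVER['PHP_AUTH_USER'] and PHP_AUTH_PW are populated) and uses a constructed in-memory user table in place of a database; the hashes are made with password_hash() here only so the script runs stand-alone.

```php
<?php
// Added example (not the phpMyAdmin auth library). Constructed user table:
// in a real deployment the hashes live in the database, created at signup.
$users = [
    'alice' => password_hash('correct-horse-battery', PASSWORD_DEFAULT),
    'bob'   => password_hash('another-sample-pass', PASSWORD_DEFAULT),
];
// Hash used for unknown user names so a failed login takes the same time
// whether or not the name exists.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

function httpAuthUser(array $users, string $dummyHash): ?string
{
    $name = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pw   = $_SERVER['PHP_AUTH_PW'] ?? null;
    if ($name === null || $pw === null) {
        return null;                     // no credentials sent yet
    }
    $known = isset($users[$name]);
    $ok    = password_verify($pw, $known ? $users[$name] : $dummyHash);
    return ($ok && $known) ? $name : null;
}

function requireAuth(array $users, string $dummyHash): string
{
    $user = httpAuthUser($users, $dummyHash);
    if ($user === null) {
        // These headers make the browser show its login dialog; the body is
        // what the user sees if they cancel it.
        header('WWW-Authenticate: Basic realm="My Site"');
        header('HTTP/1.0 401 Unauthorized');
        print('Authorization required.');
        exit;
    }
    return $user;
}

$who = requireAuth($users, $dummyHash);
print('<h2>Welcome, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8') . '</h2>');
```

HTTP Basic credentials are only base64-encoded and are resent with every request, so this pattern belongs on an HTTPS-only site.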
RE: [PHP] password protection
The only way to keep a password secure between the client and server is to use a Secure Socket Layer (SSL) to create an encrypted channel of communication between the client and server. You can see this in practice over at Sourceforge.net. They use PHP over an SSL connection to handle user logins.

Do a search on Google for 'SSL' and start reading :)

- James

-----Original Message-----
From: Bill Rausch [mailto:[EMAIL PROTECTED]]
Sent: January 25, 2001 4:54 PM
To: [EMAIL PROTECTED]
Subject: [PHP] password protection

Hi all,

This isn't strictly a PHP issue but is quite related. Given that you have a PHP-driven web site with user authorization and session identifiers etc., what can you do to prevent electronic "snooping" of the clear text password that is passed from the browser to the server? When filling out a form, for example:

Enter your user name and password:
...
<FORM ACTION="<?=$PHP_SELF?>" METHOD="POST">
<B>User Name:</B><BR>
<INPUT TYPE="TEXT" NAME="newusername" VALUE="" SIZE="10" MAXLENGTH="15">
<P>
<B>Password:</B><BR>
<INPUT TYPE="password" NAME="newpassword" VALUE="" SIZE="10" MAXLENGTH="15">
<P>
<INPUT TYPE="SUBMIT" NAME="submit" VALUE="Login">
</FORM>
...

the TYPE="password" makes sure the browser doesn't echo the password as it is typed but it is still sent to the web server as clear text. How do folks deal with this issue?

Thanks,
Bill

---
Bill Rausch, Software Development, Unix, Mac, Windows
Numerical Applications, Inc. 509-943-0861 [EMAIL PROTECTED]

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]