|
|
|
This is a simple script for a login system that uses a PostgreSQL database
(It could quite easily be changed to use MySql or any other database if you
choose).
As well as having a username and a password the user has there own zone (I
did this so I could dynamically make a page depending on what user and so
they could have duplicate usernames if in a different zone (I have set
different zones for a different company))
<?php
// I have used * to hide certian detail
// web site script is used on
// i.e. http://www.example.com/ would be $site = "http://www.example.com/";
$site = "*******";
// checks to see if id is pass to script
If(!isset($_GET['id'])){
// I was gonna put the redirect in a function but it isn't
// neccessary and maybe done in the next version
Header("Content-type: text/html");
Header("Status: 302 Moved");
// you must have unauthorised.htm in the route of your site, i.e.
//http://www.example.com/unauthorised.htm
Header("Location: $site/unauthorised.htm");
exit;
}
// checks if id is only made up of numbers
If(!ereg("^[0-9]{1,}$", $_GET['id'])){
Header("Content-type: text/html");
Header("Status: 302 Moved");
Header("Location: $site/unauthorised.htm");
exit;
}
session_start();
// sets id var from what was sent to page
// id will be there zone
$id = $_GET['id'];
// checks if user has tried to logon before in the same session
If(!session_is_registered("authrealm")) {
// sets id in a session var
session_register(authrealm);
$authrealm = $_GET['id'];
}
// checks if user is trying to logon to a different company page
If($authrealm != $_GET['id']){
// resets username and password to blank
$PHP_AUTH_USER = '';
unset($PHP_AUTH_USER);
$PHP_AUTH_PW = '';
unset($PHP_AUTH_PW);
$authrealm = $_GET['id'];
}
If(!IsSet($PHP_AUTH_USER)){
// if username hasn't been set before for this realm, prompts
//user for username/password
Header("WWW-Authenticate: Basic realm=\"$id\"");
Header('Status: 401 Unauthorized');
exit;
}
// opens database connection
$connstr = "dbname=**** user=****";
$dbh = pg_connect($connstr);
// sets the SQL statment to recive the user/password for that id $sql =
"SELECT * FROM **** WHERE **** = '$authrealm'";
// executes the SQL statment on the database
$passdb = pg_exec($dbh, $sql);
// if database connection failed send to unauthorised page
If(!$passdb){
Header("Content-type: text/html");
Header("Status: 302 Moved");
Header("Location: $site/unauthorised.htm");
exit;
}
// if there is no entry in the database for this id then redirect to
//unauthorised page
If(pg_numrows($passdb) == '0'){
Header("Content-type: text/html");
Header("Status: 302 Moved");
Header("Location: $site/unauthorised.htm");
exit;
}
$data = pg_fetch_row($passdb, 0);
// if there is no entry in the database for this id then redirect to
//unauthorised page
If(!$data){
Header("Content-type: text/html");
Header("Status: 302 Moved");
Header("Location: $site/unauthorised.htm");
exit;
}
// sets username into var $login
$login = $data[1];
//sets a key for the md5 hash (replace stars with numbers execpt the
//first one)
// example would be $key = (($id * 9347^7) / 7849^5);
$key = (($id * ****^*) / ****^*);
// encrypts the password
$hash = md5($id.$PHP_AUTH_PW.$key);
// returns encrypted password from database
$pass = $data[2];
// checks username/password entered against the ones in the database
//if correct continues on, if wrong redirects you to the unauthorised page
If((!$PHP_AUTH_USER == '$login') || (!$pass == '$hash')){
Header("Content-type: text/html");
Header("Status: 302 Moved");
Header("Location: $site/unauthorised.htm");
exit;
}
pg_close($dbh);
?>
if you can think of any improvments they would be much appericated but
remember i'm not a security expert and i'm sure this has holes in it, for
instance if you are not using ssl then the passwords are sent in plain
text so you may need to use a java applet to encrypt the password before
it is sent.
|
|
| Authorize Me! An authentication script. Categories : MySQL, Databases, Authentication, PHP | | | Script for postgresql to walk through the results limiting the results shown per
page. Categories : PostgreSQL, Databases, PHP | | | Is there some possibility to link a database to an htaccess file, so that instead of having a passwd file you would have a database with DES-crypted password and username fields? Categories : Authentication, PHP, General SQL, Databases | | | PostGreSQL and MySQL 2 in 1 db Manager Categories : PHP, PHP Classes, Databases, PostgreSQL, MySQL | | | Monthly and Daily Upcoming Events calendar. Categories : Date Time, PostgreSQL, PHP, Calendar, Databases | | | Full membership authentication system. Categories : Authentication, MySQL, PHP, Databases | | | Logs hits to any page which includes it. Automatically utilises page access information left behind by PHP/FI2.0. Categories : Databases, PHP, mSQL, Databases | | | Implementing a "Members ONLY" area Categories : PHP, MySQL, Databases, Authentication | | | DBE - Database Expander: Edit PostgreSQL individual database tables online via your Web browser! Categories : PostgreSQL, Complete Programs, Databases, PHP Classes, PHP | | | complete, simple, working example of a login screen/system using php functions, cookies, and a mysql database for begginers. Categories : Authentication, Complete Programs, PHP, MySQL, Databases | | | Using Postgres and PHP3 Authentication from a Web application Categories : PostgreSQL, HTML and PHP, Authentication, PHP | | | user-authentication with php3 and msql Categories : Authentication, mSQL, PHP, Databases | | | This program allows you to upload an ODBC ressource - i.e. an MS-Access database to a MySQL server. Categories : Databases, MySQL, Complete Programs, PHP, Databases | | | Is there any way to test that the $result has null values or not without reading the field values in the results in postgre?
Categories : PostgreSQL, PHP, Databases | | | This is a database wrapper for PostgreSQL, but can be simply modified for any other database type. Categories : Databases, PostgreSQL, PHP | |
|
|
|