Re: PHP Username & Password Detection From PSQL Database - Mailing list pgsql-php
From | Yasmine Kedoo |
---|---|
Subject | Re: PHP Username & Password Detection From PSQL Database |
Date | |
Msg-id | BAY14-F10I5GH9vCeqj0002e59b@hotmail.com |
In response to | PHP Username & Password Detection From PSQL Database ("Yasmine Kedoo" <yazkedoo@hotmail.com>) |
Responses |
Re: PHP Username & Password Detection From PSQL Database
Re: PHP Username & Password Detection From PSQL Database |
List | pgsql-php |
Hi again.

After a recommendation, I have changed my approach and I'm now using an HTML form to accept the username and password. Please view the following link:

http://www.cyber.brad.ac.uk/~yamkedoo/Tests/brandnew.html

The username 'yamkedoo' and password 'yasmine' will give Successful Login. This works for all usernames and passwords in the database. Though if a different password is used, Access Denied is printed as well as an error,

Warning: Unable to jump to row 0 on PostgreSQL result index 2 in /home/webpages/yamkedoo/Tests/brandnew.php on line 16,

that I am unable to solve. This applies for all incorrect passwords.

Please view my code:

<?php
#Connects to the database
$database = pg_Connect ("host=pgdbs.inf.brad.ac.uk dbname = yamkedoo user = yamkedoo password = yamkedoo");
if(!$database)
{
    echo "Connection Failed<BR>";
}
else
{
    #assign formusername from html form to $auth_user
    #assign formpassword from html form to $auth_pass
    $auth_user = trim($formusername);
    $auth_pass = trim($formpassword);
    $query = "SELECT * FROM PatPerInfo WHERE trim(username) = '$auth_user' AND trim(password) = '$auth_pass'";
    $result = pg_exec($database, $query);
    $row = pg_fetch_object($result, $rw);
    if($row)
    {
        print "Successful Login\n";
    }
    else
    {
        print "Access Denied\n";
    }
}
pg_close($database);
?>

If anyone can spot any mistakes, I will welcome suggestions ;-)

Thanx

>From: Andrew McMillan <andrew@catalyst.net.nz>
>To: Yasmine Kedoo <yazkedoo@hotmail.com>
>CC: pgsql-php@postgresql.org
>Subject: Re: [PHP] PHP Username & Password Detection From PSQL Database
>Date: Wed, 07 Apr 2004 21:35:22 +1200
>
>On Wed, 2004-04-07 at 20:59, Yasmine Kedoo wrote:
> > Hi.
> >
> > I am just beginning to work with PHP & PSQL so forgive me if I make simple
> > mistakes. :-)
> >
> > I created my PSQL database via telnet on my university's database server. I
> > have no problems retrieving and displaying certain data using PHP, but I am
> > unable to recognise a username and password entered via a predefined
> > authentication variable, $PHP_AUTH_USER.
> >
> > The script must recognise the username: 'yamkedoo', and password: 'yasmine'.
> > In the database, the username & password columns are spelt exactly as:
> > 'username' & 'password'. The database name is 'yamkedoo', and the table name
> > is 'PatPerInfo', as can be seen from the following code:
>
>The example in the PHP manual is:
>
><?php
>  if (!isset($_SERVER['PHP_AUTH_USER'])) {
>    header('WWW-Authenticate: Basic realm="My Realm"');
>    header('HTTP/1.0 401 Unauthorized');
>    echo 'Text to send if user hits Cancel button';
>    exit;
>  } else {
>    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
>    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
>  }
>?>
>
>A couple of notes:
>
>1) You have <?PHP well down your page - you need this before the PHP
>starts (like in the example above). Lowercase is also a lot more normal
>(although probably uppercase still works).
>
>2) The example above shows the syntax for more recent PHP versions, with
>some security features enabled (i.e. use of $_SERVER['PHP_AUTH_USER']
>rather than $PHP_AUTH_USER). Whether the older syntax you have used below
>will work will depend on how the installation was configured, to some
>extent, as well as the version you are using.
>
> > if(!isset($PHP_AUTH_USER))
> > {
> >     Header("WWW-Authenticate: Basic realm=\"Authentication\"");
> >     Header( "HTTP/1.0 401 Unauthorized");
> >
> >     echo "No Login\n";
> >     exit;
> > }
> > else
> > {
> >     echo "User: $PHP_AUTH_USER<BR>";
> >     echo "Password: $PHP_AUTH_PW<BR>";
> > }
> > <?PHP
> > $database = pg_connect("host=pgdbs.inf.brad.ac.uk dbname=yamkedoo
> > user=yamkedoo password=yamkedoo");
> >
> > if(!$database)
> > {
> >     print "Connection to database failed.";
> > }
> >
> > else
> > {
> >     $selectquery = "SELECT * FROM PatPerInfo";
> >     $result = pg_exec($database, $selectquery);
> >
> >     $maxrows = pg_numrows($result);
> >     $maxfields = pg_numfields($result);
> >
> >     for ($rw = 0; $rw < $maxrows; $rw++)
> >     {
>
>Just as a suggestion you might want to consider:
>
>$row = pg_fetch_object($result, $rw);
>if ( trim($_SERVER['PHP_AUTH_USER']) == trim($row->username)
>     && trim($_SERVER['PHP_AUTH_PW']) == trim($row->password) )
>{
>  ...
>
>Actually, though, you can get the database to do it:
>
>$auth_user = pg_escape_string(trim($_SERVER['PHP_AUTH_USER']));
>$auth_pass = pg_escape_string(trim($_SERVER['PHP_AUTH_PW']));
>$selectquery = "SELECT * FROM PatPerInfo
>                WHERE trim(username) = '$auth_user'
>                AND trim(password) = '$auth_pass'";
>
>$result = pg_exec( ...
>
>Doing it this way you can simply see if you got back exactly one row,
>and if you did then that should be the correct user record - no need for
>PHP to inefficiently loop through all of the table looking.
>
> >         $username = pg_Result($result,$rw,0);
> >         $password = pg_Result($result,$rw,1);
> >
>
>Aren't you missing a comparison on the line below?
>
> >         if( trim($PHP_AUTH_USER) == trim($username) && (trim($PHP_AUTH_PW))
> >         {
> >             $auth = 1;
> >         }
> >     }
> >
> >     echo $auth;
> > }
> >
> > if($auth==0)
> > {
> >     print "Access Denied<BR>\n";
> >     exit;
> > }
> >
> > ?>
> >
> > After the username and password, I get the following error: Parse error:
> > parse error in /home/webpages/yamkedoo/Tests/referrals2.php on line 44.
> >
> > Please view the following link:
> > http://www.cyber.brad.ac.uk/~yamkedoo/Tests/referrals2.php to see what is
> > happening.
> > Only once has the authentication window appeared, and has not done so since.
> > It only gives the error as seen at the link.
>
>Once you have provided the correct credentials to basic auth, your web
>browser will repeatedly provide them each time until you exit the
>browser or cancel them.
>
>Most sites don't use Basic Authentication like the above - generally
>some form of session is maintained through URL rewriting or cookies
>since that allows a lot more control (and graphical design) fitting the
>login process more smoothly into the web page.
>
>Regards,
>    Andrew.
>
>-------------------------------------------------------------------------
>Andrew @ Catalyst .Net .NZ Ltd, PO Box 11-053, Manners St, Wellington
>WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
>DDI: +64(4)916-7201 MOB: +64(21)635-694 OFFICE: +64(4)499-2267
>    http://survey.net.nz/ - any more questions?
>-------------------------------------------------------------------------
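
Added example, not part of the original message or of any reply in the thread: one way to write the form login check so that the form input is passed as a query parameter instead of being placed inside the SQL string, and so that the row count is checked before fetching (asking for row 0 of an empty result is what produces the "Unable to jump to row 0" warning). Assumptions: PHP 5.5 or later with the pgsql extension, a hypothetical PG_CONNSTR environment variable holding the connection string, and a password column that stores password_hash() output rather than the plaintext used in the thread; check_login is a name introduced here.

```php
<?php
// Added example, not code from the thread.
// Assumptions: PHP >= 5.5 with the pgsql extension; PG_CONNSTR is a
// hypothetical environment variable holding the connection string; the
// password column stores password_hash() output rather than plaintext.

function check_login($db, $user, $pass)
{
    // $1 is sent separately from the SQL text, so quotes in the form
    // input cannot change the query.
    $result = pg_query_params(
        $db,
        'SELECT password FROM PatPerInfo WHERE trim(username) = $1',
        array(trim($user))
    );
    if ($result === false) {
        return false;               // query error: deny
    }

    // Count rows before fetching. Asking for row 0 of an empty result is
    // what raises "Unable to jump to row 0".
    if (pg_num_rows($result) !== 1) {
        return false;               // unknown user, or duplicate usernames
    }

    $row = pg_fetch_assoc($result);
    // trim() removes the padding a char(n) column adds to the stored hash.
    return password_verify($pass, trim($row['password']));
}

$db = pg_connect(getenv('PG_CONNSTR'));
if (!$db) {
    echo "Connection Failed<BR>";
    exit;                           // do not go on to use a failed connection
}

// Field names are the ones used by the form in the message above.
$user = isset($_POST['formusername']) ? $_POST['formusername'] : '';
$pass = isset($_POST['formpassword']) ? $_POST['formpassword'] : '';

print check_login($db, $user, $pass) ? "Successful Login\n" : "Access Denied\n";
pg_close($db);
?>
```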