  1. #1
    wyte raven, SitePoint Enthusiast (joined Feb 2007; England, High Wycombe Bucks; 76 posts)

    Admin Sign-in (authentication)

    Hi everyone.

    I have created a very simple authentication system for a friend's website. She basically wants a photo album, where admins (including herself and friends) can upload photos, descriptions and captions to her photo gallery. I'm still working on the authentication system; I've managed to secure the admin page with a password and username pulled from the MySQL database. The table I have holds ids, names, emails, usernames and passwords.

    Can someone tell me what this code actually does:

    PHP Code:
    $moderators = @mysql_query('SELECT id, name, email, username, pass FROM moderator');

    // For each row of this table, escape database data and store it in the empty array $html
    while ($moderator = mysql_fetch_array($moderators)) {
        $html['id'] = htmlentities($moderator['id'], ENT_QUOTES, 'UTF-8');
        $html['name'] = htmlentities($moderator['name'], ENT_QUOTES, 'UTF-8');
        $html['email'] = htmlentities($moderator['email'], ENT_QUOTES, 'UTF-8');
        $html['username'] = htmlentities($moderator['username'], ENT_QUOTES, 'UTF-8');
        $html['pass'] = htmlentities($moderator['pass'], ENT_QUOTES, 'UTF-8');
    }
    Basically I was under the impression that this would search through the moderator table, looking under all fields, until every row was exhausted. Can someone please tell me why, when I am presented with the login screen, I can only ever sign in with one of the entries in the database?

    I have two entries in there, two user accounts, and I can display them both in the edit moderator page, but I can't seem to log in with both user1 and user2. For example, I could sign in as user1 but not user2. If I changed the order of the code a little, I could then sign in as user2 but not user1. I need the design to be flexible, so that I could sign in as any user, so that all passwords are associated with their users.

    Also, only two users will have access to the high levels in the admin, for example editing who moderates and what albums will appear in the site.
    Have I structured this wrong?

    Do I need some other kind of loop within this while clause? Or do I need to step back and think of another alternative?

    Thanks in advance guys, any help is much appreciated.
    Wyte R@ven - Creator of the Rift

  2. #2
    Jake Arkinstall, Theoretical Physics Student, bronze trophy (joined May 2006; Lancaster University, UK; 7,062 posts)
    That's because you're re-assigning the values to the same variable. For example, every time the code loops, it's resetting $html['id'] to the new one.

    Can you show me the rest of the code? I'll fix it up for you.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  3. #3
    wyte raven
    Thanks for the reply mate... you're still on here! How are you doing?

    Yes, I'll show you the rest of the code. Please forgive me if it looks complicated; I've followed a few tutorials from different books, and I'm still learning this process myself, trying to build a secure application that can be updated. I may be failing miserably lol

    Ok basically this system uses some other includes. Firstly you have the admin page admin.php:

    PHP Code:
    <?php require './phpincludes/secure.inc.php'; ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
        <title>Untitled Document</title>
      </head>
      <body>
        <h1>Admin Section</h1>
        <?php echo '<p>Hello ' . ADMIN_NAME . '</p>'; ?>
        <p>What would you like to do?</p>
        <ul>
          <?php if (ADMIN_ID == "1" or ADMIN_ID == "2") { ?>
          <li><a href="edit_mods.php" title="Add, edit and delete moderators">Edit Moderators</a></li>
          <li><a href="edit_albums.php" title="Add, edit and delete albums">Edit Albums</a></li>
          <?php } ?>
          <li><a href="upload_new.php" title="Upload a new photo">Upload a photo</a></li>
          <li><a href="admin_gallery.php" title="Edit the viewable gallery">Edit the gallery</a></li>
        </ul>
        <!-- PHP_SELF is attacker-influenced (it echoes the request path), so it is escaped before output -->
        <p>Not<?php echo ' <strong>' . ADMIN_NAME . '</strong>? '; ?><a href="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>?logout=1">Logout</a></p>
      </body>
    </html>
    I was hoping that I could have user IDs 1 and 2 with a higher level of access.

    To have admin.php secure (requiring a username and password) it requires secure.inc.php:

    PHP Code:
    <?php
    // This include will make any page it's attached to secure (requiring authorisation to view content)
    // It makes sure a login form is displayed if the current user is not already logged in
    require_once 'access.inc.php';
    if (!loggedIn()) {
      include 'login.inc.php';
      exit;
    }
    ?>
    This in turn needs access.inc.php:

    PHP Code:
    <?php
    // This include will determine the current state of the user to see if they are logged in or out; it's set inside a session variable
    require_once 'modconfig.inc.php';

    session_start();

    // Our defined function to determine if user is logged in
    function loggedIn()
    {
      return isset($_SESSION['authorised']);
    }

    // Process login attempt
    if (isset($_POST['username'])) {
      if ($_POST['username'] == ADMIN_USER and $_POST['password'] == ADMIN_PASS) {
        $_SESSION['authorised'] = TRUE;
      }
    }

    // Process logout
    if (isset($_REQUEST['logout'])) {
      unset($_SESSION['authorised']);
    }
    ?>
    This then calls modconfig.inc.php:

    PHP Code:
    <?php
    // This include will deal with all moderator/administrator sensitive data
    require_once 'dbcnx.inc.php';

    // Initialise $clean as a new array, so we know data stored within from now on has been filtered
    $clean = array();

    // Initialise $html as a new array, so we know data stored within from now on has been escaped
    $html = array();

    $moderators = @mysql_query('SELECT id, name, email, username, pass FROM moderator');

    // For each row of this table, escape database data and store it in the empty array $html
    // NB: every pass of the loop writes the same five keys, so after the loop $html only holds the last row
    while ($moderator = mysql_fetch_array($moderators)) {
      $html['id'] = htmlentities($moderator['id'], ENT_QUOTES, 'UTF-8');
      $html['name'] = htmlentities($moderator['name'], ENT_QUOTES, 'UTF-8');
      $html['email'] = htmlentities($moderator['email'], ENT_QUOTES, 'UTF-8');
      $html['username'] = htmlentities($moderator['username'], ENT_QUOTES, 'UTF-8');
      $html['pass'] = htmlentities($moderator['pass'], ENT_QUOTES, 'UTF-8');
    }

    // Escaped data in $html array is assigned to these constants for easy output throughout the script
    define('ADMIN_ID', $html['id']);
    define('ADMIN_NAME', $html['name']);
    define('ADMIN_EMAIL', $html['email']);
    define('ADMIN_USER', $html['username']);
    define('ADMIN_PASS', $html['pass']);
    ?>
    Which finally calls the database connection file dbcnx.inc.php:

    PHP Code:
    <?php
    // This include handles all connection to the database
    // Connect to the database or display an error accordingly
    $dbcnx = @mysql_connect('localhost', 'database', 'password');
    if (!$dbcnx) {
      exit('<p>Unable to connect to the database server at this time.</p>');
    }

    // Select database to use or display error accordingly
    if (!@mysql_select_db('database', $dbcnx)) {
      exit('<p>Unable to locate the database at this time.</p>');
    }
    ?>
    If a page has the attached secure.inc.php file it will prompt the user with this login form, via login.inc.php:

    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
        <title>Untitled Document</title>
      </head>
      <body>
          <!-- PHP_SELF echoes the request path, so it is escaped to keep script out of the action attribute -->
          <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
            <fieldset>
              <legend>Login Details</legend>
              <ol>
                <li>
                  <label for="username">Username:</label>
                  <input type="text" name="username" id="username" />
                </li>
                <li>
                  <label for="password">Password:</label>
                  <!-- type="password" so the value is masked on screen and not kept in the browser's form history -->
                  <input type="password" name="password" id="password" />
                </li>
                <input type="submit" value="Log In" />
              </ol>
            </fieldset>
          </form>
      </body>
    </html>
    I'm still learning the basics of PHP and Mysql, so any further advice is very much appreciated. I'm trying to learn about filtering and escaping data to prevent certain security risks. Also, another problem I face is that my host will not allow me to create a folder outside of root, which means I've had to password protect a directory using .htaccess.

    Is there a better way I could write this using fewer files? Will it still be considered a secure option, with the ability to update it easily?

    Thanks in advance, your help is much appreciated.
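The table described above keeps each moderator's password in the `pass` column as plaintext and the login compares it with `==`, so anyone who can read the table (a backup, a SQL injection elsewhere, the hosting control panel) has every account. The following is an added example, not code from this thread: an edit_mods.php-style account creation page that stores `password_hash()` output instead, plus a one-off migration for rows that still hold plaintext. It assumes the thread's `moderator` table (id, name, email, username, pass) with two assumed schema changes, a wider `pass` column and a `role` column to replace the hard-coded check for ids 1 and 2; the DSN and credentials are placeholders.

```php
<?php
// add_moderator.php: account creation for the photo-album admin.
// Added example, not code from the thread. Assumes the thread's
// `moderator` table (id, name, email, username, pass) with two assumed changes:
//   ALTER TABLE moderator MODIFY pass VARCHAR(255) NOT NULL;
//   ALTER TABLE moderator ADD COLUMN role VARCHAR(16) NOT NULL DEFAULT 'mod';
// The DSN and credentials below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=database;charset=utf8mb4',
        'database',
        'password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Insert a moderator. The password is hashed with PHP's current default
// algorithm (bcrypt at the time of writing); the plaintext never reaches
// the database. Returns the new row id.
function addModerator(PDO $db, string $name, string $email, string $username,
                      string $password, string $role = 'mod'): int
{
    if (!in_array($role, ['admin', 'mod'], true)) {
        throw new InvalidArgumentException('role must be admin or mod');
    }
    if (strlen($password) < 12) {
        throw new InvalidArgumentException('password must be at least 12 characters');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    // Bound parameters: the values travel separately from the SQL text,
    // so a username like  x' OR '1'='1  is stored as an ordinary string.
    $stmt = $db->prepare(
        'INSERT INTO moderator (name, email, username, pass, role) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$name, $email, $username, password_hash($password, PASSWORD_DEFAULT), $role]);
    return (int) $db->lastInsertId();
}

// One-off migration: rehash every row whose `pass` is not already a
// password_hash() string. Run it once from the command line, then delete it.
// Returns the number of rows converted.
function migratePlaintextPasswords(PDO $db): int
{
    $rows = $db->query('SELECT id, pass FROM moderator')->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE moderator SET pass = ? WHERE id = ?');
    $converted = 0;
    foreach ($rows as $row) {
        // password_get_info() reports 'unknown' for anything that is not a hash it recognises
        if (password_get_info($row['pass'])['algoName'] !== 'unknown') {
            continue; // already hashed
        }
        $update->execute([password_hash($row['pass'], PASSWORD_DEFAULT), (int) $row['id']]);
        $converted++;
    }
    return $converted;
}

if (PHP_SAPI === 'cli') {
    $db = connect();
    printf("converted %d plaintext password(s)\n", migratePlaintextPasswords($db));
    // Example account; the values are made up for this example.
    $id = addModerator($db, 'Example Admin', 'admin@example.com', 'admin1',
                       'correct horse battery staple', 'admin');
    printf("created moderator id %d\n", $id);
}
```

Once every row holds a hash, the login side can no longer compare `pass` in SQL; it has to fetch the row by username and call `password_verify()` in PHP, and the migration function should be deleted so the plaintext-to-hash path cannot be run against a tampered table later.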

  4. #4
    Jake Arkinstall
    Hmmm...

    That code is strictly one-admin based. I'll do some modifications for you now.

  5. #5
    Jake Arkinstall
    Here you go:
    access.inc.php:
    PHP Code:
    <?php
    session_start();
    require_once 'dbcnx.inc.php';

    function loggedIn(){
        return isset($_SESSION['authorised']);
    }

    if (isset($_POST['username'], $_POST['password'])) {
        // Escape both values before they are spliced into the query; unescaped,
        // a username such as  x' OR '1'='1  rewrites the WHERE clause (SQL injection)
        $user = mysql_real_escape_string($_POST['username'], $dbcnx);
        $pass = mysql_real_escape_string($_POST['password'], $dbcnx);
        $moderators = mysql_query("SELECT * FROM `moderator` WHERE `username` = '".$user."' && `pass` = '".$pass."'"); //id, name, email, username, pass
        if ($row = mysql_fetch_array($moderators)) {
            $_SESSION['authorised'] = TRUE;
            $_SESSION['userid'] = $row['id'];
            $_SESSION['name'] = $row['name'];
            $_SESSION['email'] = $row['email'];
            $_SESSION['username'] = $row['username'];
            $_SESSION['password'] = $row['pass']; // not used by admin.php; safer to leave it out of the session
        }
    }
    if (isset($_REQUEST['logout'])) {
        unset($_SESSION['authorised']);
    }
    ?>
    admin.php:
    PHP Code:
    <?php
    require './phpincludes/secure.inc.php';
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
        <title>Admin Section</title>
      </head>
      <body>
        <h1>Admin Section</h1>
        <?php // the name comes from the database, so escape it on output ?>
        <?php echo '<p>Hello ' . htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8') . '</p>'; ?>
        <p>What would you like to do?</p>
        <ul>
          <?php if ($_SESSION['userid'] == "1" or $_SESSION['userid'] == "2") { ?>
          <li><a href="edit_mods.php" title="Add, edit and delete moderators">Edit Moderators</a></li>
          <li><a href="edit_albums.php" title="Add, edit and delete albums">Edit Albums</a></li>
          <?php } ?>
          <li><a href="upload_new.php" title="Upload a new photo">Upload a photo</a></li>
          <li><a href="admin_gallery.php" title="Edit the viewable gallery">Edit the gallery</a></li>
        </ul>
        <p>Not<?php echo ' <strong>' . htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8') . '</strong>? '; ?><a href="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>?logout=1">Logout</a></p>
      </body>
    </html>
    You won't need modconfig.inc.php.

    Keep a backup of the files you have, then change the above two files. I haven't tested it, but unless there's a syntax error, it will work.

  6. #6
    wyte raven
    Thanks mate, I'll alter the files and see what I get...

    I'll let you know

    Thanks

  7. #7
    wyte raven
    Thanks buddy, you've given me something that works that I can work with. With this I can better understand how sessions work. I'm most appreciative... I left you a little something.

  8. #8
    Jake Arkinstall
    Thanks