Cracking The Vault (part 1) - Start Me Up
(Page 6 of 12)
With the database design out of the way, it's time to actually start creating the scripts. We'll begin at the top, with the scripts that verify the user's password. Here's the initial login form, "start.html".
<form action="login.php" method="post">
<table border="0" cellspacing="5" cellpadding="5">
<tr>
<td>Username</td>
<td><input type="text" name="frmuser" size="15"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="frmpass" size="15"></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="submit" value="Enter"></td>
</tr>
</table>
</form>
Once the form is submitted, the data is processed by "login.php", which connects to the database to verify the username and password against the "user" table.
<?php
// includes
include("config.php");
// check login and password
// read the form fields explicitly rather than relying on register_globals
$frmuser = isset($_POST['frmuser']) ? $_POST['frmuser'] : '';
$frmpass = isset($_POST['frmpass']) ? $_POST['frmpass'] : '';
// connect and execute query (legacy mysql extension, as used throughout this series)
$connection = mysql_connect($hostname, $user, $pass) or die ("Unable to connect!");
// escape the form values before they are placed inside the query string
$frmuser = mysql_real_escape_string($frmuser, $connection);
$frmpass = mysql_real_escape_string($frmpass, $connection);
$query = "SELECT id, username, password FROM user WHERE username = '$frmuser' AND password = PASSWORD('$frmpass')";
$result = mysql_db_query($database, $query, $connection) or die ("Error in query: $query. " . mysql_error());
// if row exists - login/pass is correct
if (mysql_num_rows($result) == 1)
{
    // initiate a session
    session_start();
    // store the user's ID in the session as SESSION_UID
    list($id, $username, $password) = mysql_fetch_row($result);
    $_SESSION['SESSION_UID'] = $id;
    mysql_free_result($result);
    // close connection
    mysql_close($connection);
    // redirect to main page and stop; nothing should run after the redirect
    header("Location: out.php");
    exit;
}
else
// login/pass check failed
{
    mysql_free_result($result);
    mysql_close($connection);
    // redirect to error page
    header("Location: error.php?ec=0");
    exit;
}
?>
Assuming the username and password are correct, the script initiates a session and stores the user's ID in a session variable named SESSION_UID; this variable remains available throughout the session and is used by many of the subsequent scripts. The script then redirects the browser, via an HTTP Location header, to "out.php", which forms the main interface to the system.
A login failure will redirect the browser to the generic error handler, "error.php", with an error code indicating the type of error. I'll be using this error handler extensively, to handle the different types of errors possible.
It is important to note that calls to header() and session_start() must take place before *any* output is sent to the browser, because both of them send HTTP headers, and headers cannot follow the body. Even something as minor as whitespace or a carriage return outside the PHP tags counts as output, and can cause these calls to barf all over your script.
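As an added example (not code from the original article), here is the same login step written with PDO prepared statements and PHP's own password hashing, which keeps the form values out of the SQL text and replaces MySQL's PASSWORD() function; it assumes PHP 5.5 or later with the PDO MySQL driver, the config.php variables from this article, and a "password" column in the "user" table that holds password_hash() output rather than PASSWORD() values.

```php
<?php
// Hardened equivalent of login.php (added example, not the article's code).
// Assumes the user table's password column stores password_hash() output.
include("config.php");   // $database, $user, $pass, $hostname from the article

// sessions and redirects must start before any output, as the article warns
session_start();

// read the form fields explicitly; never rely on register_globals
$frmuser = isset($_POST['frmuser']) ? (string) $_POST['frmuser'] : '';
$frmpass = isset($_POST['frmpass']) ? (string) $_POST['frmpass'] : '';

try {
    $dsn = "mysql:host=$hostname;dbname=$database;charset=utf8mb4";
    $pdo = new PDO($dsn, $user, $pass, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ));
    // the username is bound as a parameter, so quotes or SQL keywords in it
    // are compared literally and cannot change the structure of the query
    $stmt = $pdo->prepare("SELECT id, password FROM user WHERE username = ?");
    $stmt->execute(array($frmuser));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no such user
} catch (PDOException $e) {
    // keep driver errors in the server log instead of echoing them to the client
    error_log("login.php: " . $e->getMessage());
    header("Location: error.php?ec=0");
    exit;
}

// verify against the stored hash; unknown user and wrong password take the
// same branch, so the two cases are indistinguishable from the browser
if ($row !== false && password_verify($frmpass, $row['password'])) {
    session_regenerate_id(true);               // fresh session ID after login
    $_SESSION['SESSION_UID'] = (int) $row['id'];
    header("Location: out.php");
    exit;                                      // nothing may run after a redirect
}

header("Location: error.php?ec=0");
exit;
```

When a user is created, the stored value must come from password_hash($plaintext, PASSWORD_DEFAULT) for password_verify() to succeed.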
Finally, the include()d file, "config.php", contains some useful variables - the database name, user name and password, together with the location of the data storage area and a list of allowed file types.
<?php
// database parameters
// alter this as per your configuration
$database = "db35378";
$user = "mark347";
$pass = "h23590f2";
$hostname = "localhost";
// location of file repository
// this should ideally be outside the Web server root
// make sure the server has permissions to read/write files!
$dataDir = "/data/";
// list of allowed file types
$allowedFileTypes = array("image/gif", "text/html", "text/plain", "image/jpeg", "image/pjpeg", "image/png");
?>
This article copyright Melonfire 2001. All rights reserved.
By Vikram Vaswani, (c) Melonfire