Filters and Login Systems for Web Application Security - Definition and Storage File (
Page 2 of 4 )
The file that defines and stores the functions has the following content:
<?
function userexist($username){
include('../config.inc');
$result=mysql_query("Select uname from users where uname='$username'") or die(mysql_error());
if(mysql_num_rows($result)>0)
return true;//username exist
else
return false;//username not in db
}
The first function, called userexist, is responsible for finding out whether a particular username already exists in the database. This function is used when a new user registers for our site or during the authentication process. The function takes only one argument. It returns a value of true or false.
function sendpass($user){
include("../config.inc");
$result =mysql_query("select pw from users where uname='$user'") or die(mysql_error());
if(mysql_num_rows($result)>0)
return true;//password exist
else
return false;//password not in db
}
The sendpass()function is used to determine whether the user password exists or matches a password that is stored in the database. The function takes only one argument. It returns a value of true or false.
function filledin($form_vars){
foreach($form_vars as $key=> $value)
{
if(!isset($key) || ($value == ''))
return false;
}
return true;
}
This is a handy function that checks to see if all the form variables have a value when submitted. It basically loops through all the form values and returns false if it is empty and true if it is not.
function changepw($name){
$query="select pw from users where uname='$name'" or die(mysql_error());
$result= mysql_query($query);
if(mysql_num_rows($result)>0){
for ($i=0; $i<mysql_num_rows($result); $i++) {
$row = mysql_fetch_assoc($result);
$pass=$row['pw'];
echo '
<center><form name="form1" method="post" action="forgotten.php">';
echo 'Please fill in the following:<br>';
echo ' <table width="445" border="0">';
echo ' <tr>
<td width="187"><div align="left">Old Password</div></td>
<td width="242"><input name="oldpass" type="text" size="40" value="'.$pass.'"></td>
</tr>
<tr>
<td><div align="left">New Password </div></td>
<td><input name="newpass" type="text" size="40"></td>
</tr>';
echo '</table>';
echo '<br>
<input name="submit" type="submit" value="Save">';
echo '</form>';
}
}
}
The changepw() function is responsible for enabling a user to change his or her password. The function presents the user with a form that takes two passwords, the old one and the new one. The new password is then submitted to a script called forgotten and processed there.
function update($newpass,$uname){
if(isset($_POST['submit'])){
//1. Check fields are filled in
if (!filledin($form_vars)){
echo "Please ensure that you have filled in ALL fields.";
exit;
}else{
$newpass=$_POST['newpass'];
}
include "config.inc";
$query="Update users SET pw='$newpass' Where uname=$uname Limit 1 ";
$result=mysql_query($query);
if(mysql_affected_rows()==1){
echo "Record number <b>$id</b> has been updated";
}else{
echo "Could not update record number <b>$id</b> because " .mysql_error() . "";
}
}
}
?>
The update function does exactly what the name suggests. It updates the user details. This function is used together with an HTML form that presents the user with her login details, such as name, surname and password etc. The user then changes the details to what they want and then submits the form.
/ 5 
