Rank And File - PHP

Now, if you look closely at the HTML markup on the previous page, you'll see that the form references the script "login.php". This PHP script actually performs the task of validating the user information entered into the form against an external source. In this case, the external source is the system's "/etc/passwd" file.

Here's the script which performs the validation:

<?
// login.php - performs validation 
// authenticate using form variables
$status = authenticate($f_user, $f_pass);
// if  user/pass combination is correct
if ($status == 1)
{
// initiate a session
session_start();
// register some session variables
session_register("SESSION");
// including the username
session_register("SESSION_UNAME");
$SESSION_UNAME = $f_user;
// redirect to protected page
header("Location: /inner.sanctum.php");
exit();
}
else
// user/pass check failed
{
// redirect to error page
header("Location: /error.php?e=$status");
exit();
}
// authenticate username/password against /etc/passwd
// returns: -1 if user does not exist
//           0 if user exists but password is incorrect
//           1 if username and password are correct
function authenticate($user, $pass)
{
$result = -1;
// make sure that the script has permission to read this file!
$data = file("passwd");
// iterate through file
foreach ($data as $line)
{
$arr = explode(":", $line);
// if username matches
// test password
if ($arr[0] == $user)
{
// get salt and crypt()
$salt = substr($arr[1], 0, 2);
// if match, user/pass combination is correct
// return 1
if ($arr[1] == crypt($pass, $salt))
{
$result = 1;
break;
}
// otherwise return 0
else
{
$result = 0;
break;
}
}
}
// return value
return $result;
}
?>

Pay special attention to the authenticate() function, which forms the core of the script above. This is the function that actually does the hard work of accepting a username/password combo, iterating through the password file, crypt()-ing and matching the user's input against the encrypted data in the file, and finally returning a result code based on the results of the comparison.

In case you're wondering about the actual mechanics of the validation, it's fairly simple. The authenticate() reads the system's password file ("/etc/passwd" here), looks for a line beginning with the specified username, and extracts the first two letters of the corresponding encrypted password string. These two characters serve as the "salt" for the encryption process.

Next, the cleartext password is encrypted with PHP's crypt() function and the extracted "salt", with the result checked against the encrypted value in the password file. If the two match, it implies that the supplied password was correct; if they don't, it implies that the password was wrong. Either way, the result of this authentication procedure is then returned to the caller via a result code.

Assuming that the user has been successfully authenticated, a PHP session is instantiated via the session_start() function, and some session variables are registered. These session variables remain active for the duration of the user's visit to the site. In the example above, I've registered $SESSION (a flag variable to indicate that a session is active) and $SESSION_UNAME (the user's account username) as session variables

Note also that I have found it a good practice to capitalize session variable names, so as to distinguish them from the local variables found in individual script. Again, this is a personal quirk - feel free to ignore it if you think it's stupid.

Once all the session variables have been set up, the browser is redirected to the protected page, "inner.sanctum.php". We'll look at that, and also at the error handler "error.php" shortly - but first, let's look at an alternative scenario, which uses a database for user validation.

>>> More PHP Articles          >>> More By The Disenchanted Developer, (c) Melonfire

blog comments powered by Disqus