Heavy Iron - PHP

In the event that you want to validate user credentials against information in a database, rather than a file, it's fairly easy to modify the script on the previous page to work with this requirement. Let's assume that the user data is stored in a MySQL table, which looks like this:

mysql> select * from user;
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
|  1 | john     | 2ca0ede551581d29 |
|  2 | joe      | 7b57f28428847751 |
|  3 | tom      | 675bd1463e544441 |
|  4 | bill     | 656d52cb5d0c13cb |
+----+----------+------------------+
4 rows in set (0.16 sec)

This is a simple two-column table, with the unique usernames in one column and an encrypted password in the other. Now, when the user logs in, the information entered into the form needs to be validated against the information in this table.

Here's the modified "login.php" script:

<?
// login.php - performs validation 
// authenticate using form variables
$status = authenticate($f_user, $f_pass);
// if  user/pass combination is correct
if ($status == 1)
{
// initiate a session
session_start();
// register some session variables
session_register("SESSION");
// including the username
session_register("SESSION_UNAME");
$SESSION_UNAME = $f_user;
// redirect to protected page
header("Location: /inner.sanctum.php");
exit();
}
else
// user/pass check failed
{
// redirect to error page
header("Location: /error.php?e=$status");
exit();
}
// authenticate username/password against a database
// returns: 0 if username and password is incorrect
//          1 if username and password are correct
function authenticate($user, $pass)
{
// configuration variables
// normally these should be sourced from an external file
// for example: include("dbconfig.php");
// variables explicitly set here for illustrative purposes
$db_host = "localhost";
$db_user = "login_agent";
$db_pass = "secret";
$db_name = "system";
// check login and password
// connect and execute query
$connection = mysql_connect($db_host, $db_user, $db_pass) or die
("Unable to connect!");
$query = "SELECT id from user WHERE username = '$user' AND
password = PASSWORD('$pass')";
mysql_select_db($db_name);
$result = mysql_query($query, $connection) or die ("Error in
query: $query. " . mysql_error());
// if row exists -> user/pass combination is correct
if (mysql_num_rows($result) == 1)
{
return 1;
}
// user/pass combination is wrong
else
{
return 0;
}
}
?>

Most of the changes here are localized to the authenticate() function. In this case, rather than reading a text file, the function uses PHP's MySQL functions to connect to the database, execute a SELECT query, and verify whether or not the information entered by the user was correct. Based on the result code returned by the function, a decision can be taken whether to redirect the user to the protected page or to the error handler.

There's one important thing to note when performing this kind of authentication. From the security point of view, it's not a good idea to include the password field in the result set returned by the query. Rather, you should perform validation by using the password as a key (via the WHERE clause) within the SELECT query. If a match is found for that particular username/password combination, the returned record set will contain a single row; if no match is found, the record set will contain zero rows. Either way, it's possible to identify whether or not validation was successful, and return an appropriate result code, without ever passing any sensitive password information back and forth.

>>> More PHP Articles          >>> More By The Disenchanted Developer, (c) Melonfire

blog comments powered by Disqus