RE: [PHP-DB] User authentication and redirect

2005-07-15 Thread Vinny Lape
I think I need to explain my question better.

I have a db and the table contains 4 fields uid(pk) username password
location
 I can authenticate the user / pass properly. The problem I am having is
getting the information from field location and defining it as $location so
I can do the following: (when I make $redirectLoginSuccess = example.php
all works fine)
snip
$redirectLoginSuccess = $location;
$redirectLoginFailed = ../index.php;
/snip

snip
}
header(Location:  . $redirectLoginSuccess );
  }
  else {
header(Location: . $redirectLoginFailed );
/snip

Here is where I query the db
snip
$LoginRS__query=sprintf(SELECT username, password FROM webauth WHERE
username='%s' AND password='%s',
get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
get_magic_quotes_gpc() ? $password : addslashes($password));
  $LoginRS = mysql_query($LoginRS__query, $mysql) or die(mysql_error());
/snip
On the landing page im using this for security:
?php
session_start();
$MM_authorizedUsers = ;
$MM_donotCheckaccess = true;

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 

  // When a visitor has logged into this site, the Session variable
MM_Username set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session
variable is blank. 
  if (!empty($UserName)) { 
// Besides being logged in, you may restrict access to only certain
users based on an ID established when they login. 
// Parse the strings into arrays. 
$arrUsers = Explode(,, $strUsers); 
$arrGroups = Explode(,, $strGroups); 
if (in_array($UserName, $arrUsers)) { 
  $isValid = true; 
} 
// Or, you may restrict access to only certain users based on their
username. 
if (in_array($UserGroup, $arrGroups)) { 
  $isValid = true; 
} 
if (($strUsers == )  true) { 
  $isValid = true; 
} 
  } 
  return $isValid; 
}

$MM_restrictGoTo = ../index.php;
if (!((isset($_SESSION['MM_Username'])) 
(isAuthorized(,$MM_authorizedUsers, $_SESSION['MM_Username'],
$_SESSION['MM_UserGroup'] {   
  $MM_qsChar = ?;
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, ?)) $MM_qsChar = ;
  if (isset($QUERY_STRING)  strlen($QUERY_STRING)  0) 
  $MM_referrer .= ? . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . accesscheck= .
urlencode($MM_referrer);
  header(Location: . $MM_restrictGoTo); 
  exit;
}
?
-Original Message-
From: Ahmed Saad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 14, 2005 8:34 AM
To: Vinny Lape
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] User authentication and redirect

hi Vinny,

On 7/13/05, Vinny Lape [EMAIL PROTECTED] wrote:
 If user validates then look at db entry location then redirect to
 mydomain.com/location/index.php

i don't think it's a good idea. what if the user bookmarked or took
down a notice with the URL to your secured page
(mydomain.com/location/index.php)? then he would just type the url
heading directly for the bypassing your login page! i think u might
want to put the user authorization code in your index php or even
better put it in a file and require() that file at the top of of any
page u want to protect. you can either use sessions or plain HTTP
authentication  (which is not a very good idea).

-ahmed

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP-DB] User authentication and redirect

2005-07-15 Thread Bastien Koert

I can't see why you simply dont do this


if ($LoginSuccessful)
{
 $location = ;
}else{
 $location = ../index.php;
}
header(location=$location);

If i don't have the solution, perhaps I am misunderstanding the problem

Bastien



From: Vinny Lape [EMAIL PROTECTED]
To: php-db@lists.php.net
Subject: RE: [PHP-DB] User authentication and redirect
Date: Fri, 15 Jul 2005 09:01:52 -0400

I think I need to explain my question better.

I have a db and the table contains 4 fields uid(pk) username password
location
 I can authenticate the user / pass properly. The problem I am having is
getting the information from field location and defining it as $location so
I can do the following: (when I make $redirectLoginSuccess = example.php
all works fine)
snip
$redirectLoginSuccess = $location;
$redirectLoginFailed = ../index.php;
/snip

snip
}
header(Location:  . $redirectLoginSuccess );
  }
  else {
header(Location: . $redirectLoginFailed );
/snip

Here is where I query the db
snip
$LoginRS__query=sprintf(SELECT username, password FROM webauth WHERE
username='%s' AND password='%s',
get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
get_magic_quotes_gpc() ? $password : addslashes($password));
  $LoginRS = mysql_query($LoginRS__query, $mysql) or die(mysql_error());
/snip
On the landing page im using this for security:
?php
session_start();
$MM_authorizedUsers = ;
$MM_donotCheckaccess = true;

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable
MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session
variable is blank.
  if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain
users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(,, $strUsers);
$arrGroups = Explode(,, $strGroups);
if (in_array($UserName, $arrUsers)) {
  $isValid = true;
}
// Or, you may restrict access to only certain users based on their
username.
if (in_array($UserGroup, $arrGroups)) {
  $isValid = true;
}
if (($strUsers == )  true) {
  $isValid = true;
}
  }
  return $isValid;
}

$MM_restrictGoTo = ../index.php;
if (!((isset($_SESSION['MM_Username'])) 
(isAuthorized(,$MM_authorizedUsers, $_SESSION['MM_Username'],
$_SESSION['MM_UserGroup'] {
  $MM_qsChar = ?;
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, ?)) $MM_qsChar = ;
  if (isset($QUERY_STRING)  strlen($QUERY_STRING)  0)
  $MM_referrer .= ? . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . accesscheck= .
urlencode($MM_referrer);
  header(Location: . $MM_restrictGoTo);
  exit;
}
?
-Original Message-
From: Ahmed Saad [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 14, 2005 8:34 AM
To: Vinny Lape
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] User authentication and redirect

hi Vinny,

On 7/13/05, Vinny Lape [EMAIL PROTECTED] wrote:
 If user validates then look at db entry location then redirect to
 mydomain.com/location/index.php

i don't think it's a good idea. what if the user bookmarked or took
down a notice with the URL to your secured page
(mydomain.com/location/index.php)? then he would just type the url
heading directly for the bypassing your login page! i think u might
want to put the user authorization code in your index php or even
better put it in a file and require() that file at the top of of any
page u want to protect. you can either use sessions or plain HTTP
authentication  (which is not a very good idea).

-ahmed

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] User authentication and redirect

2005-07-15 Thread Thomas Dodson

Bastien Koert wrote:


I can't see why you simply dont do this


if ($LoginSuccessful)
{
 $location = ;
}else{
 $location = ../index.php;
}
header(location=$location);

If i don't have the solution, perhaps I am misunderstanding the problem

Bastien



From: Vinny Lape [EMAIL PROTECTED]
To: php-db@lists.php.net
Subject: RE: [PHP-DB] User authentication and redirect
Date: Fri, 15 Jul 2005 09:01:52 -0400

I think I need to explain my question better.

I have a db and the table contains 4 fields uid(pk) username password
location
 I can authenticate the user / pass properly. The problem I am having is
getting the information from field location and defining it as 
$location so
I can do the following: (when I make $redirectLoginSuccess = 
example.php

all works fine)
snip
$redirectLoginSuccess = $location;
$redirectLoginFailed = ../index.php;
/snip

snip
}
header(Location:  . $redirectLoginSuccess );
  }
  else {
header(Location: . $redirectLoginFailed );
/snip

Here is where I query the db
snip
$LoginRS__query=sprintf(SELECT username, password FROM webauth WHERE
username='%s' AND password='%s',
get_magic_quotes_gpc() ? $loginUsername : 
addslashes($loginUsername),

get_magic_quotes_gpc() ? $password : addslashes($password));
  $LoginRS = mysql_query($LoginRS__query, $mysql) or die(mysql_error());
/snip
On the landing page im using this for security:
?php
session_start();
$MM_authorizedUsers = ;
$MM_donotCheckaccess = true;

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable
MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session
variable is blank.
  if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain
users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(,, $strUsers);
$arrGroups = Explode(,, $strGroups);
if (in_array($UserName, $arrUsers)) {
  $isValid = true;
}
// Or, you may restrict access to only certain users based on their
username.
if (in_array($UserGroup, $arrGroups)) {
  $isValid = true;
}
if (($strUsers == )  true) {
  $isValid = true;
}
  }
  return $isValid;
}

$MM_restrictGoTo = ../index.php;
if (!((isset($_SESSION['MM_Username'])) 
(isAuthorized(,$MM_authorizedUsers, $_SESSION['MM_Username'],
$_SESSION['MM_UserGroup'] {
  $MM_qsChar = ?;
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, ?)) $MM_qsChar = ;
  if (isset($QUERY_STRING)  strlen($QUERY_STRING)  0)
  $MM_referrer .= ? . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . accesscheck= .
urlencode($MM_referrer);
  header(Location: . $MM_restrictGoTo);
  exit;
}
?
-Original Message-
From: Ahmed Saad [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 14, 2005 8:34 AM
To: Vinny Lape
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] User authentication and redirect

hi Vinny,

On 7/13/05, Vinny Lape [EMAIL PROTECTED] wrote:
 If user validates then look at db entry location then redirect to
 mydomain.com/location/index.php

i don't think it's a good idea. what if the user bookmarked or took
down a notice with the URL to your secured page
(mydomain.com/location/index.php)? then he would just type the url
heading directly for the bypassing your login page! i think u might
want to put the user authorization code in your index php or even
better put it in a file and require() that file at the top of of any
page u want to protect. you can either use sessions or plain HTTP
authentication  (which is not a very good idea).

-ahmed

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



you shouldn't do that (in my opinion) because of the following scenario: 
Bob needs access from a shared terminal. Bob puts in his (authorized) 
login information, and then bookmarks the resulting page. Fred comes 
along. Fred is not authorized to access the database. Fred follows the 
link out of curiosity, finds sensitive information, and either deletes 
it all, sells it to a competitor, or otherwise screws with it because he 
is bitter that he is being severly underpaid, all using either Bob's 
session information, or no session information, depending on how the 
session is set to expire. The best option is to put the login and login 
check functions in a file, include that file at the beginning of all 
your scripts which need access control, and then put the following code 
at the beginning of the script:


if(login_check($user, $pass)
{
  //allow access, main script body here
}
else
{
  //deny access
  echo you

Re: [PHP-DB] User authentication and redirect

2005-07-14 Thread Ahmed Saad
hi Vinny,

On 7/13/05, Vinny Lape [EMAIL PROTECTED] wrote:
 If user validates then look at db entry location then redirect to
 mydomain.com/location/index.php

i don't think it's a good idea. what if the user bookmarked or took
down a notice with the URL to your secured page
(mydomain.com/location/index.php)? then he would just type the url
heading directly for the bypassing your login page! i think u might
want to put the user authorization code in your index php or even
better put it in a file and require() that file at the top of of any
page u want to protect. you can either use sessions or plain HTTP
authentication  (which is not a very good idea).

-ahmed

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] User authentication and redirect

2005-07-14 Thread Thomas Dodson

Ahmed Saad wrote:


hi Vinny,

On 7/13/05, Vinny Lape [EMAIL PROTECTED] wrote:
 


If user validates then look at db entry location then redirect to
mydomain.com/location/index.php
   



i don't think it's a good idea. what if the user bookmarked or took
down a notice with the URL to your secured page
(mydomain.com/location/index.php)? then he would just type the url
heading directly for the bypassing your login page! i think u might
want to put the user authorization code in your index php or even
better put it in a file and require() that file at the top of of any
page u want to protect. you can either use sessions or plain HTTP
authentication  (which is not a very good idea).

-ahmed

 


perhaps if i had read the original message more carefully...
here are some functions for session based authentication that i use for 
one of my projects...they probably aren't as secure as they could be, im 
relatively new to scripting languages.


?php
   #this file should be in the include directory (include_path from 
php.ini), or the same directory as the functions which include it.

   #be sure to check file permissions if it doesnt work correctly!
   #This script assumes a database named DATABASE, and that user data 
is stored in a table called users, with (at least) fields user, 
password, and email. The password column must be char(32) type to accept 
the encrypted pwd

   #Thomas Dodson   [EMAIL PROTECTED]   24 May 2005

   function db_connect()
   {
   #connect to MySQL
   $link = mysql_connect('HOST', 'USER','PWD') or die('Could not 
connect: ' . mysql_error());

   #select database
   mysql_select_db('DATABASE') or die('Could not select database');

   return $link;
   }

   function encrypt($string) #hash then encrypt a string. the password 
column in the db must be CHAR(32) type

   {
   $crypted = crypt(md5($string), md5($string));
   return $crypted;
   }

   function login($user, $password) #this logs in the user by checking 
the name and pwd against the database. it returns true and writes the
   { #proper session variables if the 
user/pwd combo matches, otherwise it returns false. do NOT use this script
#to check the session variables for 
authorization, i wrote login_check() to do that.

   $auth = false;

   $link = db_connect();
   $result = mysql_query(SELECT password FROM users WHERE user = 
'$user', $link);

   $row = mysql_fetch_array($result, MYSQL_ASSOC);
   $pass = $row['password'];
   mysql_free_result($result);
   mysql_close($link);

   if ($pass === (Encrypt($password)))
   {
   session_start();
   $_SESSION['userid'] = $user;
   $_SESSION['pwd'] = $pass;
   $auth = true;
   }
   return $auth;
   }

   function login_check($user, $password) #this checks to make sure a 
user is logged in. if the user/pwd combo in the session var matches
   {   #the table entry, it returns 
true, otherwise it returns false. it does NOT write any session variables,
  #so use this script and NOT 
login() to check authorization

   $auth = false;
  
   if(!$user || !$password)

   {
   return $auth;
   }

   $link = db_connect();
   $result = mysql_query(SELECT password FROM users WHERE user = 
'$user', $link);

   $row = mysql_fetch_array($result, MYSQL_ASSOC);
   $pass = $row[password];
   mysql_free_result($result);
   mysql_close($link);

   if ($pass === $password)
   {
   $auth = true;
   }
   return $auth;
   }

   function write_log($string) #adds a datestamp and writes to logfile 
in /var/log. the owner of the file SL.log must be the same as the
   {#the user running the apache process 
(usually www-data)

   $string = ' ' . $string . \n;
   $filehandle = fopen('/var/log/SL.log', 'a');
   fwrite($filehandle, date('d M H:i:s')); #write date in format: 
01 Jun 23:01:01

   fwrite($filehandle, $string); #write log entry
   fclose($filehandle);
   }

   function calcElapsedTime($time) #returns elapsed time in seconds
   {

   $diff = time()-$time;
   $daysDiff = 0;
   $hrsDiff = 0;
   $minsDiff = 0;
   $secsDiff = 0;
  
   $sec_in_a_day = 60*60*24;


   while($diff = $sec_in_a_day)
   {
   $daysDiff++; $diff -= $sec_in_a_day;
   }
   $sec_in_an_hour = 60*60;
  
   while($diff = $sec_in_an_hour)

   {
   $hrsDiff++;
   $diff -= $sec_in_an_hour;
   }

   $sec_in_a_min = 60;

   while($diff = $sec_in_a_min)
   {
   $minsDiff++;
   $diff -= $sec_in_a_min;
   }

   $secsDiff = $diff;

   return ($minsDiff.' minute'.(($minsDiff  1) ? s : ).', 
'.$secsDiff.' second'.(($secsDiff  1) ? s : ));


   /*
   #this code 

Re: [PHP-DB] User authentication and redirect

2005-07-13 Thread Micah Stevens

if (authorized($user)) {
header(Location: http://mydomain.com/$user/index.php;);
}




On Wednesday 13 July 2005 1:13 pm, Vinny Lape wrote:
 I am trying to make a login script that will check a mysql db for usernme,
 password and location.
 If user validates then look at db entry location then redirect to
 mydomain.com/location/index.php

 Anyone have an idea about this?

 Thanks
 Vinny

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] User authentication and redirect

2005-07-13 Thread Alain Rivest

Vinny Lape a écrit :


I am trying to make a login script that will check a mysql db for usernme,
password and location.
If user validates then look at db entry location then redirect to
mydomain.com/location/index.php

Anyone have an idea about this?

 


header(Location: /somewhere/index.php) ;


--

Alain -- http://www.vivahate.org

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] User Authentication

2004-02-27 Thread Erwin Kerk
Craig Hoffman wrote:

  $result = (select user_id password FROM users WHERE 
username='$username' AND password=md5('$password'));
password is a reserved word. try this instead:

$result = (select user_id password FROM users WHERE 
username='$username' AND `password`=md5('$password'));

Erwin Kerk
Web Developer
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP-DB] User Authentication

2004-02-27 Thread Peter Beckman
Try fixing your SQL:

$result = (select user_id, password FROM users WHERE username='$username'...

You forgot a comma between user_id and password.

On Fri, 27 Feb 2004, Craig Hoffman wrote:

// check if username
$result = (select user_id password FROM users WHERE
 username='$username' AND password=md5('$password'));

---
Peter Beckman  Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] User Authentication

2004-02-27 Thread Erwin Kerk
Peter Beckman wrote:

Try fixing your SQL:

$result = (select user_id, password FROM users WHERE username='$username'...

You forgot a comma between user_id and password.
Yup, that too. Oops, missed it too.

Erwin Kerk
Web Developer
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP-DB] User Authentication

2004-02-27 Thread Jason Wong
On Friday 27 February 2004 22:26, Craig Hoffman wrote:

 I could use some help here.  I have a script that checks a user name
 and password against the MySQL DB.  I have it set as a function so I
 included/require it on the page.  Here is the script:

[snip]

 When I change the return false to return true in the first script
 (login) it authenticates, but logs any one in.  Not good. Does anyone
 have any ideas or suggestions?

You aren't actually performing any queries -- you're missing a mysql_query().

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
--
/*
The average girl would rather have beauty than brains because she knows
that the average man can see much better than he can think.
-- Ladies' Home Journal
*/

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] User Authentication

2004-02-27 Thread Erwin Kerk
Jason Wong wrote:

You aren't actually performing any queries -- you're missing a mysql_query().

Ah. Did i mis that too? Unbelievable



Erwin Kerk
Web Developer
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP-DB] User Authentication

2004-02-27 Thread Craig Hoffman
Thanks - I can't believe I missed that.  :(

Craig
__
Craig Hoffman - eClimb Media
v: (847) 644 - 8914
f: (847) 866 - 1946
e: [EMAIL PROTECTED]
w: www.eclimbmedia.com
_
On Feb 27, 2004, at 8:34 AM, Jason Wong wrote:
On Friday 27 February 2004 22:26, Craig Hoffman wrote:

I could use some help here.  I have a script that checks a user name
and password against the MySQL DB.  I have it set as a function so I
included/require it on the page.  Here is the script:
[snip]

When I change the return false to return true in the first script
(login) it authenticates, but logs any one in.  Not good. Does anyone
have any ideas or suggestions?
You aren't actually performing any queries -- you're missing a 
mysql_query().

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
--
/*
The average girl would rather have beauty than brains because she knows
that the average man can see much better than he can think.
-- Ladies' Home Journal
*/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP-DB] User Authentication

2004-02-27 Thread Jason Wong
On Friday 27 February 2004 22:42, Craig Hoffman wrote:
 Thanks - I can't believe I missed that.  :(

And I'm sure you'll want to stick in a mysql_error() as well.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
--
/*
Write yourself a threatening letter and pen a defiant reply.
*/

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php