
Re: PHP Username & Password Detection From PSQL Database

From: "Yasmine Kedoo" <yazkedoo(at)hotmail(dot)com>
To: pgsql-php(at)postgresql(dot)org
Subject: Re: PHP Username & Password Detection From PSQL Database
Date: 2004-04-07 14:16:57
Message-ID: BAY14-F10I5GH9vCeqj0002e59b@hotmail.com
Lists: pgsql-php
Hi again.

After a recommendation, I have changed my approach and I'm now using an HTML 
form to accept the username and password.

Please view the following link: 
http://www.cyber.brad.ac.uk/~yamkedoo/Tests/brandnew.html

The username 'yamkedoo' and password 'yasmine' will give Successful Login. 
This works for all usernames and passwords in the database.

Though if a different password is used, Access Denied is printed as well as 
an error,  Warning: Unable to jump to row 0 on PostgreSQL result index 2 in 
/home/webpages/yamkedoo/Tests/brandnew.php on line 16, that I am unable to 
solve. This applies for all incorrect passwords. Please view my code:

<?php
	#Connects to the database
	$database = pg_Connect ("host=pgdbs.inf.brad.ac.uk dbname = yamkedoo user = yamkedoo password = yamkedoo");

	if(!$database)
	{
		echo "Connection Failed<BR>";
	}

	else
	{
		#assign formusername from html form to $auth_user
		#assign formpassword from html form to $auth_pass
		$auth_user = trim($formusername);
		$auth_pass = trim($formpassword);

		$query = "SELECT * FROM PatPerInfo WHERE trim(username) = '$auth_user' AND trim(password) = '$auth_pass'";
		$result = pg_exec($database, $query);
		$row = pg_fetch_object($result, $rw);

		if($row)
		{
			print "Successful Login\n";
		}

		else
		{
			print "Access Denied\n";
		}
	}

	pg_close($database);

?>

If anyone can spot any mistakes, I will welcome suggestions ;-)

Thanx




>From: Andrew McMillan <andrew(at)catalyst(dot)net(dot)nz>
>To: Yasmine Kedoo <yazkedoo(at)hotmail(dot)com>
>CC: pgsql-php(at)postgresql(dot)org
>Subject: Re: [PHP] PHP Username & Password Detection From PSQL Database
>Date: Wed, 07 Apr 2004 21:35:22 +1200
>
>On Wed, 2004-04-07 at 20:59, Yasmine Kedoo wrote:
> > Hi.
> >
> > I am just beginning to work with PHP & PSQL so forgive me if I make simple
> > mistakes. :-)
> >
> > I created my PSQL database via telnet on my university's database server. I
> > have no problems retrieving and displaying certain data using PHP, but I am
> > unable to recognise a username and password entered via a predefined
> > authentication variable, $PHP_AUTH_USER.
> >
> > The script must recognise the username: 'yamkedoo', and password: 'yasmine'.
> > In the database, the username & password columns are spelt exactly as:
> > 'username' & 'password'. The database name is 'yamkedoo', and the table name
> > is 'PatPerInfo', as can be seen from the following code:
>
>The example in the PHP manual is:
>
><?php
>   if (!isset($_SERVER['PHP_AUTH_USER'])) {
>     header('WWW-Authenticate: Basic realm="My Realm"');
>     header('HTTP/1.0 401 Unauthorized');
>     echo 'Text to send if user hits Cancel button';
>     exit;
>   } else {
>     echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
>     echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
>   }
>?>
>
>A couple of notes:
>
>1) You have <?PHP well down your page - you need this before the PHP
>starts (like in the example above).  Lowercase is also a lot more normal
>(although probably uppercase still works).
>
>2) The example above shows the syntax for more recent PHP versions, with
>some security features enabled (i.e. use of $_SERVER['PHP_AUTH_USER']
>rather than $PHP_AUTH_USER). Whether the older syntax you have used below
>will work will depend on how the installation was configured, to some
>extent, as well as the version you are using.
>
>
> >
> > if(!isset($PHP_AUTH_USER))
> > 		{
> > 			Header("WWW-Authenticate: Basic realm=\"Authentication\"");
> > 			Header( "HTTP/1.0 401 Unauthorized");
> >
> > 			echo "No Login\n";
> > 			exit;
> > 		}
> > 		else
> > 		{
> > 			echo "User: $PHP_AUTH_USER<BR>";
> > 			echo "Password: $PHP_AUTH_PW<BR>";
> > 		}
> > <?PHP
> > 	$database = pg_connect("host=pgdbs.inf.brad.ac.uk dbname=yamkedoo
> > user=yamkedoo password=yamkedoo");
> >
> > 		if(!$database)
> >      		{
> >         		print "Connection to database failed.";
> >      		}
> >
> > 		else
> >         	               {
> >         	               $selectquery = "SELECT * FROM PatPerInfo";
> >           	               $result = pg_exec($database, $selectquery);
> >
> > 		$maxrows = pg_numrows($result);
> >            		$maxfields = pg_numfields($result);
> >
> >           		for ($rw = 0; $rw < $maxrows; $rw++)
> >    	   		{
>
>Just as a suggestion you might want to consider:
>
>$row = pg_fetch_object($result, $rw);
>if ( trim($_SERVER['PHP_AUTH_USER']) == trim($row->username) &&
>            trim($_SERVER['PHP_AUTH_PW']) == trim($row->password) )
>{
>  ...
>
>Actually, though, you can get the database to do it:
>
>$auth_user = pg_escape_string(trim($_SERVER['PHP_AUTH_USER']));
>$auth_pass = pg_escape_string(trim($_SERVER['PHP_AUTH_PW']));
>$selectquery = "SELECT * FROM PatPerInfo
>    WHERE trim(username) = '$auth_user'
>      AND trim(password) = '$auth_pass'";
>
>$result = pg_exec( ...
>
>
>Doing it this way you can simply see if you got back exactly one row,
>and if you did then that should be the correct user record - no need for
>PHP to inefficiently loop through all of the table looking.
>
>
> >    				$username = pg_Result($result,$rw,0);
> > 				$password = pg_Result($result,$rw,1);
> >
>
>Aren't you missing a comparison on the line below?
>
> > 				if( trim($PHP_AUTH_USER) == trim($username) && (trim($PHP_AUTH_PW))
> > 				{
> > 		  		 	$auth = 1;
> > 				}
> >            		                 }
> >
> > 		     echo $auth;
> > 		}
> >
> >       		 if($auth==0)
> >      		 {
> >      			print "Access Denied<BR>\n";
> >      			exit;
> >      		 }
> >
> >
> > ?>
> >
> > After the username and password, i get the following error: Parse error:
> > parse error in /home/webpages/yamkedoo/Tests/referrals2.php on line 44.
> >
> > Please view the following link:
> > http://www.cyber.brad.ac.uk/~yamkedoo/Tests/referrals2.php to see what is
> > happening.
> > Only once has the authentication window appeared, and has not done so since.
> > It only gives the error as seen at the link.
>
>Once you have provided the correct credentials to basic auth, your web
>browser will repeatedly provide them each time until you exit the
>browser or cancel them.
>
>Most sites don't use Basic Authentication like the above - generally
>some form of session is maintained through URL rewriting or cookies
>since that allows a lot more control (and graphical design) fitting the
>login process more smoothly into the web page.
>
>Regards,
>					Andrew.
>
>-------------------------------------------------------------------------
>Andrew @ Catalyst .Net .NZ  Ltd,  PO Box 11-053,  Manners St,  Wellington
>WEB: http://catalyst.net.nz/             PHYS: Level 2, 150-154 Willis St
>DDI: +64(4)916-7201       MOB: +64(21)635-694      OFFICE: +64(4)499-2267
>                http://survey.net.nz/ - any more questions?
>-------------------------------------------------------------------------
>
>

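An added example, not part of the original post or the quoted reply: the login check from this thread written so that a wrong password produces an empty result that is counted rather than fetched, and so that the form values are passed as query parameters instead of being pasted into the SQL. The table, column and form field names are the ones in the thread; the PG_CONNINFO environment variable, the use of POST and the check_login() helper are assumptions made for the example, and it needs a reachable PostgreSQL database to run.

```php
<?php
// Added example, not the poster's script. Table, column and field names
// come from the thread; PG_CONNINFO and the use of POST are assumptions.

/** Returns true only when exactly one row matches the submitted pair. */
function check_login($db, string $user, string $pass): bool
{
    // $1 and $2 are sent separately from the SQL text, so a quote in a
    // submitted value cannot alter the query.
    $result = pg_query_params(
        $db,
        'SELECT 1 FROM PatPerInfo
          WHERE trim(username) = $1 AND trim(password) = $2',
        [trim($user), trim($pass)]
    );
    if ($result === false) {
        error_log('login query failed: ' . pg_last_error($db));
        return false;
    }
    // A wrong password yields an empty result set. Count the rows instead
    // of fetching row 0, which is what raises "Unable to jump to row 0".
    return pg_num_rows($result) === 1;
}

$db = pg_connect(getenv('PG_CONNINFO') ?: '');
if ($db === false) {
    http_response_code(500);
    exit("Connection Failed\n");
}

// Read the form fields explicitly instead of relying on register_globals.
$user = $_POST['formusername'] ?? '';
$pass = $_POST['formpassword'] ?? '';

if (is_string($user) && is_string($pass) && $user !== ''
    && check_login($db, $user, $pass)) {
    print "Successful Login\n";
} else {
    print "Access Denied\n";
}
pg_close($db);
```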

