All right then time for the second part in this article series.
If you’ve missed the previous post then you can find it HERE.
In this part it’s time for some actual coding, I’ll present the code for the secret.php file and will be discussing and pointing out important parts in the code later on.
First up is to set up the database, I’m not going to do anything fancy here, just make a simple one just for the purpose so you can test the code later on if you want to.
CREATE DATABASE auth;
USE auth;
CREATE TABLE users
(
name varchar(25) PRIMARY KEY,
password varchar(40)
);
inser INTO users VALUES
(
‘krillz’,
sha1(‘asdf’)
);
And now the PHP code:
/*
secret.php - holds the secret message
and the controll code.
*/
//Create short names for the POST var.
@ $name = $_POST[‘name’];
@ $pass = $_POST[‘password’];
if( !isset($_POST[‘name’]) || !isset($_POST[‘password’]) ){
//The visitor hasn’t logged in or forgot to fill one field.
//I’ll escape from php as we’ll be having alot of html
?>
<h1>You need to login!</h1>
<form method=“POST” action=“secret.php”>
<table>
<tr>
<th>Username:</th>
<td><input type=“text” name=“name” /></td>
</tr>
<tr>
<th>Password:</th>
<td><input type=“password” name=“password” /></td>
</tr>
<tr>
<td><input type=“submit” value=“Log me in!” /></td>
</tr>
</table>
</form>
<?php
}
else{
//connect to the MySQL server
@ $conn = new mysqli(‘localhost’, ‘username’, ‘password’, ‘database’);
//See if the connection was successfull
if(!$conn){
echo ‘Couldn\’t connect to the database’;
exit;
}
//Query the database to see if it’s a member
$result = $conn->query(“Select * from users where name = ‘$name’ and password = sha1(’$password’)”);
//check if any errors occured
if(!$result){
echo ‘The query couldn\’t be run’;
exit;
}
//check if the login data existed
if($result->num_rows() > 0){
//Everything went ok!
echo ‘You can now see the secret message!’;
echo ‘You are the chosen one :D’;
}
else{
//The password or/and username was not correct!
echo ‘Sorry you can\’t see the secret text!’;
echo ‘You are not the chosen one :(’;
}
}
?>
Now this is a very basic login script, and that’s all we’ll be working with for now, in the next article I’ll be adding security measures to it.
But for now I’ll just settle with explaining what some of the code does, for you out there that don’t know PHP so well right now.
I might add that I’m writing my code to work on PHP5 so if you have lower version the code won’t work…
The code is in my opinion very easy, so it shouldn’t be any problems at all to follow and understand it.
The code begins with checking if the $_POST variables were set; if not the login form is shown.
Otherwise the validation of the login data begins, a connection to the MySQL server is established and the query is carried out.
Not that we are encrypting the supplied password as the passwords in the database are also encrypted using the SHA-1 f unction.
Next step is to see if the username and password were the correct ones, I did it in a control statement using the following logic operation:
$result->num_rows() > 0
Basically if the username and password supplied is found in the database the number of rows found will be one, unless you have double set of the same username and password in your database.
If the login information supplied doesn’t exist in the database the result will logically be 0.
This way we do not have to write a lot of code to determine that, unfortunately I’ve seen people who wrote up to ten lines of code to check whether the login information was found in the database.
That’s basically what needs to be explained, as I said a very simple script, come back tomorrow when I’ll be adding security to it.
Leave a Reply