
going to try to fix this thing
author Robert McIntyre <rlm@mit.edu>
date Mon, 27 Sep 2010 17:24:06 -0400
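<?php
/***********************
Makes use of two MySQL tables.

users:
CREATE TABLE `users` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(20) default NULL,
  `password` varchar(40) default NULL,
  `fullname` varchar(30) default NULL,
  PRIMARY KEY  (`id`)
) TYPE=MyISAM

seeds:
CREATE TABLE `seeds` (
  `id` int(11) NOT NULL auto_increment,
  `seed` timestamp(14) NOT NULL,
  PRIMARY KEY  (`id`)
) TYPE=MyISAM

Wire protocol (unchanged -- the client-side JS depends on it):
  ?task=getseed                                  -> "id|seed"
  ?task=checklogin&username=U&id=ID&hash=H       -> "true|fullname" or "false|message"
where H = md5(password . seed) is computed in the browser.

Fixes in this revision:
  * The seed row was deleted from a table named `s`, which does not exist, so
    the DELETE always failed and a captured id|hash pair could be replayed
    forever.  The seed is now deleted from `seeds`, and it is consumed on a
    failed attempt as well, so one challenge allows exactly one guess.
  * getseed returned the newest row (ORDER BY id DESC) rather than the row this
    request inserted; under concurrent requests two clients could be handed the
    same id.  mysql_insert_id() is used instead.
  * The hash comparison used ==.  With two numeric-looking strings PHP compares
    them as numbers ("0e123" == "0e456" is true), so a forged hash of the form
    "0e<digits>" would be accepted whenever md5() happened to produce such a
    string.  hash_equals() (PHP >= 5.6) is strict and constant-time.
  * Raw mysql_error() text was echoed to the browser on one path; driver errors
    now go to error_log() and the client sees a generic message.
  * Missing query parameters no longer trigger "undefined index" notices.

Limits of this design (cannot be fixed in this file alone):
  * The server recomputes md5(password . seed), so `users.password` must hold
    the password itself (or a fixed reusable secret).  That is plaintext-
    equivalent storage: a copy of the table yields every account.  Moving to
    password_hash()/password_verify() requires changing the client protocol.
  * `seed` is a MySQL TIMESTAMP with one-second resolution, not a random nonce.
    It is predictable, and anyone who observes one id|hash pair can run an
    offline dictionary attack against md5(password . seed).  A random nonce
    would need a different column type.
  * Everything, including the hash, travels in the query string, so it lands in
    web-server logs, proxies and Referer headers.  The client must switch to
    POST (over TLS) for that to change.
  * The "unknown user" path returns before the seed lookup and md5(), so the
    response time still differs from the "wrong password" path even though the
    message is identical; username enumeration by timing remains possible.
  * ext/mysql (mysql_*) was deprecated in PHP 5.5 and removed in 7.0; a port to
    mysqli/PDO with prepared statements is needed before running on anything
    newer.
*/

// connect to mysql
$mysql = mysql_connect('localhost', '###USERNAME###', '###PASSWORD###');

// fail on database errors
if (!$mysql) {
    die('false|Could not connect to MySQL');
}

// select the database; treat failure like a failed connection rather than
// letting every later query fail with a confusing message
if (!mysql_select_db('jamesdam_ajaxlogin', $mysql)) {
    error_log('login.php: mysql_select_db failed: ' . mysql_error($mysql));
    die('false|Could not connect to MySQL');
}

// read the task once; a missing parameter must not raise a notice
$task = isset($_GET['task']) && is_string($_GET['task']) ? $_GET['task'] : '';

// one task of the server is to provide values to hash with
if ($task === 'getseed') {
    // insert a new row; `seed` receives the automatic TIMESTAMP value
    if (!mysql_query('INSERT INTO seeds VALUES()', $mysql)) {
        error_log('login.php: seed insert failed: ' . mysql_error($mysql));
        die('false|Could not create login seed');
    }

    // fetch the row *this* request created, not whatever happens to be newest
    $seed_id = (int)mysql_insert_id($mysql);
    $result  = mysql_query('SELECT id, seed FROM seeds WHERE id=' . $seed_id, $mysql);
    $row     = $result ? mysql_fetch_assoc($result) : false;

    if (!$row) {
        // do not echo mysql_error() to the client
        error_log('login.php: seed lookup failed for id ' . $seed_id . ': ' . mysql_error($mysql));
        die('false|Could not create login seed');
    }

    // write back the data in form id|seed_value
    echo($row['id'] . '|' . $row['seed']);
}

// the other task of the server is to check a username/password combination
elseif ($task === 'checklogin') {
    // normalise the inputs: strings only, id as int, defaults when absent
    $username = isset($_GET['username']) && is_string($_GET['username']) ? $_GET['username'] : '';
    $seed_id  = isset($_GET['id']) ? (int)$_GET['id'] : 0;
    $hash     = isset($_GET['hash']) && is_string($_GET['hash']) ? $_GET['hash'] : '';

    // look the user up; the value is escaped for the active connection
    $sql    = 'SELECT * FROM users WHERE username = \'' . mysql_real_escape_string($username, $mysql) . '\'';
    $result = mysql_query($sql, $mysql);

    // fail on sql failure
    if (!$result) {
        error_log('login.php: user lookup failed: ' . mysql_error($mysql));
        die('false|Could not connect to login database.  Please try again');
    }

    // get the first user with username in the table (should only be one)
    $user_row = mysql_fetch_assoc($result);

    if (!$user_row) {
        // the username doesn't exist, but don't tell the client which half was
        // wrong; the vague message makes fishing for valid usernames harder
        // (see the timing caveat in the header)
        die('false|Invalid username and password combination.');
    }

    // fetch the seed for the given id; a missing row means the id was never
    // issued, was already consumed, or was made up
    $result   = mysql_query('SELECT * FROM seeds WHERE id=' . $seed_id, $mysql);
    $seed_row = $result ? mysql_fetch_assoc($result) : false;

    if (!$seed_row) {
        die('false|Unknown error (hacking attempt).');
    }

    // recompute what the client-side js should have produced and compare with
    // a strict, constant-time comparison (never == on hash strings)
    $expected = md5($user_row['password'] . $seed_row['seed']);
    $ok       = hash_equals($expected, $hash);

    // consume the seed whether or not the attempt succeeded: each challenge
    // is good for exactly one guess and a captured hash cannot be replayed
    if (!mysql_query('DELETE FROM seeds WHERE id=' . $seed_id, $mysql)) {
        error_log('login.php: could not delete seed ' . $seed_id . ': ' . mysql_error($mysql));
    }

    if ($ok) {
        // logged in.  The client receives fullname as plain text; it must not
        // insert it into the page as HTML (assumed from the "true|name"
        // format -- confirm against the JS).
        echo('true|' . $user_row['fullname']);
    } else {
        // incorrect password
        die('false|Invalid username and password combination.');
    }
}
// any other task value produces no output, as before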