Mercurial > boosterpack
comparison logintets/login.php @ 0:477258d09353 boosterpack
[svn r1] initial import
author | robert |
---|---|
date | Sun, 30 Aug 2009 02:19:26 -0400 |
parents | |
children |
comparison
equal
deleted
inserted
replaced
-1:000000000000 | 0:477258d09353 |
---|---|
1 <code><font color="#000000"> | |
2 <font color="#0000BB"><?php | |
3 </font><font color="#FF8000">/*********************** | |
4 Makes use of two MySQL tables. | |
5 | |
6 users: | |
7 CREATE TABLE `users` ( | |
8 `id` int(11) NOT NULL auto_increment, | |
9 `username` varchar(20) default NULL, | |
10 `password` varchar(40) default NULL, | |
11 `fullname` varchar(30) default NULL, | |
12 PRIMARY KEY (`id`) | |
13 ) TYPE=MyISAM | |
14 | |
15 seeds: | |
16 CREATE TABLE `seeds` ( | |
17 `id` int(11) NOT NULL auto_increment, | |
18 `seed` timestamp(14) NOT NULL, | |
19 PRIMARY KEY (`id`) | |
20 ) TYPE=MyISAM | |
21 | |
22 */ | |
23 | |
24 // connect to mysql | |
25 </font><font color="#0000BB">$mysql </font><font color="#007700">= </font><font color="#0000BB">mysql_connect</font><font color="#007700">(</font><font color="#DD0000">'localhost'</font><font color="#007700">,</font><font color="#DD0000">'###USERNAME###'</font><font color="#007700">,</font><font color="#DD0000">'###PASSWORD###'</font><font color="#007700">); | |
26 | |
27 </font><font color="#FF8000">// fail on database errors | |
28 </font><font color="#007700">if (!</font><font color="#0000BB">$mysql</font><font color="#007700">) { | |
29 die(</font><font color="#DD0000">'false|Could not connect to MySQL'</font><font color="#007700">); | |
30 } | |
31 | |
32 </font><font color="#FF8000">// connect to the database | |
33 </font><font color="#0000BB">mysql_select_db</font><font color="#007700">(</font><font color="#DD0000">'jamesdam_ajaxlogin'</font><font color="#007700">, </font><font color="#0000BB">$mysql</font><font color="#007700">); | |
34 | |
35 </font><font color="#FF8000">// one task of the server is to provide random values to hash with | |
36 </font><font color="#007700">if (</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'task'</font><font color="#007700">]==</font><font color="#DD0000">'getseed'</font><font color="#007700">) | |
37 { | |
38 </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#DD0000">'INSERT INTO seeds VALUES()'</font><font color="#007700">); </font><font color="#FF8000">// insert a new row with default values | |
39 | |
40 // get the values from the row back | |
41 </font><font color="#0000BB">$result </font><font color="#007700">= </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#DD0000">'SELECT id, seed FROM seeds ORDER BY id DESC LIMIT 1'</font><font color="#007700">); | |
42 | |
43 if (!</font><font color="#0000BB">$result</font><font color="#007700">) { </font><font color="#FF8000">// fail on error | |
44 </font><font color="#007700">die(</font><font color="#DD0000">'false|'</font><font color="#007700">.</font><font color="#0000BB">mysql_error</font><font color="#007700">()); | |
45 } | |
46 | |
47 </font><font color="#0000BB">$row </font><font color="#007700">= </font><font color="#0000BB">mysql_fetch_assoc</font><font color="#007700">(</font><font color="#0000BB">$result</font><font color="#007700">); </font><font color="#FF8000">// only one row so take the first row | |
48 </font><font color="#007700">echo(</font><font color="#0000BB">$row</font><font color="#007700">[</font><font color="#DD0000">'id'</font><font color="#007700">].</font><font color="#DD0000">'|'</font><font color="#007700">.</font><font color="#0000BB">$row</font><font color="#007700">[</font><font color="#DD0000">'seed'</font><font color="#007700">]); </font><font color="#FF8000">// write back the data in form id|random_value | |
49 </font><font color="#007700">} | |
50 | |
51 </font><font color="#FF8000">// the other task of the server is to check a username/password combination | |
52 | |
53 </font><font color="#007700">else if (</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'task'</font><font color="#007700">]==</font><font color="#DD0000">'checklogin'</font><font color="#007700">) { | |
54 </font><font color="#FF8000">// formulate query for username | |
55 </font><font color="#0000BB">$sql </font><font color="#007700">= </font><font color="#DD0000">'SELECT * FROM users WHERE username = \'' </font><font color="#007700">. </font><font color="#0000BB">mysql_real_escape_string</font><font color="#007700">(</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'username'</font><font color="#007700">]) . </font><font color="#DD0000">'\''</font><font color="#007700">; | |
56 </font><font color="#0000BB">$result </font><font color="#007700">= </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#0000BB">$sql</font><font color="#007700">); | |
57 | |
58 </font><font color="#FF8000">// fail on sql failure | |
59 </font><font color="#007700">if (!</font><font color="#0000BB">$result</font><font color="#007700">) { | |
60 die(</font><font color="#DD0000">'false|Could not connect to login database. Please try again'</font><font color="#007700">); | |
61 } | |
62 | |
63 </font><font color="#FF8000">// get the first user with username in the table (should only be one) | |
64 </font><font color="#0000BB">$user_row </font><font color="#007700">= </font><font color="#0000BB">mysql_fetch_assoc</font><font color="#007700">(</font><font color="#0000BB">$result</font><font color="#007700">); | |
65 | |
66 </font><font color="#FF8000">// if there isn't one | |
67 </font><font color="#007700">if (!</font><font color="#0000BB">$user_row</font><font color="#007700">) | |
68 { | |
69 </font><font color="#FF8000">// then the username doesn't exist, but don't let the user know that this is the problem | |
70 // rather inform them more vaguely that the combination is incorrect; prevents someone from | |
71 // fishing for valid usernames | |
72 </font><font color="#007700">die(</font><font color="#DD0000">'false|Invalid username and password combination.'</font><font color="#007700">); | |
73 } | |
74 | |
75 </font><font color="#FF8000">// formulate query for random timestamp for given id | |
76 </font><font color="#0000BB">$sql </font><font color="#007700">= </font><font color="#DD0000">'SELECT * FROM seeds WHERE id=' </font><font color="#007700">. (int)</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'id'</font><font color="#007700">]; | |
77 </font><font color="#0000BB">$result </font><font color="#007700">= </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#0000BB">$sql</font><font color="#007700">); | |
78 | |
79 </font><font color="#FF8000">// die if no value for given id | |
80 </font><font color="#007700">if (!</font><font color="#0000BB">$result</font><font color="#007700">) { | |
81 die(</font><font color="#DD0000">'false|Unknown error (hacking attempt).'</font><font color="#007700">); | |
82 } | |
83 | |
84 </font><font color="#FF8000">// get the first (only) seed | |
85 </font><font color="#0000BB">$seed_row </font><font color="#007700">= </font><font color="#0000BB">mysql_fetch_assoc</font><font color="#007700">(</font><font color="#0000BB">$result</font><font color="#007700">); | |
86 | |
87 </font><font color="#FF8000">// fail if no row | |
88 </font><font color="#007700">if (!</font><font color="#0000BB">$seed_row</font><font color="#007700">) { | |
89 die(</font><font color="#DD0000">'false|Unknown error (hacking attempt).'</font><font color="#007700">); | |
90 } | |
91 | |
92 </font><font color="#FF8000">// if the md5 hashes are equal to those generated by the clientside js | |
93 </font><font color="#007700">if (</font><font color="#0000BB">md5</font><font color="#007700">(</font><font color="#0000BB">$user_row</font><font color="#007700">[</font><font color="#DD0000">'password'</font><font color="#007700">] . </font><font color="#0000BB">$seed_row</font><font color="#007700">[</font><font color="#DD0000">'seed'</font><font color="#007700">]) == </font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'hash'</font><font color="#007700">]) { | |
94 </font><font color="#FF8000">// logged in | |
95 </font><font color="#007700">echo(</font><font color="#DD0000">'true|' </font><font color="#007700">. </font><font color="#0000BB">$user_row</font><font color="#007700">[</font><font color="#DD0000">'fullname'</font><font color="#007700">]); | |
96 | |
97 </font><font color="#FF8000">// now remove the random key that was made for this request | |
98 </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#DD0000">'DELETE FROM s WHERE id=' </font><font color="#007700">. (int)</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'id'</font><font color="#007700">]); | |
99 } | |
100 else | |
101 { | |
102 </font><font color="#FF8000">// not logged in.. incorrect password | |
103 </font><font color="#007700">die(</font><font color="#DD0000">'false|Invalid username and password combination.'</font><font color="#007700">); | |
104 } | |
105 } | |
106 </font><font color="#0000BB">?></font> | |
107 </font> | |
108 </code> |