comparison logintets/login.phps @ 0:477258d09353 boosterpack
[svn r1] initial import
author | robert |
---|---|
date | Sun, 30 Aug 2009 02:19:26 -0400 |
parents | |
children |
-1:000000000000 | 0:477258d09353 |
---|---|
1 <code><font color="#000000"> | |
2 <font color="#0000BB"><?php | |
3 </font><font color="#FF8000">/*********************** | |
4 Makes use of two MySQL tables. | |
5 | |
6 users: | |
7 CREATE TABLE `users` ( | |
8 `id` int(11) NOT NULL auto_increment, | |
9 `username` varchar(20) default NULL, | |
10 `password` varchar(40) default NULL, | |
11 `fullname` varchar(30) default NULL, | |
12 PRIMARY KEY (`id`) | |
13 ) TYPE=MyISAM | |
14 | |
15 seeds: | |
16 CREATE TABLE `seeds` ( | |
17 `id` int(11) NOT NULL auto_increment, | |
18 `seed` timestamp(14) NOT NULL, | |
19 PRIMARY KEY (`id`) | |
20 ) TYPE=MyISAM | |
21 | |
22 */ | |
23 | |
24 // connect to mysql | |
25 </font><font color="#0000BB">$mysql </font><font color="#007700">= </font><font color="#0000BB">mysql_connect</font><font color="#007700">(</font><font color="#DD0000">'localhost'</font><font color="#007700">,</font><font color="#DD0000">'###USERNAME###'</font><font color="#007700">,</font><font color="#DD0000">'###PASSWORD###'</font><font color="#007700">); | |
26 | |
27 </font><font color="#FF8000">// fail on database errors | |
28 </font><font color="#007700">if (!</font><font color="#0000BB">$mysql</font><font color="#007700">) { | |
29 die(</font><font color="#DD0000">'false|Could not connect to MySQL'</font><font color="#007700">); | |
30 } | |
31 | |
32 </font><font color="#FF8000">// connect to the database | |
33 </font><font color="#0000BB">mysql_select_db</font><font color="#007700">(</font><font color="#DD0000">'jamesdam_ajaxlogin'</font><font color="#007700">, </font><font color="#0000BB">$mysql</font><font color="#007700">); | |
34 | |
35 </font><font color="#FF8000">// one task of the server is to provide random values to hash with | |
36 </font><font color="#007700">if (</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'task'</font><font color="#007700">]==</font><font color="#DD0000">'getseed'</font><font color="#007700">) | |
37 { | |
38 </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#DD0000">'INSERT INTO seeds VALUES()'</font><font color="#007700">); </font><font color="#FF8000">// insert a new row with default values | |
39 | |
40 // get the values from the row back | |
41 </font><font color="#0000BB">$result </font><font color="#007700">= </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#DD0000">'SELECT id, seed FROM seeds ORDER BY id DESC LIMIT 1'</font><font color="#007700">); | |
42 | |
43 if (!</font><font color="#0000BB">$result</font><font color="#007700">) { </font><font color="#FF8000">// fail on error | |
44 </font><font color="#007700">die(</font><font color="#DD0000">'false|'</font><font color="#007700">.</font><font color="#0000BB">mysql_error</font><font color="#007700">()); | |
45 } | |
46 | |
47 </font><font color="#0000BB">$row </font><font color="#007700">= </font><font color="#0000BB">mysql_fetch_assoc</font><font color="#007700">(</font><font color="#0000BB">$result</font><font color="#007700">); </font><font color="#FF8000">// only one row so take the first row | |
48 </font><font color="#007700">echo(</font><font color="#0000BB">$row</font><font color="#007700">[</font><font color="#DD0000">'id'</font><font color="#007700">].</font><font color="#DD0000">'|'</font><font color="#007700">.</font><font color="#0000BB">$row</font><font color="#007700">[</font><font color="#DD0000">'seed'</font><font color="#007700">]); </font><font color="#FF8000">// write back the data in form id|random_value | |
49 </font><font color="#007700">} | |
50 | |
51 </font><font color="#FF8000">// the other task of the server is to check a username/password combination | |
52 | |
53 </font><font color="#007700">else if (</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'task'</font><font color="#007700">]==</font><font color="#DD0000">'checklogin'</font><font color="#007700">) { | |
54 </font><font color="#FF8000">// formulate query for username | |
55 </font><font color="#0000BB">$sql </font><font color="#007700">= </font><font color="#DD0000">'SELECT * FROM users WHERE username = \'' </font><font color="#007700">. </font><font color="#0000BB">mysql_real_escape_string</font><font color="#007700">(</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'username'</font><font color="#007700">]) . </font><font color="#DD0000">'\''</font><font color="#007700">; | |
56 </font><font color="#0000BB">$result </font><font color="#007700">= </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#0000BB">$sql</font><font color="#007700">); | |
57 | |
58 </font><font color="#FF8000">// fail on sql failure | |
59 </font><font color="#007700">if (!</font><font color="#0000BB">$result</font><font color="#007700">) { | |
60 die(</font><font color="#DD0000">'false|Could not connect to login database. Please try again'</font><font color="#007700">); | |
61 } | |
62 | |
63 </font><font color="#FF8000">// get the first user with username in the table (should only be one) | |
64 </font><font color="#0000BB">$user_row </font><font color="#007700">= </font><font color="#0000BB">mysql_fetch_assoc</font><font color="#007700">(</font><font color="#0000BB">$result</font><font color="#007700">); | |
65 | |
66 </font><font color="#FF8000">// if there isn't one | |
67 </font><font color="#007700">if (!</font><font color="#0000BB">$user_row</font><font color="#007700">) | |
68 { | |
69 </font><font color="#FF8000">// then the username doesn't exist, but don't let the user know that this is the problem | |
70 // rather inform them more vaguely that the combination is incorrect; prevents someone from | |
71 // fishing for valid usernames | |
72 </font><font color="#007700">die(</font><font color="#DD0000">'false|Invalid username and password combination.'</font><font color="#007700">); | |
73 } | |
74 | |
75 </font><font color="#FF8000">// formulate query for random timestamp for given id | |
76 </font><font color="#0000BB">$sql </font><font color="#007700">= </font><font color="#DD0000">'SELECT * FROM seeds WHERE id=' </font><font color="#007700">. (int)</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'id'</font><font color="#007700">]; | |
77 </font><font color="#0000BB">$result </font><font color="#007700">= </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#0000BB">$sql</font><font color="#007700">); | |
78 | |
79 </font><font color="#FF8000">// die if no value for given id | |
80 </font><font color="#007700">if (!</font><font color="#0000BB">$result</font><font color="#007700">) { | |
81 die(</font><font color="#DD0000">'false|Unknown error (hacking attempt).'</font><font color="#007700">); | |
82 } | |
83 | |
84 </font><font color="#FF8000">// get the first (only) seed | |
85 </font><font color="#0000BB">$seed_row </font><font color="#007700">= </font><font color="#0000BB">mysql_fetch_assoc</font><font color="#007700">(</font><font color="#0000BB">$result</font><font color="#007700">); | |
86 | |
87 </font><font color="#FF8000">// fail if no row | |
88 </font><font color="#007700">if (!</font><font color="#0000BB">$seed_row</font><font color="#007700">) { | |
89 die(</font><font color="#DD0000">'false|Unknown error (hacking attempt).'</font><font color="#007700">); | |
90 } | |
91 | |
92 </font><font color="#FF8000">// if the md5 hashes are equal to those generated by the clientside js | |
93 </font><font color="#007700">if (</font><font color="#0000BB">md5</font><font color="#007700">(</font><font color="#0000BB">$user_row</font><font color="#007700">[</font><font color="#DD0000">'password'</font><font color="#007700">] . </font><font color="#0000BB">$seed_row</font><font color="#007700">[</font><font color="#DD0000">'seed'</font><font color="#007700">]) == </font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'hash'</font><font color="#007700">]) { | |
94 </font><font color="#FF8000">// logged in | |
95 </font><font color="#007700">echo(</font><font color="#DD0000">'true|' </font><font color="#007700">. </font><font color="#0000BB">$user_row</font><font color="#007700">[</font><font color="#DD0000">'fullname'</font><font color="#007700">]); | |
96 | |
97 </font><font color="#FF8000">// now remove the random key that was made for this request | |
98 </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#DD0000">'DELETE FROM s WHERE id=' </font><font color="#007700">. (int)</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'id'</font><font color="#007700">]); | |
99 } | |
100 else | |
101 { | |
102 </font><font color="#FF8000">// not logged in.. incorrect password | |
103 </font><font color="#007700">die(</font><font color="#DD0000">'false|Invalid username and password combination.'</font><font color="#007700">); | |
104 } | |
105 } | |
106 </font><font color="#0000BB">?></font> | |
107 </font> | |
108 </code> |
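Review bot: The seed cleanup at line 98 deletes from a table `s` that the schema in the header comment does not define (the table created there is `seeds`), and the result of that `mysql_query` is never checked, so the delete fails silently and a seed row stays usable for any later `checklogin` request that names the same `id`; the line should read `mysql_query('DELETE FROM seeds WHERE id=' . (int)$_GET['id']);` with its return value tested like the other queries. The same unchecked-result pattern appears at line 33 (`mysql_select_db`) and line 38 (`INSERT INTO seeds VALUES()`); if that insert fails, the `SELECT ... ORDER BY id DESC LIMIT 1` on line 41 hands out the previous seed again. The comparison on line 93 uses `==`, which in PHP applies type juggling to numeric-looking strings, so the check should be strict: `if (md5($user_row['password'] . $seed_row['seed']) === $_GET['hash']) {` (or `hash_equals()` where the PHP version provides it). Separately, the `seed` column is declared `timestamp(14)` and the insert supplies no value, so the "random value" handed out on line 48 is presumably the insert time rather than a random number — worth confirming and documenting in the header comment, since a guessable, username-independent challenge gives little of the replay protection the comments at lines 35 and 97 describe.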