Mercurial > boosterpack
view logintets/login.php @ 0:477258d09353 boosterpack
[svn r1] initial import
author | robert |
---|---|
date | Sun, 30 Aug 2009 02:19:26 -0400 |
parents | |
children |
line wrap: on
line source
1 <code><font color="#000000">2 <font color="#0000BB"><?php3 </font><font color="#FF8000">/***********************4 Makes use of two MySQL tables.6 users:7 CREATE TABLE `users` (8 `id` int(11) NOT NULL auto_increment,9 `username` varchar(20) default NULL,10 `password` varchar(40) default NULL,11 `fullname` varchar(30) default NULL,12 PRIMARY KEY (`id`)13 ) TYPE=MyISAM15 seeds:16 CREATE TABLE `seeds` (17 `id` int(11) NOT NULL auto_increment,18 `seed` timestamp(14) NOT NULL,19 PRIMARY KEY (`id`)20 ) TYPE=MyISAM22 */24 // connect to mysql25 </font><font color="#0000BB">$mysql </font><font color="#007700">= </font><font color="#0000BB">mysql_connect</font><font color="#007700">(</font><font color="#DD0000">'localhost'</font><font color="#007700">,</font><font color="#DD0000">'###USERNAME###'</font><font color="#007700">,</font><font color="#DD0000">'###PASSWORD###'</font><font color="#007700">);27 </font><font color="#FF8000">// fail on database errors28 </font><font color="#007700">if (!</font><font color="#0000BB">$mysql</font><font color="#007700">) {29 die(</font><font color="#DD0000">'false|Could not connect to MySQL'</font><font color="#007700">);30 }32 </font><font color="#FF8000">// connect to the database33 </font><font color="#0000BB">mysql_select_db</font><font color="#007700">(</font><font color="#DD0000">'jamesdam_ajaxlogin'</font><font color="#007700">, </font><font color="#0000BB">$mysql</font><font color="#007700">);35 </font><font color="#FF8000">// one task of the server is to provide random values to hash with36 </font><font color="#007700">if (</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'task'</font><font color="#007700">]==</font><font color="#DD0000">'getseed'</font><font color="#007700">)37 {38 </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#DD0000">'INSERT INTO seeds VALUES()'</font><font color="#007700">); </font><font color="#FF8000">// insert a new row with default values39 40 // get the values from the row back41 </font><font color="#0000BB">$result </font><font color="#007700">= </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#DD0000">'SELECT id, seed FROM seeds ORDER BY id DESC LIMIT 1'</font><font color="#007700">);43 if (!</font><font color="#0000BB">$result</font><font color="#007700">) { </font><font color="#FF8000">// fail on error44 </font><font color="#007700">die(</font><font color="#DD0000">'false|'</font><font color="#007700">.</font><font color="#0000BB">mysql_error</font><font color="#007700">());45 }47 </font><font color="#0000BB">$row </font><font color="#007700">= </font><font color="#0000BB">mysql_fetch_assoc</font><font color="#007700">(</font><font color="#0000BB">$result</font><font color="#007700">); </font><font color="#FF8000">// only one row so take the first row48 </font><font color="#007700">echo(</font><font color="#0000BB">$row</font><font color="#007700">[</font><font color="#DD0000">'id'</font><font color="#007700">].</font><font color="#DD0000">'|'</font><font color="#007700">.</font><font color="#0000BB">$row</font><font color="#007700">[</font><font color="#DD0000">'seed'</font><font color="#007700">]); </font><font color="#FF8000">// write back the data in form id|random_value49 </font><font color="#007700">}51 </font><font color="#FF8000">// the other task of the server is to check a username/password combination53 </font><font color="#007700">else if (</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'task'</font><font color="#007700">]==</font><font color="#DD0000">'checklogin'</font><font color="#007700">) {54 </font><font color="#FF8000">// formulate query for username 55 </font><font color="#0000BB">$sql </font><font color="#007700">= </font><font color="#DD0000">'SELECT * FROM users WHERE username = \'' </font><font color="#007700">. </font><font color="#0000BB">mysql_real_escape_string</font><font color="#007700">(</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'username'</font><font color="#007700">]) . </font><font color="#DD0000">'\''</font><font color="#007700">;56 </font><font color="#0000BB">$result </font><font color="#007700">= </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#0000BB">$sql</font><font color="#007700">);57 58 </font><font color="#FF8000">// fail on sql failure59 </font><font color="#007700">if (!</font><font color="#0000BB">$result</font><font color="#007700">) {60 die(</font><font color="#DD0000">'false|Could not connect to login database. Please try again'</font><font color="#007700">);61 }62 63 </font><font color="#FF8000">// get the first user with username in the table (should only be one)64 </font><font color="#0000BB">$user_row </font><font color="#007700">= </font><font color="#0000BB">mysql_fetch_assoc</font><font color="#007700">(</font><font color="#0000BB">$result</font><font color="#007700">);66 </font><font color="#FF8000">// if there isn't one67 </font><font color="#007700">if (!</font><font color="#0000BB">$user_row</font><font color="#007700">)68 {69 </font><font color="#FF8000">// then the username doesn't exist, but don't let the user know that this is the problem70 // rather inform them more vaguely that the combination is incorrect; prevents someone from71 // fishing for valid usernames72 </font><font color="#007700">die(</font><font color="#DD0000">'false|Invalid username and password combination.'</font><font color="#007700">);73 }74 75 </font><font color="#FF8000">// formulate query for random timestamp for given id76 </font><font color="#0000BB">$sql </font><font color="#007700">= </font><font color="#DD0000">'SELECT * FROM seeds WHERE id=' </font><font color="#007700">. (int)</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'id'</font><font color="#007700">];77 </font><font color="#0000BB">$result </font><font color="#007700">= </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#0000BB">$sql</font><font color="#007700">);79 </font><font color="#FF8000">// die if no value for given id80 </font><font color="#007700">if (!</font><font color="#0000BB">$result</font><font color="#007700">) {81 die(</font><font color="#DD0000">'false|Unknown error (hacking attempt).'</font><font color="#007700">);82 }84 </font><font color="#FF8000">// get the first (only) seed85 </font><font color="#0000BB">$seed_row </font><font color="#007700">= </font><font color="#0000BB">mysql_fetch_assoc</font><font color="#007700">(</font><font color="#0000BB">$result</font><font color="#007700">);86 87 </font><font color="#FF8000">// fail if no row88 </font><font color="#007700">if (!</font><font color="#0000BB">$seed_row</font><font color="#007700">) {89 die(</font><font color="#DD0000">'false|Unknown error (hacking attempt).'</font><font color="#007700">);90 }91 92 </font><font color="#FF8000">// if the md5 hashes are equal to those generated by the clientside js93 </font><font color="#007700">if (</font><font color="#0000BB">md5</font><font color="#007700">(</font><font color="#0000BB">$user_row</font><font color="#007700">[</font><font color="#DD0000">'password'</font><font color="#007700">] . </font><font color="#0000BB">$seed_row</font><font color="#007700">[</font><font color="#DD0000">'seed'</font><font color="#007700">]) == </font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'hash'</font><font color="#007700">]) {94 </font><font color="#FF8000">// logged in95 </font><font color="#007700">echo(</font><font color="#DD0000">'true|' </font><font color="#007700">. </font><font color="#0000BB">$user_row</font><font color="#007700">[</font><font color="#DD0000">'fullname'</font><font color="#007700">]);97 </font><font color="#FF8000">// now remove the random key that was made for this request98 </font><font color="#0000BB">mysql_query</font><font color="#007700">(</font><font color="#DD0000">'DELETE FROM s WHERE id=' </font><font color="#007700">. (int)</font><font color="#0000BB">$_GET</font><font color="#007700">[</font><font color="#DD0000">'id'</font><font color="#007700">]); 99 }100 else101 {102 </font><font color="#FF8000">// not logged in.. incorrect password103 </font><font color="#007700">die(</font><font color="#DD0000">'false|Invalid username and password combination.'</font><font color="#007700">);104 }105 }106 </font><font color="#0000BB">?></font>107 </font>108 </code>