I'm trying to create a very simple login for only one or two users. The username and password are stored in "admin.txt"; the text file is formatted like: "username password". I cannot seem to have the username and password register... Thanks for the help!!
<?php
// username and password sent from form
$myusername = $_POST['username'];
$mypassword = $_POST['password'];

// open the credentials file and read it line by line
$sql = fopen("../admin8183/users/admin.txt", "r");
while (!feof($sql)) {
    $myusername = fgets($sql);   // each fgets() returns one whole line
    $mypassword = fgets($sql);
    $line = fgets($sql);
    $myusername = trim($myusername);
    $mypassword = trim($mypassword);
}
fclose($sql);

// counting rows
$admin = count(file("../admin8183/users/admin.txt"));
if ($admin == 1) {
    // Register $myusername, $mypassword and redirect to file "sendmessage.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:sendmessage.php");
    exit; // stop executing once the redirect header has been sent
} else {
    echo "Wrong Username or Password";
}
P.S. I am sure that there are a few things wrong with my code, and that there are more efficient ways of accomplishing my goal; this is my first stab at creating a login in PHP... Thanks for your help!
-
First, I must say this is the wrong way to accomplish your task. The suggestion in the comment to use htpasswd is very right.
As for your code:
- You are using the same $myusername variable when reading from $_POST and from the file. You need to use separate variables and compare them.
- You expect the file to have 3 rows (3 gets), yet you register only if it has 1 row.
Update:
Since you can't use htpasswd, I highly recommend hashing your password. Whether you save it in a file or hardcode it, it is a good practice. As @silky pointed out, sha1/md5 are no better than plain text, so here is an implementation of sha256 for PHP.
Also, don't save your password/username in the session; as @pygorex1 pointed out, use a different variable for marking the user as logged in.
Ryan: 1 and 2 are good points, I'll re-evaluate that. However, as I said to the other comment, I cannot access my server settings...
Noon Silk: Avoid SHA1 if you can, it's considered weak and soon-to-be-dead: http://valerieaurora.org/hash.html
Am: md5 then......?
Noon Silk: Oh dear, MD5 is most definitely dead; you must use SHA-2 or up (sometime in the near future we should see a SHA-3 class being released, but for now, SHA-2 is pretty much the only option).
Am: can't seem to find sha-2 for php
Noon Silk: Am: Then SHA-1 will be acceptable, but just note it down to upgrade when SHA-2 for php becomes available :) (I'd think there is some sort of SHA-256 impl for PHP somewhere, though.)
Am: @silky: thanks for the link, I'll go change my own functions now...
From Am
-
Well, it would seem that fgets() gets an entire line: http://php.net/manual/en/function.fgets.php
So you are putting the entire line "username password" into $myusername, and then the next line into $mypassword, and so on.
From zipcodeman
-
There are several problems with this script:
- $myusername, $mypassword: first these variables are initialized from $_POST data, then overwritten with the file contents. I don't see any checking of the user-submitted password against the password in the file.
- The password file is being loaded twice: once via fopen/fgets and again via file(). This is wasteful; load the file only once via file().
- The following lines:
    $admin=count(file("../admin8183/users/admin.txt")); ... if($admin==1)
  will allow anyone access as long as the password file contains only one line, which will never occur if the username/password are on separate lines. Worse yet, this check is independent of user input.
- The password is being saved in the session. At the very least, if the username and password are correct, a session variable called $_SESSION['logged_in'] should be set to true.
- Is the password being stored in an encrypted format? At a minimum the password should be stored as a SHA1/MD5 hash.
- session_register is deprecated.
Building a secure user authentication scheme is hard. As others have noted, try using basic Apache authentication. Here's a decent tutorial:
http://www.nexcess.net/support/tutorials/misc-tools/htaccess-authentication/
From pygorex1
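The three answers above (Am's separate-variables and hashing points, zipcodeman's note that fgets() returns a whole line, and pygorex1's list) describe the same fix from different angles. Below is an added example of that fix; it is not code from the question or from any of the answers. It assumes admin.txt holds one "username hash" pair per line (the question's file has plaintext passwords), keeps the question's file path as a constant, and uses PHP's built-in password_hash()/password_verify() (PHP 5.5+, here written for PHP 7.0+) in place of the bare SHA-256 the comments discuss: password_hash() salts and stretches the password, which an unsalted hash does not. The function names are the example's own.

```php
<?php
// Added example, not code from the question or from any answer. Assumes admin.txt
// holds one "username hash" pair per line, with the hash produced by make_user_line()
// below. Requires PHP 7.0+ (the ?? operator and scalar type declarations).
declare(strict_types=1);

// Path taken from the question; adjust to the real location of admin.txt.
const ADMIN_FILE = __DIR__ . '/../admin8183/users/admin.txt';

/**
 * Build one line for admin.txt. password_hash() salts and stretches the password,
 * so the file never holds plaintext and two users with the same password get
 * different lines.
 */
function make_user_line(string $username, string $password): string
{
    if ($username === '' || preg_match('/\s/', $username)) {
        throw new InvalidArgumentException('username must be non-empty and contain no whitespace');
    }
    return $username . ' ' . password_hash($password, PASSWORD_DEFAULT);
}

/** Turn the file's lines into [username => hash]; blank or malformed lines are skipped. */
function parse_user_lines(array $lines): array
{
    $users = [];
    foreach ($lines as $line) {
        // fgets()/file() hand back the whole "username hash" line; split it on whitespace.
        $parts = preg_split('/\s+/', trim($line), 2);
        if ($parts === false || count($parts) !== 2 || $parts[1] === '') {
            continue;
        }
        $users[$parts[0]] = $parts[1];
    }
    return $users;
}

/** Read the file once with file(); no fgets() loop and no second read for a row count. */
function load_users(string $path): array
{
    $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return $lines === false ? [] : parse_user_lines($lines);
}

/**
 * Check the submitted credentials against the stored hash. The submitted values live
 * in their own variables, so nothing read from the file can overwrite them, and the
 * decision depends on user input rather than on how many lines the file has.
 */
function authenticate(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

if (PHP_SAPI === 'cli') {
    // Command-line self-check on a constructed user table (no admin.txt needed).
    $table = parse_user_lines([
        make_user_line('alice', 'correct horse battery staple'),
        '',                       // blank line: ignored
        'malformed-line-no-hash', // no second field: ignored
    ]);
    $ok = count($table) === 1
        && authenticate($table, 'alice', 'correct horse battery staple') === true
        && authenticate($table, 'alice', 'wrong') === false
        && authenticate($table, 'mallory', 'correct horse battery staple') === false;
    echo $ok ? "self-check passed\n" : "self-check FAILED\n";
    exit($ok ? 0 : 1);
}

// Web request: read credentials into their own variables, compare, then set a flag.
session_start();
$submittedUser = $_POST['username'] ?? '';
$submittedPass = $_POST['password'] ?? '';

if (authenticate(load_users(ADMIN_FILE), $submittedUser, $submittedPass)) {
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['logged_in'] = true; // a flag only; the password is never stored in the session
    header('Location: sendmessage.php');
    exit;                          // stop so nothing below runs after the redirect
}

http_response_code(401);
echo 'Wrong Username or Password';
```

Running the script from the command line executes only the self-check against the constructed table; served by a web server it handles the form post. To add a user, append the string returned by make_user_line() to admin.txt; the plaintext password is never written anywhere. The file should still live outside the web root (as the question's ../admin8183 path suggests) so it cannot be fetched directly.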