Jump to content

Login Script & Security


SFB
 Share

Recommended Posts

I have made a login script but anyone that wanted to could easily decode it. I keep the things like passwords and usernames and stuff in a txt file. i tried to protect it with .htaccess but it appeared not to work. I dont have access to much on the server. I am hosted by dcole.ath.cx and he wont give me any non web place for a file. I dont know how to use any databases and dont really feel like figureing out how to. so bassically i want a txt file lets say userdata.txt to not display content in somone's browser. I think the dcole server is a windows one if that helps anyone. I figured out a way that might work but it isnt very good coding. I have hidden all my userdata in a php file in a multi line comment. then I take the data out of the comment and use it. its a lot of work and doesnt seem much safer. sorry i dont have an example of a non working .htaccess file at the moment.

Link to comment
Share on other sites

With something like this the first thing you have to do is make a .htpasswd file. In this file you put the username and encryped password of the users you want to be able to look at the file. The use this tool http://www.tools.dynamicdrive.com/password/ to make the usernames and passwords. Then in your .htaccess file do the following

AuthUserFile /usr/local/you/safedir/.htpasswdAuthGroupFile /dev/nullAuthName EnterPasswordAuthType Basicrequire user Username you specified in .htpasswd file

The first line is the full server path to your htpasswd file. If you have installed scripts on your server, you should be familiar with this. Please note that this is not a URL, this is a server path. Also note that if you place this htaccess file in your root directory, it will password protect your entire site, which you don't want to do.Require user is where you enter the username of those who you want to have access to that portion of your site. Note that using this will allow only that specific user to be able to access that directory. This applies if you had an htpasswd file that had multiple users setup in it and you wanted each one to have access to an individual directory. If you wanted the entire list of users to have access to that directory, you would replace Require user xxx with require valid-user.AuthName is the name of the area you want to access.I hope this answered your question

Link to comment
Share on other sites

Forget the comment, just put it in a PHP script and set a bunch of variables. If you are talking about users, you can make an array of users or something. Just set the variables, nothing will show up in output, and you won't have to do any text processing to get the information.

Link to comment
Share on other sites

You can save yourself a headache by just writing it in PHP

<?php//you can do something like this (option 1):$users = array();$newuser = array();$newuser['username'] = "xxx";$newuser['password'] = "yyy";$users[] = $newuser;$newuser = array();$newuser['username'] = "zzz";$newuser['password'] = "123";$users[] = $newuser;//or something like this (option 2):$username = "xxx";$password = "yyy";$users[$username] = $password;$username = "zzz";$password = "123";$users[$username] = $password;?>

etc. Then you include that file, and go through the list.

<?phpinclude("users.php");//option 1for ($i = 0; $i < count($users); $i++){  if ($users[$i]['username'] == $the_user_youre_looking_for)  {    if ($users[$i]['password'] == $the_users_password)      $password_correct = true;    else      $password_correct = false;  }}//option 2if ($users[$the_user_youre_looking_for] == $the_users_password){  $password_correct = true;}else{  $password_correct = false;}?>

Viewing the users.php file in the browser would not show any output (no user info), and you don't need to mess with permissions.

Link to comment
Share on other sites

The way i am doing it now is very similar ony i use fopen and explode to make some arrays what i do currently looks like this is the userdata.php file (all usernames, passwords, and emails are made up

<?php<||>//<->sfb<->ru6g8oz<->john<->jones<->snowfort@gmail//<->mittens<->123456789<-><-><->dogs_drue@gmail.com//<->patches<->987654321<-><-><->cool_cat@gmail.com<||>?>

this is the login script it still needs some work after the password and username match but you can get the idea

<?php$userlogedin = "FALSE";$username = $_POST["username"];$password = $_POST["password"];if($username != "")){$file = fopen("/Inetpub/wwwroot/sfb/testfiles/login3/userdata.php", "r");$filesize = filesize("/Inetpub/wwwroot/sfb/testfiles/login3/userdata.php");$text = fread($file, $filesize);fclose($file);$users = explode("<||>", $text);$lines = explode("\n", $users[1]);$size = sizeof($lines);for($i = 0; $i < $size; $i++){$userdata = explode("<->", $lines[$i]);if(($userdata[1] == $username) and ($userdata[2] == $password)){$email = $userdata[3];$username = $userdat[1];$userlogedin = "TRUE";print"$username<br>$email<br>";}}}if($userlogedin == "TRUE"){print"The password and username match";}else{print"the username and password do <u>not</u> match!";}print"  <br><br>this is the login page";?>

i just dont like useing a php file to store data in. so if all possible i want to put it in a txt file so my data would look like

sfb<->ru6g8oz<->john<->jones<->snowfort@gmailmittens<->123456789<-><-><->dogs_drue@gmail.compatches<->987654321<-><-><->cool_cat@gmail.com

Link to comment
Share on other sites

A PHP file is infinitely more secure than a plain text file. Most of my applications import data in external files, configuration settings, database passwords, things like that. But it doesn't make sense to hide things in comments and then use file and string functions to read the data, you might as well instead just cut out the middle step and set up the data to be PHP variables from the start, that way you can just include the file and go from there, you don't need to open the file and process it. Am I making sense?Your code would change to something like this:

<?php$users = array();$newuser = array();$newuser['username'] = "sfb";$newuser['password'] = "ru6g8oz";$newuser['first'] = "john";$newuser['last'] = "jones";$newuser['email'] = "snowfort@gmail";$users[] = $newuser;$newuser = array();$newuser['username'] = "mittens";$newuser['password'] = "123456789";$newuser['first'] = "";$newuser['last'] = "";$newuser['email'] = "dogs_drue@gmail.com";$users[] = $newuser;$newuser = array();$newuser['username'] = "patches";$newuser['password'] = "987654321";$newuser['first'] = "";$newuser['last'] = "";$newuser['email'] = "cool_cat@gmail.com";$users[] = $newuser;//$users now has 3 records?>

<?php$userlogedin = false;$username = $_POST["username"];$password = $_POST["password"];if($username != ""){  require_once("users.php"); //include the file that contains the user records  $size = count($users);  for ($i = 0; $i < $size; $i++)  {    if (($users[$i]['username'] == $username) and ($users[$i]['password'] == $password))    {      $email = $users[$i]['email'];      $userlogedin = true;      echo "{$username}<br>{$email}<br>";    }  }}if($userlogedin){  print"The password and username match";}else{  print"the username and password do <u>not</u> match!";}print"  <br><br>this is the login page";?>

Just look at how much code it eliminates, and how much easier it is to understand what's going on.

Link to comment
Share on other sites

ok my only problem is that when I include or require another php file, the variables and arrays and most other things seem to be just for that page. i can use them in the page i am including them in. do you get this or not? lets say i make a script that gets the person's ip address. then I use include() or require() and test it out. I get the ip address of the server not the visitor and lets say i also set a variable had their ip in it and wanted to print it on my page the variable acts as if it wasn't set. If you need a better clarification i could try and explain it again.

Link to comment
Share on other sites

It sounds like you have scope issues.Scope is sort of the 'range of vision' that each function has. So take this for example:

<?php#this is the root PHP code (scope 0)$some_var = array();global $another_var;$another_var = "test";$still_another = "test2";function func1(){  #this is a new scope block.  variables defined inside func1 are only available inside func1  global $another_var;  //use the global copy of another_var  if (!isset($some_var))    echo "some_var is not set in this scope";  echo $another_var;  //will print "test"  echo $still_another;  //will not print anything}?>

Hopefully you can sort of see what's going on. There are 'global' variables and 'local' variables. Global variables are visible everywhere, but local variables are only visible in the scope they are declared in. Since func1 has it's own scope, it cannot see the $still_another variable because that variable is a local variable in another scope. However, it can see $another_var because $another_var was declared to be a global variable (with the 'global' keyword).When you include or require a file, it brings all of the code in the new file into the same scope where the include or require statement shows up. So if you have your include/require at the top of the page, the included code will be in the global scope. In order to use the global copy of the variable (like the users array), if you use it in a function you need to declare the variable globally. All this sounds confusing, but it's pretty easy.

<?phprequire_once("users.php");$size = count($users); //same scope, we can use $usersfunction login_user($username, $password){  global $users; //make sure we are using the global version  $size = count($users);  //this will work, we are using the global version of $users}?>

http://www.php.net/manual/en/language.variables.scope.phpAlso, if you are trying to get the user's IP but you are getting the server's IP, you are looking for the wrong thing (the user's IP will never equal the server's IP). $_SERVER['SERVER_ADDR'] gets the server IP, $_SERVER['REMOTE_ADDR'] gets the user's IP.http://www.php.net/manual/en/reserved.vari...ariables.server

Link to comment
Share on other sites

ok thanks for all the help. Currently my site is down and probably will be for another week. dan from the dcole server was moving servers and tried to take the hard drive from the old server and put it into the new one. I knew he was planning this when i talked to him at school but when i came home the server was offline before i could backup my data. it ended up in that dan lost lots of data and his server isnt working. he is waiting for mitch but mitch is too bussy to fix it. I should really get my own server. i wish i could show you an example of when i was getting the server's ip but the server is down. it was happening because i had it print the variable on the file that was being included. i was also using include(http://mysite/example.php) which was dumb. thanks again for all your help!

Link to comment
Share on other sites

i have recently bought a domian for an online game i need to know how to to get the user stuff up i know everything else i dont know what to do for when a new user registers he gets his own seperate account to use how do i do that

Link to comment
Share on other sites

scotty, you should make your own topic or search for what you need.you might want to research using sessions.SFB, what I have done is at the bottom of the included file you put this:

return $somevar;

then in the other file do this:

$newvar = require_once("yourfile.php");

change the vars to your need. I have actually only used this with include, but it should work.LG

Link to comment
Share on other sites

I should really get my own server. 
If you are serious about developing, then you should. There's no reason not to either, you can get a lot of space for as little as $2/month ($24/year). Look at geekhosting.com or something like that.
Link to comment
Share on other sites

ok let me say this once again my site is down. i cant test things now. It seems like if i put the include at the verry top insted of somwhere in the middle it should work. one of the reasons it wasnt working was because i went include (http://snowforts.ath.cx/whatever) so the server was only getting the output not the php with all the variables in it. just a little note include and require are bassically the same but they are a little different. for what i am doing they should act the same. i prefer include over require but i use both.

Link to comment
Share on other sites

Include and require are identical except how they handle errors. Include will issue a warning, and require will issue a fatal error. If you have configuration settings or function definitions or something being included in your file, you can use include_once or require_once, and the file will only be included if it hasn't already been included.If you are including PHP scripts though, you need to use the file path, not the http path. If the files are in the same folder, you do include("file.php");, or if it's in a relative folder you could do include("../includes/file.php"); or whatever. You can also write the entire path, but if you're on a hosted server it's sometimes difficult to find the true path. You would want to use a script to either call the phpinfo() function or do a nl2br(print_r($_SERVER)); and look for the variable that has the file path in it.

Link to comment
Share on other sites

hey i was working on a regester script. is there a good way to write datat before the ?> in a php file? that is the main reason i was using a txt file but this way seems like it will work if i can write data before the ?>

Link to comment
Share on other sites

Just store it all in variables. Look at post #7. There's no reason to store raw data in a PHP script if you have to parse the file and read all the data. Just store it in variables and save yourself a headache. When you save the file, you just write out all the same PHP code.

Link to comment
Share on other sites

how do i store the data in variables in file? you make it seem like i dont even have to write to that file. if there is a better way to add the variables to the file that the variables are sored in please tell me now!

Link to comment
Share on other sites

Well, if you are saving your data in a file, then ultimately you do have to write the file. The variables thing is to save you the headache of reading everything back in. You can also create your own little data management class to help you write the file automatically, but yeah, you will have to write the data to the file, you just write PHP code instead of the raw data. So, using my example from post 7, the code would be something like this:

$str = "<" . "?php\n";$str .= "\$users = array();\n\n";for_each_user{  $str .= "\$newuser = array();\n";  $str .= "\$newuser['username'] = \"" . $username . "\";\n";  $str .= "\$newuser['password'] = \"" . $password . "\";\n";  $str .= "\$newuser['first'] = \"" . $first . "\";\n";  $str .= "\$newuser['last'] = \"" . $last . "\";\n";  $str .= "\$newuser['email'] = \"" . $email . "\";\n";  $str .= "\$users[] = \$newuser;\n\n";}$str .= "?" . ">";//write $str to the file

So, yeah, if you are storing your data in a file there's really no way to get around actually writing the file, you have to do that regardless. But if you do it this way, you don't have to do any extra work to read all the data in.

Link to comment
Share on other sites

  • 2 weeks later...
Well, if you are saving your data in a file, then ultimately you do have to write the file.  The variables thing is to save you the headache of reading everything back in.  You can also create your own little data management class to help you write the file automatically, but yeah, you will have to write the data to the file, you just write PHP code instead of the raw data.  So, using my example from post 7, the code would be something like this:
$str = "<" . "?php\n";$str .= "\$users = array();\n\n";for_each_user{  $str .= "\$newuser = array();\n";  $str .= "\$newuser['username'] = \"" . $username . "\";\n";  $str .= "\$newuser['password'] = \"" . $password . "\";\n";  $str .= "\$newuser['first'] = \"" . $first . "\";\n";  $str .= "\$newuser['last'] = \"" . $last . "\";\n";  $str .= "\$newuser['email'] = \"" . $email . "\";\n";  $str .= "\$users[] = \$newuser;\n\n";}$str .= "?" . ">";//write $str to the file

So, yeah, if you are storing your data in a file there's really no way to get around actually writing the file, you have to do that regardless.  But if you do it this way, you don't have to do any extra work to read all the data in.

I am confused on how this works. do i just use this for the new user or do i include the userdata.php file and it will re write it for me. i realize i will have to add a fwrite and the things that go with that function. I want a way to write data to this file without opening it taking the data and then removing parts and placing them back after i add the new data. This sounds confusing but i hope you will understand.
Link to comment
Share on other sites

o well i will clarify myself by telling you what i do in my scriptfirst i open the file then i read itthen i remove the end of php (?>)then i add the new arraythen i place the end php symbol (?>) at the endthe i write the data over the exzisting file. i dont want to do it this way. somehow i want to take the data i have and just write a file. mabey somehow i could include my userdata.php file and then rewrite the exzistign arays and then add the new one.

Link to comment
Share on other sites

i dont want to do it this way. somehow i want to take the data i have and just write a file
That's all you need to do. When you include the file, it creates an array called $users that contains all the users, right? So you can use the code I gave you last time to create a function that writes the file. You don't need to read what's in the file, you are overwriting it each time with the current $users array.
function write_users(){  global $users;  $str = "<" . "?php\n";  $str .= "\$users = array();\n\n";  for ($i = 0; $i < count($users); $i++)  {    $str .= "\$newuser = array();\n";    $str .= "\$newuser['username'] = \"" . $users[$i]['username'] . "\";\n";    $str .= "\$newuser['password'] = \"" . $users[$i]['password'] . "\";\n";    $str .= "\$newuser['first'] = \"" . $users[$i]['first'] . "\";\n";    $str .= "\$newuser['last'] = \"" . $users[$i]['last'] . "\";\n";    $str .= "\$newuser['email'] = \"" . $users[$i]['email'] . "\";\n";    $str .= "\$users[] = \$newuser;\n\n";  }  $str .= "?" . ">";  if (!$handle = fopen("users.php", "w"))   {    echo "Cannot open the users file for writing";    exit;  }  if (fwrite($handle, $str) === FALSE)   {    echo "Cannot write to the users file";    exit;  }   fclose($handle);}

Then you can just make a call to write_users() whenever you want to save.

Link to comment
Share on other sites

That's all you need to do.  When you include the file, it creates an array called $users that contains all the users, right?  So you can use the code I gave you last time to create a function that writes the file.  You don't need to read what's in the file, you are overwriting it each time with the current $users array.
function write_users(){  global $users;  $str = "<" . "?php\n";  $str .= "\$users = array();\n\n";  for ($i = 0; $i < count($users); $i++)  {    $str .= "\$newuser = array();\n";    $str .= "\$newuser['username'] = \"" . $users[$i]['username'] . "\";\n";    $str .= "\$newuser['password'] = \"" . $users[$i]['password'] . "\";\n";    $str .= "\$newuser['first'] = \"" . $users[$i]['first'] . "\";\n";    $str .= "\$newuser['last'] = \"" . $users[$i]['last'] . "\";\n";    $str .= "\$newuser['email'] = \"" . $users[$i]['email'] . "\";\n";    $str .= "\$users[] = \$newuser;\n\n";  }  $str .= "?" . ">";  if (!$handle = fopen("users.php", "w"))   {    echo "Cannot open the users file for writing";    exit;  }  if (fwrite($handle, $str) === FALSE)   {    echo "Cannot write to the users file";    exit;  }   fclose($handle);}

Then you can just make a call to write_users() whenever you want to save.

so all i would have to do is add include('userdata.php'); somwhere in the file and then when i want to save a new user i could call the function. I got another question too. i never really understood how something like
  $str = "<" . "?php\n"; $str .= "\$users = array();\n\n"; for ($i = 0; $i < count($users); $i++) {   $str .= "\$newuser = array();\n";   $str .= "\$newuser['username'] = \"" . $users[$i]['username'] . "\";\n";

works. what is the purpose of the str .="stuff" I understand the purpose in the first line so php doesnt think you are starting another php thing inside of itself. well i guess what i want is a link to something that explains the .= and "stuff" . "otherstuff" and how to properly use them

Link to comment
Share on other sites

The period (.) is the "string concatenation" operator. It joins two strings. A string is any sequence of characters inside quotes (""). These are all strings:"123""something""something else"If you have this:$str = "Hello " . "world";You get the string "Hello world" inside $str. The period joins the two. And when you combine one operator with the equals (like .=), it is just shorthand. These two statements do the same thing:$str = $str . "next word";$str .= "next word";So I could rewrite this:$str .= "\$users = array();\n\n";as this:$str = $str . "\$users = array();\n\n";You can also combine other operators. This:$i += 10;is the same as this:$i = $i + 10;http://www.php.net/manual/en/language.operators.php

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...