Passwording a PHP page

I'm trying to password the 'update' page of a MySQL database that runs
on a company intranet w/Apache and PHP. I don't care about the
'entry' page to this database - just the 'update' page and want the
five people (or so) who may be doing updates, to enter only a password
and then write that password to the MySQL database field.

On my entry page as the last part of my form, I'm using;
<tr>
<td>Password: </td><td align="left"><input type="password"
name="password" size="15" maxlength="15" value=""></td>
</tr>
<tr>
<td colspan="4" align="center"> <input type="submit"
value="Enter"></td>
</tr>
</table>
</form>

What I'm looking for is pointers on how to make the second page of
this work query work based on meeting the criteria of a password
element - i.e: 2nd page

$password = $_POST['password'];

if (!$password = 'password stored in database' allow write))
{
else echo PASSWORD must match file on record for this user;
}
I know this isn't the code precisely but am hopeful for any pointers
in making it happen. Again, I'm not looking for a complete login
since it IS an intranet - just looking to write to the database the
user who did the update (provided the password criteria was met).
TIA...
Jul 10 '07 #1
cover wrote:
>I'm trying to password the 'update' page of a MySQL database that runs
>on a company intranet w/Apache and PHP. I don't care about the
>'entry' page to this database - just the 'update' page and want the
>five people (or so) who may be doing updates, to enter only a password
>and then write that password to the MySQL database field.
>
>On my entry page as the last part of my form, I'm using;
><tr>
><td>Password: </td><td align="left"><input type="password"
>name="password" size="15" maxlength="15" value=""></td>
></tr>
><tr>
><td colspan="4" align="center"> <input type="submit"
>value="Enter"></td>
></tr>
></table>
></form>
>
>What I'm looking for is pointers on how to make the second page of
>this work query work based on meeting the criteria of a password
>element - i.e: 2nd page
>
>$password = $_POST['password'];
>
>if (!$password = 'password stored in database' allow write))
>{
>else echo PASSWORD must match file on record for this user;
>}

$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
    echo "sorry, the wrong password";
    exit;
}

echo "Wow, you know the password";
--

//Aho
Jul 10 '07 #2
On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <us**@example.net>
wrote:

>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>$res=mysql_query($query);
>if(!mysql_num_rows($res)) {
>echo "sorry, the wrong password";
>exit;
>}
>
>echo "Wow, you know the password";

Not sure if that's quite what I was looking for but I very much
appreciate your reply.

What if we want to allow any one of five people to update ANY record
in the db provided they have a password as verified by 'password_tbl'.
The entries won't have any password associated but when someone does an
update, we want to know who did it and write it to the database in the
'updater' field accordingly - thanks...
Jul 10 '07 #3
On Mon, 09 Jul 2007 21:39:08 -0700, cover
<co****************@yahoo.com> wrote:
>On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <us**@example.net>
>wrote:
>
>>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>>$res=mysql_query($query);
>>if(!mysql_num_rows($res)) {
>>echo "sorry, the wrong password";
>>exit;
>>}
>>
>>echo "Wow, you know the password";

So as I look at this again, perhaps the user logs in their first name
and in the table password_tbl a password exists that corresponds with
their first name. So is that:

$query="SELECT * FROM $table WHERE
firstname_column='{$_POST['firstname']}' AND
password_column='{$_POST['password']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
    echo "sorry, the wrong password";
    exit;
}
echo "Wow, you know the password";
Jul 10 '07 #4
cover wrote:
>On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <us**@example.net>
>wrote:
>
>>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>>$res=mysql_query($query);
>>if(!mysql_num_rows($res)) {
>>echo "sorry, the wrong password";
>>exit;
>>}
>>
>>echo "Wow, you know the password";
>
>not sure if that's quite what I was looking for but I very much
>appreciate your reply.

I think that is what you wanted, a check of the password against what is in
the database, the mysql_num_rows returns how many lines there are with the
password, if it returns 0, then you know the password was either misspelled or
the person didn't know the password.
You execute the db-update after the password check.

>What if we want to allow any one of five people to update ANY record
>in the db provided they have a password as verified by 'password_tbl'.
>The entries won't have any password associated but when someone does an
>update, we want to know who did it and write it to the database in the
>'updater' field accordingly - thanks...

You will need a log table (or a log file), you can store the query and the
password to the table/file, that way you can check what each person has done.
If you want you could of course store a "user name" in the password table and
use that name in the log file/table.
You may want to make a check of the query before you run it, so that they
aren't affecting the password_tbl or the log_tbl.

IMHO the following flow is a good one:

1. Check login
   a. FALSE - redirect the user to another page with header()
   b. TRUE - let user execute the rest of the page
2. Check query to be executed
   a. BAD - don't execute, redirect user to another page with header()
   b. OK - let the execution continue
3. Store query + password/username to the log table/file
4. Execute the query

The page you redirect to can be static (html), which just informs the user
that they have done something they shouldn't. I think this is a lot better than
having big if-cases in the main script which can easily make you do
modifications in the wrong place, especially if you have a bad "syntax" use.
--

//Aho
Jul 10 '07 #5
cover wrote:
>So as I look at this again, perhaps the user logs in their first name
>and in the table password_tbl a password exists that corresponds with
>their first name. So is that:
>
>$query="SELECT * FROM $table WHERE
>firstname_column='{$_POST['firstname']}' AND
>password_column='{$_POST['password']}'";
>$res=mysql_query($query);
>if(!mysql_num_rows($res)) {
>echo "sorry, the wrong password";
>exit;
>}
>echo "Wow, you know the password";

Yes, in the case you want that the user will be using both a login name and
password, if you only want a password, you have to see that the password is
unique, otherwise the users can be mixed up (while using login+pass the
likelihood is a lot less that you have two persons with the same login and
password, of course you should see to have only one user for each
username/login you use).

--

//Aho
Jul 10 '07 #6
On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <us**@example.net>
wrote:
>Yes, in the case you want that the user will be using both a login name and
>password, if you only want a password, you have to see that the password is
>unique, otherwise the users can be mixed up (while using login+pass the
>likelihood is a lot less that you have two persons with the same login and
>password, of course you should see to have only one user for each
>username/login you use).

Would something like this work where there might be two tables, one
with the data you're trying to update and the second only holding the
user name and password where conditions had to be met at update.

mysql_query("UPDATE actions_tbl SET date='$ud_date',
targmonth='$ud_targmonth', targyear='$ud_targyear',
assignedto='$ud_assignedto', datecomp='$ud_datecomp',
status='$ud_status', referenceno='$ud_referenceno'
WHERE id='$ud_id' AND WHERE password_tbl
updater_column='$updater' AND password_column='$password'") or
die("Update Error: ".mysql_error());

echo "Record Updated";
mysql_close();

The tricky part appears to be in adding AND WHERE so when 'id'
conditions have been met in the actions_tbl, updater and password
conditions must also be met in password_tbl - I dunno - still have a
syntax issue associated w/ the AND WHERE portion. ;-)
Jul 10 '07 #7
cover wrote:
>On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <us**@example.net>
>wrote:
>>Yes, in the case you want that the user will be using both a login name and
>>password, if you only want a password, you have to see that the password is
>>unique, otherwise the users can be mixed up (while using login+pass the
>>likelihood is a lot less that you have two persons with the same login and
>>password, of course you should see to have only one user for each
>>username/login you use).
>
>Would something like this work where there might be two tables, one
>with the data you're trying to update and the second only holding the
>user name and password where conditions had to be met at update.
>mysql_query("UPDATE actions_tbl SET date='$ud_date',
>targmonth='$ud_targmonth', targyear='$ud_targyear',
>assignedto='$ud_assignedto', datecomp='$ud_datecomp',
>status='$ud_status', referenceno='$ud_referenceno'
>WHERE id='$ud_id' AND WHERE password_tbl
>updater_column='$updater' AND password_column='$password'") or
>die("Update Error: ".mysql_error());
>
>echo "Record Updated";
>mysql_close();

No, that won't work, do

$pass_query="SELECT * FROM table WHERE password_column='{$_POST['password']}'
AND user_column='{$_POST['username']}'";
$res=mysql_query($pass_query);
if(mysql_num_rows($res)) {
    $query="UPDATE actions_tbl SET date='$ud_date',
    targmonth='$ud_targmonth', targyear='$ud_targyear',
    assignedto='$ud_assignedto', datecomp='$ud_datecomp',
    status='$ud_status', referenceno='$ud_referenceno'
    WHERE id='$ud_id'";
    mysql_query($query);
    // 'H:i' gives hours and minutes ('n' would print the month number)
    $time=date('Y-m-d H:i');
    // append the line from PHP itself, so form input never reaches a shell
    file_put_contents("/path/to/sqlupdate.log",
        "{$time} {$_POST['username']}: {$query}\n", FILE_APPEND);
}

This way you check if the user is allowed to make the update and do the
update and then register the update to the logfile.
--

//Aho
Jul 10 '07 #8
On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <us**@example.net>
wrote:
>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>$res=mysql_query($query);
>if(!mysql_num_rows($res)) {
>echo "sorry, the wrong password";
>exit;
>}
>
>echo "Wow, you know the password";

I started over... Can't seem to get anything but the 'sorry, wrong
password'.

The form writes to a database called 'actions' and a table called
'actions_tbl' and I'd like to continue to write to that table but only
if, the name and password that are queried on the write are consistent
with a name and password stored within the same database but another
table called 'password_tbl'

This particular form is an update form used to update existing records
into the 'actions_tbl' table. I'd like to add two text fields to the
update form ('text' and 'password') and write that to an additional
field I'll be adding in actions_tbl ('updated_by') to know who did the
update. That update person would have to enter a name and password
into the form that is pre-stored in password_tbl to be successful.

Upon writing to the database table actions_tbl, the name and password
would be checked via query of password_tbl to ensure whomever was in
the database and authorized to do an update. The existing update form
works great but again, there could be issues in not knowing who did
the update which leads to the desire to issue a basic login name and
password that would have to be used for updating records in the db.

I'd thought that perhaps somewhat the reverse of not allowing an empty
field to be processed might be on track but realize that a query will
have to be included to actually check the name and password against
what's in password_tbl so my empty field code as follows won't work
but here it is if it should help someone looking for that particular
fix.

if (!$source || !$type || !$area)
{
echo 'You have not entered all the required fields for this data
entry.<br />'
.'Please click the browser BACK button, complete the form
and try again.';
exit;
}

Anyway, thanks for the pointers and sorry if it seems like I'm getting
into rambling here - frustration coming through... lol
Jul 11 '07 #9
cover wrote:
>On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <us**@example.net>
>wrote:
>>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>>$res=mysql_query($query);
>>if(!mysql_num_rows($res)) {
>>echo "sorry, the wrong password";
>>exit;
>>}
>>
>>echo "Wow, you know the password";
>
>I started over... Can't seem to get anything but the 'sorry, wrong
>password'.

Forms can be sent in two different ways, POST or GET, this you adjust with the
method-option in the form-tag

<form method="post" ... =$_POST
<form method="get" ... =$_GET

For testing, you can put the following in your script where you receive the form

// single quotes, so the variable name is printed literally
echo '$_POST: ';
var_dump($_POST);
echo '$_GET: ';
var_dump($_GET);

This way you will see the values sent to the page, really useful when debugging.

>The form writes to a database called 'actions' and a table called
>'actions_tbl' and I'd like to continue to write to that table but only
>if, the name and password that are queried on the write are consistent
>with a name and password stored within the same database but another
>table called 'password_tbl'

// we have checked the empty values

$query="SELECT * FROM password_tbl WHERE
password_column='{$_POST['password']}' AND user_column='{$_POST['user']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
    echo "sorry, the wrong password";
    exit;
}

// your old code here

I should say it can be good to process the $_POST['password'] and
$_POST['user'] before using the values, checking that no one is trying to
inject SQL code (don't know how bad people working at your job place).

>This particular form is an update form used to update existing records
>into the 'actions_tbl' table. I'd like to add two text fields to the
>update form ('text' and 'password') and write that to an additional
>field I'll be adding in actions_tbl ('updated_by') to know who did the
>update.

You will need to use an ALTER TABLE, I suggest you create a test table first
and test on it first before you get on the live table.
When you added the columns it's just do it the same way as before.
>I'd thought that perhaps somewhat the reverse of not allowing an empty
>field to be processed might be on track but realize that a query will
>have to be included to actually check the name and password against
>what's in password_tbl so my empty field code as follows won't work
>but here it is if it should help someone looking for that particular
>fix.
>
>if (!$source || !$type || !$area)
>{
>echo 'You have not entered all the required fields for this data
>entry.<br />'
>.'Please click the browser BACK button, complete the form
>and try again.';
>exit;
>}

PHP has the empty() function which is used to check values, as values like
"false", "0" will generate a "true" in your if case.

if(empty($source) || empty($type) || empty($area)) {
    // double quotes, because the message contains an apostrophe
    echo "You didn't enter all the needed values";
    exit;
}

I hope this leads you in the right direction, time for me to get to work and
don't have much time over for ng there.

--

//Aho
Jul 11 '07 #10
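
The flow discussed in the replies above (check the login, check what is about to be written, run the update, record who did it), together with the SQL-injection caveat from the last reply, as an added example that is not part of the original thread. The `password_hash` column, the `status` allow-list, the sample user, the log path and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: schema, account and requests are constructed, not from the thread.
// SQLite in memory keeps it runnable offline; for MySQL only the PDO DSN changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_tbl (user_column TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE actions_tbl (id INTEGER PRIMARY KEY, status TEXT, updated_by TEXT)');
$db->exec("INSERT INTO actions_tbl (id, status) VALUES (1, 'open')");

// Store a salted hash of the password, never the password itself.
$add = $db->prepare('INSERT INTO password_tbl (user_column, password_hash) VALUES (?, ?)');
$add->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Step 1: check the login. True only for a known user with the right password.
function checkLogin(PDO $db, string $user, string $password): bool
{
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password_hash FROM password_tbl WHERE user_column = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Steps 2-4: validate the values, run a fixed UPDATE, record who did it.
function updateStatus(PDO $db, array $post, string $logFile): string
{
    $user = (string)($post['user'] ?? '');
    $password = (string)($post['password'] ?? '');
    if (!checkLogin($db, $user, $password)) {
        return 'denied';
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $status = (string)($post['status'] ?? '');
    if ($id === false || !in_array($status, ['open', 'closed'], true)) {
        return 'bad input';
    }
    // The statement is fixed and users supply values only, so an update
    // can never touch password_tbl or any table other than actions_tbl.
    $upd = $db->prepare('UPDATE actions_tbl SET status = ?, updated_by = ? WHERE id = ?');
    $upd->execute([$status, $user, $id]);
    // Append to the log from PHP itself: no shell command is built from input.
    $line = sprintf("%s %s: id=%d status=%s\n", date('Y-m-d H:i'), $user, $id, $status);
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
    return 'updated';
}

$log = sys_get_temp_dir() . '/sqlupdate-example.log';
// Constructed requests: a valid update, a wrong password, and input full of quotes.
$requests = [
    ['user' => 'alice', 'password' => 'correct horse', 'id' => '1', 'status' => 'closed'],
    ['user' => 'alice', 'password' => 'guess', 'id' => '1', 'status' => 'open'],
    ['user' => "x' OR '1'='1", 'password' => "x' OR '1'='1", 'id' => '1', 'status' => 'open'],
];
foreach ($requests as $r) {
    echo $r['user'], ' => ', updateStatus($db, $r, $log), "\n";
}
echo implode(' / ', $db->query('SELECT status, updated_by FROM actions_tbl WHERE id = 1')->fetch(PDO::FETCH_NUM)), "\n";
```

Only the first request changes the row; the quoted input is compared as an ordinary user name and is refused, and the `updated_by` column plus the log line both name the person who made the change.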
