Passwording a PHP page

I'm trying to password the 'update' page of a MySQL database that runs
on a company intranet w/Apache and PHP. I don't care about the
'entry' page to this database - just the 'update' page and want the
five people (or so) who may be doing updates, to enter only a password
and then write that password to the MySQL database field.

On my entry page as the last part of my form, I'm using;
<tr>
<td>Password:</td><td align="left"><input type="password"
name="password" size="15" maxlength="15" value=""></td>
</tr>
<tr>
<td colspan="4" align="center"><input type="submit"
value="Enter"></td>
</tr>
</table>
</form>

What I'm looking for is pointers on how to make the second page of
this work query work based on meeting the criteria of a password
element - i.e: 2nd page

$password = $_POST['password'];

if (!$password = 'password stored in database' allow write))
{
else echo PASSWORD must match file on record for this user;
}
I know this isn't the code precisely but am hopeful for any pointers
in making it happen. Again, I'm not looking for a complete login
since it IS an intranet - just looking to write to the database the
user who did the update (provided the password criteria was met).
TIA...
Jul 10 '07 #1
cover wrote:
> I'm trying to password the 'update' page of a MySQL database that runs
> on a company intranet w/Apache and PHP. I don't care about the
> 'entry' page to this database - just the 'update' page and want the
> five people (or so) who may be doing updates, to enter only a password
> and then write that password to the MySQL database field.
>
> On my entry page as the last part of my form, I'm using;
> <tr>
> <td>Password:</td><td align="left"><input type="password"
> name="password" size="15" maxlength="15" value=""></td>
> </tr>
> <tr>
> <td colspan="4" align="center"><input type="submit"
> value="Enter"></td>
> </tr>
> </table>
> </form>
>
> What I'm looking for is pointers on how to make the second page of
> this work query work based on meeting the criteria of a password
> element - i.e: 2nd page
>
> $password = $_POST['password'];
>
> if (!$password = 'password stored in database' allow write))
> {
> else echo PASSWORD must match file on record for this user;
> }

$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
echo "sorry, the wrong password";
exit;
}

echo "Wow, you know the password";
--

//Aho
Jul 10 '07 #2
On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <us**@example.net>
wrote:

> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
> $res=mysql_query($query);
> if(!mysql_num_rows($res)) {
> echo "sorry, the wrong password";
> exit;
> }
>
> echo "Wow, you know the password";

not sure if that's quite what I was looking for but I very much
appreciate your reply.

What if we want to allow any one of five people to update ANY record
in the db provided they have a password as verified by 'password_tbl'.
The entries won't have any password associated but when someone does an
update, we want to know who did it and write it to the database in the
'updater' field accordingly - thanks...
Jul 10 '07 #3
On Mon, 09 Jul 2007 21:39:08 -0700, cover
<co****************@yahoo.com> wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <us**@example.net>
> wrote:
>
>> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>> $res=mysql_query($query);
>> if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>> }
>>
>> echo "Wow, you know the password";

So as I look at this again, perhaps the user logs in their first name
and in the table password_tbl a password exists that corresponds with
their first name. So is that:

$query="SELECT * FROM $table WHERE
firstname_column='{$_POST['firstname']}' AND
password_column='{$_POST['password']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
echo "sorry, the wrong password";
exit;
}
echo "Wow, you know the password";
Jul 10 '07 #4
cover wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <us**@example.net>
> wrote:
>
>> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>> $res=mysql_query($query);
>> if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>> }
>>
>> echo "Wow, you know the password";
>
> not sure if that's quite what I was looking for but I very much
> appreciate your reply.

I think that is what you wanted, a check of the password against what is in
the database, the mysql_num_rows returns how many lines there are with the
password, if it returns 0, then you know the password was either misspelled or
the person didn't know the password.
You execute the db-update after the password check.

> What if we want to allow any one of five people to update ANY record
> in the db provided they have a password as verified by 'password_tbl'.
> The entries won't have any password associate but when someone does an
> update, we want to know who did it and write it to the database in the
> 'updater' field accordingly - thanks...

You will need a log table (or a log file), you can store the query and the
password to the table/file, that way you can check what each person has done.
If you want you could of course store a "user name" in the password table and
use that name in the log file/table.
You may want to make a check of the query before you run it, so that they
aren't affecting the password_tbl or the log_tbl.

IMHO the following flow is a good one:

1. Check login
   a. FALSE - redirect the user to another page with header()
   b. TRUE - let user execute the rest of the page
2. Check query to be executed
   a. BAD - don't execute, redirect user to another page with header()
   b. OK - let the execution continue
3. Store query + password/username to the log table/file
4. Execute the query

The page you redirect to can be static (html), which just informs the user
that they have done something they shouldn't. I think this is a lot better than
having big if-cases in the main script which can easily make you do
modifications in the wrong place, especially if you have a bad "syntax" use.
--

//Aho
Jul 10 '07 #5
cover wrote:
> So as I look at this again, perhaps the user logs in their first name
> and in the table password_tbl a password exists that corresponds with
> their first name. So is that:
>
> $query="SELECT * FROM $table WHERE
> firstname_column='{$_POST['firstname']}' AND
> password_column='{$_POST['password']}'";
> $res=mysql_query($query);
> if(!mysql_num_rows($res)) {
> echo "sorry, the wrong password";
> exit;
> }
> echo "Wow, you know the password";

Yes, in the case you want that the user will be using both a login name and
password, if you only want a password, you have to see that the password is
unique, otherwise the users can be mixed up (while using login+pass the
likelihood is a lot less that you have two persons with the same login and
password, of course you should see to have only one user for each
username/login you use).

--

//Aho
Jul 10 '07 #6
On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <us**@example.net>
wrote:
> Yes, in the case you want that the user will be using both a login name and
> password, if you only want a password, you have to see that the password is
> unique, otherwise the users can be mixed up (while using login+pass the
> likelihood is a lot less that you have two persons with the same login and
> password, of course you should see to have only one user for each
> username/login you use).

Would something like this work where there might be two tables, one
with the data you're trying to update and the second only holding the
user name and password where conditions had to be met at update.

mysql_query("UPDATE actions_tbl SET date='$ud_date',
targmonth='$ud_targmonth', targyear='$ud_targyear',
assignedto='$ud_assignedto', datecomp='$ud_datecomp',
status='$ud_status', referenceno='$ud_referenceno'
WHERE id='$ud_id' AND WHERE password_tbl
updater_column='$updater' AND password_column='$password'") or
die("Update Error: ".mysql_error());

echo "Record Updated";
mysql_close();

The tricky part appears to be in adding AND WHERE so when 'id'
conditions have been met in the actions_tbl, updater and password
conditions must also be met in password_tbl - I dunno - still have a
syntax issue associated w/ the AND WHERE portion. ;-)
Jul 10 '07 #7
cover wrote:
> On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <us**@example.net>
> wrote:
>> Yes, in the case you want that the user will be using both a login name and
>> password, if you only want a password, you have to see that the password is
>> unique, otherwise the users can be mixed up (while using login+pass the
>> likelihood is a lot less that you have two persons with the same login and
>> password, of course you should see to have only one user for each
>> username/login you use).
>
> Would something like this work where there might be two tables, one
> with the data you're trying to update and the second only holding the
> user name and password where conditions had to be met at update.
>
> mysql_query("UPDATE actions_tbl SET date='$ud_date',
> targmonth='$ud_targmonth', targyear='$ud_targyear',
> assignedto='$ud_assignedto', datecomp='$ud_datecomp',
> status='$ud_status', referenceno='$ud_referenceno'
> WHERE id='$ud_id' AND WHERE password_tbl
> updater_column='$updater' AND password_column='$password'") or
> die("Update Error: ".mysql_error());
>
> echo "Record Updated";
> mysql_close();

No, that won't work, do

$pass_query="SELECT * FROM table WHERE password_column='{$_POST['password']}'
AND user_column='{$_POST['username']}'";
$res=mysql_query($pass_query);
if(mysql_num_rows($res)) {
    // user and password matched a row, so run the update
    $query="UPDATE actions_tbl SET date='$ud_date',
    targmonth='$ud_targmonth', targyear='$ud_targyear',
    assignedto='$ud_assignedto', datecomp='$ud_datecomp',
    status='$ud_status', referenceno='$ud_referenceno'
    WHERE id='$ud_id'";
    mysql_query($query);
    // append time, user and query to the log; escapeshellarg() keeps the
    // text from being interpreted by the shell
    $time=date('Y-m-d H:i');
    $line=escapeshellarg("{$time} {$_POST['username']}: {$query}");
    shell_exec("echo {$line} >> /path/to/sqlupdate.log");
}

This way you check if the user is allowed to make the update and do the
update and then register the update to the logfile.
--

//Aho
Jul 10 '07 #8
On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <us**@example.net>
wrote:
> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
> $res=mysql_query($query);
> if(!mysql_num_rows($res)) {
> echo "sorry, the wrong password";
> exit;
> }
>
> echo "Wow, you know the password";

I started over... Can't seem to get anything but the 'sorry, wrong
password'.

The form writes to a database called 'actions' and a table called
'actions_tbl' and I'd like to continue to write to that table but only
if, the name and password that are queried on the write are consistent
with a name and password stored within the same database but another
table called 'password_tbl'

This particular form is an update form used to update existing records
into the 'actions_tbl' table. I'd like to add two text fields to the
update form ('text' and 'password') and write that to an additional
field I'll be adding in actions_tbl ('updated_by') to know who did the
update. That update person would have to enter a name and password
into the form that is pre-stored in password_tbl to be successful.

Upon writing to the database table actions_tbl, the name and password
would be checked via query of password_tbl to ensure whomever was in
the database and authorized to do an update. The existing update form
works great but again, there could be issues in not knowing who did
the update which leads to the desire to issue a basic login name and
password that would have to be used for updating records in the db.

I'd thought that perhaps somewhat the reverse of not allowing an empty
field to be processed might be on track but realize that a query will
have to be included to actually check the name and password against
what's in password_tbl so my empty field code as follows won't work
but here it is if it should help someone looking for that particular
fix.

if (!$source || !$type || !$area)
{
echo 'You have not entered all the required fields for this data
entry.<br />'
.'Please click the browser BACK button, complete the form
and try again.';
exit;
}

Anyway, thanks for the pointers and sorry if it seems like I'm getting
into rambling here - frustration coming through... lol
Jul 11 '07 #9
cover wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <us**@example.net>
> wrote:
>> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>> $res=mysql_query($query);
>> if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>> }
>>
>> echo "Wow, you know the password";
>
> I started over... Can't seem to get anything but the 'sorry, wrong
> password'.

Forms can be sent in two different ways, POST or GET, this you adjust with the
method-option in the form-tag

<form method="post" ... =$_POST
<form method="get" ... =$_GET

For testing, you can put the following in your script where you receive the form

echo '$_POST: ';
var_dump($_POST);
echo '$_GET: ';
var_dump($_GET);

This way you will see the values sent to the page, really useful when debugging.

> The form writes to a database called 'actions' and a table called
> 'actions_tbl' and I'd like to continue to write to that table but only
> if, the name and password that are queried on the write are consistent
> with a name and password stored within the same database but another
> table called 'password_tbl'

// we have checked the empty values

$query="SELECT * FROM password_tbl WHERE
password_column='{$_POST['password']}' AND user_column='{$_POST['user']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
echo "sorry, the wrong password";
exit;
}

// your old code here

I should say it can be good to process the $_POST['password'] and
$_POST['user'] before using the values, checking that no one is trying to
inject SQL code (don't know how bad people working at your job place).

> This particular form is an update form used to update existing records
> into the 'actions_tbl' table. I'd like to add two text fields to the
> update form ('text' and 'password') and write that to an additional
> field I'll be adding in actions_tbl ('updated_by') to know who did the
> update.

You will need to use an ALTER TABLE, I suggest you create a test table first
and test on it first before you get on the live table.
When you have added the columns, just do it the same way as before.

> I'd thought that perhaps somewhat the reverse of not allowing an empty
> field to be processed might be on track but realize that a query will
> have to be included to actually check the name and password against
> what's in password_tbl so my empty field code as follows won't work
> but here it is if it should help someone looking for that particular
> fix.
>
> if (!$source || !$type || !$area)
> {
> echo 'You have not entered all the required fields for this data
> entry.<br />'
> .'Please click the browser BACK button, complete the form
> and try again.';
> exit;
> }

PHP has the empty() function which is used to check values, as values like
"false", "0" will generate a "true" in your if case.

if(empty($source) || empty($type) || empty($area)) {
    echo "You didn't enter all the needed values";
    exit;
}

I hope this leads you in the right direction, time for me to get to work and
don't have much time over for ng there.

--

//Aho
Jul 11 '07 #10
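
The injection concern raised in the reply above, worked through as an added example (not code from the thread): the credential check and the update both use PDO prepared statements, so form input is bound as data, and the verified name is written to updated_by. Assumptions: PHP 7.1+ with the pdo_sqlite driver (an in-memory SQLite database stands in for the MySQL server), the column names username and pass_hash, and passwords stored with password_hash().

```php
<?php
// Added example, not from the thread. Constructed schema and sample rows;
// an in-memory SQLite database stands in for the intranet MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_tbl (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE actions_tbl (id INTEGER PRIMARY KEY, status TEXT, updated_by TEXT)');
$db->exec("INSERT INTO actions_tbl (id, status) VALUES (1, 'open')");
$seed = $db->prepare('INSERT INTO password_tbl (username, pass_hash) VALUES (?, ?)');
$seed->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns the verified username, or null. User input is bound as data,
// so quote characters in it cannot change the shape of the SQL statement.
function verify_updater(PDO $db, string $user, string $password): ?string
{
    $stmt = $db->prepare('SELECT username, pass_hash FROM password_tbl WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    return $row['username'];
}

// Runs the update only for a verified updater and records who did it.
function update_status(PDO $db, array $post): string
{
    $who = verify_updater($db, $post['user'] ?? '', $post['password'] ?? '');
    if ($who === null) {
        return 'rejected';
    }
    $stmt = $db->prepare(
        'UPDATE actions_tbl SET status = :status, updated_by = :who WHERE id = :id'
    );
    $stmt->execute([
        ':status' => $post['status'] ?? '',
        ':who'    => $who,
        ':id'     => (int) ($post['id'] ?? 0),
    ]);
    return $stmt->rowCount() === 1 ? 'updated' : 'no such record';
}

// Constructed form submissions. The second password contains quote characters
// that would alter a query built by string interpolation.
$requests = [
    ['user' => 'alice', 'password' => 'correct horse', 'id' => '1', 'status' => 'closed'],
    ['user' => 'alice', 'password' => "' OR '1'='1",   'id' => '1', 'status' => 'tampered'],
    ['user' => 'alice', 'password' => 'wrong',         'id' => '1', 'status' => 'tampered'],
];
foreach ($requests as $r) {
    echo $r['password'], ' => ', update_status($db, $r), "\n";
}
print_r($db->query('SELECT * FROM actions_tbl')->fetchAll(PDO::FETCH_ASSOC));
```

Against MySQL only the DSN passed to the PDO constructor changes; the prepared statements stay the same.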
On Wed, 11 Jul 2007 06:32:46 +0200, "J.O. Aho" <us**@example.net>
wrote:
> I hope this leads you in the right direction, time for me to get to work and
> don't have much time over for ng there.

I'll take a look at this and look for a solution. Hey, thanks very
much for your replies - appreciate it very much... Be well.
Jul 11 '07 #11
cover wrote:
> I'm trying to password the 'update' page of a MySQL database that runs
> on a company intranet w/Apache and PHP. I don't care about the
> 'entry' page to this database - just the 'update' page and want the
> five people (or so) who may be doing updates, to enter only a password
> and then write that password to the MySQL database field.
>
> On my entry page as the last part of my form, I'm using;
> <tr>
> <td>Password:</td><td align="left"><input type="password"
> name="password" size="15" maxlength="15" value=""></td>
> </tr>
> <tr>
> <td colspan="4" align="center"><input type="submit"
> value="Enter"></td>
> </tr>
> </table>
> </form>
>
> What I'm looking for is pointers on how to make the second page of
> this work query work based on meeting the criteria of a password
> element - i.e: 2nd page
>
> $password = $_POST['password'];
>
> if (!$password = 'password stored in database' allow write))
> {
> else echo PASSWORD must match file on record for this user;
> }
> I know this isn't the code precisely but am hopeful for any pointers
> in making it happen. Again, I'm not looking for a complete login
> since it IS an intranet - just looking to write to the database the
> user who did the update (provided the password criteria was met).
> TIA...

DO NOT use php.net example to authenticate user

db table:

id (auto increment)
user varchar 25(unique)
password varchar (30)
casual_number (30)

login:
select * from utenti WHERE user=POST[user]
....
if(md5($_POST['password'].$row['casual_number'])===$row['password']){
    $_SESSION['ok']=true;
}else{
    echo "wrong password";
    $_SESSION['ok']=false;
}

in any page .php
<?php
session_start();
if(empty($_SESSION['ok'])){
    // flag not set or false: send the visitor to the login page
    header('Location: http://www.example.com/login.php');
    exit;
}

echo "protected page";

?>

Jul 24 '07 #12
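
The salted-hash login from the post above, as an added example (not the poster's code) that goes one step further: it still accepts records stored as md5(password . casual_number), compares them in constant time with hash_equals(), and replaces them with a password_hash() value on the first successful login. Assumptions: PHP 7.1+; the $users array stands in for the utenti table; all sample values are constructed.

```php
<?php
// Added example, not from the thread. $users stands in for the utenti table
// (user, password, casual_number); all values are constructed.
// The password column must be widened first: MD5 hex is 32 characters and
// password_hash() output is 60 or more (the PHP manual suggests 255).

// Returns [ok, newHash]. newHash is non-null when the stored value should be
// replaced: a legacy salted-MD5 record, or an outdated password_hash() one.
function check_password(string $password, array $row): array
{
    $stored = $row['password'];
    if (empty(password_get_info($stored)['algo'])) {
        // Legacy record. hash_equals() compares in constant time.
        $legacy = md5($password . $row['casual_number']);
        return hash_equals($stored, $legacy)
            ? [true, password_hash($password, PASSWORD_DEFAULT)]
            : [false, null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Looks the user up, checks the password and stores an upgraded hash.
function login(array $post, array &$users): bool
{
    $name = $post['user'] ?? '';
    if (!isset($users[$name])) {
        return false;
    }
    [$ok, $newHash] = check_password($post['password'] ?? '', $users[$name]);
    if ($ok && $newHash !== null) {
        $users[$name]['password'] = $newHash; // with a database: an UPDATE
    }
    // In the web page, on success, call session_regenerate_id(true) and
    // then set $_SESSION['ok'] = true.
    return $ok;
}

// Constructed record in the legacy format, then three login attempts.
$salt = '48151623';
$users = ['bob' => ['casual_number' => $salt, 'password' => md5('s3cret' . $salt)]];
foreach (['nope', 's3cret', 's3cret'] as $try) {
    $ok = login(['user' => 'bob', 'password' => $try], $users);
    $kind = password_get_info($users['bob']['password'])['algoName'];
    echo $try, ': ', $ok ? 'accepted' : 'rejected', ', stored as ', $kind, "\n";
}
```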
