How to make an online PHP contact / phone book with simple PHP (no database)?

Nominal Animal · 07-10-2011, 06:55 AM

I've used pipe-delimited plain text data, since pipe (|) is rarely needed in normal text. It is trivial to parse in PHP. CSV is a bit more complex to handle, but not too bad either. For pipe-delimited plain text data, you could have each line describe one person: last name, first name, e-mail, link, and description, for example:

Code:

LastName | FirstName | firstname.lastname@example.com | http://www.example.com/~firstname.lastname/ | CTO of Example Co. |

If you put your contact list in above format into file path/to/list.txt then you'd only need one PHP page, for example something like

PHP Code:



<?PHP 
    header('Content-Type', 'text/html; charset=UTF-8'); 
?><html><head><title> List </title><style type="text/css"> 
 
    p.search, p.error { 
    border: 0px none; 
    padding: 0.5em 0.5em 0.5em 0.5em; 
    margin: 0.5em 0.5em 1.5em 0.5em; 
    text-align: center; 
    } 
 
    div.table { 
    border: 0px none; 
    padding: 0 auto 0 auto; 
    margin: 0 0 0 0; 
    text-align: center; 
    } 
 
    table { 
    border: 0px none; 
    padding: 0.5em 0.5em 0.5em 0.5em; 
    margin: 0.5em auto 1.5em auto; 
    } 
 
    th, td { 
    border: 0px none; 
    padding: 0.2em 0.6em 0.2em 0.6em; 
    margin: 0 0 0 0; 
    } 
    th { 
    font-weight: normal; 
    vertical-align: bottom; 
    border-bottom: 1px solid #cccccc; 
    } 
    td { 
    vertical-align: top; 
    } 
 
    td.firstname, th.firstname { 
    text-align: right; 
    padding-right: 0.1em; 
    } 
 
    td.lastname, th.lastname { 
    text-align: left; 
    padding-left: 0.1em; 
    } 
 
    td.email, th.email { 
    text-align: left; 
    } 
 
    td.description, th.description { 
    text-align: left; 
    } 
 
</style></head><body><?PHP 
 
$search = @preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/', '', @$_REQUEST['q']); 
$wordlist = @preg_split('/[\t\n\r ]+/', $search, -1, PREG_SPLIT_NO_EMPTY); 
 
$musthave = array(); 
$wonthave = array(); 
if (count($wordlist) > 0) 
    foreach ($wordlist as $w) 
        if (substr($w, 0, 1) == "-" && strlen($w) > 1) 
            $wonthave[] = substr($w, 1); 
        else 
        if (substr($w, 0, 1) == "+" && strlen($w) > 1) 
            $musthave[] = substr($w, 1); 
        else 
            $musthave[] = $w;             
if (count($wonthave) < 1) $wonthave = FALSE; 
if (count($musthave) < 1) $musthave = FALSE; 
 
 
echo '<form method="post" action="', @$_SERVER['REQUEST_URI'], '" accept-charset="utf-8">' 
   , '<p class="search"><input class="text" name="q" type="text" maxlength="128" value="', htmlentities($search, ENT_QUOTES, "UTF-8"), '">' 
   , '<input class="submit" type="submit" value="Search"></p></form>'; 
 
$list = array(); 
$lines = @file_get_contents('/path/to/list.txt'); 
if ($lines !== FALSE) { 
    $lines = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/', '', $lines); 
    $lines = preg_split('/[\r\n]+/', $lines, -1, PREG_SPLIT_NO_EMPTY); 
    sort($lines, SORT_LOCALE_STRING); 
    foreach ($lines as $entry) { 
 
        if ($wonthave !== FALSE) 
            foreach ($wonthave as $string) 
                if (stripos($entry, $string) !== FALSE) 
                    continue 2; 
 
        if ($musthave !== FALSE) { 
            $found = FALSE; 
            foreach ($musthave as $string) 
                if (stripos($entry, $string) !== FALSE) { 
                    $found = TRUE; 
                    break; 
                } 
            if (!$found) 
                continue; 
        } 
 
        $fields = explode('|', $entry . '|||||', 6); 
        $list[] = array( 
            'firstname' => trim($fields[1]), 
            'lastname' => trim($fields[0]), 
            'email' => trim($fields[2]), 
            'link' => trim($fields[3]), 
            'description' => trim($fields[4]) 
        ); 
    } 
} else { 
    echo "Cannot read 'list.txt'."; 
} 
 
if (count($list) > 0) { 
    echo '<div class="table"><table class="list">' 
       , '<tr class="header">' 
       , "<th class=\"firstname\">First name</th>" 
       , "<th class=\"lastname\">Last name</th>" 
       , "<th class=\"email\">E-mail</th>" 
       , "<th class=\"description\">Description</th>" 
       , "</tr>\n\n"; 
 
    foreach ($list as $entry) { 
 
        if (strlen(@$entry['email']) > 0) { 
            $email = '<a href="mailto:' . htmlentities($entry['email'], ENT_QUOTES, "UTF-8") . '">'; 
            $endemail = '</a>'; 
        } else { 
            $email = ''; 
            $endemail = ''; 
        } 
 
        if (strlen(@$entry['link']) > 0) { 
            $link = '<a href="' . htmlentities($entry['link'], ENT_QUOTES, "UTF-8") . '">'; 
            $endlink = '</a>'; 
        } else { 
            $link = ''; 
            $endlink = ''; 
        } 
 
        if (strlen(@$entry['description']) > 0) 
            $description = $link . htmlentities($entry['description'], ENT_COMPAT, "UTF-8") . $endlink; 
        else 
            $description = $link . '<i>No description</i>' . $endlink; 
 
        echo '<tr class="entry">' 
           , "<td\n class=\"firstname\">" 
           , $email, htmlentities(@$entry['firstname'], ENT_COMPAT, "UTF-8"), $endemail 
           , "</td><td\n class=\"lastname\">" 
           , $email, htmlentities(@$entry['lastname'], ENT_COMPAT, "UTF-8"), $endemail 
           , "</td><td\n class=\"email\">" 
           , htmlentities(@$entry['email'], ENT_COMPAT, "UTF-8"), '&nbsp;' 
           , "</td><td\n class=\"link\">" 
           , $description 
           , "</td></tr>\n\n"; 
    } 
    echo "</table></div>\n"; 
} else 
    echo '<p class="error">No matching entries found.</p>'; 
 
?></body></html>

The above PHP is much more complex than absolutely necessary, and I deliberately made it too ugly to use as-is in real life. I only wanted to show some useful techniques. This script is very tolerant of its input: you don't need to care which newline convention is used, or escape any special characters in the data (even < or >), as the script will do those for you. With this field order it will sort the names in ascending order based on last name.

The search box takes one or more keywords to search for. You can put a + in front of each keyword, or a - to invert the selection (meaning any entries that have that keyword will be dropped from the list). Note that the keyword matching is done when parsing, simply because this way you can check each entry (line) with a single function call per keyword.

It is a good idea to separate parsing and display. Note how easily you can extend or modify the input format: you just modify the parsing loop. Named fields (in the PHP array) make the output loop easier to read, too.

The display foreach loop may look a bit complex, but the if clauses are there only to help make the names links to the e-mail address, and the description a link to the possible home page.

If there is interest for some open collaboration here, and somebody writes an example layout in standards-compliant CSS and HTML, perhaps with ideas on other useful search or display features, I might be willing to rewrite the above PHP with lots of comments and easier to read code. If so, do start a new thread in the Programming section. (And drop me a private message if I don't notice it.)

theNbomr · 07-10-2011, 01:05 PM

I once started out on a project of a similar scope and complexity as your address-book project. It was a web interface to a data-set which I would occasionally update, but mostly browse. I was using Perl, not PHP, but I think that is irrelevant. Not long into the project, I realized that the use of an SQL database actually simplified the project enormously. The amount of ready-made code that suddenly becomes at your disposal is a huge productivity boost, IMHO. I was able to use offline general-purpose tools to manage the data and observe that my data was being correctly updated, as well as repair mistakes in the database in parallel with the development process. In addition, I was able to use the database to extract info that I had not previously envisioned, and use the data in ways that were outside the original scope of the project (maybe not so important for an address book).
If the SQL database is available to you, I would suggest that you at least consider it for use in your project.
--- rod.

Xeratul · 07-10-2011, 01:13 PM

Quote:

Originally Posted by Wim Sturkenboom

Do you want to maintain locally and read from the web? My first thought would be csv. Might do the trick if you don't have 'one-to-many' relationships. You probably can export your contacts to csv and ftp them to the web. php has support for csv (fgetcsv (read) from version 4, fputcsv (write) from version 5.1.0).

Just be cautious: make sure that the whole world isn't able to access your address book. I for one will not be very amused if 'my' phone number or email address can be pulled from your addressbook and is going to be used for spam. '.htaccess' can help to limit access and I strongly suggest https so info can't be sniffed (but OK, I'm paranoid).

Really https? I didnt know. man... I am so worried now. - You are twice actually very right. I think cvs is highly great and https, I have no idea how to do that. HTACCESS I use it already but not https

Quote:

I could do something like this:

<?php

if(isset($_POST['submit']))
{

$name = $_POST['Fname'];
$lastname = $_POST['Lname'];
$emailsubmit = $_POST['Lemail'];
echo "User Has submitted the form and entered this name : <b> $name $lastname $emailsubmit </b>";
echo "<br>You can use the following form again to enter a new name.";

// here I should put something to store the CVS

?>

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
First Name:<input type="text" size="5" maxlength="255" name="Fname"> <br />
Last Name:<input type="text" size="5" maxlength="255" name="Lname"> <br />
Email address:<input type="text" size="10" maxlength="255" name="Lemail"> <br />
<input type="submit" name="submit" value="Submit Email"><br>
</form>

Quote:

Example
<?php
$list = array
(
"Peter,Griffin,Oslo,Norway",
"Glenn,Quagmire,Oslo,Norway",
);

$file = fopen("contacts.csv","w");

foreach ($list as $line)
{
fputcsv($file,split(',',$line));
}

fclose($file); ?>

Xeratul · 07-10-2011, 01:37 PM

Quote:

Originally Posted by Nominal Animal

I've used pipe-delimited plain text data, since pipe (|) is rarely needed in normal text. It is trivial to parse in PHP. CSV is a bit more complex to handle, but not too bad either. For pipe-delimited plain text data, you could have each line describe one person: last name, first name, e-mail, link, and description, for example:

Code:

LastName | FirstName | firstname.lastname@example.com | http://www.example.com/~firstname.lastname/ | CTO of Example Co. |

If you put your contact list in above format into file path/to/list.txt then you'd only need one PHP page, for example something like

PHP Code:



<?PHP
    header('Content-Type', 'text/html; charset=UTF-8');
?><html><head><title> List </title><style type="text/css">

    p.search, p.error {
    border: 0px none;
    padding: 0.5em 0.5em 0.5em 0.5em;
    margin: 0.5em 0.5em 1.5em 0.5em;
    text-align: center;
    }

    div.table {
    border: 0px none;
    padding: 0 auto 0 auto;
    margin: 0 0 0 0;
    text-align: center;
    }

    table {
    border: 0px none;
    padding: 0.5em 0.5em 0.5em 0.5em;
    margin: 0.5em auto 1.5em auto;
    }

    th, td {
    border: 0px none;
    padding: 0.2em 0.6em 0.2em 0.6em;
    margin: 0 0 0 0;
    }
    th {
    font-weight: normal;
    vertical-align: bottom;
    border-bottom: 1px solid #cccccc;
    }
    td {
    vertical-align: top;
    }

    td.firstname, th.firstname {
    text-align: right;
    padding-right: 0.1em;
    }

    td.lastname, th.lastname {
    text-align: left;
    padding-left: 0.1em;
    }

    td.email, th.email {
    text-align: left;
    }

    td.description, th.description {
    text-align: left;
    }

</style></head><body><?PHP

$search = @preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/', '', @$_REQUEST['q']);
$wordlist = @preg_split('/[\t\n\r ]+/', $search, -1, PREG_SPLIT_NO_EMPTY);

$musthave = array();
$wonthave = array();
if (count($wordlist) > 0)
    foreach ($wordlist as $w)
        if (substr($w, 0, 1) == "-" && strlen($w) > 1)
            $wonthave[] = substr($w, 1);
        else
        if (substr($w, 0, 1) == "+" && strlen($w) > 1)
            $musthave[] = substr($w, 1);
        else
            $musthave[] = $w;            
if (count($wonthave) < 1) $wonthave = FALSE;
if (count($musthave) < 1) $musthave = FALSE;


echo '<form method="post" action="', @$_SERVER['REQUEST_URI'], '" accept-charset="utf-8">'
   , '<p class="search"><input class="text" name="q" type="text" maxlength="128" value="', htmlentities($search, ENT_QUOTES, "UTF-8"), '">'
   , '<input class="submit" type="submit" value="Search"></p></form>';

$list = array();
$lines = @file_get_contents('/path/to/list.txt');
if ($lines !== FALSE) {
    $lines = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/', '', $lines);
    $lines = preg_split('/[\r\n]+/', $lines, -1, PREG_SPLIT_NO_EMPTY);
    sort($lines, SORT_LOCALE_STRING);
    foreach ($lines as $entry) {

        if ($wonthave !== FALSE)
            foreach ($wonthave as $string)
                if (stripos($entry, $string) !== FALSE)
                    continue 2;

        if ($musthave !== FALSE) {
            $found = FALSE;
            foreach ($musthave as $string)
                if (stripos($entry, $string) !== FALSE) {
                    $found = TRUE;
                    break;
                }
            if (!$found)
                continue;
        }

        $fields = explode('|', $entry . '|||||', 6);
        $list[] = array(
            'firstname' => trim($fields[1]),
            'lastname' => trim($fields[0]),
            'email' => trim($fields[2]),
            'link' => trim($fields[3]),
            'description' => trim($fields[4])
        );
    }
} else {
    echo "Cannot read 'list.txt'.";
}

if (count($list) > 0) {
    echo '<div class="table"><table class="list">'
       , '<tr class="header">'
       , "<th class=\"firstname\">First name</th>"
       , "<th class=\"lastname\">Last name</th>"
       , "<th class=\"email\">E-mail</th>"
       , "<th class=\"description\">Description</th>"
       , "</tr>\n\n";

    foreach ($list as $entry) {

        if (strlen(@$entry['email']) > 0) {
            $email = '<a href="mailto:' . htmlentities($entry['email'], ENT_QUOTES, "UTF-8") . '">';
            $endemail = '</a>';
        } else {
            $email = '';
            $endemail = '';
        }

        if (strlen(@$entry['link']) > 0) {
            $link = '<a href="' . htmlentities($entry['link'], ENT_QUOTES, "UTF-8") . '">';
            $endlink = '</a>';
        } else {
            $link = '';
            $endlink = '';
        }

        if (strlen(@$entry['description']) > 0)
            $description = $link . htmlentities($entry['description'], ENT_COMPAT, "UTF-8") . $endlink;
        else
            $description = $link . '<i>No description</i>' . $endlink;

        echo '<tr class="entry">'
           , "<td\n class=\"firstname\">"
           , $email, htmlentities(@$entry['firstname'], ENT_COMPAT, "UTF-8"), $endemail
           , "</td><td\n class=\"lastname\">"
           , $email, htmlentities(@$entry['lastname'], ENT_COMPAT, "UTF-8"), $endemail
           , "</td><td\n class=\"email\">"
           , htmlentities(@$entry['email'], ENT_COMPAT, "UTF-8"), '&nbsp;'
           , "</td><td\n class=\"link\">"
           , $description
           , "</td></tr>\n\n";
    }
    echo "</table></div>\n";
} else
    echo '<p class="error">No matching entries found.</p>';

?></body></html>

The above PHP is much more complex than absolutely necessary, and I deliberately made it too ugly to use as-is in real life. I only wanted to show some useful techniques. This script is very tolerant of its input: you don't need to care which newline convention is used, or escape any special characters in the data (even < or >), as the script will do those for you. With this field order it will sort the names in ascending order based on last name.

The search box takes one or more keywords to search for. You can put a + in front of each keyword, or a - to invert the selection (meaning any entries that have that keyword will be dropped from the list). Note that the keyword matching is done when parsing, simply because this way you can check each entry (line) with a single function call per keyword.

It is a good idea to separate parsing and display. Note how easily you can extend or modify the input format: you just modify the parsing loop. Named fields (in the PHP array) make the output loop easier to read, too.

The display foreach loop may look a bit complex, but the if clauses are there only to help make the names links to the e-mail address, and the description a link to the possible home page.

If there is interest for some open collaboration here, and somebody writes an example layout in standards-compliant CSS and HTML, perhaps with ideas on other useful search or display features, I might be willing to rewrite the above PHP with lots of comments and easier to read code. If so, do start a new thread in the Programming section. (And drop me a private message if I don't notice it.)

Wow. What a technology this PHP, nice !

I put that php into contact.php, then chmod and got an error

Code:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

we could do that as in the JPG for the contact book as in the file in attachement...
Then we cross the contact adn overwrite the all thing...

Here is my own made code:

Quote:

<?php

function getRealIpAddr() {
if(!empty($_SERVER['HTTP_CLIENT_IP'])) {
$ip=$_SERVER['HTTP_CLIENT_IP']; // share internet
} elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip=$_SERVER['HTTP_X_FORWARDED_FOR']; // pass from proxy
} else {
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}

if(isset($_POST['submit']))
{
$ipreal = getRealIpAddr(); // Get the visitor's IP
$ip = $_SERVER['REMOTE_ADDR'];
$pagina = $_SERVER['REQUEST_URI'];
$varb = $_SERVER['REMOTE_ADDR'];
$varc = $_SERVER['HTTP_USER_AGENT'];
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$datum = date("d-m-y / H:i:s");

$name = $_POST['Fname'];
$lastname = $_POST['Lname'];
$emailsubmit = $_POST['Lemail'];
echo "User Has submitted the form and entered this name : <b> $name $lastname $emailsubmit </b>";
echo "<br>You can use the following form again to enter a new name.";

$file = fopen("contacts.csv","a");
$invoegen = $name . "," . $lastname . "," . $emailsubmit . "<br><br>";
fwrite($file, $invoegen);
fclose($file);

}

?>

<html>
<head>
<FONT FACE="Arial, Helvetica, Geneva">

<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Microsoft FrontPage Express 2.0">
<title></title>
</head>

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
First Name:<input type="text" size="5" maxlength="255" name="Fname"> <br />
Last Name:<input type="text" size="5" maxlength="255" name="Lname"> <br />
Email address:<input type="text" size="10" maxlength="255" name="Lemail"> <br />
<input type="submit" name="submit" value="Submit Email"><br>
</form>

it simply create an CVS but the problem is the LF and CR which are not working

Xeratul · 07-10-2011, 04:18 PM

OK, I have coded something that works, but very simply. It works, it can be used already for saving

"Editing" : I have no idea how to make it. To check the record Number, and remove it... - well, maybe someone would know...

Best regards
Please find hte code.

For the package contactbook_csv.tar.gz. Just simply rename the log to tar.gz extension. Then you can unpack. Copy to your website, and please use the right permissions.

HTTPS and EDIT WOULD BE GREAT...

Xeratul · 07-10-2011, 04:36 PM

Vers 0.0002

I have an issue with the comments, when the user enters LF CR ...

Code:

<?php



function nltobrfix($inString)
    {
        return preg_replace("%\n%", "<br>", $inString);
    }

function getRealIpAddr() {
  if(!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip=$_SERVER['HTTP_CLIENT_IP']; // share internet
  } elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip=$_SERVER['HTTP_X_FORWARDED_FOR']; // pass from proxy
  } else {
    $ip=$_SERVER['REMOTE_ADDR'];
  }
  return $ip;
}


if(isset($_POST['submit']))
{
        $ipreal = getRealIpAddr(); // Get the visitor's IP
        $ip = $_SERVER['REMOTE_ADDR'];
        $pagina = $_SERVER['REQUEST_URI'];
        $varb = $_SERVER['REMOTE_ADDR'];
        $varc = $_SERVER['HTTP_USER_AGENT']; 
        $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
        $datum = date("d-m-y / H:i:s");

    $name = $_POST['Fname'];
    $lastname = $_POST['Lname'];
    $emailsubmit = $_POST['Lemail'];
    $Laddress = $_POST['Laddress'];
    $Lrecord = $_POST['Lrecord'];
    $Lphone = $_POST['Lphone'];
    $Lgsm = $_POST['Lgsm'];
    $Lnotes = $_POST['Lnotes'];

    echo "User Has submitted the form and entered this name : <b> $name  $lastname $emailsubmit  </b>";


	$file = fopen("contacts.csv","a");
        $invman = $Lrecord . "," . $name . "," . $lastname . "," . $Laddress . "," .  $emailsubmit . ","  . $Lphone . "," . $Lgsm . "," . $Lnotes . "\n" ;
        fwrite($file, $invman);
        fclose($file);



}


?>



<html>
<head>
<FONT FACE="Arial, Helvetica, Geneva"> 
	
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Microsoft FrontPage Express 2.0">
<title></title>
</head>

	<style type="text/css">
		
    body {background-image:url('header-blue.jpg');background-repeat:repeat-x;background-position:top left;}
    table#maintable th {text-align:center;border:1px solid #ccc;font-size:12px;background:#739fce;color:#fff;}
    table#birthdays th {color:#fff;background:#739fce;margin:25px;border:1px solid #ccc;}
      </style>

                     <div id="header">
                                <a href="."><img src="title.png" title="Addressbook" alt="Addressbook" id="logo" /></a>
                        </div>

<br>
<br>


<p>
<font size="5" face="arial" color="black">
Contact / Phonebook to CSV  <br>
<hr />
</font>
</p>


<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
        Number of record:<input type="text" size="5" maxlength="255"  name="Lrecord"> <br />
        First Name:<input type="text" size="5" maxlength="255"  name="Fname"> <br />
        Last Name:<input type="text" size="5" maxlength="255"  name="Lname"> <br /> 
        Adress :<input type="text" size="5" maxlength="255"  name="Laddress"> <br />
        Email address:<input type="text" size="10" maxlength="255"  name="Lemail"> <br />
        Fixe Phone:<input type="text" size="10" maxlength="255"  name="Lphone"> <br />
        Gsm Phone:<input type="text" size="10" maxlength="255"  name="Lgsm"> <br /> 
	your notes:<BR>
	<TEXTAREA NAME="Lnotes" COLS=40 ROWS=6></TEXTAREA>

	<input type="submit" name="submit" value="Save to new  Contact"><br>
</form>



<?php
$file_handle = fopen("contacts.csv", "r");
while (!feof($file_handle)) {
$line_of_text = fgets($file_handle);
print $line_of_text . "<BR>";
}
fclose($file_handle);


?>

theNbomr · 07-10-2011, 05:48 PM

Quote:

Originally Posted by Xeratul

OK, I have coded something that works, but very simply. It works, it can be used already for saving

"Editing" : I have no idea how to make it. To check the record Number, and remove it... - well, maybe someone would know...

You've already reached the point where SQL starts to pay off.

Code:

update addressbook set email='joe@some.isp' where firstname='Joe' and lastname='Smith';

The classic actions of a web database application: Create, Read, Update, Delete (CRUD). The create and read parts are easy; after that it takes more work. I don't know how big your database is, but if is less than a megabyte, I would simply read it in as an in-memory data structure, modify or output according to the HTTP request, and write it back to disk when done. File locking, somehow.

--- rod.

Nominal Animal · 07-11-2011, 10:22 AM

Quote:

Originally Posted by theNbomr

You've already reached the point where SQL starts to pay off.

I agree.

I would also like to point out that you (Xeratul) really should think about authentication and access controls at this point, too. You basically have four possibilities:

Let Apache handle both authentication and access control
Basic authentication (HTTP Basic authentication) is easy to implement, but logout is problematic: usually the credentials persist until you close the browser. (I know of one way to do logout in a way that works with all browsers, but it will pop up a small window asking the user for another username and password; the user needs to click either OK or Cancel. Very confusing to the user.)
Do authentication in PHP, but access control within Apache
Usually this means you use a cryptographically secure authentication cookie tied to the user, session, and IP address. Your own PHP script will construct the cookie when the user logs in, and an Apache module grants access only to users with a valid such cookie. I've used mod_auth_tkt, but there are a number of viable Apache modules you could use.
Do authentication and access control in PHP
This is the do-it-yourself option.
Security is difficult to develop from scratch. It is not easy to make a secure authentication and access control mechanism. Even the simplest error can render the mechanism ineffective. I personally find it extremely repellent when people and organisations use sloppy, it's-good-enough approach to maintaining my privacy; that is why I always recommend using the strongest security measures that are feasible for you, even if the "feel" overblown or paranoid.
Usually it translates to using known reliable code, and not rolling your own.
Cookie-based authentication happens to be not too difficult to implement in PHP safely, mainly because it has SHA1 built-in (and much stronger cryptographic hash functions in the hash module (built in for PHP-5.1.2 and later), and encryption/decryption routines in the Mcrypt module). I'll detail that further below.
User password checking is sensitive. Assuming you are sane, you will store user passwords as salted hashes, but I'll detail that too further below. At login, the user password is transmitted in cleartext; this means you either need to use HTTPS (a secure, encrypted connection, which should be nearly impossible to eavesdrop on), or a small login app (Javascript for example) to hash the user password prior to transmission.
Because hashing the password at the client end means you need to use a layered approach to salting and hashing, it gets even more complex.. so normally you just use HTTPS instead.
Note that if you switch to HTTP after login, an attacker might be able to steal the rest of the session (pretend to be you, logged on); using HTTPS that is nearly impossible.
Do authentication in PHP, but access control in an auto-prepended PHP file
You can use the auto_prepend_file directive in php.ini to auto-include a library file, which verifies the authentication cookie, and sets some PHP variables (username etc.) if successful. If there is no cookie, or the cookie has expired, the auto-prepended PHP file can produce or redirect to a login page.
This is a bit more complex to set up, but very easy to use afterwards.
The only thing you need in every PHP page is something like if(strlen(@$User)<1)exit(1); at the very beginning, to make sure the page errors out if the autoincluded PHP file was not executed for some reason.

Hash functions are functions which take some data (called a plaintext), and process it into a single large fixed-size number (the hash). Cryptographic hash functions are those that do the process in such a way that you cannot use the result (hash) to find what the original data (the plaintext) was. You can only make guesses, compute their hashes, and compare that to the one you're searching for. Since a 128-bit hash has 340282366920938463463374607431768211456 and a 256-bit hash 115792089237316195423570985008687907853269984665640564039457584007913129639936 possible values, it is going to take a very long time to find a match, even if you can check billions of hashes each second.

Since a bad guy can create a library for a large number of typical passwords, hash salting is used. Instead of just hashing the password, you sprinkle it with salt before hashing -- salt being some random number or string, which is saved along with the hash value. Usually you also apply the hash function a number of times, just to make life difficult for any attackers. Here is an example of how to generate a 72-bit salt and 160-bit SHA-1 hash pair in PHP:

PHP Code:



$Password = '[I]This is the secret password the user has supplied[/I]'; 
$Salt = sprintf("%06x%06x%06x", mt_rand(0, 16777215), mt_rand(0, 16777215), mt_rand(0, 16777215)); 
$Hash = sha1($Salt . $Password, TRUE); 
for ($i = 0; $i < 998; $i++) 
    $Hash = sha1($Hash, TRUE); 
$Hash = sha1($Hash, FALSE);

To check a password, you look up the $Salt and $Hash for that user first:

PHP Code:



$Salt = '[I]the known salt value[/I]'; 
$Hash = '[I]the known hash result[/I]'; 
$Password = '[I]This is the secret password the user has supplied[/I]'; 
$Test = sha1($Salt . $Password, TRUE); 
for ($i = 0; $i < 998; $i++) 
    $Test = sha1($Test, TRUE); 
$Test = sha1($Test, FALSE); 
if (strcmp($Hash, $Test) === 0) { 
    /* $Password was correct */ 
} else { 
    /* $Password was incorrect */ 
}

If you wanted to do login over insecure HTTP, you could use a Javascript implementation of SHA-1 to hash the user password in the client browser. In this case you'd normally use a multi-part salt, and two or more layers of hashing, so that an eavesdropper gets no information about the password or its properly salted hash. The client end can compute e.g. SHA1(SHA1(salt1+password+salt2)+cips+time+salt3)) where salt1, salt2 and salt3 are random strings provided by the server (salt1 and salt2 split to avoid both prefix and postfix attacks on SHA1), time is the UNIX time on the server, and cips is the client IP address as seen by the server (and optionally verified by the browser; it may not match if NAT is used). The login request contains the user name, hash value, salt1, salt2, salt3, time, and cips.
On the server end, you need to store salt1, salt2 and SHA1(salt1+password+salt2) for each user; the triplet should be unique for each user. The time should not be too old, to avoid a replay attack (by a later user on the same machine); perhaps a couple of minutes. salt3 should be a large random number.

If your salted hash user database is leaked, attackers gain access to your service only. The user passwords remain secure. (It would make a dictionary attack easier, but only against each user individually.) An eavesdropper can see all communications, but cannot use anything it sees to gain access (unless they can fake their IP address too). A man-in-the-middle attack (where the attacker sits between you and the server you're accessing) is still possible, but will yield only that session. However, a normal user has no way of determining with HTTP if the page they see in their browser is the genuine one and not a look-alike copy, so a man-in-the-middle can steal the user password using a decoy or "phishing" page.
Use HTTPS to avoid that risk.

Of course, it would be practically insane to do the above for each and every request. Instead, you check the password only at login, and if correct, give the user an authentication cookie. You obviously should make that cookie cryptographically secure, and tied to both the user and the IP address they're using; preferably the time and the session too (so that if they close their browser or stay inactive long enough they automatically log out too).

If you have a secure fast storage mechanism, say an SQL database, it is best to use just a very large random number (say, 256 bits) as the cookie, and just look each cookie value up in the storage. The cookie value is then a key to the user session data, which contains at least the user name, IP address, and time. For each request, you simply look up the triplet keyed by the cookie value, and verify that the IP address matches the client with the cookie, and that the time has not expired. (You'll probably want to update the time field now and then.)

You can do pretty secure standalone authentication cookies using encryption (Mcrypt module in PHP). I recommend using AES-128 (MCRYPT_RIJNDAEL_128) or AES-256 (MCRYPT_RIJNDAEL_256) in CBC mode. I'd use something like sha1(time+IP-address+secret+salt) as the encryption key, with time and salt stored in the cookie unencrypted, and secret being a secret string known only to the PHP scripts. An attacker can only use the cookie if they can use the same IP address as the victim user, or if they find out the secret.

You do not need to encrypt the authentication cookies, if the user credentials (all except the password) can be stored in plaintext in the cookie. I have used key:user:options:salt:hash as the cookie, with hash=sha1(IP-address:key:user:options:salt:secret) and key=UNIX time and secret a fixed secret value only known to the PHP scripts. The cookie is renewed with a new key every now and then; I recommend whenever a quarter of the expiry interval has passed. (It does add 25% uncertainty to the expiry interval.) The cookie can be stolen by someone having the same IP address (for example, same NAT with a bit of luck), or if they find out the secret.

To summarize: you need to consider how you will store not only your data, but access credentials too; and you need to consider where and how you will do authentication and access control. Using an SQL database is definitely simpler and easier for something like a contact list web app, but it is definitely doable with just (two) plain files. With SQL, the main problem is how to store the password for database access securely. With plain files, display is easy, but modification requires extra care; most of the examples shown on the web (flock() in PHP) are unreliable, and will only work in specific conditions.

theNbomr · 07-11-2011, 12:50 PM

FWIW, the addressbook web application is like the "Hello World" of web application development toolkits in the realm of Ruby-On-Rails and Django. The standard CRUD application will come with authentication/authorization/session-management built in, as well as potentially an administrator backdoor and other goodies. These normally require a SQL backend (sqlite is pretty simple to use for such an application) and developing your application will be trivial following a tutorial recipe.
--- rod.