LinuxQuestions.org


lakivel 02-24-2006 10:45 AM

need help with this php code
 
I need to have a login form for my web server. I have found and modified this script, but I still can't log in to my server. Please, can anyone help me with this script and tell me where I go wrong? I need to do this through a flat file, not a database.

Let's start:

I have a file pass.txt in my /home directory. (/home/pass.txt) and the contents of this file are:

cat pass.txt

joe:ai890d
jane:29hj0jk
mary:fsSS92
bob:2NNg8ed
dilbert:a76zFs

where usernames and passwords are separated with (:). And here is the script:

<?php

$auth = false; // Assume user is not authenticated

if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {

    // Read the entire file into the variable $file_contents

    $filename = '/home/pass.txt';
    $fp = fopen( $filename, 'r' );
    $file_contents = fread( $fp, filesize( $filename ) );
    fclose( $fp );

    // Place the individual lines from the file contents into an array.

    $lines = explode ( "\n", $file_contents );

    // Split each of the lines into a username and a password pair
    // and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.

    foreach ( $lines as $line ) {

        list( $username, $password ) = explode( ':', $line );

        if ( ( $username == "$PHP_AUTH_USER" ) &&
             ( $password == "$PHP_AUTH_PW" ) ) {

            // A match is found, meaning the user is authenticated.
            // Stop the search.

            $auth = true;
            break;

        }
    }

}

if ( ! $auth ) {

    header( 'WWW-Authenticate: Basic realm="Private"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Authorization Required.';
    exit;

} else {

    echo '<P>You are authorized!</P>';
}

?>


The problem is that when I enter any of these usernames or passwords I can't log in to my server. Can someone help me?

Thanks in advance.

doc.nice 02-24-2006 12:06 PM

if the passwords are hashes, you have to create a hash of $PHP_AUTH_PW too.

simply insert
echo "<p>clientpwd: #$password#<br />clientuser: #$username#<br />";
echo "dbpwd: #$PHP_AUTH_PW#<br />dbuser: #$PHP_AUTH_USER#<br /></p>";
and/or
echo "<p>match found</p>";

in your script to debug it. (but don't forget to remove those lines later, they will
show your password-file to the client!)


btw. if you don't need this particular password file format, you can use
a php include file, which is much easier:

File pass.txt:
PHP Code:

<?php
$PASSWD["joe"] = "ai890d";
$PASSWD["jane"] = "29hj0jk";
$PASSWD["mary"] = "fsSS92";
$PASSWD["bob"] = "2NNg8ed";
$PASSWD["dilbert"] = "a76zFs";
?>

now your password-check would be:
PHP Code:

$auth = false; // Assume user is not authenticated

if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {

  require_once( '/home/pass.txt' );
  /* check if password for the requested user is defined (not empty) in password-file and
   * specified password is the same as stored one
   */
  $auth = (($PASSWD["$PHP_AUTH_USER"] == "$PHP_AUTH_PW") && ($PASSWD["$PHP_AUTH_USER"]));
}

if ( ! $auth ) {
  header( 'WWW-Authenticate: Basic realm="Private"' );
  header( 'HTTP/1.0 401 Unauthorized' );
  echo 'All your Base are belong to us.';
  /* this exit is unneeded, as long as everything else is between "else {" and "}" */
  //exit;
} else {
  echo '<P>You are authorized!</P>';
}


ps: please do *not* rely completely on my script, there may be security holes
in it, just made rough thoughts about this.
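
A flat-file Basic-auth check along the lines discussed in this thread, as an added example that is not code from either poster: it stores `password_hash()` hashes instead of plaintext and reads the credentials from `$_SERVER` (the plain globals `$PHP_AUTH_USER` and `$PHP_AUTH_PW` exist only when `register_globals` is enabled). The function names `load_users` and `check_login`, the `user:hash` line format and the temporary sample file are assumptions of this example, and it assumes PHP 7.4+ on a server that passes Basic credentials through to PHP.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ and lines of the
// form "user:hash", where hash comes from password_hash().

function load_users(string $path): array {
    $users = [];
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        // rtrim() drops a stray "\r" (Windows line endings) that would break
        // the match; limit 2 keeps any ':' inside the hash field intact.
        $parts = explode(':', rtrim($line, "\r"), 2);
        if (count($parts) === 2 && $parts[0] !== '') {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

function check_login(array $users, ?string $user, ?string $pw): bool {
    static $dummy = null;
    $dummy ??= password_hash('unused', PASSWORD_DEFAULT);
    if ($user === null || $pw === null) {
        return false;
    }
    // Unknown users are verified against a dummy hash so both paths do the
    // same work; password_verify() itself compares in constant time.
    $known = isset($users[$user]);
    return password_verify($pw, $known ? $users[$user] : $dummy) && $known;
}

// Constructed sample file; a real one belongs outside the web root.
$path = tempnam(sys_get_temp_dir(), 'pw');
file_put_contents($path,
    'joe:' . password_hash('ai890d', PASSWORD_DEFAULT) . "\r\n" .
    'jane:' . password_hash('29hj0jk', PASSWORD_DEFAULT) . "\n");
$users = load_users($path);
unlink($path);

if (PHP_SAPI === 'cli') {            // offline demonstration
    var_dump(check_login($users, 'joe', 'ai890d'), check_login($users, 'joe', 'x'));
} elseif (!check_login($users, $_SERVER['PHP_AUTH_USER'] ?? null,
                       $_SERVER['PHP_AUTH_PW'] ?? null)) {
    header('WWW-Authenticate: Basic realm="Private"');
    http_response_code(401);
    echo 'Authorization Required.';
} else {
    echo '<p>You are authorized!</p>';
}
```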

