Passwording a PHP page
I'm trying to password the 'update' page of a MySQL database that runs
on a company intranet w/Apache and PHP. I don't care about the
'entry' page to this database - just the 'update' page and want the
five people (or so) who may be doing updates, to enter only a password
and then write that password to the MySQL database field.
On my entry page as the last part of my form, I'm using;
<tr>
<td>Password:</td><td align="left"><input type="password"
name="password" size="15" maxlength="15" value=""></td>
</tr>
<tr>
<td colspan="4" align="center"><input type="submit"
value="Enter"></td>
</tr>
</table>
</form>
What I'm looking for is pointers on how to make the second page of
this work query work based on meeting the criteria of a password
element - i.e: 2nd page
$password = $_POST['password'];
if (!$password = 'password stored in database' allow write))
{
else echo PASSWORD must match file on record for this user;
}
I know this isn't the code precisely but am hopeful for any pointers
in making it happen. Again, I'm not looking for a complete login
since it IS an intranet - just looking to write to the database the
user who did the update (provided the password criteria was met).
TIA...
Re: Passwording a PHP page
cover wrote:
> I'm trying to password the 'update' page of a MySQL database that runs
> on a company intranet w/Apache and PHP. I don't care about the
> 'entry' page to this database - just the 'update' page and want the
> five people (or so) who may be doing updates, to enter only a password
> and then write that password to the MySQL database field.
>
> On my entry page as the last part of my form, I'm using;
> <tr>
> <td>Password:</td><td align="left"><input type="password"
> name="password" size="15" maxlength="15" value=""></td>
> </tr>
> <tr>
> <td colspan="4" align="center"><input type="submit"
> value="Enter"></td>
> </tr>
> </table>
> </form>
>
> What I'm looking for is pointers on how to make the second page of
> this work query work based on meeting the criteria of a password
> element - i.e: 2nd page
>
> $password = $_POST['password'];
>
> if (!$password = 'password stored in database' allow write))
> {
> else echo PASSWORD must match file on record for this user;
> }
>
$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
echo "sorry, the wrong password";
exit;
}
echo "Wow, you know the password";
--
//Aho
Re: Passwording a PHP page
On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user [at] example.net>
wrote:
>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>$res=mysql_query($query);
>if(!mysql_num_rows($res)) {
> echo "sorry, the wrong password";
> exit;
>}
>
> echo "Wow, you know the password";
not sure if that's quite what I was looking for but I very much
appreciate your reply.
What if we want to allow any one of five people to update ANY record
in the db provided they have a password as verified by 'password_tbl'.
The entries won't have any password associate but when someone does an
update, we want to know who did it and write it to the database in the
'updater' field accordingly - thanks...
Re: Passwording a PHP page
On Mon, 09 Jul 2007 21:39:08 -0700, cover
<coverlandNOSPAM914 [at] yahoo.com> wrote:
>On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user [at] example.net>
>wrote:
>
>
>>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>>$res=mysql_query($query);
>>if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>>}
>>
>> echo "Wow, you know the password";
>
So as I look at this again, perhaps the user logs in their first name
and in the table password_tbl a password exists that corresponds with
their first name. So is that:
$query="SELECT * FROM $table WHERE
firstname_column='{$_POST['firstname']}'" AND;
password_column='{$_POST['password']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
echo "sorry, the wrong password";
exit;
}
echo "Wow, you know the password";
Re: Passwording a PHP page
cover wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user [at] example.net>
> wrote:
>
>
>> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>> $res=mysql_query($query);
>> if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>> }
>>
>> echo "Wow, you know the password";
>
> not sure if that's quite what I was looking for but I very much
> appreciate your reply.
I think that is what you wanted, a check of the password against what is in
the database, the mysql_num_rows returns how many lines there is with the
password, if it returns 0, then you know the passowrd was either misspelled or
the person didn't know the password.
You execute the db-update after the password check.
> What if we want to allow any one of five people to update ANY record
> in the db provided they have a password as verified by 'password_tbl'.
> The entries won't have any password associate but when someone does an
> update, we want to know who did it and write it to the database in the
> 'updater' field accordingly - thanks...
You will need a log table (or a log file), you can store the query and the
password to the table/file, that way you can check what each person has done.
If you want you could of course store a "user name" in the password table and
use that name in the log file/table.
You may want to make a check of the query before you run it, so that they
aren't affecting the password_tbl or the log_tbl.
IMHO the following flow is a good one:
1. Check login
a. FALSE - redirect the user to another page with header()
b. TRUE - let user execute the rest of the page
2. Check query to be executed
a. BAD - don't execute, redirect user to another page with header()
b. OK - let the execution continue
3. Store query + password/username to the log table/file
4. Execute the query
The page you redirect to can be static (html), which just informs the user
that they done something they shouldn't. I think this is a lot better than
having big if-cases in the main script which can easily make you do
modifications in the wrong place, specially if you have a bad "syntax" use.
--
//Aho
Re: Passwording a PHP page
cover wrote:
> So as I look at this again, perhaps the user logs in their first name
> and in the table password_tbl a password exists that corresponds with
> their first name. So is that:
>
> $query="SELECT * FROM $table WHERE
> firstname_column='{$_POST['firstname']}'" AND;
> password_column='{$_POST['password']}'";
> $res=mysql_query($query);
> if(!mysql_num_rows($res)) {
> echo "sorry, the wrong password";
> exit;
> }
> echo "Wow, you know the password";
Yes, in the case you want that the user will be using both a login name and
password, if you only want a password, you have to see that the password is
unique, otherwise the users can be mixed up (while using login+pass the
likelihood is a lot less that you have two persons with the same login and
password, of course you should see to have only one user for each
username/login you use).
--
//Aho
Re: Passwording a PHP page
On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <user [at] example.net>
wrote:
>Yes, in the case you want that the user will be using both a login name and
>password, if you only want a password, you have to see that the password is
>unique, otherwise the users can be mixed up (while using login+pass the
>likelihood is a lot less that you have two persons with the same login and
>password, of course you should see to have only one user for each
>username/login you use).
Would something like this work where there might be two tables, one
with the data you're trying to update and the second only holding the
user name and password where conditions had to be met at update.
mysql_query("UPDATE actions_tbl SET date='$ud_date',
targmonth='$ud_targmonth', targyear='$ud_targyear',
assignedto='$ud_assignedto', datecomp='$ud_datecomp',
status='$ud_status', referenceno='$ud_referenceno'
WHERE id='$ud_id' AND WHERE password_tbl
updater_column='$updater' AND password_column='$password'") or
die("Update Error: ".mysql_error());
echo "Record Updated";
mysql_close();
The tricky part appears to be in adding AND WHERE so when 'id'
conditions have been met in the actions_tbl, updater and password
conditions must also be met in password_tbl - I dunno - still have a
syntax issue associated w/ the AND WHERE portion. ;-)
Re: Passwording a PHP page
cover wrote:
> On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <user [at] example.net>
> wrote:
>
>> Yes, in the case you want that the user will be using both a login name and
>> password, if you only want a password, you have to see that the password is
>> unique, otherwise the users can be mixed up (while using login+pass the
>> likelihood is a lot less that you have two persons with the same login and
>> password, of course you should see to have only one user for each
>> username/login you use).
>
> Would something like this work where there might be two tables, one
> with the data you're trying to update and the second only holding the
> user name and password where conditions had to be met at update.
> mysql_query("UPDATE actions_tbl SET date='$ud_date',
> targmonth='$ud_targmonth', targyear='$ud_targyear',
> assignedto='$ud_assignedto', datecomp='$ud_datecomp',
> status='$ud_status', referenceno='$ud_referenceno'
> WHERE id='$ud_id' AND WHERE password_tbl
> updater_column='$updater' AND password_column='$password'") or
> die("Update Error: ".mysql_error());
>
> echo "Record Updated";
> mysql_close();
No, that won't work, do
$pass_query="SELECT * FROM table WHERE password_column='{$_POST['password']}'
AND user_column='{$_POST['username']}'";
$res=mysql_query($pass_query);
if(mysql_num_rows($res)) {
$query="UPDATE actions_tbl SET date='$ud_date',
targmonth='$ud_targmonth', targyear='$ud_targyear',
assignedto='$ud_assignedto', datecomp='$ud_datecomp',
status='$ud_status', referenceno='$ud_referenceno'
WHERE id='$ud_id'";
mysql_query($query);
$time=date('Y-m-d h:n');
shell_exec("echo \"{$time} {$_POST['username']}: {$query}\" >>
/path/to/sqlupdate.log");
}
This way you check if the user is allowed to make the update and up do the
update and then register the update to the logfile.
--
//Aho
Re: Passwording a PHP page
cover wrote:
> I'm trying to password the 'update' page of a MySQL database that runs
> on a company intranet w/Apache and PHP. I don't care about the
> 'entry' page to this database - just the 'update' page and want the
> five people (or so) who may be doing updates, to enter only a password
> and then write that password to the MySQL database field.
>
> On my entry page as the last part of my form, I'm using;
> <tr>
> <td>Password:</td><td align="left"><input type="password"
> name="password" size="15" maxlength="15" value=""></td>
> </tr>
> <tr>
> <td colspan="4" align="center"><input type="submit"
> value="Enter"></td>
> </tr>
> </table>
> </form>
>
> What I'm looking for is pointers on how to make the second page of
> this work query work based on meeting the criteria of a password
> element - i.e: 2nd page
>
> $password = $_POST['password'];
>
> if (!$password = 'password stored in database' allow write))
> {
> else echo PASSWORD must match file on record for this user;
> }
>
$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
echo "sorry, the wrong password";
exit;
}
echo "Wow, you know the password";
--
//Aho
Re: Passwording a PHP page
On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user [at] example.net>
wrote:
>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>$res=mysql_query($query);
>if(!mysql_num_rows($res)) {
> echo "sorry, the wrong password";
> exit;
>}
>
> echo "Wow, you know the password";
not sure if that's quite what I was looking for but I very much
appreciate your reply.
What if we want to allow any one of five people to update ANY record
in the db provided they have a password as verified by 'password_tbl'.
The entries won't have any password associate but when someone does an
update, we want to know who did it and write it to the database in the
'updater' field accordingly - thanks...
Re: Passwording a PHP page
On Mon, 09 Jul 2007 21:39:08 -0700, cover
<coverlandNOSPAM914 [at] yahoo.com> wrote:
>On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user [at] example.net>
>wrote:
>
>
>>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>>$res=mysql_query($query);
>>if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>>}
>>
>> echo "Wow, you know the password";
>
So as I look at this again, perhaps the user logs in their first name
and in the table password_tbl a password exists that corresponds with
their first name. So is that:
$query="SELECT * FROM $table WHERE
firstname_column='{$_POST['firstname']}'" AND;
password_column='{$_POST['password']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
echo "sorry, the wrong password";
exit;
}
echo "Wow, you know the password";
Re: Passwording a PHP page
cover wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user [at] example.net>
> wrote:
>
>
>> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>> $res=mysql_query($query);
>> if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>> }
>>
>> echo "Wow, you know the password";
>
> not sure if that's quite what I was looking for but I very much
> appreciate your reply.
I think that is what you wanted, a check of the password against what is in
the database, the mysql_num_rows returns how many lines there is with the
password, if it returns 0, then you know the passowrd was either misspelled or
the person didn't know the password.
You execute the db-update after the password check.
> What if we want to allow any one of five people to update ANY record
> in the db provided they have a password as verified by 'password_tbl'.
> The entries won't have any password associate but when someone does an
> update, we want to know who did it and write it to the database in the
> 'updater' field accordingly - thanks...
You will need a log table (or a log file), you can store the query and the
password to the table/file, that way you can check what each person has done.
If you want you could of course store a "user name" in the password table and
use that name in the log file/table.
You may want to make a check of the query before you run it, so that they
aren't affecting the password_tbl or the log_tbl.
IMHO the following flow is a good one:
1. Check login
a. FALSE - redirect the user to another page with header()
b. TRUE - let user execute the rest of the page
2. Check query to be executed
a. BAD - don't execute, redirect user to another page with header()
b. OK - let the execution continue
3. Store query + password/username to the log table/file
4. Execute the query
The page you redirect to can be static (html), which just informs the user
that they done something they shouldn't. I think this is a lot better than
having big if-cases in the main script which can easily make you do
modifications in the wrong place, specially if you have a bad "syntax" use.
--
//Aho
Re: Passwording a PHP page
cover wrote:
> So as I look at this again, perhaps the user logs in their first name
> and in the table password_tbl a password exists that corresponds with
> their first name. So is that:
>
> $query="SELECT * FROM $table WHERE
> firstname_column='{$_POST['firstname']}'" AND;
> password_column='{$_POST['password']}'";
> $res=mysql_query($query);
> if(!mysql_num_rows($res)) {
> echo "sorry, the wrong password";
> exit;
> }
> echo "Wow, you know the password";
Yes, in the case you want that the user will be using both a login name and
password, if you only want a password, you have to see that the password is
unique, otherwise the users can be mixed up (while using login+pass the
likelihood is a lot less that you have two persons with the same login and
password, of course you should see to have only one user for each
username/login you use).
--
//Aho
Re: Passwording a PHP page
On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <user [at] example.net>
wrote:
>Yes, in the case you want that the user will be using both a login name and
>password, if you only want a password, you have to see that the password is
>unique, otherwise the users can be mixed up (while using login+pass the
>likelihood is a lot less that you have two persons with the same login and
>password, of course you should see to have only one user for each
>username/login you use).
Would something like this work where there might be two tables, one
with the data you're trying to update and the second only holding the
user name and password where conditions had to be met at update.
mysql_query("UPDATE actions_tbl SET date='$ud_date',
targmonth='$ud_targmonth', targyear='$ud_targyear',
assignedto='$ud_assignedto', datecomp='$ud_datecomp',
status='$ud_status', referenceno='$ud_referenceno'
WHERE id='$ud_id' AND WHERE password_tbl
updater_column='$updater' AND password_column='$password'") or
die("Update Error: ".mysql_error());
echo "Record Updated";
mysql_close();
The tricky part appears to be in adding AND WHERE so when 'id'
conditions have been met in the actions_tbl, updater and password
conditions must also be met in password_tbl - I dunno - still have a
syntax issue associated w/ the AND WHERE portion. ;-)
Re: Passwording a PHP page
cover wrote:
> On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <user [at] example.net>
> wrote:
>
>> Yes, in the case you want that the user will be using both a login name and
>> password, if you only want a password, you have to see that the password is
>> unique, otherwise the users can be mixed up (while using login+pass the
>> likelihood is a lot less that you have two persons with the same login and
>> password, of course you should see to have only one user for each
>> username/login you use).
>
> Would something like this work where there might be two tables, one
> with the data you're trying to update and the second only holding the
> user name and password where conditions had to be met at update.
> mysql_query("UPDATE actions_tbl SET date='$ud_date',
> targmonth='$ud_targmonth', targyear='$ud_targyear',
> assignedto='$ud_assignedto', datecomp='$ud_datecomp',
> status='$ud_status', referenceno='$ud_referenceno'
> WHERE id='$ud_id' AND WHERE password_tbl
> updater_column='$updater' AND password_column='$password'") or
> die("Update Error: ".mysql_error());
>
> echo "Record Updated";
> mysql_close();
No, that won't work, do
$pass_query="SELECT * FROM table WHERE password_column='{$_POST['password']}'
AND user_column='{$_POST['username']}'";
$res=mysql_query($pass_query);
if(mysql_num_rows($res)) {
$query="UPDATE actions_tbl SET date='$ud_date',
targmonth='$ud_targmonth', targyear='$ud_targyear',
assignedto='$ud_assignedto', datecomp='$ud_datecomp',
status='$ud_status', referenceno='$ud_referenceno'
WHERE id='$ud_id'";
mysql_query($query);
$time=date('Y-m-d h:n');
shell_exec("echo \"{$time} {$_POST['username']}: {$query}\" >>
/path/to/sqlupdate.log");
}
This way you check if the user is allowed to make the update and up do the
update and then register the update to the logfile.
--
//Aho
Re: Passwording a PHP page
On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user [at] example.net>
wrote:
>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>$res=mysql_query($query);
>if(!mysql_num_rows($res)) {
> echo "sorry, the wrong password";
> exit;
>}
>
> echo "Wow, you know the password";
I started over... Can't seem to get anything but the 'sorry, wrong
password'.
The form writes to a database called 'actions' and a table called
'actions_tbl' and I'd like to continue to write to that table but only
if, the name and password that are queried on the write are consistent
with a name and password stored within the same database but another
table called 'password_tbl'
This particular form is an update form used to update existing records
into the 'actions_tbl' table. I'd like to add two text fields to the
update form ('text' and 'password') and write that to an additional
field I'll be adding in actions_tbl ('updated_by') to know who did the
update. That update person would have to enter a name and password
into the form that is pre-stored in password_tbl to be successful.
Upon writing to the database table actions_tbl, the name and password
would be checked via query of password_tbl to ensure whomever was in
the database and authorized to do an update. The existing update form
works great but again, there could be issues in not knowing who did
the update which leads to the desire to issue a basic login name and
password that would have to be used for updating records in the db.
I'd thought that perhaps somewhat the reverse of not allowing an empty
field to be processed might be on track but realize that a query will
have to be included to actually check the name and password against
what's in password_tbl so my empty field code as follows won't work
but here it is if it should help someone looking for that particular
fix.
if (!$source || !$type || !$area)
{
echo 'You have not entered all the required fields for this data
entry.
'
.'Please click the browser BACK button, complete the form
and try again.';
exit;
}
Anyway, thanks for the pointers and sorry if it seems like I'm getting
into rambling here - frustration coming through... lol
Re: Passwording a PHP page
cover wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user [at] example.net>
> wrote:
>
>> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>> $res=mysql_query($query);
>> if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>> }
>>
>> echo "Wow, you know the password";
>
>
> I started over... Can't seem to get anything but the 'sorry, wrong
> password'.
Forms can be sent in to different ways, POST or GET, this you adjust with the
method-option in the form-tag
<form method="post" ...> => $_POST
<form method="get" ...> => $_GET
For testing, you can put the following in your script where you receive the form
echo "$_POST: ";
var_dump($_POST);
echo "$_GET: ";
var_dump($_GET);
This way you will see the values sent to the page, really useful when debugging.
> The form writes to a database called 'actions' and a table called
> 'actions_tbl' and I'd like to continue to write to that table but only
> if, the name and password that are queried on the write are consistent
> with a name and password stored within the same database but another
> table called 'password_tbl'
// we have checked the empty values
$query="SELECT * FROM password_tbl WHERE
password_column='{$_POST['password']}' AND user_column='{$_POST['user']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
echo "sorry, the wrong password";
exit;
}
// your old code here
I should say it can be good to process the $_POST['password'] and
$_POST['user'] before using the values, checking that no one is trying to
inject SQL code (don't know how bad people working at your job place).
> This particular form is an update form used to update existing records
> into the 'actions_tbl' table. I'd like to add two text fields to the
> update form ('text' and 'password') and write that to an additional
> field I'll be adding in actions_tbl ('updated_by') to know who did the
> update.
You will need to use an ALTER TABLE, I suggest you create a test table first
and test on it first before you get on the live table.
When you added the columns it's just do it the same way as before.
> I'd thought that perhaps somewhat the reverse of not allowing an empty
> field to be processed might be on track but realize that a query will
> have to be included to actually check the name and password against
> what's in password_tbl so my empty field code as follows won't work
> but here it is if it should help someone looking for that particular
> fix.
>
> if (!$source || !$type || !$area)
> {
> echo 'You have not entered all the required fields for this data
> entry.
'
> .'Please click the browser BACK button, complete the form
> and try again.';
> exit;
> }
PHP has the empty() function which is used to check values, as values like
"false", "0" will generate a "true" in your if case.
if(empty($source) || empty($type) || empty($area)) {
echo 'You didn't enter all the needed values';
exit;
}
I hope this leads you in the right direction, time for me to get to work and
don't have much time over for ng there.
--
//Aho
Re: Passwording a PHP page
On Wed, 11 Jul 2007 06:32:46 +0200, "J.O. Aho" <user [at] example.net>
wrote:
>I hope this leads you in the right direction, time for me to get to work and
>don't have much time over for ng there.
I'll take a look at this and look for a solution. Hey, thanks very
much for your replies - appreciate it very much... Be well.
Re: Passwording a PHP page
On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user [at] example.net>
wrote:
>$query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>$res=mysql_query($query);
>if(!mysql_num_rows($res)) {
> echo "sorry, the wrong password";
> exit;
>}
>
> echo "Wow, you know the password";
I started over... Can't seem to get anything but the 'sorry, wrong
password'.
The form writes to a database called 'actions' and a table called
'actions_tbl' and I'd like to continue to write to that table but only
if, the name and password that are queried on the write are consistent
with a name and password stored within the same database but another
table called 'password_tbl'
This particular form is an update form used to update existing records
into the 'actions_tbl' table. I'd like to add two text fields to the
update form ('text' and 'password') and write that to an additional
field I'll be adding in actions_tbl ('updated_by') to know who did the
update. That update person would have to enter a name and password
into the form that is pre-stored in password_tbl to be successful.
Upon writing to the database table actions_tbl, the name and password
would be checked via query of password_tbl to ensure whomever was in
the database and authorized to do an update. The existing update form
works great but again, there could be issues in not knowing who did
the update which leads to the desire to issue a basic login name and
password that would have to be used for updating records in the db.
I'd thought that perhaps somewhat the reverse of not allowing an empty
field to be processed might be on track but realize that a query will
have to be included to actually check the name and password against
what's in password_tbl so my empty field code as follows won't work
but here it is if it should help someone looking for that particular
fix.
if (!$source || !$type || !$area)
{
echo 'You have not entered all the required fields for this data
entry.
'
.'Please click the browser BACK button, complete the form
and try again.';
exit;
}
Anyway, thanks for the pointers and sorry if it seems like I'm getting
into rambling here - frustration coming through... lol
Re: Passwording a PHP page
cover wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user [at] example.net>
> wrote:
>
>> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>> $res=mysql_query($query);
>> if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>> }
>>
>> echo "Wow, you know the password";
>
>
> I started over... Can't seem to get anything but the 'sorry, wrong
> password'.
Forms can be sent in to different ways, POST or GET, this you adjust with the
method-option in the form-tag
<form method="post" ...> => $_POST
<form method="get" ...> => $_GET
For testing, you can put the following in your script where you receive the form
echo "$_POST: ";
var_dump($_POST);
echo "$_GET: ";
var_dump($_GET);
This way you will see the values sent to the page, really useful when debugging.
> The form writes to a database called 'actions' and a table called
> 'actions_tbl' and I'd like to continue to write to that table but only
> if, the name and password that are queried on the write are consistent
> with a name and password stored within the same database but another
> table called 'password_tbl'
// we have checked the empty values
$query="SELECT * FROM password_tbl WHERE
password_column='{$_POST['password']}' AND user_column='{$_POST['user']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
echo "sorry, the wrong password";
exit;
}
// your old code here
I should say it can be good to process the $_POST['password'] and
$_POST['user'] before using the values, checking that no one is trying to
inject SQL code (don't know how bad people working at your job place).
> This particular form is an update form used to update existing records
> into the 'actions_tbl' table. I'd like to add two text fields to the
> update form ('text' and 'password') and write that to an additional
> field I'll be adding in actions_tbl ('updated_by') to know who did the
> update.
You will need to use an ALTER TABLE, I suggest you create a test table first
and test on it first before you get on the live table.
When you added the columns it's just do it the same way as before.
> I'd thought that perhaps somewhat the reverse of not allowing an empty
> field to be processed might be on track but realize that a query will
> have to be included to actually check the name and password against
> what's in password_tbl so my empty field code as follows won't work
> but here it is if it should help someone looking for that particular
> fix.
>
> if (!$source || !$type || !$area)
> {
> echo 'You have not entered all the required fields for this data
> entry.
'
> .'Please click the browser BACK button, complete the form
> and try again.';
> exit;
> }
PHP has the empty() function which is used to check values, as values like
"false", "0" will generate a "true" in your if case.
if(empty($source) || empty($type) || empty($area)) {
echo 'You didn't enter all the needed values';
exit;
}
I hope this leads you in the right direction, time for me to get to work and
don't have much time over for ng there.
--
//Aho
Re: Passwording a PHP page
On Wed, 11 Jul 2007 06:32:46 +0200, "J.O. Aho" <user [at] example.net>
wrote:
>I hope this leads you in the right direction, time for me to get to work and
>don't have much time over for ng there.
I'll take a look at this and look for a solution. Hey, thanks very
much for your replies - appreciate it very much... Be well.
Re: Passwording a PHP page
cover ha scritto:
> I'm trying to password the 'update' page of a MySQL database that runs
> on a company intranet w/Apache and PHP. I don't care about the
> 'entry' page to this database - just the 'update' page and want the
> five people (or so) who may be doing updates, to enter only a password
> and then write that password to the MySQL database field.
>
> On my entry page as the last part of my form, I'm using;
> <tr>
> <td>Password:</td><td align="left"><input type="password"
> name="password" size="15" maxlength="15" value=""></td>
> </tr>
> <tr>
> <td colspan="4" align="center"><input type="submit"
> value="Enter"></td>
> </tr>
> </table>
> </form>
>
> What I'm looking for is pointers on how to make the second page of
> this work query work based on meeting the criteria of a password
> element - i.e: 2nd page
>
> $password = $_POST['password'];
>
> if (!$password = 'password stored in database' allow write))
> {
> else echo PASSWORD must match file on record for this user;
> }
>
>
> I know this isn't the code precisely but am hopeful for any pointers
> in making it happen. Again, I'm not looking for a complete login
> since it IS an intranet - just looking to write to the database the
> user who did the update (provided the password criteria was met).
> TIA...
DO NOT use php.net example to authenticate user
db table:
id (aurto increment)
user varchar 25(unique)
password varchar (30)
casual_number (30)
login:
select * from utenti WHERE user=POST[user]
....
if(md5(POST[password].$row[casual_number])===$row[password]) {
$_SESSION[ok]=true;
}else{
echo "wrong password";
$_SESSION[ok]=false;
}
in any page .php
<?php
session_start();
if( [at] $_SESSION[ok]==false){
// empty,false and hide empty
header('Location: http://www.example.com/login.php');
exit;
}
echo "proctected page";
?>
Re: Passwording a PHP page
cover ha scritto:
> I'm trying to password the 'update' page of a MySQL database that runs
> on a company intranet w/Apache and PHP. I don't care about the
> 'entry' page to this database - just the 'update' page and want the
> five people (or so) who may be doing updates, to enter only a password
> and then write that password to the MySQL database field.
>
> On my entry page as the last part of my form, I'm using;
> <tr>
> <td>Password:</td><td align="left"><input type="password"
> name="password" size="15" maxlength="15" value=""></td>
> </tr>
> <tr>
> <td colspan="4" align="center"><input type="submit"
> value="Enter"></td>
> </tr>
> </table>
> </form>
>
> What I'm looking for is pointers on how to make the second page of
> this work query work based on meeting the criteria of a password
> element - i.e: 2nd page
>
> $password = $_POST['password'];
>
> if (!$password = 'password stored in database' allow write))
> {
> else echo PASSWORD must match file on record for this user;
> }
>
>
> I know this isn't the code precisely but am hopeful for any pointers
> in making it happen. Again, I'm not looking for a complete login
> since it IS an intranet - just looking to write to the database the
> user who did the update (provided the password criteria was met).
> TIA...
DO NOT use php.net example to authenticate user
db table:
id (aurto increment)
user varchar 25(unique)
password varchar (30)
casual_number (30)
login:
select * from utenti WHERE user=POST[user]
....
if(md5(POST[password].$row[casual_number])===$row[password]) {
$_SESSION[ok]=true;
}else{
echo "wrong password";
$_SESSION[ok]=false;
}
in any page .php
<?php
session_start();
if( [at] $_SESSION[ok]==false){
// empty,false and hide empty
header('Location: http://www.example.com/login.php');
exit;
}
echo "proctected page";
?>
PHP » alt.php » Passwording a PHP page
