#1

I'm trying to password the 'update' page of a MySQL database that runs on a company intranet w/Apache and PHP. I don't care about the 'entry' page to this database - just the 'update' page and want the five people (or so) who may be doing updates, to enter only a password and then write that password to the MySQL database field.

On my entry page as the last part of my form, I'm using;

    <tr>
    <td>Password:</td><td align="left"><input type="password" name="password" size="15" maxlength="15" value=""></td>
    </tr>
    <tr>
    <td colspan="4" align="center"><input type="submit" value="Enter"></td>
    </tr>
    </table>
    </form>

What I'm looking for is pointers on how to make the second page of this work query work based on meeting the criteria of a password element - i.e: 2nd page

    $password = $_POST['password'];

    if (!$password = 'password stored in database' allow write))
    {
    else echo PASSWORD must match file on record for this user;
    }

I know this isn't the code precisely but am hopeful for any pointers in making it happen. Again, I'm not looking for a complete login since it IS an intranet - just looking to write to the database the user who did the update (provided the password criteria was met). TIA...

#2

cover wrote:
> I'm trying to password the 'update' page of a MySQL database that runs
> on a company intranet w/Apache and PHP. I don't care about the
> 'entry' page to this database - just the 'update' page and want the
> five people (or so) who may be doing updates, to enter only a password
> and then write that password to the MySQL database field.
>
> On my entry page as the last part of my form, I'm using;
>
>     <tr>
>     <td>Password:</td><td align="left"><input type="password"
>     name="password" size="15" maxlength="15" value=""></td>
>     </tr>
>     <tr>
>     <td colspan="4" align="center"><input type="submit"
>     value="Enter"></td>
>     </tr>
>     </table>
>     </form>
>
> What I'm looking for is pointers on how to make the second page of
> this work query work based on meeting the criteria of a password
> element - i.e: 2nd page
>
>     $password = $_POST['password'];
>
>     if (!$password = 'password stored in database' allow write))
>     {
>     else echo PASSWORD must match file on record for this user;
>     }

    $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
    $res=mysql_query($query);
    if(!mysql_num_rows($res)) {
        echo "sorry, the wrong password";
        exit;
    }
    echo "Wow, you know the password";

--
//Aho

#3

On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net> wrote:

>     $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>     $res=mysql_query($query);
>     if(!mysql_num_rows($res)) {
>         echo "sorry, the wrong password";
>         exit;
>     }
>
>     echo "Wow, you know the password";

Not sure if that's quite what I was looking for but I very much appreciate your reply. What if we want to allow any one of five people to update ANY record in the db provided they have a password as verified by 'password_tbl'. The entries won't have any password associated but when someone does an update, we want to know who did it and write it to the database in the 'updater' field accordingly - thanks...

#4

cover wrote:
> So as I look at this again, perhaps the user logs in their first name
> and in the table password_tbl a password exists that corresponds with
> their first name. So is that:
>
>     $query="SELECT * FROM $table WHERE
>     firstname_column='{$_POST['firstname']}' AND
>     password_column='{$_POST['password']}'";
>     $res=mysql_query($query);
>     if(!mysql_num_rows($res)) {
>         echo "sorry, the wrong password";
>         exit;
>     }
>     echo "Wow, you know the password";

Yes, in the case you want that the user will be using both a login name and password. If you only want a password, you have to see that the password is unique, otherwise the users can be mixed up (while using login+pass the likelihood is a lot less that you have two persons with the same login and password; of course you should see to have only one user for each username/login you use).

--
//Aho

#5

On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <user@example.net> wrote:

> Yes, in the case you want that the user will be using both a login name and
> password, if you only want a password, you have to see that the password is
> unique, otherwise the users can be mixed up (while using login+pass the
> likelihood is a lot less that you have two persons with the same login and
> password, of course you should see to have only one user for each
> username/login you use).

Would something like this work where there might be two tables, one with the data you're trying to update and the second only holding the user name and password where conditions had to be met at update.

    mysql_query("UPDATE actions_tbl SET date='$ud_date',
    targmonth='$ud_targmonth', targyear='$ud_targyear',
    assignedto='$ud_assignedto', datecomp='$ud_datecomp',
    status='$ud_status', referenceno='$ud_referenceno'
    WHERE id='$ud_id' AND WHERE password_tbl
    updater_column='$updater' AND password_column='$password'") or
    die("Update Error: ".mysql_error());

    echo "Record Updated";
    mysql_close();

The tricky part appears to be in adding AND WHERE so when 'id' conditions have been met in the actions_tbl, updater and password conditions must also be met in password_tbl - I dunno - still have a syntax issue associated w/ the AND WHERE portion. ;-)

#6

cover wrote:
> On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <user@example.net>
> wrote:
>
>> Yes, in the case you want that the user will be using both a login name and
>> password, if you only want a password, you have to see that the password is
>> unique, otherwise the users can be mixed up (while using login+pass the
>> likelihood is a lot less that you have two persons with the same login and
>> password, of course you should see to have only one user for each
>> username/login you use).
>
> Would something like this work where there might be two tables, one
> with the data you're trying to update and the second only holding the
> user name and password where conditions had to be met at update.
>
>     mysql_query("UPDATE actions_tbl SET date='$ud_date',
>     targmonth='$ud_targmonth', targyear='$ud_targyear',
>     assignedto='$ud_assignedto', datecomp='$ud_datecomp',
>     status='$ud_status', referenceno='$ud_referenceno'
>     WHERE id='$ud_id' AND WHERE password_tbl
>     updater_column='$updater' AND password_column='$password'") or
>     die("Update Error: ".mysql_error());
>
>     echo "Record Updated";
>     mysql_close();

No, that won't work, do

    $pass_query="SELECT * FROM table WHERE password_column='{$_POST['password']}' AND user_column='{$_POST['username']}'";
    $res=mysql_query($pass_query);
    if(mysql_num_rows($res)) {
        $query="UPDATE actions_tbl SET date='$ud_date',
            targmonth='$ud_targmonth', targyear='$ud_targyear',
            assignedto='$ud_assignedto', datecomp='$ud_datecomp',
            status='$ud_status', referenceno='$ud_referenceno'
            WHERE id='$ud_id'";
        mysql_query($query);
        // 'H:i' is hours:minutes ('n' in date() is the month number)
        $time=date('Y-m-d H:i');
        // append to the logfile from PHP itself, so form values never pass through a shell command line
        file_put_contents('/path/to/sqlupdate.log', "{$time} {$_POST['username']}: {$query}\n", FILE_APPEND);
    }

This way you check if the user is allowed to make the update and do the update and then register the update to the logfile.

--
//Aho

#7

On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net> wrote:

>     $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>     $res=mysql_query($query);
>     if(!mysql_num_rows($res)) {
>         echo "sorry, the wrong password";
>         exit;
>     }
>
>     echo "Wow, you know the password";

I started over... Can't seem to get anything but the 'sorry, wrong password'.

The form writes to a database called 'actions' and a table called 'actions_tbl' and I'd like to continue to write to that table but only if, the name and password that are queried on the write are consistent with a name and password stored within the same database but another table called 'password_tbl'

This particular form is an update form used to update existing records into the 'actions_tbl' table. I'd like to add two text fields to the update form ('text' and 'password') and write that to an additional field I'll be adding in actions_tbl ('updated_by') to know who did the update. That update person would have to enter a name and password into the form that is pre-stored in password_tbl to be successful. Upon writing to the database table actions_tbl, the name and password would be checked via query of password_tbl to ensure whomever was in the database and authorized to do an update.

The existing update form works great but again, there could be issues in not knowing who did the update which leads to the desire to issue a basic login name and password that would have to be used for updating records in the db.

I'd thought that perhaps somewhat the reverse of not allowing an empty field to be processed might be on track but realize that a query will have to be included to actually check the name and password against what's in password_tbl so my empty field code as follows won't work but here it is if it should help someone looking for that particular fix.

    if (!$source || !$type || !$area)
    {
        echo 'You have not entered all the required fields for this data entry.<br />'
            .'Please click the browser BACK button, complete the form and try again.';
        exit;
    }

Anyway, thanks for the pointers and sorry if it seems like I'm getting into rambling here - frustration coming through... lol

#8

cover wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net>
> wrote:
>
>>     $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>>     $res=mysql_query($query);
>>     if(!mysql_num_rows($res)) {
>>         echo "sorry, the wrong password";
>>         exit;
>>     }
>>
>>     echo "Wow, you know the password";
>
> I started over... Can't seem to get anything but the 'sorry, wrong
> password'.

Forms can be sent in two different ways, POST or GET; this you adjust with the method-option in the form-tag

    <form method="post" ...> => $_POST
    <form method="get" ...> => $_GET

For testing, you can put the following in your script where you receive the form

    // single quotes, so the label is printed literally instead of PHP trying to interpolate the array
    echo '$_POST: '; var_dump($_POST);
    echo '$_GET: '; var_dump($_GET);

This way you will see the values sent to the page, really useful when debugging.

> The form writes to a database called 'actions' and a table called
> 'actions_tbl' and I'd like to continue to write to that table but only
> if, the name and password that are queried on the write are consistent
> with a name and password stored within the same database but another
> table called 'password_tbl'

    // we have checked the empty values
    $query="SELECT * FROM password_tbl WHERE password_column='{$_POST['password']}' AND user_column='{$_POST['user']}'";
    $res=mysql_query($query);
    if(!mysql_num_rows($res)) {
        echo "sorry, the wrong password";
        exit;
    }
    // your old code here

I should say it can be good to process the $_POST['password'] and $_POST['user'] before using the values, checking that no one is trying to inject SQL code (don't know how bad people working at your job place).

> This particular form is an update form used to update existing records
> into the 'actions_tbl' table. I'd like to add two text fields to the
> update form ('text' and 'password') and write that to an additional
> field I'll be adding in actions_tbl ('updated_by') to know who did the
> update.

You will need to use an ALTER TABLE. I suggest you create a test table first and test on it first before you get on the live table. When you have added the columns, you just do it the same way as before.

> I'd thought that perhaps somewhat the reverse of not allowing an empty
> field to be processed might be on track but realize that a query will
> have to be included to actually check the name and password against
> what's in password_tbl so my empty field code as follows won't work
> but here it is if it should someone looking for that particular
> fix.
>
>     if (!$source || !$type || !$area)
>     {
>         echo 'You have not entered all the required fields for this data
>     entry.<br />'
>             .'Please click the browser BACK button, complete the form
>     and try again.';
>         exit;
>     }

PHP has the empty() function which is used to check values, as values like "false", "0" will generate a "true" in your if case.

    if(empty($source) || empty($type) || empty($area)) {
        // double quotes, so the apostrophe in "didn't" does not end the string
        echo "You didn't enter all the needed values";
        exit;
    }

I hope this leads you in the right direction, time for me to get to work and don't have much time over for ng there.

--
//Aho
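
The check-then-update flow that posts #6 and #8 arrive at, as an added example that is not code from the thread: the name is looked up with a bound parameter, the password is checked against a stored hash, and the update writes the verified name to `updated_by` and to a log file. In-memory SQLite through PDO stands in for the MySQL database so the script runs offline; the `username`, `password_hash` and `status` columns, the function names and all sample values are assumptions made for the example.

```php
<?php
// Added example, not the thread's code. SQLite in memory stands in for MySQL;
// table layouts, function names and all rows below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE password_tbl (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$pdo->exec('CREATE TABLE actions_tbl (id INTEGER PRIMARY KEY, status TEXT, updated_by TEXT)');
$pdo->exec("INSERT INTO actions_tbl (id, status) VALUES (1, 'open')");
$pdo->prepare('INSERT INTO password_tbl (username, password_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Returns the verified user name, or null when the name/password pair is wrong.
function verify_updater(PDO $pdo, string $user, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT username, password_hash FROM password_tbl WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Only a hash is stored; password_verify() checks the submitted value against it.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

// Runs the update only for a verified updater and records who made it.
function update_action(PDO $pdo, array $post, string $logFile): bool
{
    $who = verify_updater($pdo, (string)($post['user'] ?? ''), (string)($post['password'] ?? ''));
    if ($who === null) {
        return false;
    }
    $id = (int)($post['id'] ?? 0);
    // Form values are bound as parameters, never interpolated into the SQL text.
    $stmt = $pdo->prepare('UPDATE actions_tbl SET status = ?, updated_by = ? WHERE id = ?');
    $stmt->execute([(string)($post['status'] ?? ''), $who, $id]);
    // Append the audit line from PHP itself; JSON encoding keeps a line break
    // inside a value from forging an extra log entry.
    $entry = json_encode(['time' => date('Y-m-d H:i'), 'user' => $who, 'id' => $id]);
    file_put_contents($logFile, $entry . "\n", FILE_APPEND | LOCK_EX);
    return $stmt->rowCount() === 1;
}

$log = sys_get_temp_dir() . '/sqlupdate.log';
$form = ['user' => 'alice', 'status' => 'closed', 'id' => 1];
// A value containing a quote character cannot change the query; it is just a wrong password.
var_dump(update_action($pdo, $form + ['password' => "wrong'pw"], $log));
var_dump(update_action($pdo, $form + ['password' => 'constructed-sample-pw'], $log));
var_dump($pdo->query('SELECT status, updated_by FROM actions_tbl WHERE id = 1')->fetch(PDO::FETCH_ASSOC));
```

Against MySQL only the DSN changes; note that MySQL's `rowCount()` reports 0 when the submitted values equal the stored ones, so the return value then means "row changed" rather than "row matched".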