Storing Passwords Before we can begin coding with PHP, we need to first take a brief look at passwords. There are many different ways to manage and store a user's login ID and passwords, but one common method is to store them in a database. For security purposes, the passwords themselves should not be stored in the database in a plain text manner. Instead, the password can be processed by a one-way, irreversible encryption or hashing function and then the jumbled result is what is actually stored. That means the password supplied later will need to be encrypted/hashed before we compare it with the stored value. If they both match then we know the password is good. PHP's sha1 function should suffice for our purposes. It accepts a string and returns a 40 character hexadecimal hash representation. This hash cannot be converted back to the original string. The following is an example of sha1 in action: We'll assume for this tutorial that a database table named Users exists which stores the username and passwords hashed with the sha1 function. It's common mistake to not make the password column large enough to store the entire hash. Using sha1, the column should be 40 characters.
Getting the User Login An HTML form is used to obtain the user's login credentials. The form displays 2 input fields--one to obtain the login ID and another to obtain the password. The userid input field accepts the user's login id while the password field will accept the user's password. The password field might show asterisks or dots as the value is entered, but remember that the form will send it's data in clear text. A secure connection should be made using HTTPS. For more information on that subject see my tutorial Generating Your Own Security Certificates For Use With Apache/HTTPS. The form here submits its information to a script named validate.php as specified by the form's action attribute. It's that script that will be responsible for checking the user's login ID and password in the database and allowing the user to continue.
Processing the Login The actual authentication can take place once we have the user's login ID and password. We need to encrypt or hash the password the same way it was initially done. $user = $_POST["userid"]; $pass = sha1($_POST["password"]); With the ID and password value, we can query the database for any matching records. The following SQL statement is designed to return records where the login ID and password hash match. SELECT * FROM Users WHERE User = '$user' AND Password = '$pass' If the query returns a record set then the login credentials are valid and the user may have access to the protected information. If the query fails to return a record then the credentials are invalid and access is denied. The validate.php script that would accomplish all of that might resemble the following: Instead of simply echoing "Access Granted" or "Access Denied" as shown here, your script can set cookies or start sessions, redirect the user to the login form or perform whatever else is needed.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment