
I'm trying to create a very simple login for only one or two users. The username and password are stored in "admin.txt"; the text file is formatted like: username password __ I cannot seem to have the username and password register... Thanks for the help!!

    // username and password sent from form
    $myusername = $_POST['username'];
    $mypassword = $_POST['password'];

    $sql = fopen("../admin8183/users/admin.txt", "r");

    while (!feof($sql)) {
        $myusername = fgets($sql);
        $mypassword = fgets($sql);
        $line = fgets($sql);

        $myusername = trim($myusername);
        $mypassword = trim($mypassword);
    }

    // counting rows
    $admin = count(file("../admin8183/users/admin.txt"));

    if ($admin == 1) {
        // Register $myusername, $mypassword and redirect to file "sendmessage.php"
        session_register("myusername");
        session_register("mypassword");
        header("location:sendmessage.php");
    } else {
        echo "Wrong Username or Password";
    }

P.S. I am sure that there are a few things wrong with my code, and that there are more efficient ways of accomplishing my goal; this is my first stab at creating a login in PHP... Thanks for your help!

  • You know, apache supports this in-built, you should just configure it as such. Check out the 'htpasswd' command, and relevant apache conf file entries. Commented Jan 7, 2010 at 0:10
  • $sql is a very misleading variable name here... Commented Jan 7, 2010 at 0:18
  • I wish I could use htpasswd, however I'm programming from a directory and not the server. I am on an allocated space; I cannot modify server level settings... Commented Jan 7, 2010 at 0:20
  • If you only have two users then you may as well dispense with the text file and hard code the usernames / passwords. Commented Jan 7, 2010 at 0:23
  • Chris: That's pretty bad advice; at the very least the password file should be stored in a place that is definitely not web-accessible. If it's hard coded, the file is accessible in the case of some strange issue that makes php files suddenly downloadable. Commented Jan 7, 2010 at 0:29

3 Answers


There are several problems with this script:

  • $myusername, $mypassword - first these variables are being initialized from $_POST data, then overwritten with the file contents. I don't see any checking of the user-submitted password against the password in the file.
  • The password file is being loaded in twice - once via fopen/fgets and again via file. This is wasteful - load the file only once via file().
  • The following lines: $admin=count(file("../admin8183/users/admin.txt")); ... if($admin==1) will allow anyone access as long as the password file contains only one line. Which will never occur if the username/password are on separate lines. Worse yet, this check is independent of user input.
  • The password is being saved in the session. At the very least, if the username and password are correct, a session variable called $_SESSION['logged_in'] should be set to true.
  • Is the password being stored in an encrypted format? At a minimum the password should be stored as a SHA1/MD5 hash.
  • session_register is deprecated.

Building a secure user authentication scheme is hard. As others have noted, try using basic Apache authentication. Here's a decent tutorial:

http://www.nexcess.net/support/tutorials/misc-tools/htaccess-authentication/



First, I must say this is the wrong way to accomplish your task. The offer in the comment to use htpasswd is very right.

As for your code:

  1. You are using the same $myusername variable when reading from $_POST and from the file. You need to use separate variables and compare them.
  2. You expect the file to have 3 rows (3 gets), yet you register only if it has 1 row.

Update:

Since you can't use htpasswd, I highly recommend hashing your password. Whether you save it in a file or hardcoded, it is a good practice. As @silky pointed out, sha1/md5 are no better than plain text, so here is an implementation of sha256 for PHP.

Also, don't save your password/username in the session; as @pygorex1 pointed out, use a different variable for marking the user as logged-in.

5 Comments

1 and 2 are good points, I'll re-evaluate that. However, as I said to the other comment, I cannot access my server settings...
Avoid SHA1 if you can, it's considered weak and soon-to-be-dead: valerieaurora.org/hash.html
Oh dear, MD5 is most definitely dead; you must use SHA-2 or up (sometime in the near future we should see a SHA-3 class being released, but for now, SHA-2 is pretty much the only option).
Can't seem to find SHA-2 for PHP.
Am: Then SHA-1 will be acceptable, but just note it down to upgrade when SHA-2 for php becomes available :) (I'd think there is some sort of SHA-256 impl for PHP somewhere, though.)
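Putting the fixes from both answers together (compare the submitted credentials against a file loaded once with file(), keep the submitted values in their own variables, store only a password hash, and mark the login with $_SESSION['logged_in'] instead of saving the password), here is an added example; it is not code from the question or from either answer. It assumes PHP 7+, a file path outside the web root, one "username hash" pair per line, and uses PHP's built-in password_hash()/password_verify() in place of the bare SHA-256 the second answer suggests, since those salt and stretch the hash.

```php
<?php
// Added example, not the question's or either answer's code.
// Assumed file layout, one user per line: "username hash"
//   alice $2y$10$...   (the hash is generated once with password_hash())
// Assumed path: outside the document root so the file is never served.
const USER_FILE = __DIR__ . '/../private/admin.txt';

/** Load the file once with file() and return ['username' => 'hash', ...]. */
function load_users(string $path): array
{
    $users = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = preg_split('/\s+/', trim($line), 2);
        if (count($parts) === 2) {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

/** Compare the submitted credentials against the file's entries. */
function check_login(array $users, string $username, string $password): bool
{
    // For unknown users verify against a real dummy hash, so a wrong
    // username costs the same time as a wrong password.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $hash = $users[$username] ?? $dummy;
    return password_verify($password, $hash) && isset($users[$username]);
}

session_start();
// Submitted values stay in their own variables; they are never overwritten
// with what the file contains.
$submittedUser = $_POST['username'] ?? '';
$submittedPass = $_POST['password'] ?? '';

if (check_login(load_users(USER_FILE), $submittedUser, $submittedPass)) {
    session_regenerate_id(true);        // fresh session id after login
    $_SESSION['logged_in'] = true;      // mark the login, do not store the password
    $_SESSION['username']  = $submittedUser;
    header('Location: sendmessage.php');
    exit;
}
echo 'Wrong Username or Password';
```

The hash column of admin.txt is produced once per user with password_hash($plaintext, PASSWORD_DEFAULT), for example from the command line with php -r, so the plaintext password is never written to disk.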

Well, it would seem that fgets() gets an entire line: http://php.net/manual/en/function.fgets.php

So you are putting the entire line "username password" into $myusername and then the next line into $mypassword, and so on.
