10-11-2005
Hakan Kuecuekyilmaz
 
Re: Inquiry from almost total newbie

Serious_Practitioner wrote:
> Good day, and thank you in advance for any help.
>
> I am a new MySQL user, and have just recently begun to learn something about
> PHP. I usually work with MS Access, and I can build databases, queries,
> table and so forth. So I think I understand that stuff well enough to do
> most of what I want to do, but my project includes some stuff that I'm not
> familiar with.
>
> I am slowly working through the process of putting a small database online
> for an organization that I help to run. The database will list events in
> certain geographic areas, and the user/visitor will be able to select the
> geographic area in which he or she has an interest. It is not going to be a
> huge pile of data.
>
> We (those of us who run the organization) do not want to spend a lot of time
> maintaining this data, and there will be a relatively small number of people
> who we will want to be able to set up an event. I would like to allow anyone
> with a password, or some other way to log in, to be able to put their own
> data in, and wait for someone from my organization to approve it. So, my
> question is this - what is the best way to keep invalid logins from getting
> to the input form? I guess I need to check the log-in data against another
> database - or do I? Any tutorials on this subject, or on DB security, in
> general, will be appreciated.



There are at least two ways to achieve this:

a) Secure the directory with the input form with a .htaccess file if you
are running Apache.

b) Program a small login script with PHP. Pseudo PHP code would look
like this:

<?php

if user is not logged in
    ask for user and password in login form
    check user and password against database
    if user and password match
        show input form
    else
        show login form again
?>

You can store the state of your user in PHP within a session.

For a start you can use something like this:
<?php
// A session must be started before $_SESSION can be read or written
session_start();

// Assumes a MySQL connection was opened earlier with mysql_connect() and
// mysql_select_db(); mysql_real_escape_string() needs an open connection.
// (The mysql_* extension was removed in PHP 7; on current versions use
// mysqli or PDO with prepared statements instead.)

$my_error = '';

if (isset($_SESSION['handel_login'])) {
    // Already logged in: go straight to the input form
    require_once 'input_form.php';
} elseif (isset($_POST['user']) && isset($_POST['pass'])
    && $_POST['user'] != '' && $_POST['pass'] != '') {

    // Prevent SQL injection
    $user = mysql_real_escape_string($_POST['user']);
    $pass = mysql_real_escape_string($_POST['pass']);

    // Caveat: this compares the password in clear text inside SQL, so the
    // login table has to hold clear-text passwords. Storing a hash and
    // comparing it in PHP is the safer layout.
    $sql = "SELECT email, pass
            FROM login
            WHERE email = '" . $user . "'
            AND pass = '" . $pass . "'";
    $res = mysql_query($sql)
        or die("Wrong query: " . mysql_error());

    // If we have exactly one result, the user/pass is correct
    if (mysql_num_rows($res) == 1) {
        $row = mysql_fetch_row($res);
        session_regenerate_id(true);   // fresh session id after login (session fixation)
        $_SESSION['t_haendler_id'] = $row[0];
        $_SESSION['handel_login'] = true;
        // Show input form
        require_once 'input_form.php';
    } else {
        // sleep(3);   // optional: slow down password guessing
        $my_error = "Wrong login, please try again<br />";
        $_SESSION = array();   // unset($_SESSION) breaks session handling; empty it instead
        session_destroy();
    }
}

// Not logged in (no POST yet, or wrong login): show the login form
if (!isset($_SESSION['handel_login'])) {
?>
<div class="content">
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<table>
<tr>
<td colspan="2" align="left">
<h2>Please login</h2></td>
</tr>
<?php
if ($my_error != '') {
?>
<tr>
<td colspan="2" class="error">
<?php echo $my_error; ?></td>
</tr>
<?php
}
?>
<tr>
<td align="right">
<b>Username:</b></td>
<td>
<input type="text" name="user" size="30" maxlength="80" /></td>
</tr>
<?php
if (isset($_POST['submit']) && isset($_POST['user']) && $_POST['user'] == '') {
?>
<tr>
<td>&nbsp;</td>
<td class="error">
Please provide username!</td>
</tr>
<?php
}
?>
<tr>
<td align="right">
<b>Password:</b></td>
<td>
<input type="password" name="pass" size="30" maxlength="20" /></td>
</tr>
<?php
if (isset($_POST['submit']) && isset($_POST['pass']) && $_POST['pass'] == '') {
?>
<tr>
<td>&nbsp;</td>
<td class="error">
Please provide password!</td>
</tr>
<?php
}
?>
<tr>
<td>
<input type="reset" name="reset" value="Reset" /></td>
<td>
<input type="submit" name="submit" value="Login" /></td>
</tr>
</table>
</form>

</div>
<?php
}
?>


Regards, Hakan
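An added example, not code from Hakan's post: the same login flow (option b above) written for current PHP (7.1 or later) with a PDO prepared statement, hashed passwords, a regenerated session id after login, a CSRF token and a generic failure message. The table layout `login(email, pass_hash)` with `pass_hash` holding `password_hash()` output, the DSN and credentials, the `csrf` form field and the per-session failure counter are all assumptions made for the example; `input_form.php` is the file name used in the post.

```php
<?php
// Added example (not from the original post). Assumed: PHP >= 7.1, a table
// login(email VARCHAR(80) PRIMARY KEY, pass_hash VARCHAR(255)) whose pass_hash
// column stores password_hash() output, and placeholder DSN/credentials.
declare(strict_types=1);

session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=events;charset=utf8mb4',   // assumed DSN
    'app_user', 'app_password',                             // assumed credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]   // real server-side prepared statements
);

// Returns the user's e-mail on success, null otherwise. User input is only
// ever bound as a parameter, so quotes in $email cannot alter the statement,
// and the password is checked in PHP against a hash, never inside SQL.
function check_login(PDO $pdo, string $email, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT email, pass_hash FROM login WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always pay one hash computation so an unknown account costs the same
    // as a known one; otherwise response time reveals registered addresses.
    $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash  = $row ? $row['pass_hash'] : $dummy;
    $ok    = password_verify($password, $hash);

    return ($row && $ok) ? $row['email'] : null;
}

// One CSRF token per session, required on every login POST.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

$error = '';

if (isset($_SESSION['login_email'])) {
    require_once 'input_form.php';   // already logged in
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email = trim($_POST['user'] ?? '');
    $pass  = $_POST['pass'] ?? '';
    $csrf  = $_POST['csrf'] ?? '';
    $_SESSION['failures'] = $_SESSION['failures'] ?? 0;   // assumed per-session throttle

    if (!hash_equals($_SESSION['csrf'], $csrf)) {
        $error = 'Invalid form submission, please try again.';
    } elseif ($email === '' || $pass === '') {
        $error = 'Please provide username and password.';
    } elseif ($_SESSION['failures'] >= 5) {
        $error = 'Too many failed attempts, please wait before trying again.';
    } elseif (($who = check_login($pdo, $email, $pass)) !== null) {
        session_regenerate_id(true);        // new id on login: defeats session fixation
        $_SESSION['login_email'] = $who;
        unset($_SESSION['failures']);
        require_once 'input_form.php';
        exit;
    } else {
        $_SESSION['failures']++;
        usleep(500000);                     // small fixed delay per failure
        // One generic message: do not say whether the e-mail or the password was wrong.
        $error = 'Wrong login, please try again.';
    }
}

// Fall through: show the login form, escaping everything echoed into HTML.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
$csrf = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
?>
<form action="<?= $self ?>" method="post">
  <input type="hidden" name="csrf" value="<?= $csrf ?>" />
  <?php if ($error !== '') { ?>
    <p class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
  <?php } ?>
  <label>Username: <input type="text" name="user" maxlength="80" /></label>
  <label>Password: <input type="password" name="pass" maxlength="20" /></label>
  <input type="submit" name="submit" value="Login" />
</form>
```

Rows for the assumed `login` table are created with the hash, never the password itself, e.g. `$pdo->prepare('INSERT INTO login (email, pass_hash) VALUES (?, ?)')->execute([$email, password_hash($pw, PASSWORD_DEFAULT)])`. The failure counter lives in the session, so a client that drops its cookie starts fresh; it only slows casual guessing, and real throttling has to be keyed server-side per account or source address.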