This is a discussion on Inquiry from almost total newbie within the MySQL Database forums, part of the Database Forums category.

Good day, and thank you in advance for any help.

I am a new MySQL user, and have just recently begun to learn something about PHP. I usually work with MS Access, and I can build databases, queries, tables and so forth. So I think I understand that stuff well enough to do most of what I want to do, but my project includes some stuff that I'm not familiar with.

I am slowly working through the process of putting a small database on line for an organization that I help to run. The database will list events in certain geographic areas, and the user/visitor will be able to select the geographic area in which he or she has an interest. It is not going to be a huge pile of data.

We (those of us who run the organization) do not want to spend a lot of time maintaining this data, and there will be a relatively small number of people who we will want to be able to set up an event. I would like to allow anyone with a password, or some other way to log in, to be able to put their own data in, and wait for someone from my organization to approve it. So, my question is this - what is the best way to keep invalid logins from getting to the input form? I guess I need to check the log-in data against another database - or do I? Any tutorials on this subject, or on DB security, in general, will be appreciated.

Thanks...

Steve E.
Serious_Practitioner wrote:
> Good day, and thank you in advance for any help.
>
> I am a new MySQL user, and have just recently begun to learn something about
> PHP. I usually work with MS Access, and I can build databases, queries,
> tables and so forth. So I think I understand that stuff well enough to do
> most of what I want to do, but my project includes some stuff that I'm not
> familiar with.
>
> I am slowly working through the process of putting a small database on line
> for an organization that I help to run. The database will list events in
> certain geographic areas, and the user/visitor will be able to select the
> geographic area in which he or she has an interest. It is not going to be a
> huge pile of data.
>
> We (those of us who run the organization) do not want to spend a lot of time
> maintaining this data, and there will be a relatively small number of people
> who we will want to be able to set up an event. I would like to allow anyone
> with a password, or some other way to log in, to be able to put their own
> data in, and wait for someone from my organization to approve it. So, my
> question is this - what is the best way to keep invalid logins from getting
> to the input form? I guess I need to check the log-in data against another
> database - or do I? Any tutorials on this subject, or on DB security, in
> general, will be appreciated.

There are at least two ways to achieve this:

a) Secure the directory with the input form with a .htaccess file if you are running Apache.

b) Program a small login script with PHP. A pseudo PHP code would look like this:

<?php

if user is not logged in
    ask for user and password in login form
    check user and password against database
    if user and password matches
        show input form
    else
        show login form again
?>

You can store the state of your user in PHP within a session()

For starting you can use something like this:

<?php
// Start the session unless the including page has already done so
if (session_id() == '') {
    session_start();
}

$my_error = '';

// Check user/password or show login form
if (isset($_POST['user']) && isset($_POST['pass'])
    && $_POST['user'] != '' && $_POST['pass'] != ''
    && !isset($_SESSION['handel_login'])) {

    // Prevent SQL injection
    $user = mysql_real_escape_string($_POST['user']);
    $pass = mysql_real_escape_string($_POST['pass']);

    $sql = "SELECT email, pass
              FROM login
             WHERE email = '" . $user ."'
               AND pass = '" . $pass ."'
           ";
    $res = mysql_query($sql)
        or die("Wrong query: " . mysql_error());

    // If we have exactly one result, the user/pass is correct
    if (mysql_num_rows($res) == 1) {
        $row = mysql_fetch_row($res);
        $_SESSION['t_haendler_id'] = $row[0];
        $_SESSION['handel_login'] = true;
    } else {
        // sleep(3);
        $my_error = "Wrong login, please try again<br />";
        // Empty the session data; unset($_SESSION) would disable the superglobal
        $_SESSION = array();
        session_destroy();
    }
}

if (isset($_SESSION['handel_login'])) {
    // Show input form
    require_once 'input_form.php';
} else {
    // Show login form (again, with the error, after a failed attempt)
?>
<div class="content">
<?php echo $my_error; ?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<table>
  <tr>
    <td colspan="2" align="left">
      <h2>Please login</h2></td>
  </tr>
  <tr>
    <td align="right">
      <b>Username:</b></td>
    <td>
      <input type="text" name="user" size="30" maxlength="80" /></td>
  </tr>
<?php
    if (isset($_POST['submit']) && isset($_POST['user']) && $_POST['user'] == '') {
?>
  <tr>
    <td> </td>
    <td class="error">
      Please provide username!</td>
  </tr>
<?php
    }
?>
  <tr>
    <td align="right">
      <b>Passwort:</b></td>
    <td>
      <input type="password" name="pass" size="30" maxlength="20" /></td>
  </tr>
<?php
    if (isset($_POST['submit']) && isset($_POST['pass']) && $_POST['pass'] == '') {
?>
  <tr>
    <td> </td>
    <td class="error">
      Please provide password!</td>
  </tr>
<?php
    }
?>
  <tr>
    <td>
      <input type="reset" name="reset" value="Reset" /></td>
    <td>
      <input type="submit" name="submit" value="Login" /></td>
  </tr>
</table>
</form>

</div>
<?php
}
?>

Regards, Hakan
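
An added example, not part of Hakan's post: the same email/password check against a `login` table, written for current PHP, where the `mysql_*` functions no longer exist (they were removed in PHP 7.0). It uses a PDO prepared statement and stores a `password_hash()` value instead of the password itself; `check_login()`, `login_session()`, the `pass_hash` column and the in-memory SQLite database standing in for MySQL are assumptions made so the example runs offline.

```php
<?php
// Added example (PHP 7.1+), not the poster's code. Assumed names: check_login(),
// login_session(), column pass_hash. SQLite in memory stands in for the MySQL
// `login` table; for MySQL pass a "mysql:host=...;dbname=..." DSN to PDO instead.

function check_login(PDO $db, string $email, string $password): ?string
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT email, pass_hash FROM login WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: verify against a dummy hash so both paths do the same work.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['pass_hash'] : $dummy);

    return ($row && $ok) ? $row['email'] : null;
}

function login_session(string $email): void
{
    // Call after session_start(); a fresh id on login prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['t_haendler_id'] = $email;
    $_SESSION['handel_login'] = true;
}

// Constructed sample data: one organizer account, password stored only as a hash.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (email TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO login (email, pass_hash) VALUES (?, ?)')
   ->execute(['organizer@example.org', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['organizer@example.org', 'correct horse'],  // valid login
    ['organizer@example.org', 'wrong'],          // bad password
    ['nobody@example.org', 'correct horse'],     // unknown user
    ["' OR '1'='1", "' OR '1'='1"],              // quote characters are plain data here
];
foreach ($attempts as [$email, $password]) {
    $who = check_login($db, $email, $password);
    echo ($who === null ? 'rejected' : "accepted $who"), "\n";
}
```

In the login page itself, call `login_session()` when `check_login()` returns an email, and only then include `input_form.php`.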

"Hakan Kuecuekyilmaz" <hakan@lisas.de> wrote in message news:dih5b1$h06$01$1@news.t-online.com...
> Serious_Practitioner wrote:
>> Good day, and thank you in advance for any help.
>>
>> I am a new MySQL user, and have just recently begun to learn something
>> about PHP. I usually work with MS Access, and I can build databases,
>> queries, tables and so forth. So I think I understand that stuff well
>> enough to do most of what I want to do, but my project includes some
>> stuff that I'm not familiar with.
>>
>> I am slowly working through the process of putting a small database on
>> line for an organization that I help to run. The database will list
>> events in certain geographic areas, and the user/visitor will be able to
>> select the geographic area in which he or she has an interest. It is not
>> going to be a huge pile of data.
>>
>> We (those of us who run the organization) do not want to spend a lot of
>> time maintaining this data, and there will be a relatively small number
>> of people who we will want to be able to set up an event. I would like to
>> allow anyone with a password, or some other way to log in, to be able to
>> put their own data in, and wait for someone from my organization to
>> approve it. So, my question is this - what is the best way to keep
>> invalid logins from getting to the input form? I guess I need to check
>> the log-in data against another database - or do I? Any tutorials on this
>> subject, or on DB security, in general, will be appreciated.
>
>
> There are at least two ways to achieve this:
>
> a) Secure the directory with the input form with a .htaccess file if you
> are running Apache.
>
> b) Program a small login script with PHP. A pseudo PHP code would look
> like this:
>
> <?php
>
> if user is not logged in
>     ask for user and password in login form
>     check user and password against database
>     if user and password matches
>         show input form
>     else
>         show login form again
> ?>
>
> You can store the state of your user in PHP within a session()
>
> For starting you can use something like this:
> <?php
> // Check user/password or show login form
> if (isset($_POST['user']) && isset($_POST['pass'])
>     && $_POST['user'] != '' && $_POST['pass'] != ''
>     && !isset($_SESSION['handel_login'])) {
>
>     // Prevent SQL injection
>     $user = mysql_real_escape_string($_POST['user']);
>     $pass = mysql_real_escape_string($_POST['pass']);
>
>     $sql = "SELECT email, pass
>               FROM login
>              WHERE email = '" . $user ."'
>                AND pass = '" . $pass ."'
>            ";
>     $res = mysql_query("$sql")
>         or die("Wrong query: " . mysql_error());
>
>     // If we have exactly one result, the user/pass is correct
>     if (mysql_num_rows($res) == 1) {
>         $row = mysql_fetch_row($res);
>         $_SESSION['t_haendler_id'] = $row[0];
>         $_SESSION['handel_login'] = true;
>         // Show input form
>         require_once 'input_form.php';
>     } else {
>         // sleep(3);
>         $my_error = "Wrong login, please try again<br />";
>         unset($_SESSION);
>         session_destroy();
>     }
> } else {
> ?>
> <div class="content">
> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
> <table>
>   <tr>
>     <td colspan="2" align="left">
>       <h2>Please login</h2></td>
>   </tr>
>   <tr>
>     <td align="right">
>       <b>Username:</b></td>
>     <td>
>       <input type="text" name="user" size="30" maxlength="80" /></td>
>   </tr>
> <?php
>     if (isset($_POST['submit']) && isset($_POST['user']) && $_POST['user'] ==
> '') {
> ?>
>   <tr>
>     <td> </td>
>     <td class="error">
>       Please provide username!</td>
>   </tr>
> <?php
>     }
> ?>
>   <tr>
>     <td align="right">
>       <b>Passwort:</b></td>
>     <td>
>       <input type="password" name="pass" size="30" maxlength="20"
> /></td>
>   </tr>
> <?php
>     if (isset($_POST['submit']) && isset($_POST['pass']) && $_POST['pass'] ==
> '') {
> ?>
>   <tr>
>     <td> </td>
>     <td class="error">
>       Please provide password!</td>
>   </tr>
> <?php
>     }
> ?>
>   <tr>
>     <td>
>       <input type="reset" name="reset" value="Reset" /></td>
>     <td>
>       <input type="submit" name="submit" value="Login" /></td>
>   </tr>
> </table>
> </form>
>
> </div>
> <?php
> }
> ?>
>
>
> Regards, Hakan

Hi, Hakan -

My goodness! Thanks so much. I have to study this, figure out what it does and how to modify it to suit my installation, but thank you EVER so much for the great start on a solution.

Steve E.