A,login,system,that,uses,PostgreSQL

Mert 9/1/2016 0

A login system that uses PostgreSQL This is a simple script for a login system that uses a PostgreSQL database (It could quite easily be changed to use MySql or any other database if you choose). As well as having a username and a password the user has there own zone (I did this so I could dynamically make a page depending on what user and so they could have duplicate usernames if in a different zone (I have set different zones for a different company))

PHP
<?php 

// I have used * to hide certian detail 

// web site script is used on 
// i.e. http://www.example.com/ would be $site = "http://www.example.com/"; 
$site = "*******";   

// checks to see if id is pass to script 
If(!isset($_GET['id'])){ 
    // I was gonna put the redirect in a function but it isn't 
    // neccessary and maybe done in the next version 
    Header("Content-type: text/html"); 
    Header("Status: 302 Moved"); 

    // you must have unauthorised.htm in the route of your site, i.e. 
    //http://www.example.com/unauthorised.htm 
    Header("Location: $site/unauthorised.htm"); 
    exit; 
} 

// checks if id is only made up of numbers 
If(!ereg("^[0-9]{1,}$", $_GET['id'])){ 
    Header("Content-type: text/html"); 
    Header("Status: 302 Moved"); 
    Header("Location: $site/unauthorised.htm"); 
    exit; 
} 

session_start(); 

// sets id var from what was sent to page 
// id will be there zone 
$id = $_GET['id']; 

// checks if user has tried to logon before in the same session 
If(!session_is_registered("authrealm"))    { 
    // sets id in a session var 
    session_register(authrealm); 
    $authrealm = $_GET['id']; 
} 

// checks if user is trying to logon to a different company page 
If($authrealm != $_GET['id']){ 
    // resets username and password to blank 
    $PHP_AUTH_USER = ''; 
    unset($PHP_AUTH_USER); 
    $PHP_AUTH_PW = ''; 
    unset($PHP_AUTH_PW); 
    $authrealm = $_GET['id']; 
} 

If(!IsSet($PHP_AUTH_USER)){ 
    // if username hasn't been set before for this realm, prompts 
    //user for username/password 
    Header("WWW-Authenticate: Basic realm=\"$id\""); 
    Header('Status: 401 Unauthorized'); 
    exit; 
} 

// opens database connection 
$connstr = "dbname=**** user=****"; 
$dbh = pg_connect($connstr); 

// sets the SQL statment to recive the user/password for that id $sql = 
"SELECT * FROM **** WHERE **** = '$authrealm'"; 

// executes the SQL statment on the database 
$passdb = pg_exec($dbh, $sql); 

// if database connection failed send to unauthorised page 
If(!$passdb){ 
    Header("Content-type: text/html"); 
    Header("Status: 302 Moved"); 
    Header("Location: $site/unauthorised.htm"); 
    exit; 
} 

// if there is no entry in the database for this id then redirect to 
//unauthorised page 
If(pg_numrows($passdb) == '0'){ 
    Header("Content-type: text/html"); 
    Header("Status: 302 Moved"); 
    Header("Location: $site/unauthorised.htm"); 
    exit; 
} 

$data = pg_fetch_row($passdb, 0); 

// if there is no entry in the database for this id then redirect to 
//unauthorised page 
If(!$data){ 
    Header("Content-type: text/html"); 
    Header("Status: 302 Moved"); 
    Header("Location: $site/unauthorised.htm"); 
    exit; 
} 

// sets username into var $login 
$login = $data[1]; 

//sets a key for the md5 hash (replace stars with numbers execpt the 
//first one) 

// example would be $key = (($id * 9347^7) / 7849^5); 
$key = (($id * ****^*) / ****^*); 

// encrypts the password 
$hash = md5($id.$PHP_AUTH_PW.$key); 

// returns encrypted password from database 
$pass = $data[2]; 

// checks username/password entered against the ones in the database 
//if correct continues on, if wrong redirects you to the unauthorised page 
If((!$PHP_AUTH_USER == '$login') || (!$pass == '$hash')){ 
    Header("Content-type: text/html"); 
    Header("Status: 302 Moved"); 
    Header("Location: $site/unauthorised.htm"); 
    exit; 
} 

pg_close($dbh); 

?> 

if you can think of any improvments they would be much appericated but 
remember i'm not a security expert and i'm sure this has holes in it, for 
instance if you are not using ssl then the passwords are sent in plain 
text so you may need to use a java applet to encrypt the password before 
it is sent.
 

Report Bug

Please Login to Report Bug

Reported Bugs

Comments

Please Login to Comment

Comments