The final script in our gift registry application is the first the user sees. It shows the guest a login <form> in which he can enter his username and password. The source of the script is shown in Example 11-5, and its output is shown in Figure 11-2.

When the guest has entered his credentials and clicks on the Log In button, the script is re-requested to validate the credentials. If the username already exists in the people table, the password is validated. If the password matches, the session variable $user is registered with the guest's people_id as its value. Then the header() function with the Location: parameter is used to redirect the browser to the presents.php script, along with a welcome message. If the password doesn't match, the script is re-requested, and an error message is shown.

If the username doesn't exist, it is added to the people table along with the user-supplied password. This allows a new guest to use the system, decide on his own username and password, and log in. For applications in which security is important, the usernames and passwords would be added to the people table by an administrator.
Passwords are encrypted. The PHP library function crypt() is a one-way encryption function that takes two parameters: the string to be encrypted and a salt. The salt in our example is two characters from the username. It adds security by ensuring that a password is encrypted to a different string when it is provided by different users. Because crypt() is one-way, the encrypted string cannot be decoded. Therefore, when a returning user attempts to log in, the password they've supplied is encrypted with the same salt and compared to the stored string: if they're the same, the password is correct.
The gift registry application isn’t secure. Passwords are transferred between the web browser and web server as unencrypted text. While this isn’t important for a simple application, additional security and authentication features are often required in web database applications. For such applications, communications should be encrypted by a secure sockets layer (SSL) software package that can be added to a web server.
<?php
// Show the user the login screen for the application, or
// try and log the user in.
//
// Three optional parameters:
// (1) $login name that has been entered into the <form>
// (2) $passwd that has been entered into the <form>
// (3) $message to display
//
// Note: this listing is PHP 4 era code. It relies on register_globals
// to populate $login, $passwd and $message from the request, and the
// mysql_* and session_register()/session_is_registered() functions
// have since been removed from PHP.

// Include database parameters (db.inc also defines clean() and showerror())
include "db.inc";

// Pre-process the user data for security
$login = clean($login, 30);
$passwd = clean($passwd, 30);

// Start a session
session_start();

// Has the user entered a username and password?
if (isset($message) || empty($login) || empty($passwd))
{
   // No, they haven't, so show them a <form>
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Sam and Rowe's Wedding Gift Registry</title>
</head>
<body bgcolor=#ffffff>
<h2>Sam and Rowe's Wedding Gift Registry</h2>
<?php
   // If an error message is stored, show it...
   if (isset($message))
      echo "<h3><font color=\"red\">{$message}</font></h3>";
?>
(if you've not logged in before, make up a username and password)
<form action="index.php" method="POST">
<br>Please enter a username:
<input type="text" name="login">
<br>Please enter a password:
<input type="password" name="passwd">
<br><input type="submit" value="Log in">
</form><br>
<?php require "disclaimer"; ?>
</body>
</html>
<?php
}
else
{
   // Connect to the MySQL DBMS - credentials are in the file db.inc
   if (!($connection = @ mysql_pconnect($hostName, $username, $password)))
      showerror();

   // Use the wedding database
   if (!mysql_select_db($databaseName, $connection))
      showerror();

   // Create a query to find any rows that match the username the user entered
   $query = "SELECT people_id, passwd FROM people WHERE people_id = \"{$login}\"";

   // Run the query through the connection
   if (!($result = @ mysql_query($query, $connection)))
      showerror();

   // Were there any matching rows?
   if (mysql_num_rows($result) == 0)
   {
      // No. So insert the new username and password into the table.
      // The password is stored as crypt() output, salted with the first
      // two characters of the username.
      $query = "INSERT INTO people SET people_id = \"{$login}\", passwd = \"" .
               crypt($passwd, substr($login, 0, 2)) . "\"";

      // Run the query
      if (!($result = @ mysql_query($query, $connection)))
         showerror();
   }
   else
   {
      // Yes. So fetch the matching row
      $row = @ mysql_fetch_array($result);

      // Does the user-supplied password match the password in the table?
      // Re-encrypt the supplied password with the same salt and compare.
      if (crypt($passwd, substr($login, 0, 2)) != $row["passwd"])
      {
         // No, so create an error message
         $message = "This user exists, but the password is incorrect. " .
                    "Choose another username, or fix the password.";

         // Now, redirect the browser to the current page
         header("Location: index.php?message=" . urlencode($message));
         exit;
      }
   }

   // Save the user's login name in the session
   if (!session_is_registered("user"))
      session_register("user");
   $user = $login;

   $message = "Welcome! Please select gift suggestions from the list to add" .
              " to your shopping list!";

   // Everything went ok. Redirect to the presents.php page.
   header("Location: presents.php?message=" . urlencode($message));
}
?>
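The same lookup-or-create login flow with the two changes a practitioner would make today, added here as an example and not code from the book or from the gift registry application. It assumes PHP 7 or later with the pdo_sqlite extension, and uses an in-memory SQLite table in place of the MySQL people table so that it runs offline; the function names open_db() and login_or_create() are this example's own. It replaces the interpolated "{$login}" in the SQL string with a prepared-statement placeholder, and replaces crypt() with two characters of the username as salt (traditional DES crypt, which uses only the first eight characters of the password and whose salt is predictable from the username) with password_hash() and password_verify(), which pick a random salt per call and a deliberately slow algorithm.

```php
<?php
// Added example (not from the book). Assumes PHP 7+ with pdo_sqlite.
// SQLite in memory stands in for the book's MySQL "people" table; swap
// the DSN for MySQL in a real deployment.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same two columns as the book's table; passwd holds a password_hash() string.
    $db->exec('CREATE TABLE people (people_id TEXT PRIMARY KEY, passwd TEXT NOT NULL)');
    return $db;
}

// Returns 'created', 'ok' or 'bad-password', mirroring the three branches
// of index.php (new guest, returning guest, wrong password).
function login_or_create(PDO $db, string $login, string $passwd): string
{
    // A placeholder instead of "{$login}" inside the SQL string: the username
    // travels as a bound parameter, so quotes or SQL keywords in it are data,
    // not part of the statement.
    $stmt = $db->prepare('SELECT passwd FROM people WHERE people_id = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // New guest. password_hash() generates a random salt per call and uses
        // a slow algorithm (bcrypt under PASSWORD_DEFAULT at the time of
        // writing), so two guests with the same password get different stored
        // strings and guessing against a stolen table is expensive.
        $hash = password_hash($passwd, PASSWORD_DEFAULT);
        $ins = $db->prepare('INSERT INTO people (people_id, passwd) VALUES (?, ?)');
        $ins->execute([$login, $hash]);
        return 'created';
    }

    // Returning guest: the salt and algorithm are encoded in the stored
    // string, so password_verify() needs nothing from the username.
    return password_verify($passwd, $row['passwd']) ? 'ok' : 'bad-password';
}

// Small reporting helper for the walk-through below.
function expect(string $label, bool $cond): void
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $label . PHP_EOL;
}

// Constructed walk-through of the three cases, plus the per-user salt point.
$db = open_db();
expect('first visit creates the account',
       login_or_create($db, 'rowe', 'tulip-1999') === 'created');
expect('same credentials log in',
       login_or_create($db, 'rowe', 'tulip-1999') === 'ok');
expect('wrong password is rejected',
       login_or_create($db, 'rowe', 'wrong') === 'bad-password');
expect('a username with a quote in it is just data',
       login_or_create($db, "o'brien", 'x') === 'created'
       && login_or_create($db, "o'brien", 'x') === 'ok');

// Two guests choosing the same password get different stored strings.
login_or_create($db, 'sam', 'tulip-1999');
$rows = $db->query('SELECT people_id, passwd FROM people')->fetchAll(PDO::FETCH_KEY_PAIR);
expect('same password, different stored hashes', $rows['rowe'] !== $rows['sam']);
```

Storing the hash this way does nothing for the transport problem noted in the text: the password still crosses the network in clear text unless the site is served over TLS.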