|
Article:
Password Protection with PHP, MySQL, and Session Variables by: Dan McConkey One of the great promises that actually came true when our Internet-enabled world reached the twenty-first century is efficient customer-to-business interaction. Each day, I find a new way to go through life's errands without ever waiting on hold for a bank teller, a pharmacist, or an insurance agent. I do it all online. Internet savvy consumers are coming to expect such web empowerment. And while these information transactions usually require some sort of private data traveling the ether, you, as the webmaster, bear the burden of keeping that data away from those who have no right to it. Since retina scans and brain wave signatures are still properties of James Bond flicks, we're stuck using plain old boring passwords. Is this really secure? Let's get this out of the way first. The only truly secure computer is one that's unplugged. Kind of like 'the only safe car is the one that sits in your garage.' Life is a risk/reward proposition and, let's face it, this (probably) isn't Fort Knox, we're securing. The security measures listed here are suitable for garden-variety data. I've used these schemes to write back-end website administration pages for online shopping carts. I've used them to write 'partner' pages where retailers can download ads and sales data from wholesalers. I wouldn't use them to secure credit card numbers, social security numbers, or nuclear launch codes. So what are PHP, MySQL, and session variables? PHP is a programming language used (in this case) to write HTML. MySQL is a database. Session variable are used by web servers to track information from one page on a domain to another. This article isn't a how-to for either technology. If you aren't very comfortable with them, you could just copy and paste the code samples in this article and build yourself a basic password protected website. You could also just read the Cliff's notes for Pride and Prejudice and get a C+ in literature class. Your choice. Let's get started with sessions It's often been said that the web is 'stateless', meaning that each web page is entirely independent, needing no other page to exist, and taking no information from the previous page. This is great for anonymous surfing from one site to the next, but it stinks for password protection. Consumers want password protected information, but they don't want to enter their password on every page. So we turn to our web server to keep track of a user while he's on our site. Ex. 1. <?php session_start(); ?> <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http:// www.w3.org/ TR/ xhtml1/ DTD/ xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml'' xml:lang='en' lang='en'> <head><title>Dan McConkey's Free Web Marketing Guide</title></head> <body> <p>Dan McConkey's Free Web Marketing Guide</p> </body> </html> end Ex. 1 session_start() is a PHP function that looks to see if a session has already been started then does one of two things: 1. If a session has been started, it does nothing. 2. If a session has not been started, it begins one. It is important to note that session_start() must occur before any other PHP on the page, if you want it to work. Begin every password-protected page with it. Validation Now let's think basic validation. What sorts of things do we need to accomplish? * First, we need to check to see if the user has already logged in, so we don't ask for a password on every page. If our user has already logged in, we pass him or her through to the secure content. * If the user hasn't already logged in, we need him or her to do so. So we need to write a log-in form. * We need next to compare log-in form results with a known list of usernames and passwords. If the user checks out, we pass him or her along to the secure content. * If the user doesn't check out, we direct him or her back to the log-in screen. * Lastly, we need to provide the user the ability to log out. So let's start with a basic frame-work that we'll fill in later. Ex. 2 <?php // start session if not already started session_start(); // check to see if user just logged out if ( $log_out ) { } function write_log_in( $text ) { } // end write_log_in function function verify() { // check to see if they're already logged in // if yes, return true // if no, check to see if visitor has just tried to log on // if yes, verify password // if it worked, return true // if it didn't, send them back to log-in // if the user didn't just log-in, (s)he needs to } // end verify function ?> <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http:// www.w3.org/ TR/ xhtml1/ DTD/ xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml'' xml:lang='en' lang='en'> <head><title>Dan McConkey's Free Web Marketing Guide</title></head> <body> <p>Dan McConkey's Free Web Marketing Guide</p> <?php // check for valid user if ( verify() ) { // begin secure content echo '<p>Clatu, verata, nicto</p>'; // end secure content } // end if ( verify() ) ?> </body> </html> End Ex. 2 As I said, this is just a frame-work. I like to start all my projects this way. It allows me to get a grand view of what I'm doing before getting mired down in the details. Basically, so far, all we've done is place some secret content inside an if statement. If the user is valid, we show the content, if not, we don't. Writing a log-in form The first thing we should flesh out is our log-in function. This is a basic form, with no bells and whistles, so it should be pretty straight forward. Ex 3 function write_log_in( $text ) { echo ' <p>$text</p> <form method='post' action=''> <p>User ID: <input type='text' name='user_name /></p> <p>Password: <input type='password' name='password' /></p> <p><input type='submit' value='Log In'></p> </form> '; } // end write_log_in function End Ex. 3 No problems, right? All this is is PHP writing a basic HTML log-in form. Two things are worth noting: 1. The method attribute to the <form> tag is 'post'. We could have used 'get
|
