#1
    Contributing User, Devshed Newbie (0 - 499 posts). Join Date: Jul 2013. Location: America (But which one?). Posts: 43. Rep Power: 1

    PHP/HTML5 Log In without a Database


    I seem to be able to hand write HTML5 and CSS3 with my eyes closed, but I can't figure out some seemingly simple PHP...

    I want to create an HTML5 Log In <form> that uses a separate PHP file to perform the process of checking usernames and passwords with a text file (that is correct; no database). If the log in credentials are correct, the PHP would forward them to a page of my choice, if it is incorrect, it would post an alert (Username and/or Password is incorrect) above the Log In form.

    I don't need the HTML code, as I will use something such as this:

    Code:
    <form action="admin.php" method="POST">

    <h1>Log In</h1>

    <label for="username">Username:<span class="required">*</span></label>
    <input type="text" id="username" name="username" placeholder="Username" required autofocus />

    <label for="password">Password<span class="required">*</span></label>
    <!-- type="password" so the browser masks the input; only the first field gets autofocus -->
    <input type="password" id="password" name="password" placeholder="Password" required />

    <center><input type="submit" value="Log In" id="login-button" /></center>
    </form>
    I was working with the PHP from this ancient post, but I just couldn't get it to work. If I used that post exactly as it was written and inputted the username and password that I had put in the text file (i.e. doctorzeigler:testpassword), it would come up each time as the incorrect password.

    Additionally, if I wrote my form so that it accessed the PHP in a separate file, it would successfully log me in even if my log in credentials were incorrect!

    NOTE: I do not need a sign-up form/page. Users will not be able to sign up as I will have full control over each and every user (which will only be about 8 people).

    If someone could help me out, it would be greatly appreciated!!

    Hopefully someday I'll learn enough where I can actually help someone in return . . .
#2
    Devshed Expert (3500 - 3999 posts). Join Date: Jul 2012. Posts: 3,957. Rep Power: 1046
    Hi,

    apart from the fact that you'll be using file functions instead of queries, this isn't different from writing a standard PHP authentication script. This means you'll need sessions and a strong password hashing algorithm.

    Let's assume you store the user credentials in a JSON file, using the above password library:

    users.json
    Code:
    {
        "testuser": "$2y$10$XISQaNNTCQaEbeRO/cqmye6PMJzueaj02FC6wwo5nZbZyDPBd5V8O"
    }
    Then the login script would look something like this:

    PHP Code:
    <?php

    session_start();

    require_once __DIR__ . '/lib/password.php';    // https://github.com/ircmaxell/password_compat

    if ( !empty($_POST['username']) && !empty($_POST['password']) )
    {
        // the "database": a JSON object mapping usernames to bcrypt hashes
        $user_file = file_get_contents('users.json');
        $users = json_decode($user_file, true);

        $username = $_POST['username'];

        $logged_in = false;
        if ( isset($users[$username]) )
        {
            $posted_password = $_POST['password'];
            $hash = $users[$_POST['username']];
            // bcrypt only uses the first 72 bytes, so longer input is rejected outright
            if ( strlen($posted_password) <= 72 && password_verify($posted_password, $hash) )
            {
                $_SESSION['username'] = $username;
                $logged_in = true;
            }
        }
        if ($logged_in)
        {
            echo 'Logged in successfully';
        }
        else
        {
            echo 'Wrong credentials';
        }
    }
    else
    {
        echo 'Missing credentials';
    }
    Of course this is far from perfect, but you should get the idea.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
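The script above prints a message and stops; the original question asked for a redirect on success and an alert above the form on failure. The following is an added example (not Jacques1's code and not from this thread) that wires the same file-based check to that behaviour. It assumes PHP 5.5 or newer (native password_verify(); on older PHP include password_compat as in the post above), a users.json next to the script, and two placeholder file names, login.php for the form and secret.php for the protected page. It also validates the JSON on load, which reports an unquoted-strings mistake instead of silently refusing every login, and verifies unknown usernames against a dummy hash so that a missing user and a wrong password take the same time.

```php
<?php
// Added example, not Jacques1's script from this thread: the same file-based login,
// wired to the form in #1 (redirect on success, alert above the form on failure).
// Assumptions: PHP >= 5.5, users.json beside this script, login.php serves the form,
// secret.php is the protected page. The file names are placeholders.
error_reporting(-1);
session_start();

define('USERS_FILE',  __DIR__ . '/users.json');
define('LOGIN_PAGE',  'login.php');
define('TARGET_PAGE', 'secret.php');
// Any valid bcrypt hash (this one is the sample entry from #2). Verifying against it
// when the username is unknown keeps the response time the same as for a wrong password.
define('DUMMY_HASH', '$2y$10$XISQaNNTCQaEbeRO/cqmye6PMJzueaj02FC6wwo5nZbZyDPBd5V8O');

// Read and validate the user store. Unquoted keys or values make json_decode()
// return null; that is reported here rather than treated as "no users".
function load_users($path)
{
    if (!is_readable($path)) {
        throw new RuntimeException("cannot read $path");
    }
    $users = json_decode(file_get_contents($path), true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($users)) {
        throw new RuntimeException("$path is not valid JSON: " . json_last_error_msg());
    }
    return $users;
}

// True only if the username exists and the password matches its bcrypt hash.
function check_login(array $users, $username, $password)
{
    if (!is_string($username) || !is_string($password) || strlen($password) > 72) {
        return false;                      // bcrypt only uses the first 72 bytes
    }
    $known = isset($users[$username]) && is_string($users[$username]);
    $hash  = $known ? $users[$username] : DUMMY_HASH;
    $ok    = password_verify($password, $hash);   // constant-time comparison inside
    return $known && $ok;
}

// Store the message for login.php to print above the form, then go back to it.
function fail_login($message)
{
    $_SESSION['login_error'] = $message;
    header('Location: ' . LOGIN_PAGE);
    exit;
}

if (empty($_POST['username']) || empty($_POST['password'])) {
    fail_login('Missing credentials');
}

try {
    $users = load_users(USERS_FILE);
} catch (RuntimeException $e) {
    error_log($e->getMessage());           // details go to the log, not to the browser
    fail_login('Login is temporarily unavailable');
}

if (!check_login($users, $_POST['username'], $_POST['password'])) {
    fail_login('Username and/or Password is incorrect');
}

session_regenerate_id(true);               // fresh session id once the user is authenticated
$_SESSION['username'] = $_POST['username'];
header('Location: ' . TARGET_PAGE);
exit;
```

login.php then calls session_start(), prints $_SESSION['login_error'] through htmlspecialchars() above the form and unset()s it, and secret.php checks isset($_SESSION['username']) at the top and redirects to login.php otherwise. Redirecting after the POST also stops the browser from resubmitting the credentials on reload.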
#3
    Contributing User, Devshed Newbie (0 - 499 posts). Join Date: Jul 2013. Location: America (But which one?). Posts: 43. Rep Power: 1
    Here I go again Jacques . . .

    Surprise, surprise, I can't get this to work. I inputted my password into the bcrypt script, received the hash, and inputted it into the .json file. It looks like this:

    Code:
    {
    	testuser: $2y$10$f1xppn0vmqOrS4t5J7DsX.nKvgubBJPWkCmmfAteY7CztwjMu2beG
    }
    When I input the username and (unhashed) password into my log in form, it tells me that I have the wrong credentials.

    Below is the error I received, and what I did to rectify it:
    [30-Jul-2013 07:04:01 America/Denver] PHP Warning: require_once(/home1/intelly1/public_html/adminpassword.php): failed to open stream: No such file or directory in /home1/intelly1/public_html/admin/admin.php on line 3
    I realized I had somehow deleted the '/' in "require_once __DIR__ . '/password.php';", so I fixed that.

    Feel free to take a look yourself at my Admin Log In. User name is 'testuser' and the password is 'password'.

    What the heck am I doing wrong this time? After fixing the error in the error log, I am not getting any more errors.
#4
    Devshed Expert (3500 - 3999 posts). Join Date: Jul 2012. Posts: 3,957. Rep Power: 1046
    Your JSON file is invalid, you didn't quote the strings.
#5
    Contributing User, Devshed Newbie (0 - 499 posts). Join Date: Jul 2013. Location: America (But which one?). Posts: 43. Rep Power: 1
    Originally Posted by Jacques1
    Your JSON file is invalid, you didn't quote the strings.
    I had originally deleted the quotes because it didn't work with them, but I'm guessing the problem was somewhere else because that fixed it!

    Thank you so much for this!!!

    -DZ

    EDIT: What led me to think that the quotes were not supposed to be there (and that maybe you just put them there for the example) is that Dreamweaver doesn't recognize them as valid. Any more help I receive from you, I'll be sure to ignore Dreamweaver ;-)
#6
    Devshed Expert (3500 - 3999 posts). Join Date: Jul 2012. Posts: 3,957. Rep Power: 1046
    Originally Posted by DoctorZeigler
    I originally had the strings in quotes, but through attempting to solve this on my own, I deleted the quotes. I reimplemented the quotes just now, and it still doesn't work.
    Well, then you need to investigate the problem. There's not much we can do, but you can check every single value. Do that. Use var_dump() to output the variables, starting with $user_file.

    Also turn the error reporting all up with error_reporting(-1) at the top of the script.



    Originally Posted by DoctorZeigler
    I inputted 'password' multiple times, and each time I got a different hash.
    That's what it's supposed to do. The function generates a random string and adds it to the actual password (called "salting"). So hashing the same password multiple times always results in a different hash. The salt is stored in the first 22 characters after the third "$", so in your case it's

    Code:
    f1xppn0vmqOrS4t5J7DsX.
    Given the salt and the password, one can check the hash.

    Salting is crucial for security. Without salting, a cracker can attack all users at once simply by trying out different passwords and checking if the result matches any database entry. It's also possible to precalculate the hashes. This is a huge problem with MD5 hashes, for example, because the hashes of all short strings are known and can be found via Google. So when you have an MD5 hash of some password, there's a good chance of finding out the password.

    Long story short: If the hash doesn't change, you're in trouble.
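To make the salting explanation above concrete, here is an added example (not part of the thread) that hashes the same password twice, pulls the 22 salt characters out of a bcrypt hash, recomputes the hash from salt and password the way password_verify() does, and contrasts that with an unsalted MD5. It assumes PHP 5.6 or newer (password_hash() exists since 5.5, hash_equals() since 5.6); the test password 'password' is the one used earlier in the thread, and the posted hash it inspects is the one from post #3.

```php
<?php
// Added example, not part of the thread: the salting behaviour described in #6, run on
// constructed values. Assumes PHP >= 5.6 (password_hash() since 5.5, hash_equals() since 5.6).

// Return the 22 salt characters that follow the third '$' of a bcrypt hash:
//   $2y$10$<22 salt characters><31 hash characters>
function bcrypt_salt($hash)
{
    $parts = explode('$', $hash);                  // ['', '2y', '10', '<salt+hash>']
    if (count($parts) !== 4 || strlen($parts[3]) !== 53) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return substr($parts[3], 0, 22);
}

// Recompute bcrypt with a known salt; this is what password_verify() does internally.
function bcrypt_with_salt($password, $cost, $salt)
{
    return crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
}

$password = 'password';                            // constructed test value

// Hash the same password twice: random salts give two different hashes.
$hash1 = password_hash($password, PASSWORD_BCRYPT);
$hash2 = password_hash($password, PASSWORD_BCRYPT);
echo "hash 1: $hash1\nhash 2: $hash2\n";
echo 'hashes differ:  ', var_export($hash1 !== $hash2, true), "\n";

// Both still verify, because the salt is read back out of the hash string itself.
echo 'verify hash 1:  ', var_export(password_verify($password, $hash1), true), "\n";
echo 'verify hash 2:  ', var_export(password_verify($password, $hash2), true), "\n";

// Given salt and password, the hash is reproducible exactly (cost 10 is the PASSWORD_BCRYPT default).
$recomputed = bcrypt_with_salt($password, 10, bcrypt_salt($hash1));
echo 'recomputed == hash 1: ', var_export(hash_equals($hash1, $recomputed), true), "\n";

// The hash posted in #3 carries the salt quoted in #6.
$posted = '$2y$10$f1xppn0vmqOrS4t5J7DsX.nKvgubBJPWkCmmfAteY7CztwjMu2beG';
echo 'salt of posted hash: ', bcrypt_salt($posted), "\n";

// Contrast: an unsalted fast hash never changes, so one precomputed table covers every
// user, and two users with the same password are visible at a glance.
echo 'md5, run 1: ', md5($password), "\n";
echo 'md5, run 2: ', md5($password), "\n";

// Ready-made entry for users.json, quoted correctly (what the hand-edited file in #3 lacked).
echo json_encode(array('testuser' => $hash1), JSON_PRETTY_PRINT), "\n";
```

Run it from the command line with php; the two bcrypt lines differ on every run while both verify, the recomputed hash equals the first one exactly, and the two MD5 lines are identical, which is the "if the hash doesn't change, you're in trouble" point in code.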
#7
    Contributing User, Devshed Newbie (0 - 499 posts). Join Date: Jul 2013. Location: America (But which one?). Posts: 43. Rep Power: 1
    Wow!

    Thank you very much for explaining all of that to me!!

    I see you started replying before I got it fixed. I threw the quotation marks in, it didn't work, and then I realized somewhere along the line I had re-copied and pasted your original PHP and didn't change the name of the .json file!

    Thank you again for all of your help Jacques. I'm hoping I don't have to bother you (or anyone on here) for a little bit, but I can't make any guarantees.

    I'll definitely be frequenting DevShed for quite a while in an attempt to help anyone I can (and of course ask any other questions I have); never have I received so much incredible help on any other forum!
