July 24th, 2013, 03:06 PM
PHP/HTML5 Log In without a Database
I seem to be able to hand write HTML5 and CSS3 with my eyes closed, but I can't figure out some seemingly simple PHP...
I want to create an HTML5 Log In <form> that uses a separate PHP file to perform the process of checking usernames and passwords with a text file (that is correct; no database). If the log in credentials are correct, the PHP would forward them to a page of my choice, if it is incorrect, it would post an alert (Username and/or Password is incorrect) above the Log In form.
I don't need the HTML code, as I will use something such as this:
I was working with the PHP from this ancient post, but I just couldn't get it work. If I used that post exactly how it was written and I inputted the username and password that I inputted in the text file (i.e. doctorzeigler:testpassword), it would come up each time as the incorrect password.
<form action="admin.php" method="POST">
<label for="username">Username:<span class="required">*</span></label>
<input type="text" id="username" name="username" placeholder="Username" required autofocus />
<label for="password">Password<span class="required">*</span></label>
<input type="text" id="password" name="password" placeholder="Password" required autofocus />
<center><input type="submit" value="Log In" id="login-button" /></center>
Additionally, if I wrote my form so that it accessed the PHP in a separate file, it would successfully log me in even if my log in credentials were incorrect!
NOTE: I do not need a sign-up form/page. Users will not be able to sign up as I will have full control over each and every user (which will only be about 8 people).
If someone could help me out, it would be greatly appreciated!!
Hopefully someday I'll learn enough where I can actually help someone in return . . .
July 24th, 2013, 03:53 PM
apart from the fact that you'll be using file functions instead of queries, this isn't different from writing a standard PHP authentication script. This means you'll need sessions and a strong password hashing algorithm.
Let's assume you store the user credentials in a JSON file, using the above password library:
Then the login script would look something like this:
Of course this is far from perfect, but you should get the idea.
require_once __DIR__ . '/lib/password.php'; // https://github.com/ircmaxell/password_compat
if ( !empty($_POST['username']) && !empty($_POST['password']) )
$user_file = file_get_contents('users.json');
$users = json_decode($user_file, true);
$logged_in = false;
if ( isset($users[$username]) )
$posted_password = $_POST['password'];
$hash = $users[$_POST['username']];
if ( strlen($posted_password) <= 72 && password_verify($posted_password, $hash) )
$_SESSION['username'] = $username;
$logged_in = true;
echo 'Logged in successfully';
echo 'Wrong credentials';
echo 'Missing credentials';
July 30th, 2013, 08:56 AM
Here I go again Jacques . . .
Surprise, surprise, I can't get this to work. I inputted my password into the bcrypt script, received the hash, and inputted it into the .json file. It looks like this:
When I input the username and (unhashed)password into my log in form, it tells me that I have the wrong credentials.
Below is the error I received, and what I did to rectify it:
I realized I had somehow deleted the '/' in "require_once __DIR__ . '/password.php';", so I fixed that.
Feel free to take a look yourself at my Admin Log In. User name is 'testuser' and the password is 'password'.
What the heck am I doing wrong this time? After fixing the error in the error log, I am not getting any more errors.
July 30th, 2013, 09:33 AM
Your JSON file is invalid, you didn't quote the strings.
July 30th, 2013, 09:48 AM
I had originally deleted the quotes because it didn't work with them, but I'm guessing the problem was somewhere else because that fixed it!
Originally Posted by Jacques1
Thank you so much for this!!!
EDIT: What lead me to think that the quotes were not supposed to be there (and that maybe you just put them there for the example) is that Dreamweaver doesn't recognize them as valid. Any more help I receive from you, I'll be sure to ignore Dreamweaver ;-)
July 30th, 2013, 10:08 AM
Well, then you need to investigate the problem. There's not much we can do, but you can check every single value. Do that. Use var_dump() to output the variables, starting with $user_file.
Originally Posted by DoctorZeigler
Also turn the error reporting all up with error_reporting(-1) at the top of the script.
That's what it's supposed to do. The function generates a random string and adds it to the actual password (called "salting"). So hashing the same password multiple times always results in a different hash. The salt is stored in the first 22 characters after the third "$", so in your case it's
Originally Posted by DoctorZeigler
Given the salt and the password, one can check the hash.
Salting is crucial for security. Without salting, a cracker can attack all users at once simply by trying out different passwords and checking if the result matches any database entry. It's also possible to precalculate the hashes. This is a huge problem with MD5 hashes, for example, because the hashes of all short strings are known and can be found via Google. So when you have an MD5 hash of some password, there's a good chance of finding out the password.
Long story short: If the hash doesn't change, you're in trouble.
July 30th, 2013, 10:45 AM
Thank you very much for explaining all of that to me!!
I see you started replying before I got it fixed. I threw the quotation marks in, it didn't work, and then I realized somewhere along the line I had re-copied and pasted your original PHP and didn't change the name of the .json file!
Thank you again for all of your help Jacques. I'm hoping I don't have to bother you (or anyone on here) for a little bit, but I can't make any guarentees.
I'll definitely be frequenting DevShed for quite a while in an attempt to help anyone I can (and of course ask any other questions I have); never have I received so much incredible help on any other forum!