PHP Username & Password Detection From PSQL Database

PHP Username & Password Detection From PSQL Database

on 07.04.2004 10:59:50 by Yasmine Kedoo

Hi.

I am just beginning to work with PHP & PSQL so forgive me if I make simple
mistakes. :-)

I created my PSQL database via telnet on my university's database server. I
have no problems retrieving and displaying certain data using PHP, but I am
unable to recognise a username and password entered via a predefined
authentication variable, $PHP_AUTH_USER.

The script must recognise the username: 'yamkedoo', and password: 'yasmine'.
In the database, the username & password columns are spelt exactly as:
'username' & 'password'. The database name is 'yamkedoo', and the table name
is 'PatPerInfo', as can be seen from the following code:

if(!isset($PHP_AUTH_USER))
{
Header("WWW-Authenticate: Basic realm=\"Authentication\"");
Header( "HTTP/1.0 401 Unauthorized");

echo "No Login\n";
exit;
}
else
{
echo "User: $PHP_AUTH_USER<BR>";
echo "Password: $PHP_AUTH_PW<BR>";
}
$database = pg_connect("host=pgdbs.inf.brad.ac.uk dbname=yamkedoo
user=yamkedoo password=yamkedoo");

if(!$database)
{
print "Connection to database failed.";
}

else
{
$selectquery = "SELECT * FROM PatPerInfo";
$result = pg_exec($database, $selectquery);

$maxrows = pg_numrows($result);
$maxfields = pg_numfields($result);

for ($rw = 0; $rw < $maxrows; $rw++)
{
$username = pg_Result($result,$rw,0);
$password = pg_Result($result,$rw,1);

if( trim($PHP_AUTH_USER) == trim($username) && (trim($PHP_AUTH_PW))
{
$auth = 1;
}
}

echo $auth;
}

if($auth==0)
{
print "Access Denied<BR>\n";
exit;
}


?>

After the username and password, I get the following error: Parse error:
parse error in /home/webpages/yamkedoo/Tests/referrals2.php on line 44.

Please view the following link:
http://www.cyber.brad.ac.uk/~yamkedoo/Tests/referrals2.php to see what is
happening.
Only once has the authentication window appeared, and has not done so since.
It only gives the error as seen at the link.

Can anyone help?

Thank You :-)



---------------------------(end of broadcast)---------------------------
TIP 9: the planner will ignore your desire to choose an index scan if your
joining column's datatypes do not match

Re: PHP Username & Password Detection From PSQL Database

on 07.04.2004 11:18:08 by Viorel Dragomir

:)
For start you need ) here:
if( trim($PHP_AUTH_USER) == trim($username) && (trim($PHP_AUTH_PW)) )

Re: PHP Username & Password Detection From PSQL Database

on 07.04.2004 11:35:22 by Andrew McMillan

On Wed, 2004-04-07 at 20:59, Yasmine Kedoo wrote:
> Hi.
>
> I am just beginning to work with PHP & PSQL so forgive me if i make simple
> mistakes. :-)
>
> I created my PSQL database via telnet on my university's database server. I
> have no problems retrieving and displaying certain data using PHP, but i am
> unable to recognise a username and password entered via a predefined
> authentication variable, $PHP_AUTH_USER.
>
> The script must recognise the username: 'yamkedoo', and password: 'yasmine'.
> In the database, the username & password columns are spelt exactly as:
> 'username' & 'password'. The database name is 'yamkedoo', and the table name
> is 'PatPerInfo', as can be seen from the following code:

The example in the PHP manual is:

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>

A couple of notes:

1) You have starts (like in the example above). Lowercase is also a lot more normal
(although probably uppercase still works).

2) The example above shows the syntax for more recent PHP versions, with
some security features enabled (i.e. use of $_SERVER['PHP_AUTH_USER']
rather than $PHP_AUTH_USER). Whether the older syntax you have used below
will work will depend on how the installation was configured, to some
extent, as well as the version you are using.


>
> if(!isset($PHP_AUTH_USER))
> {
> Header("WWW-Authenticate: Basic realm=\"Authentication\"");
> Header( "HTTP/1.0 401 Unauthorized");
>
> echo "No Login\n";
> exit;
> }
> else
> {
> echo "User: $PHP_AUTH_USER<BR>";
> echo "Password: $PHP_AUTH_PW<BR>";
> }
> $database = pg_connect("host=pgdbs.inf.brad.ac.uk dbname=yamkedoo
> user=yamkedoo password=yamkedoo");
>
> if(!$database)
> {
> print "Connection to database failed.";
> }
>
> else
> {
> $selectquery = "SELECT * FROM PatPerInfo";
> $result = pg_exec($database, $selectquery);
>
> $maxrows = pg_numrows($result);
> $maxfields = pg_numfields($result);
>
> for ($rw = 0; $rw < $maxrows; $rw++)
> {

Just as a suggestion you might want to consider:

$row = pg_fetch_object($result, $rw);
if ( trim($_SERVER['PHP_AUTH_USER']) == trim($row->username)
  && trim($_SERVER['PHP_AUTH_PW']) == trim($row->password) )
{
...

Actually, though, you can get the database to do it:

$auth_user = pg_escape_string(trim($_SERVER['PHP_AUTH_USER']));
$auth_pass = pg_escape_string(trim($_SERVER['PHP_AUTH_PW']));
$selectquery = "SELECT * FROM PatPerInfo
WHERE trim(username) = '$auth_user'
AND trim(password) = '$auth_pass'";

$result = pg_exec( ...


Doing it this way you can simply see if you got back exactly one row,
and if you did then that should be the correct user record - no need for
PHP to inefficiently loop through all of the table looking.


> $username = pg_Result($result,$rw,0);
> $password = pg_Result($result,$rw,1);
>

Aren't you missing a comparison on the line below?

> if( trim($PHP_AUTH_USER) == trim($username) && (trim($PHP_AUTH_PW))
> {
> $auth = 1;
> }
> }
>
> echo $auth;
> }
>
> if($auth==0)
> {
> print "Access Denied<BR>\n";
> exit;
> }
>
>
> ?>
>
> After the username and password, i get the following error: Parse error:
> parse error in /home/webpages/yamkedoo/Tests/referrals2.php on line 44.
>
> Please view te following link:
> http://www.cyber.brad.ac.uk/~yamkedoo/Tests/referrals2.php to see what is
> happening.
> Only once has the authentication window appeared, and has not done so since.
> It only gives the error as seen at the link.

Once you have provided the correct credentials to basic auth, your web
browser will repeatedly provide them each time until you exit the
browser or cancel them.

Most sites don't use Basic Authentication like the above - generally
some form of session is maintained through URL rewriting or cookies
since that allows a lot more control (and graphical design) fitting the
login process more smoothly into the web page.

Regards,
Andrew.

------------------------------------------------------------ -------------
Andrew @ Catalyst .Net .NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201 MOB: +64(21)635-694 OFFICE: +64(4)499-2267
http://survey.net.nz/ - any more questions?
------------------------------------------------------------ -------------



Re: PHP Username & Password Detection From PSQL Database

on 07.04.2004 16:16:57 by Yasmine Kedoo

Hi again.

After a recommendation, I have changed my approach and I'm now using an HTML
form to accept the username and password.

Please view the following link:
http://www.cyber.brad.ac.uk/~yamkedoo/Tests/brandnew.html

The username 'yamkedoo' and password 'yasmine' will give Successful Login.
This works for all usernames and passwords in the database.

Though if a different password is used, Access Denied is printed as well as
an error, Warning: Unable to jump to row 0 on PostgreSQL result index 2 in
/home/webpages/yamkedoo/Tests/brandnew.php on line 16, that I am unable to
solve. This applies for all incorrect passwords. Please view my code:

#Connects to the database
$database = pg_Connect ("host=pgdbs.inf.brad.ac.uk dbname = yamkedoo user =
yamkedoo password = yamkedoo");

if(!$database)
{
echo "Connection Failed
";
}

else
{
#assign formusername from html form to $auth_user
#assign formpassword from html form to $auth_pass
$auth_user = trim($formusername);
$auth_pass = trim($formpassword);

$query = "SELECT * FROM PatPerInfo WHERE trim(username) = '$auth_user' AND
trim(password) = '$auth_pass'";
$result = pg_exec($database, $query);
$row = pg_fetch_object($result, $rw);

if($row)
{
print "Successful Login\n";
}

else
{
print "Access Denied\n";
}
}

pg_close($database);

?>

If anyone can spot any mistakes, I will welcome suggestions ;-)

Thanx





Re: PHP Username & Password Detection From PSQL Database

on 07.04.2004 16:46:27 by Thom Dyson

When the database connection fails, you are still trying to run the
pg_close command. That can't be good.

> if(!$database)
> {
> echo "Connection Failed
> ";
> }
>
> else
> {
>
> }

> pg_close($database);

> ?>

Thom Dyson
Director of Information Services
Sybex, Inc.



pgsql-php-owner@postgresql.org wrote on 04/07/2004 07:16:57 AM:

......

> Though if a different password is used, Access Denied is printed as well as
> an error, Warning: Unable to jump to row 0 on PostgreSQL result index 2 in
> /home/webpages/yamkedoo/Tests/brandnew.php on line 16, that I am unable to
> solve. This applies for all incorrect passwords. Please view my code:


> If anyone can spot any mistakes, i will welcome suggestions ;-)



Re: PHP Username & Password Detection From PSQL Database

on 07.04.2004 21:18:01 by Andrew McMillan

On Thu, 2004-04-08 at 02:16, Yasmine Kedoo wrote:
>
> The username 'yamkedoo' and password 'yasmine' will give Successful Login.
> This works for all usernames and passwords in the database.
>
> Though if a different password is used, Access Denied is printed as well as
> an error, Warning: Unable to jump to row 0 on PostgreSQL result index 2 in
> /home/webpages/yamkedoo/Tests/brandnew.php on line 16, that I am unable to
> solve. This applies for all incorrect passwords. Please view my code:

Note that your code is vulnerable to "SQL injection" exploit - what
happens if someone puts in a username of "'; DROP TABLE PatPerInfo;".
The earlier code I sent you included calls to pg_escape_string() to
avoid this problem. If that function is not implemented in your PHP
version (it's in 4.2 onwards, I think) you can implement something like
it yourself, fairly trivially:

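function pg_escape_string($str) {
# double single quotes so they stay inside the string literal
$str = str_replace("'", "''", $str);
# double backslashes
$str = str_replace('\\', '\\\\', $str);
# hand the escaped copy back to the caller
return $str;
}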


Also, see the error highlighted in your code below.


Regards,
Andrew McMillan

>
> #Connects to the database
> $database = pg_Connect ("host=pgdbs.inf.brad.ac.uk dbname = yamkedoo user =
> yamkedoo password = yamkedoo");
>
> if(!$database)
> {
> echo "Connection Failed
> ";
> }
>
> else
> {
> #assign formusername from html form to $auth_user
> #assign formpassword from html form to $auth_pass
> $auth_user = trim($formusername);
> $auth_pass = trim($formpassword);
>
> $query = "SELECT * FROM PatPerInfo WHERE trim(username) = '$auth_user' AND
> trim(password) = '$auth_pass'";
> $result = pg_exec($database, $query);
> $row = pg_fetch_object($result, $rw);

Here, you always try and fetch a row. You should check the count of rows
returned, and only try and fetch if there is one:

if ( !$result ) {
print "There was a problem accessing the database";
# do something here to log the application problem
}
else if ( pg_numrows($result) != 1 ) {
print "Access Denied";
# Possibly do something here to log the unauthorised access attempt
}
else {
$row = pg_fetch_object($result, 0);
print "Successful Login";
}

>
> if($row)
> {
> print "Successful Login\n";
> }
>
> else
> {
> print "Access Denied\n";
> }
> }
>
> pg_close($database);

I never pg_close in my programs - the database will be closed
automatically when the page generation finishes, and that's fine.

>
> ?>
>
> If anyone can spot any mistakes, i will welcome suggestions ;-)
>
> Thanx
------------------------------------------------------------ -------------
Andrew @ Catalyst .Net .NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201 MOB: +64(21)635-694 OFFICE: +64(4)499-2267
The truth is rarely pure, and never simple. - Oscar Wilde
------------------------------------------------------------ -------------
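
The injection risk raised in the reply above, and the escaping options discussed in this thread, shown as an added example (not code from any poster). All function names are hypothetical; the literal-scanning rule assumes a PostgreSQL server with standard_conforming_strings = on (the default since 9.1), and check_login() assumes an open pg_connect() handle and PHP 5.1 or later for pg_query_params().

```php
<?php
// Added example, not code from the thread. All function names are hypothetical.

// 1. The query as brandnew.php builds it: form input pasted into the SQL text.
function build_raw(string $user, string $pass): string
{
    return "SELECT * FROM PatPerInfo WHERE trim(username) = '$user'"
         . " AND trim(password) = '$pass'";
}

// 2. Same query after addslashes(): a quote becomes \' (backslash + quote).
function build_addslashes(string $user, string $pass): string
{
    return build_raw(addslashes($user), addslashes($pass));
}

// 3. Same query with quote doubling ('' for '), the standard SQL rule for a
//    quote inside a string literal.
function build_doubled(string $user, string $pass): string
{
    return build_raw(str_replace("'", "''", $user), str_replace("'", "''", $pass));
}

// Return the SQL text that lies outside string literals, reading literals the
// way PostgreSQL does with standard_conforming_strings = on: '' is an escaped
// quote and a backslash is an ordinary character.
function sql_skeleton(string $sql): string
{
    $out = '';
    $inLiteral = false;
    $n = strlen($sql);
    for ($i = 0; $i < $n; $i++) {
        $c = $sql[$i];
        if ($c === "'") {
            if ($inLiteral && $i + 1 < $n && $sql[$i + 1] === "'") {
                $i++;                 // '' inside a literal: skip both characters
                continue;
            }
            $inLiteral = !$inLiteral; // opening or closing quote
            continue;
        }
        if (!$inLiteral) {
            $out .= $c;
        }
    }
    return $out;
}

// True when the supplied values change the statement outside its literals,
// i.e. the input is parsed as SQL instead of being kept as data.
function alters_statement(callable $build, string $user, string $pass): bool
{
    return sql_skeleton($build($user, $pass)) !== sql_skeleton($build('a', 'b'));
}

// Preferred form: values travel separately from the SQL text, so no escaping
// is involved. $db is an open pg_connect() handle (assumed).
function check_login($db, string $user, string $pass): bool
{
    $result = pg_query_params(
        $db,
        'SELECT 1 FROM PatPerInfo WHERE trim(username) = $1 AND trim(password) = $2',
        [trim($user), trim($pass)]
    );
    // Exactly one matching row means the credentials are valid, as in the reply above.
    return $result !== false && pg_num_rows($result) === 1;
}

// Offline demonstration with the username quoted in the reply above.
$user = "'; DROP TABLE PatPerInfo;";
foreach (['build_raw', 'build_addslashes', 'build_doubled'] as $build) {
    printf("%-17s alters statement: %s\n", $build,
        alters_statement($build, $user, 'x') ? 'yes' : 'no');
}
```

With that username, the raw and addslashes() builds report a changed statement and the quote-doubled build does not, because a backslash does not escape a quote under the assumed server setting. check_login() avoids the question entirely by never placing the values in the SQL text.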


---------------------------(end of broadcast)---------------------------
TIP 7: don't forget to increase your free space map settings

Re: PHP Username & Password Detection From PSQL Database

on 08.04.2004 01:07:27 by Chris Smith

Don't worry about using pg_escape_string - simply use addslashes(). Then
it's generic (ie you could easily port this to another db) and it's also
available in all versions =)



-----Original Message-----
From: pgsql-php-owner@postgresql.org
[mailto:pgsql-php-owner@postgresql.org] On Behalf Of Andrew McMillan
Sent: Thursday, April 08, 2004 5:18 AM
To: Yasmine Kedoo
Cc: pgsql-php@postgresql.org
Subject: Re: [PHP] PHP Username & Password Detection From PSQL Database


On Thu, 2004-04-08 at 02:16, Yasmine Kedoo wrote:
>
> The username 'yamkedoo' and password 'yasmine' will give Successful
> Login.
> This works for all usernames and passwords in the database.
>
> Though if a different password is used, Access Denied is printed as
> well as
> an error, Warning: Unable to jump to row 0 on PostgreSQL result index
2 in
> /home/webpages/yamkedoo/Tests/brandnew.php on line 16, that I am
unable to
> solve. This applies for all incorrect passwords. Please view my code:

Note that your code is vulnerable to "SQL injection" exploit - what
happens if someone puts in a username of "'; DROP TABLE PatPerInfo;".
The earlier code I sent you included calls to pg_escape_string() to
avoid this problem. If that function is not implemented in your PHP
version (it's in 4.2 onwards, I think) you can implement something like
it yourself, fairly trivially:

function pg_escape_string($str) {
    // Double single quotes first, then double backslashes.
    $str = str_replace("'", "''", $str);
    $str = str_replace('\\', '\\\\', $str);
    return $str;
}


Also, see the error highlighted in your code below.


Regards,
Andrew McMillan

>
> #Connects to the database
> $database = pg_Connect ("host=pgdbs.inf.brad.ac.uk dbname = yamkedoo user = yamkedoo password = yamkedoo");
>
> if(!$database)
> {
> echo "Connection Failed
> ";
> }
>
> else
> {
> #assign formusername from html form to $auth_user
> #assign formpassword from html form to $auth_pass
> $auth_user = trim($formusername);
> $auth_pass = trim($formpassword);
>
> $query = "SELECT * FROM PatPerInfo WHERE trim(username) = '$auth_user' AND trim(password) = '$auth_pass'";
> $result = pg_exec($database, $query);
> $row = pg_fetch_object($result, $rw);

Here, you always try and fetch a row. You should check the count of rows
returned, and only try and fetch if there is one:

if ( !$result ) {
    print "There was a problem accessing the database";
    # do something here to log the application problem
}
else if ( pg_numrows($result) != 1 ) {
    print "Access Denied";
    # Possibly do something here to log the unauthorised access attempt
}
else {
    $row = pg_fetch_object($result, 0);
    print "Successful Login";
}

>
> if($row)
> {
> print "Successful Login\n";
> }
>
> else
> {
> print "Access Denied\n";
> }
> }
>
> pg_close($database);

I never pg_close in my programs - the database will be closed
automatically when the page generation finishes, and that's fine.

>
> ?>
>
> If anyone can spot any mistakes, i will welcome suggestions ;-)
>
> Thanx
>
>
>
>
> >From: Andrew McMillan
> >To: Yasmine Kedoo
> >CC: pgsql-php@postgresql.org
> >Subject: Re: [PHP] PHP Username & Password Detection From PSQL
> >Database
> >Date: Wed, 07 Apr 2004 21:35:22 +1200
> >
> >On Wed, 2004-04-07 at 20:59, Yasmine Kedoo wrote:
> > > Hi.
> > >
> > > I am just beginning to work with PHP & PSQL so forgive me if I make
> > > simple mistakes. :-)
> > >
> > > I created my PSQL database via telnet on my university's database
> > > server. I have no problems retrieving and displaying certain data using
> > > PHP, but I am unable to recognise a username and password entered via a
> > > predefined authentication variable, $PHP_AUTH_USER.
> > >
> > > The script must recognise the username: 'yamkedoo', and password:
> > > 'yasmine'. In the database, the username & password columns are spelt
> > > exactly as: 'username' & 'password'. The database name is 'yamkedoo',
> > > and the table name is 'PatPerInfo', as can be seen from the following
> > > code:
> >
> >The example in the PHP manual is:
> >
> ><?php
> > if (!isset($_SERVER['PHP_AUTH_USER'])) {
> > header('WWW-Authenticate: Basic realm="My Realm"');
> > header('HTTP/1.0 401 Unauthorized');
> > echo 'Text to send if user hits Cancel button';
> > exit;
> > } else {
> > echo "Hello {$_SERVER['PHP_AUTH_USER']}.";
> > echo "You entered {$_SERVER['PHP_AUTH_PW']} as your password.";
> > }
> >?>
> >
> >A couple of notes:
> >
> >1) You have > >starts (like in the example above). Lowercase is also a lot more
> >normal (although probably uppercase still works).
> >
> >2) The example above shows the syntax for more recent PHP versions,
> >with some security features enabled (i.e. use of
> >$_SERVER['PHP_AUTH_USER'] rather than $PHP_AUTH_USER) whether the
> >older syntax you have used below will work will depend on how the
> >installation was configured, to some extent, as well as the version
> >you are using.
> >
> >
> > >
> > > if(!isset($PHP_AUTH_USER))
> > > {
> > > Header("WWW-Authenticate: Basic realm=\"Authentication\"");
> > > Header( "HTTP/1.0 401 Unauthorized");
> > >
> > > echo "No Login\n";
> > > exit;
> > > }
> > > else
> > > {
> > > echo "User: $PHP_AUTH_USER
> > > ";
> > > echo "Password: $PHP_AUTH_PW
> > > ";
> > > }
> > > $database = pg_connect("host=pgdbs.inf.brad.ac.uk dbname=yamkedoo user=yamkedoo password=yamkedoo");
> > >
> > > if(!$database)
> > > {
> > > print "Connection to database failed.";
> > > }
> > >
> > > else
> > > {
> > > $selectquery = "SELECT * FROM PatPerInfo";
> > > $result = pg_exec($database, $selectquery);
> > >
> > > $maxrows = pg_numrows($result);
> > > $maxfields = pg_numfields($result);
> > >
> > > for ($rw = 0; $rw < $maxrows; $rw++)
> > > {
> >
> >Just as a suggestion you might want to consider:
> >
> >$row = pg_fetch_object($result, $rw);
> >if ( trim($_SERVER['PHP_AUTH_USER']) == trim($row->username)
> > && trim($_SERVER['PHP_AUTH_PW']) == trim($row->password) ) {
> > ...
> >
> >Actually, though, you can get the database to do it:
> >
> >$auth_user = pg_escape_string(trim($_SERVER['PHP_AUTH_USER']));
> >$auth_pass = pg_escape_string(trim($_SERVER['PHP_AUTH_PW']));
> >$selectquery = "SELECT * FROM PatPerInfo
> > WHERE trim(username) = '$auth_user'
> > AND trim(password) = '$auth_pass'";
> >
> >$result = pg_exec( ...
> >
> >
> >Doing it this way you can simply see if you got back exactly one row,
> >and if you did then that should be the correct user record - no need
> >for PHP to inefficiently loop through all of the table looking.
> >
> >
> > > $username = pg_Result($result,$rw,0);
> > > $password = pg_Result($result,$rw,1);
> > >
> >
> >Aren't you missing a comparison on the line below?
> >
> > > if( trim($PHP_AUTH_USER) == trim($username) && (trim($PHP_AUTH_PW))
> > > {
> > > $auth = 1;
> > > }
> > > }
> > >
> > > echo $auth;
> > > }
> > >
> > > if($auth==0)
> > > {
> > > print "Access Denied
> > > \n";
> > > exit;
> > > }
> > >
> > >
> > > ?>
> > >
> > > After the username and password, I get the following error: Parse
> > > error: parse error in /home/webpages/yamkedoo/Tests/referrals2.php
> > > on line 44.
> > >
> > > Please view the following link:
> > > http://www.cyber.brad.ac.uk/~yamkedoo/Tests/referrals2.php to see
> > > what is happening.
> > > Only once has the authentication window appeared, and has not done
> > > so since.
> > > It only gives the error as seen at the link.
> >
> >Once you have provided the correct credentials to basic auth, your
> >web browser will repeatedly provide them each time until you exit the
> >browser or cancel them.
> >
> >Most sites don't use Basic Authentication like the above - generally
> >some form of session is maintained through URL rewriting or cookies
> >since that allows a lot more control (and graphical design) fitting
> >the login process more smoothly into the web page.
> >
> >Regards,
> > Andrew.
> >



---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@postgresql.org so that your
message can get through to the mailing list cleanly
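
Added example (not code from any poster in this thread): it takes the username Andrew quotes above and checks whether addslashes() and his quote-doubling fallback keep it inside one PostgreSQL string literal, both when the server honours backslash escapes (standard_conforming_strings = off) and when it does not (on, the default since PostgreSQL 9.1). The helper names quote_doubling_escape(), stays_inside_literal() and find_user() are hypothetical; find_user() is the same lookup written with pg_query_params(), which needs no escaping at all.

```php
<?php
// Added example; helper names are hypothetical, the sample input is the
// username quoted in the thread.

// Andrew's fallback escaper from the thread: quote doubling plus backslash doubling.
function quote_doubling_escape(string $s): string {
    $s = str_replace("'", "''", $s);
    return str_replace('\\', '\\\\', $s);
}

// Scan "'" . $escaped . "'" the way PostgreSQL scans a string literal and
// report whether the closing quote we appended is the one that ends it.
// $backslash_escapes = true models standard_conforming_strings = off.
function stays_inside_literal(string $escaped, bool $backslash_escapes): bool {
    $lit = "'" . $escaped . "'";
    $n = strlen($lit);
    for ($i = 1; $i < $n; $i++) {
        if ($backslash_escapes && $lit[$i] === '\\') {
            $i++;                       // backslash consumes the next byte
        } elseif ($lit[$i] === "'") {
            if ($i + 1 < $n && $lit[$i + 1] === "'") {
                $i++;                   // '' is an escaped quote
            } else {
                return $i === $n - 1;   // the literal ends here
            }
        }
    }
    return false;                       // literal never terminated
}

// Preferred form: the values travel separately from the SQL text.
function find_user($db, string $user, string $pass) {
    return pg_query_params($db,
        'SELECT * FROM PatPerInfo WHERE trim(username) = $1 AND trim(password) = $2',
        [trim($user), trim($pass)]);
}

$input = "'; DROP TABLE PatPerInfo;";   // username quoted in the thread
foreach (['addslashes', 'quote_doubling_escape'] as $fn) {
    foreach ([true, false] as $bs) {
        printf("%-22s backslash_escapes=%-5s contained=%s\n", $fn,
            var_export($bs, true),
            var_export(stays_inside_literal($fn($input), $bs), true));
    }
}
```

Run from the command line it needs no database; only find_user() requires the pgsql extension and a live connection.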