views:

100

answers:

3

I'm trying to create a very simple login for only one or two users, the username and password are stored in "admin.txt" the text file is formatted like: username password __ I cannot seem to have the username and password register... Thanks for the help!!

        // username and password sent from form 
       $myusername=$_POST['username']; 
       $mypassword=$_POST['password'];



        $sql = fopen("../admin8183/users/admin.txt", "r");

                    while (!feof($sql)) {
                      $myusername = fgets($sql);
                      $mypassword = fgets($sql);
                      $line = fgets($sql);



         $myusername = trim($myusername);
         $mypassword = trim($mypassword);

                }
            //  counting  rows
         $admin=count(file("../admin8183/users/admin.txt"));

           if($admin==1){
        // Register $myusername, $mypassword and redirect to file "sendmessage.php"
         session_register("myusername");
         session_register("mypassword"); 
          header("location:sendmessage.php");
             }
              else {
            echo "Wrong Username or Password";
              }

p.s. I am sure that there are a few things wrong with my code, and that there are more efficient ways of accomplishing my goal, this is my first stab at creating a login in php... Thanks for your help!

+1  A: 

First, I must say this is the wrong way to acomplish your task, The offer on the comment to use htpasswd is very right.

As for your code:

  1. You are using the same $myusername variable when reading from $_POST and from the file. You need to use seperate variables and compare then.
  2. You expect the file to have 3 rows (3 gets), yet you register only if it has 1 row)

Update:

Since you can't use htpasswd, i highly recommend hashing your password. Either if you save it in a file or hardcoded, it is a good practice. As @silky pointed out, sha1/md5 are no better then plain text, so here is an implementation of sha256 for PHP.

Also, don't save your password/username in the sessoion, as @pygorex1 pointed out, use a different variable for marking the user as logged-in.

Am
1 and 2. are good points ill re evaluate that however, as I said to the other comment, I cannot access my server settings...
Ryan
Avoid SHA1 if you can, it's considered weak and soon-to-be-dead: http://valerieaurora.org/hash.html
Noon Silk
md5 then......?
Am
Oh dear, MD5 is most definitely dead; you must use SHA-2 or up (sometime in the near future we should see a SHA-3 class being released, but for now, SHA-2 is pretty much the only option).
Noon Silk
can't seem to find sha-2 for php
Am
Am: Then SHA-1 will be acceptable, but just note it down to upgrade when SHA-2 for php becomes available :) (I'd think there is some sort of SHA-256 impl for PHP somewhere, though.)
Noon Silk
@silky: thanks for the link, i`ll go change my own functions now...
Am
A: 

Well, it would seem that fgets() gets an entire line: http://php.net/manual/en/function.fgets.php

so you are putting the entire line username password into $mysuername and then the next line into $mypassword and so on.

zipcodeman
+2  A: 

There's several problems with this script:

  • $myusername, $mypassword - first these variables are being initialized from $_POST data, then overwritten with the file contents. I don't see any checking of the user-submitted password against the password in the file.
  • The password file is being loaded in twice - once via fopen/fgets and again via file. This is wasteful - load the file only once via file()
  • The following lines: $admin=count(file("../admin8183/users/admin.txt")); ... if($admin==1) will allow anyone access as long as the password file contains only one line. Which will never occur if the username/password are on separate lines. Worse yet, this check is independent of user input.
  • The password is being saved in the session. At the very least, if the username and password are correct, a session variable called $_SESSION['logged_in'] should be set to true.
  • Is the password being stored in an encrypted format? At a minimum the password should be stored as a SHA1/MD5 hash.
  • session_register is deprecated.

Building a secure user authentication scheme is hard. As others have noted, try using basic Apache authentication. Here's a decent tutorial:

http://www.nexcess.net/support/tutorials/misc-tools/htaccess-authentication/

pygorex1