dv2000 battery
 Security Protection with PHP, MySQL, together with Session Variables.

Posted by Admin on Wed Sep 21, 2011 8:04 pm

One of the great promises that actually came true when our Internet-enabled world reached the twenty-first century is reliable customer-to-business interaction. Every day, I find a new way to get through life's errands without ever waiting on hold for a bank teller, a druggist, or an insurance agent. I do almost all of it online.
Internet-savvy people are coming to expect such web empowerment. And since these transactions usually require private data to travel the ether, you, as the webmaster, bear the burden of keeping that data away from all who have no right to it.
Since retina scans and brain wave signatures are still the property of James Bond flicks, we're stuck using the usual boring passwords.
Is this really secure?
Let's get this into perspective first. The only truly secure computer is one that's unplugged. Kind of like 'the only safe car is the one that stays parked at your house.' Life is a risk/reward proposition and, let's face it, this (probably) isn't Fort Knox we're guarding.
The security measures we discuss here are suitable for garden-variety information. I've used these schemes to write back-end website administration pages for online shopping carts. I've used them to write 'partner' pages where merchants can download ads and sales data from wholesalers. I wouldn't use them to secure credit card numbers, social security information, or nuclear launch codes.
So what are PHP, MySQL, and session variables?
PHP is a programming language used (in this case) to write HTML. MySQL is a database. Session variables are used by web servers to track information from one page on a domain to another. This article isn't a how-to for either technology. If you aren't very comfortable with them, you could just copy and paste the code samples herein and build yourself a password-protected website. You could also just read the Cliff's Notes for Pride and Prejudice and get a C+ in literature class. Your choice.
Let's start with sessions
It's often been said that the web is 'stateless', meaning each web page is entirely independent, needing no other page to exist, and taking no information from the previous page. This is great for anonymous surfing from one site to another, but it stinks for password protection. Users want password-protected information, but they don't want to enter their password on every single page. So we turn to the web server to keep track of a user while they're on our site.
Ex. 1
<?php
// start a session if one is not already started
session_start();
?>
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head><title>Dan McConkey's Free Web Marketing Guide</title></head>
<body>
<p>Dan McConkey's Free Web Marketing Guide</p>
</body>
</html>
End Ex. 1
session_start() is a PHP function that checks whether a session has already been started and then does one of two things:
1. If a session has been started, it does nothing.
2. If a session hasn't been started, it starts one.
It is important to note that session_start() must occur before any other PHP or HTML output on the web page, if you want it to work. Begin every password-protected page with it.
Validation
Now let's think about basic validation. What sorts of things do we need to accomplish?
* First, we need to check whether the user has already logged in, so we don't ask for a password on every page. If our user has already logged in, we pass her through to the secure content.
* If the user hasn't already logged in, we need him or her to do so. So we need to write a log-in form.
* Next, we need to compare the log-in form results with a known list of user names and passwords. If the user checks out, we pass her along to the secure content.
* If the user doesn't check out, we direct her back to the log-in screen.
* Lastly, we need to give the user a way to log out.
So let's start with a basic framework that we'll flesh out later.
Ex. 2
<?php
// start session if not already started
session_start();
// check to see if user just logged out
// (read the URL variable explicitly; register_globals no longer exists)
$log_out = !empty( $_GET['log_out'] );
if ( $log_out )
{
    // log-out handling goes here
}
function write_log_in( $text )
{
    // log-in form goes here
} // end write_log_in function
function verify()
{
    // check to see if they're already logged in
    // if yes, return true
    // if no, check to see if visitor has just tried to log on
    // if yes, verify password
    // if it worked, return true
    // if it didn't, send them back to log-in
    // if the user didn't just log-in, (s)he needs to
} // end verify function
?>
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head><title>Dan McConkey's Free Web Marketing Guide</title></head>
<body>
<p>Dan McConkey's Free Web Marketing Guide</p>
<?php
// check for valid user
if ( verify() )
{
    // begin secure content
    echo '<p>Clatu, verata, nicto</p>';
    // end secure content
} // end if ( verify() )
?>
</body>
</html>
End Ex. 2
As I said, this is just a simple framework. I like to start all my projects this way. It allows me to get a grand view of what I'm doing before getting mired down in the details.
Basically, so far, all we've done is put some secret content in an if statement. If the user is valid, we show it; if not, we don't.
Writing a log-in form
The first thing we'll flesh out is our log-in function. This is just a basic form, with no special features, so it should be pretty straightforward.
Ex. 3
function write_log_in( $text )
{
    // double-quoted string so that $text is filled in
    echo "
<p>$text</p>
<form method='post' action=''>
<p>User ID: <input type='text' name='user_name' /></p>
<p>Password: <input type='password' name='password' /></p>
<p><input type='submit' value='Log In' /></p>
</form>
";
} // end write_log_in function
End Ex. 3
No problems, right? All this is, is PHP writing an HTML log-in form. A couple of things are worth noting:
1. The method attribute on the <form> tag is 'post'. We could use 'get', but that would add our user name and password to the URL as variables, for example our_url?user_name=bob&password=truck64. This shows the password, in plain text, right there in the URL. Why spend all this time on security if you're just going to put people's passwords out on display?
'post' is more secure, forcing the server to check the form data rather than the URL. Any time you can keep information out of the URL, you're one step closer to a secure web page.
2. Next you want to look at the action attribute on the <form> tag. Leaving it blank tells the server that you plan to process the form results on this same page.
Checking your log-in values
Now let's flesh out our framework some more.
Ex. 4
<?php
// start session if not already started
session_start();
// check to see if user just logged out
// (read the URL variable explicitly; register_globals no longer exists)
$log_out = !empty( $_GET['log_out'] );
if ( $log_out )
{
    // log-out handling goes here
}
function write_log_in( $text )
{
    // ... as shown in Ex. 3
} // end write_log_in function
function verify()
{
    // check to see if they're already logged in
    // if yes, return true
    // check to see if visitor has just tried to log on
    $user_name = isset( $_POST['user_name'] ) ? $_POST['user_name'] : '';
    $password = isset( $_POST['password'] ) ? $_POST['password'] : '';
    if ( $user_name && $password )
    {
        // verify password and log in to database
        // (mysqli replaces the mysql_* functions, removed in PHP 7.0)
        mysqli_report( MYSQLI_REPORT_OFF ); // a failed connect returns false
        $db = @mysqli_connect( 'p:localhost', $user_name, $password );
        if ( $db )
        {
            // register session variable and exit the verify function
            $valid_user = $user_name;
            $_SESSION['valid_user'] = $valid_user;
            return true;
        }
        else
        {
            // bad user and password
            $text = 'User Name and Password did not match';
            write_log_in( $text );
        }
    }
    else
    {
        // if the user didn't just log-in, (s)he needs to
    }
    return false;
} // end verify function
?>
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head><title>Dan McConkey's Free Web Marketing Guide</title></head>
<body>
<p>Dan McConkey's Free Web Marketing Guide</p>
<?php
// check for valid user
if ( verify() )
{
    // begin secure content
    echo '<p>Clatu, verata, nicto</p>';
    // end secure content
} // end if ( verify() )
?>
</body>
</html>
End Ex. 4
First, we check to see if the user has just tried to log in.
$_POST is a PHP superglobal array that holds data sent to a page via a <form method='post'> tag. In the log-in function, we named our inputs user_name and password, so we can access the user input by calling $_POST['user_name'] and $_POST['password'].
We next run an if ( $user_name && $password ) statement to see if both $_POST['user_name'] and $_POST['password'] hold values. If they do, the user just tried to log in.
Our next section of code is the part that actually checks whether the user name and password are correct. Here, we use MySQL's user table (part of the mysql database) to check our users. This is, perhaps, the best way to go, as MySQL is already built to control access permissions. However, this can present problems when you need to keep the database connection open across pages. Also, some hosting companies won't give you grant access (which lets you create new users) to the mysql database.
In those cases, you can accomplish much the same thing by setting up your own users table in a database. You would then need to write an SQL query that compares user names and passwords. That would look something like this:
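Ex. 5
// $db is an open mysqli connection to the database holding your users table
// escape the form input before it goes into the SQL string
$user_name = mysqli_real_escape_string( $db, $user_name );
$password = mysqli_real_escape_string( $db, $password );
// note: PASSWORD() was removed in MySQL 8.0.11
$select = "select user_name from users
where user_name='$user_name'
and password=PASSWORD( '$password' )";
$query = mysqli_query( $db, $select );
if ( mysqli_num_rows( $query ) == 1 )
{
// validated user and password
...
End Ex. 5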
Getting back to our validation using MySQL's built in features, we know that the user name and password checked out because the connection attempt returned true.
Registering a session variable
Now that we know our user name and password check out, we need to store that information and allow our user to continue surfing our protected area without logging in each and every page. Looking back at example four, we notice another of PHP's superglobal variables: $_SESSION.
$_SESSION is an array that holds all of our session variables. By setting the valid_user session variable, we can later make a call to session_is_registered( 'valid_user' ) to see if our user has already logged in successfully.
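The users-table check from Ex. 5 and the session registration described above, as an added example that is not part of the original article: it stores a salted hash instead of relying on PASSWORD(), binds the user name as a query parameter, and issues a new session id at log-in. The users schema, the function names check_credentials(), log_in() and is_logged_in(), and the in-memory SQLite database standing in for MySQL are assumptions made here; bob / truck64 is the sample pair from the article's URL illustration.

```php
<?php
// Added example, not the article's code. Assumed schema: users(user_name,
// password_hash). In-memory SQLite stands in for MySQL so this runs offline;
// point the DSN at mysql:host=...;dbname=... for a real site.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, password_hash TEXT)');

// Constructed sample account; only the salted hash is ever stored.
$add = $pdo->prepare('INSERT INTO users (user_name, password_hash) VALUES (?, ?)');
$add->execute(['bob', password_hash('truck64', PASSWORD_DEFAULT)]);

// True only if the user exists and the password matches the stored hash.
function check_credentials(PDO $pdo, string $user_name, string $password): bool
{
    // Bound parameters keep user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE user_name = ?');
    $stmt->execute([$user_name]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Log-in branch of verify(): register the session variable on success.
function log_in(PDO $pdo, string $user_name, string $password): bool
{
    if (!check_credentials($pdo, $user_name, $password)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id after log-in
    }
    $_SESSION['valid_user'] = $user_name;
    return true;
}

// Stands in for session_is_registered( 'valid_user' ).
function is_logged_in(): bool
{
    return isset($_SESSION['valid_user']);
}

// Self-check on the constructed account, including a name containing quotes.
$_SESSION = [];
var_dump(log_in($pdo, "bob' or '1'='1", 'truck64'));
var_dump(log_in($pdo, 'bob', 'wrong'));
var_dump(log_in($pdo, 'bob', 'truck64'), is_logged_in());
```

On a real page, call log_in() before any output is sent, so that session_regenerate_id() can still set the new session cookie.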
Logging out
The last thing we have to attend to is allowing our users to log out of our system. In this case, we've used a simple link inside our protected area.
Ex. 6
<?php
// start session if not already started
session_start();
// check to see if user just logged out
// (read the URL variable explicitly; register_globals no longer exists)
$log_out = !empty( $_GET['log_out'] );
if ( $log_out )
{
    // unset() replaces session_unregister(), removed in PHP 5.4
    unset( $_SESSION['valid_user'] );
    session_destroy();
    session_start();
}
function write_log_in( $text )
{
    // ... as shown in Ex. 3
} // end write_log_in function
function verify()
{
    // ... as shown in Ex. 4
} // end verify function
?>
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head><title>Dan McConkey's Free Web Marketing Guide</title></head>
<body>
<p>Dan McConkey's Free Web Marketing Guide</p>
<?php
// check for valid user
if ( verify() )
{
echo "<p><a href='?log_out=1'>Log out</a></p>";
// begin secure content
echo '<p>Clatu, verata, nicto</p>';
...
End Ex. 6
First, looking in the HTML body, we see a simple HTML link that adds a variable to the URL. In this case, the variable name is log_out and its value is 1. We use 1 as a value because it's easy to store in a URL, but really any value greater than zero will work.
Once we pass a log-out request to the page, we need to process it. That's what the if( $log_out) part is for.
The if statement checks if a log-out request was passed. Once it sees that one was, it unregisters the valid_user session variable, then it destroys the session entirely.
Ironically, it starts a new session right back up. That's in case the user decides to log in later (without closing the browser window), or log in as a different user.
The final code
Putting it all together we get this:
Ex. 7
<?php
// start session if not already started
session_start();
// check to see if user just logged out
// (read the URL variable explicitly; register_globals no longer exists)
$log_out = !empty( $_GET['log_out'] );
if ( $log_out )
{
    // unset() replaces session_unregister(), removed in PHP 5.4
    unset( $_SESSION['valid_user'] );
    session_destroy();
    session_start();
}
function write_log_in( $text )
{
    // double-quoted string so that $text is filled in
    echo "
<p>$text</p>
<form method='post' action=''>
<p>User ID: <input type='text' name='user_name' /></p>
<p>Password: <input type='password' name='password' /></p>
<p><input type='submit' value='Log In' /></p>
</form>
";
} // end write_log_in function
function verify()
{
    // check to see if they're already logged in
    // (isset() replaces session_is_registered(), removed in PHP 5.4)
    if ( isset( $_SESSION['valid_user'] ) ) return true;
    // check to see if visitor has just tried to log on
    $user_name = isset( $_POST['user_name'] ) ? $_POST['user_name'] : '';
    $password = isset( $_POST['password'] ) ? $_POST['password'] : '';
    if ( $user_name && $password )
    {
        // verify password and log in to database
        // (mysqli replaces the mysql_* functions, removed in PHP 7.0)
        mysqli_report( MYSQLI_REPORT_OFF ); // a failed connect returns false
        $db = @mysqli_connect( 'p:localhost', $user_name, $password );
        if ( $db )
        {
            // register session variable and exit the verify function
            $valid_user = $user_name;
            $_SESSION['valid_user'] = $valid_user;
            return true;
        }
        else
        {
            // bad user and password
            $text = 'User Name and Password did not match';
            write_log_in( $text );
        }
    }
    else
    {
        // user must log in
        $text = 'This is a secure server. Please log in.';
        write_log_in( $text );
    }
    return false;
} // end verify function
?>
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head><title>Dan McConkey's Free Web Marketing Guide</title></head>
<body>
<p>Dan McConkey's Free Web Marketing Guide</p>
<?php
// check for valid user
if ( verify() )
{
    echo "<p><a href='?log_out=1'>Log out</a></p>";
    // begin secure content
    echo '<p>Clatu, verata, nicto</p>';
    // end secure content
} // end if ( verify() )
?>
</body>
</html>
End Ex. 7
That's a pretty hefty code block to put at the head of every web page. Typically, I would put my verify() and write_log_in() functions into a separate file and reference them with an include() function. That provides the added benefit of updating your entire website by editing one file only.
Hope that helps.
Copyright (C) 2005 Dan McConkey





About The Author
Dan McConkey is a freelance web marketing professional, working in and around Charlotte, NC. In the web, Dan has found an amazing potential for lead generation for businesses. Using traditional advertising theories, appropriate technologies, and a little common sense, your electronic marketing campaigns can easily be your most effective.
Dan maintains Dan McConkey's Free Web Marketing Guide at http://www.dmcconkey.com
dmcconkey@yahoo.com.