PHP/MySQL Authentication Scheme
This class is a simple authentication scheme which makes it easy to add authentication to any page by including one class and adding one table to your MySQL database. It is written against the legacy mysql_* extension (removed in PHP 7) and, in the revised version, get_magic_quotes_gpc() (removed in PHP 8), so as written it only runs on old PHP releases; the page never opens a database connection itself and expects the including page to have called mysql_connect() and mysql_select_db() already.
The following functions are employed by this authentication class:
auth()
is_authorized()
mysql_bind()
user_create($username,$email,$password)
user_activation_message($username)
user_activation($activation_hash)
user_password_change($username,$password_old,$password_new)
user_logout()
is_username_available( $username )
Each function in detail:
auth()
This is the default constructor. It checks for the POST variables "username" and "password" and, if both are present, calls mysql_bind() to log the user in; otherwise it checks whether the GET variable "logout" was passed, in which case it sets the authentication status to un-authenticated.
is_authorized()
Checks the SESSION variable "authorized" and returns true or false depending on that variable.
mysql_bind()
Called automatically by the constructor whenever $_POST['username'] and $_POST['password'] are present. It queries the database for a row whose username matches and whose stored password equals the MD5 hash of the submitted password, then sets $_SESSION['authorized'], $_SESSION['username'] and $_SESSION['active_account'] accordingly. Despite the name it does not connect to MySQL; mysql_query() uses whatever connection the including page already opened. Passwords are stored as unsalted MD5 hashes, which are quick to crack by dictionary or rainbow table if the table is ever leaked.
user_create($username,$email,$password)
Creates a user, if the username is available, and stores an MD5 hash of the username, the password and the current time() as the activation hash that is later used to "activate" the account. Because that hash is derived entirely from values the registrant already knows (username, password and time() to the second), whoever submitted the registration can compute the token themselves, so activation does not really prove control of the e-mail address; a random token from a CSPRNG would.
user_activation_message($username)
Sends the custom activation message to the email address for the username specified
user_activation($activation_hash)
Checks to see if the activation hash is valid, if it is, the activation_hash variable is set to NULL, thus signifying that the account is active.
user_password_change($username,$password_old,$password_new)
Quick and easy way to change the user's password with one function call. Returns false if the old password does not match the stored hash, true once the new hash has been written.
user_logout()
Sets the authorization status in $_SESSION['authorized'] to FALSE
is_username_available( $username )
Returns TRUE or FALSE depending on whether or not the username is free.
CREATE TABLE auth_users
(
id INT(11) AUTO_INCREMENT NOT NULL,
username VARCHAR(33) UNIQUE NOT NULL,
password VARCHAR(33) NOT NULL,
email VARCHAR(64) NOT NULL,
activation_hash VARCHAR(128) NULL,
PRIMARY KEY ( id )
);
<?php
class auth {
// default constructor
function auth() {
if( isset( $_POST['username'] ) && isset( $_POST['password'] ) )
{ $this->mysql_bind(); }
else if ( isset( $_GET['logout'] ) ) {
$this->user_logout();
}
}
// is the user authorized already
function is_authorized() {
// use isset() so a fresh session with no 'authorized' key reads as not logged in
return isset( $_SESSION['authorized'] ) && $_SESSION['authorized'] == true;
}
// is the account currently activated
function is_activated() {
return isset( $_SESSION['active_account'] ) && $_SESSION['active_account'] == true;
}
// bind to the mysql server
function mysql_bind() {
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT username, activation_hash FROM auth_users " .
"WHERE username = '" . $username . "' AND password =MD5('" . $password . "')";
$result = mysql_query( $query );
$user_data = mysql_fetch_assoc( $result );
// if the account exists in the system
if( mysql_num_rows( $result ) == 1 ) {
$_SESSION['authorized'] = true;
$_SESSION['username'] = $username;
// check to see whether or not the account is active:
// user_activation() sets activation_hash to NULL, so NULL means the account is active
// and a present hash means it is still waiting for activation
if( is_null( $user_data['activation_hash'] ) ) {
$_SESSION['active_account'] = true; // no activation hash present, the account is active
} else {
$_SESSION['active_account'] = false; // an activation hash is present, the account is not active
}
// if the account is not in the system
} else {
$_SESSION['authorized'] = false;
}
}
// create a new barterjunk user
function user_create($username,$email,$password) {
if( $this->is_username_available($username) == false ) {
return false;
}
// create an activation hash
$activation_hash = md5( $username . $password . time() );
// add the username, password, email and activation hash to the user's table
$query = "INSERT INTO auth_users (username,password,email,activation_hash) " .
"VALUES ('" . $username . "'," .
"MD5('" . $password . "')," .
"'" . $email . "'," .
"'" . $activation_hash . "' )";
mysql_query( $query );
$this->user_activation_message( $username );
return true;
}
function user_activation_message($username) {
// get the activation hash for this account
$query = "SELECT activation_hash, email FROM auth_users WHERE username = '" . $username . "'";
$result = mysql_query( $query );
$user_data = mysql_fetch_assoc( $result );
// send a message to the user's email account with a verification link
$subject = 'BarterJunk.com account activation for ' . $username;
// header of the verification email message
$header = 'From: AccountActivation@barterjunk.com' . "\r\n" .
'Reply-To: webmaster@barterjunk.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
// text of the verification email message
$verification_message =
"{$username},\n\n" .
"Please visit the link below to activate your new BarterJunk.com account.\n\n" .
"http://www.barterjunk.com/?activation_code=" . $user_data['activation_hash'] . "\n";
// send the message
mail( $user_data['email'], $subject, $verification_message, $header );
}
// activate a locked account
function user_activation($activation_hash) {
// check to see that the activation hash is valid
$query = "SELECT username FROM auth_users WHERE activation_hash='" . $activation_hash . "'";
$result = mysql_query( $query );
// if the hash is invalid, terminate
if( mysql_num_rows( $result ) != 1 ) {
return false;
}
// if the hash is valid, remove the activation hash from the system
$user_data = mysql_fetch_assoc( $result );
$query = "UPDATE auth_users SET activation_hash=NULL WHERE activation_hash = '" . $activation_hash . "'";
mysql_query( $query );
// get the username previously associated with this activation hash, return it
return $user_data['username'];
}
// change a user's password
function user_password_change($username,$password_old,$password_new) {
$query = "SELECT username FROM auth_users " .
"WHERE username = '" . $username . "' AND password = MD5('" . $password_old . "')";
$result = mysql_query( $query );
if( mysql_num_rows( $result ) != 1 ) {
return false;
}
$query = "UPDATE auth_users " .
"SET password = MD5('" . $password_new . "') " .
"WHERE username = '" . $username . "'";
mysql_query( $query );
return true;
}
// logout of the current session
function user_logout() {
$_SESSION['authorized'] = false;
}
// is the requested username available?
function is_username_available( $username ) {
if( $username == '' ) {
return false;
}
$query = "SELECT username FROM auth_users WHERE username='" . $username . "'";
$result = mysql_query( $query );
if( mysql_num_rows( $result ) == 0 ) {
return true;
} else {
return false;
}
}
}
// create the auth object
$auth = new auth();
?>
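The queries in the class above are built by string concatenation, which is the SQL injection the author later patches. The following added example (not code from the original page) runs the exact WHERE clause that mysql_bind() builds, first with a legitimate login, then with an injected username, and finally with the same input bound through a prepared statement. It uses an in-memory SQLite database via PDO so it runs offline; the MD5() SQL function is registered by hand because SQLite, unlike MySQL, does not ship one, and the account "alice" and its password are constructed for the demonstration.

```php
<?php
// Added example, not part of the original class: shows why the concatenated
// query in mysql_bind() is injectable, and the prepared-statement form that is not.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// SQLite has no MD5(); map it onto PHP's md5() so the page's SQL runs unchanged
$pdo->sqliteCreateFunction('MD5', 'md5', 1);

// same table as the page, minus the MySQL-only column options
$pdo->exec("CREATE TABLE auth_users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(33) UNIQUE NOT NULL,
    password VARCHAR(33) NOT NULL,
    email VARCHAR(64) NOT NULL,
    activation_hash VARCHAR(128) NULL)");
// one constructed account, stored as the class stores it (unsalted MD5)
$pdo->exec("INSERT INTO auth_users (username, password, email, activation_hash)
            VALUES ('alice', MD5('correct horse'), 'alice@example.com', NULL)");

// the SELECT exactly as mysql_bind() concatenates it from $_POST
function login_query_concat($username, $password) {
    return "SELECT username, activation_hash FROM auth_users " .
           "WHERE username = '" . $username . "' AND password =MD5('" . $password . "')";
}

function rows(PDO $pdo, $sql) {
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// the hardened form: user input is bound as data and never becomes SQL text
function login_query_prepared(PDO $pdo, $username, $password) {
    $stmt = $pdo->prepare("SELECT username, activation_hash FROM auth_users
                           WHERE username = ? AND password = MD5(?)");
    $stmt->execute([$username, $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 1. legitimate login: exactly one row
$ok   = rows($pdo, login_query_concat('alice', 'correct horse'));
// 2. wrong password: no rows
$bad  = rows($pdo, login_query_concat('alice', 'wrong'));
// 3. the username closes the quoted string and "-- " comments out the rest of
//    the WHERE clause, so the password comparison is never evaluated: one row
$inj  = rows($pdo, login_query_concat("alice' -- ", 'anything'));
// 4. the same payload through a prepared statement is just a username that
//    does not exist: no rows
$safe = login_query_prepared($pdo, "alice' -- ", 'anything');

printf("legit: %d row(s), wrong password: %d, injected: %d, injected vs prepared: %d\n",
       count($ok), count($bad), count($inj), count($safe));
```

The payload uses a comment rather than the classic `' OR '1'='1` because mysql_bind() insists on exactly one row (mysql_num_rows == 1): a payload that matches every user fails that check, while one that names a single user and cuts off the password clause passes it and logs the attacker in as that user.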
<?php
// example page: pick a template based on the login and activation state
session_start();
require_once('auth.php');
if ( $auth->is_authorized() == true && $auth->is_activated() == true ) {
require('templates/authorized.php');
}
else if ( $auth->is_authorized() == true && $auth->is_activated() == false ) {
require('templates/activation_needed.php');
} else {
require('templates/unauthorized.php');
}
?>
<?php
// example page: change a password in one call; returns false if the old password is wrong.
// Passwords in a GET query string end up in server logs and browser history, so in
// practice submit them with POST instead.
session_start();
require_once('auth.php');
$auth->user_password_change( $_GET['username'], $_GET['password_old'], $_GET['password_new'] );
?>
<?php
class auth {
// default constructor
function auth() {
if( isset( $_POST['username'] ) && isset( $_POST['password'] ) )
{ $this->mysql_bind(); }
else if ( isset( $_GET['logout'] ) ) {
$this->user_logout();
}
}
// is the user authorized already
function is_authorized() {
// use isset() so a fresh session with no 'authorized' key reads as not logged in
return isset( $_SESSION['authorized'] ) && $_SESSION['authorized'] == true;
}
// is the account currently activated (used by the page that picks a template)
function is_activated() {
return isset( $_SESSION['active_account'] ) && $_SESSION['active_account'] == true;
}
// bind to the mysql server
function mysql_bind() {
$username = $_POST['username'];
$password = $_POST['password'];
$query = sprintf("SELECT username, activation_hash FROM auth_users " .
"WHERE username = %s AND password = MD5( %s )",
$this->quote_smart( $username),
$this->quote_smart( $password) );
/*$query = "SELECT username, activation_hash FROM auth_users " .
"WHERE username = '" . $username . "' AND password =MD5('" . $password . "')"; */
$result = mysql_query( $query );
$user_data = mysql_fetch_assoc( $result );
// if the account exists in the system
if( mysql_num_rows( $result ) == 1 ) {
$_SESSION['authorized'] = true;
$_SESSION['username'] = $username;
// check to see whether or not the account is active:
// user_activation() sets activation_hash to NULL, so NULL means the account is active
// and a present hash means it is still waiting for activation
if( is_null( $user_data['activation_hash'] ) ) {
$_SESSION['active_account'] = true; // no activation hash present, the account is active
} else {
$_SESSION['active_account'] = false; // an activation hash is present, the account is not active
}
// if the account is not in the system
} else {
$_SESSION['authorized'] = false;
}
}
// create a new barterjunk user
function user_create($username,$email,$password) {
if( $this->is_username_available($username) == false ) {
return false;
}
// create an activation hash
$activation_hash = md5( $username . $password . time() );
// add the username, password, email and activation hash to the user's table
$query = sprintf("INSERT INTO auth_users (username,password,email,activation_hash) " .
"VALUES ( %s, MD5( %s ), %s, %s )",
$this->quote_smart( $username ),
$this->quote_smart( $password ),
$this->quote_smart( $email ),
$this->quote_smart( $activation_hash ) );
/*$query = "INSERT INTO auth_users (username,password,email,activation_hash) " .
"VALUES ('" . $username . "'," .
"MD5('" . $password . "')," .
"'" . $email . "'," .
"'" . $activation_hash . "' )";*/
mysql_query( $query );
$this->user_activation_message( $username );
return true;
}
function user_activation_message($username) {
// get the activation hash for this account
$query = sprintf("SELECT activation_hash, email FROM auth_users WHERE username = %s ",
$this->quote_smart( $username ) );
//$query = "SELECT activation_hash, email FROM auth_users WHERE username = '" . $username . "'";
$result = mysql_query( $query );
$user_data = mysql_fetch_assoc( $result );
// send a message to the user's email account with a verification link
$subject = 'BarterJunk.com account activation for ' . $username;
// header of the verification email message
$header = 'From: AccountActivation@barterjunk.com' . "\r\n" .
'Reply-To: webmaster@barterjunk.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
// text of the verification email message
$verification_message =
"{$username},\n\n" .
"Please visit the link below to activate your new BarterJunk.com account.\n\n" .
"http://www.barterjunk.com/?activation_code=" . $user_data['activation_hash'] . "\n";
// send the message
mail( $user_data['email'], $subject, $verification_message, $header );
}
// activate a locked account
function user_activation($activation_hash) {
// check to see that the activation hash is valid
$query = sprintf("SELECT username FROM auth_users WHERE activation_hash= %s",
$this->quote_smart($activation_hash) );
//$query = "SELECT username FROM auth_users WHERE activation_hash='" . $activation_hash . "'";
$result = mysql_query( $query );
// if the hash is invalid, terminate
if( mysql_num_rows( $result ) != 1 ) {
return false;
}
// if the hash is valid, remove the activation hash from the system
$user_data = mysql_fetch_assoc( $result );
$query = sprintf("UPDATE auth_users SET activation_hash=NULL WHERE activation_hash = %s",
$this->quote_smart( $activation_hash ) );
//$query = "UPDATE auth_users SET activation_hash=NULL WHERE activation_hash = '" . $activation_hash . "'";
mysql_query( $query );
// get the username previously associated with this activation hash, return it
return $user_data['username'];
}
// change a user's password
function user_password_change($username,$password_old,$password_new) {
$query = sprintf("SELECT username FROM auth_users WHERE username = %s AND password = MD5( %s )",
$this->quote_smart( $username ),
$this->quote_smart( $password_old) );
//$query = "SELECT username FROM auth_users " .
// "WHERE username = '" . $username . "' AND password = MD5('" . $password_old . "')";
$result = mysql_query( $query );
if( mysql_num_rows( $result ) != 1 ) {
return false;
}
$query = sprintf("UPDATE auth_users SET password = MD5( %s ) WHERE username = %s",
$this->quote_smart( $password_new ),
$this->quote_smart( $username ) );
//$query = "UPDATE auth_users " .
// "SET password = MD5('" . $password_new . "') " .
// "WHERE username = '" . $username . "'";
mysql_query( $query );
return true;
}
// logout of the current session
function user_logout() {
$_SESSION['authorized'] = false;
}
// is the requested username available?
function is_username_available( $username ) {
if( $username == '' ) {
return false;
}
$query = sprintf("SELECT username FROM auth_users WHERE username=%s", $this->quote_smart( $username ) );
$result = mysql_query( $query );
if( mysql_num_rows( $result ) == 0 ) {
return true;
} else {
return false;
}
}
// Quote variable to make safe
function quote_smart($value)
{
// undo magic_quotes so the value is not escaped twice
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
// always escape and quote: every column this class compares against is a string
// column, and leaving a numeric-looking value unquoted would make MySQL compare
// the column as a number (so username = 123 would also match '123abc')
return "'" . mysql_real_escape_string($value) . "'";
}
}
// create the auth object
$auth = new auth();
?>
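The revision above stops the injection by escaping, but keeps unsalted MD5 passwords and the time()-based activation hash. The following added example (my code, not the author's) rebuilds the same user lifecycle on PDO prepared statements, password_hash()/password_verify() and a random activation token; the class name pdo_auth, the in-memory SQLite database and the account "bob" are constructed for the demonstration, and sessions are left out so it runs from the command line. The schema mirrors auth_users but widens the password column, since a bcrypt hash is 60 characters.

```php
<?php
// Added example, not the page's own code: the auth_users lifecycle with
// prepared statements, salted password hashing and a CSPRNG activation token.
class pdo_auth {
    private $pdo;

    function __construct(PDO $pdo) {
        $this->pdo = $pdo;
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec("CREATE TABLE IF NOT EXISTS auth_users (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            username VARCHAR(33) UNIQUE NOT NULL,
            password VARCHAR(255) NOT NULL,
            email VARCHAR(64) NOT NULL,
            activation_hash VARCHAR(128) NULL)");
    }

    // returns the activation token for the caller to e-mail, or false if the name is taken
    function user_create($username, $email, $password) {
        if ($username === '' || !$this->is_username_available($username)) {
            return false;
        }
        // 128 random bits: not derivable from anything the registrant knows
        $token = bin2hex(random_bytes(16));
        $stmt = $this->pdo->prepare("INSERT INTO auth_users (username, password, email, activation_hash)
                                     VALUES (?, ?, ?, ?)");
        $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $email, $token]);
        return $token;
    }

    function is_username_available($username) {
        $stmt = $this->pdo->prepare("SELECT 1 FROM auth_users WHERE username = ?");
        $stmt->execute([$username]);
        return $stmt->fetchColumn() === false;
    }

    // clears the token (NULL = active, same convention as the page); returns the username or false
    function user_activation($token) {
        $stmt = $this->pdo->prepare("SELECT username FROM auth_users WHERE activation_hash = ?");
        $stmt->execute([$token]);
        $username = $stmt->fetchColumn();
        if ($username === false) {
            return false;
        }
        $upd = $this->pdo->prepare("UPDATE auth_users SET activation_hash = NULL WHERE username = ?");
        $upd->execute([$username]);
        return $username;
    }

    // returns ['username' => ..., 'active' => bool] or false. The hash is fetched by
    // username and checked in PHP, so neither input ever becomes part of the SQL text.
    function login($username, $password) {
        $stmt = $this->pdo->prepare("SELECT username, password, activation_hash
                                     FROM auth_users WHERE username = ?");
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || !password_verify($password, $row['password'])) {
            return false;
        }
        return ['username' => $row['username'], 'active' => is_null($row['activation_hash'])];
    }

    function user_password_change($username, $password_old, $password_new) {
        if ($this->login($username, $password_old) === false) {
            return false;
        }
        $stmt = $this->pdo->prepare("UPDATE auth_users SET password = ? WHERE username = ?");
        $stmt->execute([password_hash($password_new, PASSWORD_DEFAULT), $username]);
        return true;
    }
}

// walk the lifecycle with a constructed account
$auth     = new pdo_auth(new PDO('sqlite::memory:'));
$token    = $auth->user_create('bob', 'bob@example.com', 'hunter2');
$before   = $auth->login('bob', 'hunter2');          // logs in, 'active' => false
$auth->user_activation($token);
$after    = $auth->login('bob', 'hunter2');          // 'active' => true
$injected = $auth->login("bob' -- ", 'anything');    // false: the quote is only data
$changed  = $auth->user_password_change('bob', 'hunter2', 'correct horse'); // true
$old      = $auth->login('bob', 'hunter2');          // false: old password rejected
var_dump($before['active'], $after['active'], $injected, $changed, $old);
```

When wiring login() into a session the way the page's mysql_bind() does, call session_regenerate_id(true) on success before setting $_SESSION['authorized'], so a session identifier an attacker planted before login does not remain valid afterwards.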
I don't see anything in any of the menus that would allow this.
I'm fairly new to PHP and want to create an authentication mechanism for my PHP applications, and found your code. It's pretty easy to implement, but I have problems with the implementation.
I've created a logon page and the user successfully logs on to the site, and I'm printing the username on the page. I also created a logout.php which logs out the user and returns to index.php, but I can still see the username. Why?
Here is the code i'm using within logout.php:
<?php
session_start();
require('auth.php');
$auth->user_logout();
?>
I'd have to see how you're using the code to know what's going on with your experiment.
Do you have the address to a test instance of your site?
Also, be sure to get the latest revision of the code; it's in one of my comments. I have plugged a few security holes having to do with SQL injection.