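The following table must be created for the authentication class to function.

-- Accounts known to the authentication class.
create table auth_users (
    id              int(11) auto_increment not null,
    username        varchar(33) unique not null,
    -- holds the 32-character hex string produced by MySQL's MD5().
    -- NOTE(review): unsalted MD5 is not a password hash; moving to PHP's
    -- password_hash() / password_verify() also means widening this column
    -- (the PHP manual recommends 255 characters for PASSWORD_DEFAULT).
    password        varchar(33) not null,
    email           varchar(64) not null,
    -- NULL once the account has been activated
    activation_hash varchar(128) null,
    primary key ( id )
);

The following file, auth.php, must be included on any page where authentication is desired. It will automatically create an object which can be referred to as [b]$auth[/b]. The authentication status is stored in boolean format in the session variable [b]$_SESSION['authorized'][/b].

<?php
// NOTE(review): the opening of this file (the "<?php" tag, the class line and
// the start of the constructor, up to the mysql_bind() call) is missing from
// the page as published. Those lines are a reconstruction; confirm them
// against the original auth.php.
//
// NOTE(review): every query here goes through the legacy mysql_* extension
// (deprecated in PHP 5.5, removed in PHP 7.0) and relies on a connection that
// is opened elsewhere. Request values are escaped with
// mysql_real_escape_string() before they reach a query; when the code is
// ported, prepared statements through mysqli or PDO are the preferred form.
class auth {

    // Handle a login or logout request carried by the current page load.
    function __construct() {
        if ( isset( $_POST['username'], $_POST['password'] ) ) {
            $this->mysql_bind();
        } else if ( isset( $_GET['logout'] ) ) {
            $this->user_logout();
        }
    }

    // Return $value as a quoted SQL string literal.
    // The escaping depends on the connection character set, so that should be
    // set with mysql_set_charset() rather than a "SET NAMES" query.
    function sql_quote( $value ) {
        return "'" . mysql_real_escape_string( $value ) . "'";
    }

    // is the user authorized already
    function is_authorized() {
        // a fresh session has no 'authorized' key yet; treat that as "no"
        return isset( $_SESSION['authorized'] ) && $_SESSION['authorized'] == true;
    }

    // is the account currently activated
    function is_activated() {
        return isset( $_SESSION['active_account'] ) && $_SESSION['active_account'] == true;
    }

    // bind to the mysql server: check the posted credentials against
    // auth_users and record the outcome in the session
    function mysql_bind() {
        $username = isset( $_POST['username'] ) ? $_POST['username'] : '';
        $password = isset( $_POST['password'] ) ? $_POST['password'] : '';

        // request parameters can arrive as arrays (username[]=x); only plain
        // strings are treated as credentials
        if( ! is_string( $username ) || ! is_string( $password ) || $username == '' ) {
            $_SESSION['authorized'] = false;
            return;
        }

        $query = "SELECT username, activation_hash FROM auth_users " .
                 "WHERE username = " . $this->sql_quote( $username ) .
                 " AND password = MD5(" . $this->sql_quote( $password ) . ")";
        $result = mysql_query( $query );

        // if the account exists in the system
        if( $result !== false && mysql_num_rows( $result ) == 1 ) {
            $user_data = mysql_fetch_assoc( $result );

            // issue a new session id at the privilege change so an id that
            // was known before login is not carried into the logged-in session
            session_regenerate_id( true );

            $_SESSION['authorized'] = true;
            // store the name as held in the table, not as typed
            $_SESSION['username'] = $user_data['username'];

            // user_activation() sets activation_hash to NULL, so the account
            // is active exactly when no hash is present (the published code
            // had these two outcomes swapped)
            $_SESSION['active_account'] = ! isset( $user_data['activation_hash'] );

        // if the account is not in the system
        } else {
            $_SESSION['authorized'] = false;
        }
    }

    // create a new barterjunk user
    // returns true when the account was stored, false otherwise
    function user_create($username,$email,$password) {
        if( ! is_string( $username ) || ! is_string( $email ) || ! is_string( $password ) ) {
            return false;
        }

        if( $password == '' ) {
            return false;
        }

        // the username ends up in a mail subject and the address in the
        // recipient field, so neither may carry line breaks or other junk
        if( preg_match( '/[\r\n]/', $username ) || filter_var( $email, FILTER_VALIDATE_EMAIL ) === false ) {
            return false;
        }

        if( $this->is_username_available($username) == false ) {
            return false;
        }

        // create an activation hash
        // NOTE(review): this value is computed from the username, the password
        // and the clock, all of which the registrant knows. The link proves
        // control of the mailbox only if the token comes from a
        // cryptographically secure random source instead.
        $activation_hash = md5( $username . $password . time() );

        // add the username, password, email and activation hash to the user's table
        // NOTE(review): MD5() stores an unsalted digest; see the note on the
        // password column in the table definition.
        $query = "INSERT INTO auth_users (username,password,email,activation_hash) " .
                 "VALUES (" . $this->sql_quote( $username ) . "," .
                 "MD5(" . $this->sql_quote( $password ) . ")," .
                 $this->sql_quote( $email ) . "," .
                 $this->sql_quote( $activation_hash ) . " )";

        // the unique key on username can still reject the row if another
        // request took the name between the check and the insert
        if( mysql_query( $query ) === false ) {
            return false;
        }

        $this->user_activation_message( $username );
        return true;
    }

    // mail the activation link to the address stored for $username
    function user_activation_message($username) {
        // get the activation hash for this account
        $query = "SELECT activation_hash, email FROM auth_users WHERE username = " .
                 $this->sql_quote( $username );
        $result = mysql_query( $query );

        if( $result === false || mysql_num_rows( $result ) != 1 ) {
            return;
        }

        $user_data = mysql_fetch_assoc( $result );

        // send a message to the user's email account with a verification link
        // (line breaks are stripped so a stored name cannot add mail headers)
        $subject = 'BarterJunk.com account activation for ' .
                   str_replace( array( "\r", "\n" ), '', $username );

        // header of the verification email message
        $header = 'From: AccountActivation@barterjunk.com' . "\r\n" .
                  'Reply-To: webmaster@barterjunk.com' . "\r\n" .
                  'X-Mailer: PHP/' . phpversion();

        // text of the verification email message
        $verification_message = "{$username},\n\n" .
            "Please visit the link below to activate your new BarterJunk.com account.\n\n" .
            "http://www.barterjunk.com/?activation_code=" . $user_data['activation_hash'] . "\n";

        // send the message
        mail( $user_data['email'], $subject, $verification_message, $header );
    }

    // activate a locked account
    // returns the username on success, false when the hash is not valid
    function user_activation($activation_hash) {
        if( ! is_string( $activation_hash ) || $activation_hash == '' ) {
            return false;
        }

        $quoted_hash = $this->sql_quote( $activation_hash );

        // check to see that the activation hash is valid
        $query = "SELECT username FROM auth_users WHERE activation_hash=" . $quoted_hash;
        $result = mysql_query( $query );

        // if the hash is invalid, terminate
        if( $result === false || mysql_num_rows( $result ) != 1 ) {
            return false;
        }

        // if the hash is valid, remove the activation hash from the system
        $user_data = mysql_fetch_assoc( $result );
        $query = "UPDATE auth_users SET activation_hash=NULL WHERE activation_hash = " . $quoted_hash;
        mysql_query( $query );

        // get the username previously associated with this activation hash, return it
        return $user_data['username'];
    }

    // change a user's password
    // returns true when the password was updated, false otherwise
    function user_password_change($username,$password_old,$password_new) {
        if( ! is_string( $username ) || ! is_string( $password_old ) || ! is_string( $password_new ) ) {
            return false;
        }

        if( $password_new == '' ) {
            return false;
        }

        // the old password must match before anything is changed
        $query = "SELECT username FROM auth_users " .
                 "WHERE username = " . $this->sql_quote( $username ) .
                 " AND password = MD5(" . $this->sql_quote( $password_old ) . ")";
        $result = mysql_query( $query );

        if( $result === false || mysql_num_rows( $result ) != 1 ) {
            return false;
        }

        $query = "UPDATE auth_users " .
                 "SET password = MD5(" . $this->sql_quote( $password_new ) . ") " .
                 "WHERE username = " . $this->sql_quote( $username );

        // the published code returned nothing here, so success could not be
        // told apart from failure
        return mysql_query( $query ) !== false;
    }

    // logout of the current session
    function user_logout() {
        $_SESSION['authorized'] = false;
        // do not leave the previous user's state behind in the session
        $_SESSION['active_account'] = false;
        unset( $_SESSION['username'] );
    }

    // is the requested username available?
    function is_username_available( $username ) {
        if( ! is_string( $username ) || $username == '' ) {
            return false;
        }

        $query = "SELECT username FROM auth_users WHERE username=" . $this->sql_quote( $username );
        $result = mysql_query( $query );

        // a failed query says nothing about availability; answer "no"
        if( $result === false ) {
            return false;
        }

        return mysql_num_rows( $result ) == 0;
    }
}

// create the auth object
$auth = new auth();
?>

In order to utilize this functionality, you must call PHP's built-in [b]session_start()[/b] function at the very beginning of each page on which you want authentication status to be preserved. Here is a simple example of a basic method of authentication:

session_start();
require_once('auth.php');

if ( $auth->is_authorized() == true && $auth->is_activated() == true ) {
    require('templates/authorized.php');
} else if ( $auth->is_authorized() == true && $auth->is_activated() == false ) {
    require('templates/activation_needed.php');
} else {
    require('templates/unauthorized.php');
}

Here is an example of a password change:

session_start();
require_once('auth.php');

// the method belongs to the $auth object; the values are read from a POST
// form so that passwords do not end up in URLs, browser history or server logs
$auth->user_password_change( $_POST['username'], $_POST['password_old'], $_POST['password_new'] );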