Authentication (checking passwords) in PHP

Important: these examples send passwords in clear text. Do not send any passwords that you use for anything else!

You need to copy the file /var/www/html/wordpress/wp-includes/class-phpass.php into your current directory. To do this:

Note that require_once does not work for absolute paths. You can use a relative path from your working directory instead (it will contain lots of ..); then you don't need to copy the file.

Authentication using php only

The user fills in a form on a web page; the program checks the password and, if it is incorrect, re-displays the form. The password is checked against the hash stored in the database.

Note that, although it is possible to distinguish between a wrong user name and a wrong password, the form displays a uniform message. This is often done for security reasons, so that the form does not reveal which user names exist.


<?php

  // -------------- define functions -----------------
function isvalid($user, $password, $connection) {
  // checking if the user's login name is in DB
  // and if it is, checking if the hashed password in DB
  // matches the hash of the given password

  // get rid of extra spaces in user name
  $user = trim($user);

  // get the user's hashed password from the database
  // escape the user name before putting it into the query: otherwise
  // a quote character in it would change the meaning of the SQL
  $user = mysql_real_escape_string($user, $connection);
  $password_q = "SELECT user_pass FROM wp_users WHERE user_login = '$user'";

  if (! ($result = @mysql_query($password_q, $connection))) {
    showerror();
  }

  // if the result is empty then the user's name is not in the
  // database, i.e. is invalid
  if (!$row = @mysql_fetch_assoc($result)) {
    //print "<p>Invalid password</p>";
    return false;
  }
  // if we got here, the user name is valid, and we get
  // the hashed password
  $pass_hash = $row['user_pass'];

  // PASSWORD-CHECKING MAGIC BELOW:

  // include the file that checks the password
  require_once("class-phpass.php");

  // create an object for checking the password
  $wp_hasher = new PasswordHash(8, TRUE);

  // call the function to check the password
  // note the ->: this is an object-oriented approach
  $check = $wp_hasher->CheckPassword($password, $pass_hash);

  // true if the password checks out, false otherwise
  return $check;
}


function print_login_form() {
  $form_string = "
<form id=\"theform\" method=\"post\"
action=\"passwords_salt.php\">
<table border=\"0\">
<tr>
<td>Enter your user name:</td>
<td>
<input type = \"text\" name = \"user\" />
</td>
</tr>
<tr>
<td>Enter your password:</td>
<td>
<input type = \"password\" name = \"password\" />
</td>
</tr>
<tr>
<td>
<input type=\"submit\" name = \"submit\" value=\"submit\" />
</td>
</tr>
</table>
</form>
";
  print $form_string;
}

function showerror()
{
  die("Error ". mysql_errno(). " : " .mysql_error());
}

// ---------------- end of functions -----------------



// getting the form data
$user = $_POST['user'];
$password = $_POST['password'];?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--
PHP functions
Author: Elena Machkasova
Last modified: 4/29/09
-->
<html  xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<title>
Checking user's login name and password
</title>
</head>
<body>
<?php
// open DB connection
// connect to the server
if (! ($connection = @mysql_connect("localhost","1101readonly","spring1101read")))
die ("connection to the database failed");

// select a database
if (!@mysql_select_db("wordpress", $connection)) showerror();

if (isset($user)) {
   if (isvalid($user, $password, $connection)) {
       // htmlspecialchars so that a user name containing < or & is shown literally
       print "Welcome, " . htmlspecialchars($user) . "!<br/>\n";
   } else {
       // if the password is incorrect or no such user,
       // print an error message and display the form
       print "<p>No such user or password invalid, please try again</p>";
       print_login_form();
   }
} else {
      // print the login form the first time
      print_login_form();
}


// close DB connection
@mysql_close($connection);

?>
</body>
</html>

http://csci1101sp10.morris.umn.edu/~elenam/1101_spring10/passwords/passwords_salt.php
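The "password-checking magic" that class-phpass.php performs, as an added example in Python rather than the page's own PHP (this is not the phpass library's code; the function names are mine and mirror phpass's crypt_private and CheckPassword): a WordPress '$P$' hash is 12 characters of settings (prefix, round-count character, 8-character salt) followed by 22 characters encoding an MD5 digest iterated 2^count times, and CheckPassword simply recomputes that with the stored salt and compares.

```python
import hashlib
import hmac

# phpass's own 64-character alphabet (it is not standard base64)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data):
    """phpass base64 variant: 6-bit groups, low bits first, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def crypt_private(password, setting):
    """Hash `password` with the round count and salt stored in `setting`
    (the first 12 chars of a '$P$' hash); returns '*' if it is malformed."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return "*"
    count_log2 = ITOA64.find(setting[3])   # char 4 = log2(rounds); WordPress's
    if count_log2 < 7 or count_log2 > 30:  # PasswordHash(8, TRUE) stores 8+5=13
        return "*"                         # ('B'), hence the '$P$B' prefix
    salt, pw = setting[4:12].encode(), password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):       # 2**count_log2 further MD5 rounds
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + encode64(h)      # 12-char setting + 22-char digest


def check_password(password, stored_hash):
    """PasswordHash::CheckPassword: rehash with the stored salt and compare."""
    computed = crypt_private(password, stored_hash)
    return hmac.compare_digest(computed.encode(), stored_hash.encode())
```

To check a real wp_users.user_pass value, pass it as stored_hash; the character after '$P$' tells you how many MD5 rounds your server is doing per login attempt.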

Authentication using php and http headers

Here the server asks the browser for HTTP Basic authentication, so the browser shows a password pop-up before the page is loaded. The password is then checked exactly the same way as in the previous example.


<?php
  // -------------- define functions -----------------
function isvalid($user, $password, $connection) {
  // checking if the user's login name is in DB
  // and if it is, checking if the hashed password in DB
  // matches the hash of the given password

  // get rid of extra spaces in user name
  $user = trim($user);

  // get the user's hashed password from the database
  // escape the user name before putting it into the query: otherwise
  // a quote character in it would change the meaning of the SQL
  $user = mysql_real_escape_string($user, $connection);
  $password_q = "SELECT user_pass FROM wp_users WHERE user_login = '$user'";

  if (! ($result = @mysql_query($password_q, $connection))) {
    showerror();
  }

  // if the result is empty then the user's name is not in the
  // database, i.e. is invalid
  if (!$row = @mysql_fetch_assoc($result)) {
    //print "<p>Invalid password</p>";
    return false;
  }
  // if we got here, the user name is valid, and we get
  // the hashed password
  $pass_hash = $row['user_pass'];

  // PASSWORD-CHECKING MAGIC BELOW:

  // include the file that checks the password
  require_once("class-phpass.php");

  // create an object for checking the password
  $wp_hasher = new PasswordHash(8, TRUE);

  // call the function to check the password
  // note the ->: this is an object-oriented approach
  $check = $wp_hasher->CheckPassword($password, $pass_hash);

  // true if the password checks out, false otherwise
  return $check;
}

function showerror()
{
  die("Error ". mysql_errno(). " : " .mysql_error());
}

function send_headers() {
  header("WWW-authenticate: Basic realm=\"1101 Blog\"");
  header("HTTP/1.1 401 Unauthorized");
}

// ---------------- end of functions -----------------

// get the user's name, password (if any)
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

$message = "You are not authorized to access this page";
if (!isset($user)) {
  // need to authenticate
  send_headers();
} else {
  // open connection to check the password
  if (! ($connection = @mysql_connect("localhost","1101readonly","spring1101read"))) {
    die ("connection to the database failed");
  }

  // select a database
  if (!@mysql_select_db("wordpress", $connection)) showerror();

  if (isvalid($user, $password, $connection)) {
    // if the user, password are in the database
    // htmlspecialchars so that a user name containing < or & is shown literally
    $message = "Welcome, " . htmlspecialchars($user) . "!<br/>\n";
  } else {
    // invalid password
    send_headers();
  }
  // close DB connection
  @mysql_close($connection);
}

?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--
Checking if the user's login name and password are in the database
Author: Elena Machkasova elenam@morris.umn.edu
Last modified: 4/30/09
-->
<html  xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<title>
Checking user's login name and password
</title>
</head>
<body>
<?php
// display the message: the welcome text if the user logged in successfully,
// or the "not authorized" text if they clicked "Cancel" in the pop-up
print $message;
?>
</body>
</html>

http://csci1101sp10.morris.umn.edu/~elenam/1101_spring10/passwords/server_password.php
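The HTTP exchange behind the pop-up, as an added Python example (not the page's code; the function names and the is_valid callback are my own): the 401 challenge that send_headers() produces, the browser's reply in an Authorization header, and how the user name and password are recovered from it, which is all PHP does to fill PHP_AUTH_USER and PHP_AUTH_PW.

```python
import base64
import html

REALM = "1101 Blog"   # the realm string the page's send_headers() uses
CHALLENGE = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def parse_basic_auth(authorization):
    """Recover (user, password) from the browser's Authorization header, the way
    PHP fills $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
    Returns None when the header is missing or is not a usable Basic credential."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # base64 is an encoding, not encryption: anyone who can read the header
        # reads the password too, which is what the clear-text warning is about
        credentials = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in credentials:
        return None
    user, _, password = credentials.partition(":")   # the password may contain ':'
    return user, password


def handle_request(authorization, is_valid):
    """One round of server_password.php: missing or invalid credentials get the
    401 challenge (the browser shows the pop-up again), valid ones get the welcome
    page. `is_valid(user, password)` stands in for the page's isvalid()."""
    credentials = parse_basic_auth(authorization)
    if credentials is None or not is_valid(*credentials):
        return 401, CHALLENGE, "You are not authorized to access this page"
    # escape the user name so that it is shown literally in the HTML
    return 200, {}, "Welcome, %s!" % html.escape(credentials[0])
```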


UMM CSci 1101