Flatfile Login

[Webiter]

I require a very lightweight login and password facility for about 5 people to gain access to a back office web page with relevant information for them. I have found this flat file example code at http://www.ehow.com/how_6587681_crea...using-php.html. There seems to be something with this ("myfile.txt\",\"r\") causing a break in the code at about line 6.

Assuming that the processor code can be fixed I should progress as follows :

1. Set up a myfile.txt to record the required Usernames and Passwords

2. Set up login.html to position the login form. Should this be saved with a .php extension?

3. Set up the form handler processor.php

Any guidance greatly appreciated.

PHP Code:

<?php
function CheckLogin($uid,$pw)
{
// set the login variable to false
$valid=false
// open the flat file and set it to the beginning 
$f = fopen ("myfile.txt\",\"r\")
rewind($pfile)
// check all lines in flat file database
while (!feof($f)) 
{
// get the data from a single line
$line = fgets($f)
// assign the user name and password to an array variable
$log = explode(',', $line)
// check the user name against the current line in the flat file
if ($log[0] == $uid) 
{
// the user exists so check the password
if (log[1] == $pw){
// the password is valid so set the login variable to true
$valid=true
}
}
}
// if the login variable is true then return true, otherwise return false
if($valid=true){
return=true
}else{
return=false
}
}
?>

<?php
// call the check login function with the fields entered into the login form
if(!CheckLogin($_POST['username'],$_POST=['password'])
{
// the login is false so redirect the user to the login page
header('Location: login.php')
// the login information is correct so load the page and end the PHP script
}else{
?>

HTML Code:

<form name="formname" method="post" action="processor.php">
<br /><br /> 
Username :<input type="text" name="username">
<br /><br />
Password :<input type="text" name="password"><br /><br />
<input type="submit" name="Submit" value="Submit">
</form>

[djr33]

If you're going to do it this way on a small scale, I suggest just writing an array of usernames and passwords directly into your PHP file. Something like this:

PHP Code:

<?php
$logins = array(
'user1' => 'pass1',
'user2' => 'pass2',
'user3' => 'pass3',
'user4' => 'pass4',
'user5' => 'pass5'
);


$user = strtolower($_POST['user']); //probably best to check that it was submitted also
$pass = $_POST['pass']; //probably best to check that it was submitted also

if (isset($logins[$user])&&$logins[$user]==$pass)) {
   echo 'Log in!'; //they're logged in -- save it in a session variable or something
}

[bernie1227]

As far as I can see, the issue with openin the code is that you're escaping all the quotes except the first one, so the statement doesn't end properly. It should be:

PHP Code:

$f = fopen (\"myfile.txt\",\"r\") 


Out of curiosity, why are you escaping all the quotes?

As to number 2 in what you should do, if login.html is just a form, with no php, there is no particular reason to name it .php

As Daniel said before however, it would probably be better to use an array or some such, as it is only for 5 people.

[Webiter]

Yes, that will get me Logged into a backend page.

PHP Code:

if (isset($logins[$user])&&$logins[$user]==$pass) 
header('Location:Backend_page.html') 


Not sure if I have done that correct but it does present the required Backend_page.

Just need some processing to control blank and incorrect login sends!

[djr33]

Using a redirect is very insecure-- if anyone finds the direct link, it provides no protection at all. You'd need some code like this:

PHP Code:

 <?php
session_start(); //we'll use sessions to keep track of the logins

$logins = array(
'user1' => 'pass1',
'user2' => 'pass2',
'user3' => 'pass3',
'user4' => 'pass4',
'user5' => 'pass5'
);


$user = strtolower($_POST['user']); //probably best to check that it was submitted also
$pass = $_POST['pass']; //probably best to check that it was submitted also

if (isset($logins[$user])&&$logins[$user]==$pass)) {
    $_SESSION['username'] = $user;
} 

if (!isset($_SESSION['username'])) {
    exit('Access denied.'); //and redirect to login form as required
    //or just display the login form now; that's simple-- show login if not logged in, otherwise don't
    //and whatever you do, end it with exit; -- that'll stop anything else from happening
}

//ok, now the rest of this part is safe