I am trying to give users a page depending on the windows login used. The crucial point is definitely not security, instead people want it comfortable, so they open the browser and see what they are meant to see. I thought of $_server['remote_user'] but this is empty. I googled a lot and found only things which seem to need authentication or sessions, both requiring many hours of work ;)
I am using WAMP and do not want to be more specific on the system because I want it to run tomorrow as well and I prefer the dirty solution to nothing. Grateful for your comments.
bj
Thanks to your comments I have found a viable solution at least for this special purpose:
The first file reads windows username using WScript.Network and sends a form containing the username. The second writes it to a session var. Dark and dirty but easy to maintain and handle...
File 1, session02.php:
<?php
session_start();
?>
<form id="form_user_name" name="form_new_record" action="session03.php" method="post" accept-charset="ISO-8859-1">
<input name="user_name" type="text" >
<input type="submit" value="Submit">
</form>
<script type=text/javascript>
var wscript_network=new ActiveXObject("WScript.Network");
var user_name=wscript_network.UserName;
form_user_name.user_name.value=user_name;
form_user_name.submit();
</script>
File2, session03.php:
<?php
session_start();
$current_windows_user=$_POST['user_name'];
$_SESSION['current_windows_user'] = $current_windows_user;
echo "---".$_SESSION['current_windows_user']
?>
Later either $_SESSION['current_windows_user'] or $current_windows_user are available
Thanks to everybody!
Your question is a bit unclear, if you are asking to use PHP to check a users login from a Windows PC, this can not be done.
However, if you are wanting to use a simple (little security) HTML form along with PHP and MySQL (both included with *AMP) I would suggest doing the following:
On your index.html page:
<form method="POST" action="validatelogin.php">
<input type="text" name="username" placeholder="Enter username" />
<input type="submit" value="Submit" />
</form>
On your validatelogin.php page
session_start();
$dsn = "mysql:host=localhost;dbname=example;charset=utf8";
$opt = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn,'root','password', $opt);
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$username = $_POST['username'];
$stmt->execute(array(
':username'=>$username,
));
$exist = $stmt->fetch();
if (!empty($exist)) {
$_SESSION['id'] = $exist["id"];
}
The last step is the most crucial:
This setup assumes you have a database named example, using the login credentails of username:root password:password. This example also assumes you have a table created inside of that database named users.
That table will have the following setup:
2 rows
first row name: id
first row type: int
first row A_I: checked
second row name: username
second row type: text
From here you can insert into the database usernames that you want people to use, I hope this helped.
Related
I'm trying to insert data from the form created into the SQL Server Database Table that is connected through ODBC. After I submit the data it shows up as a blank row with only the ID that has a value. I am very new to PHP and got parts of code from tutorials. This is just a test project. Here's the code:
<html>
<header>
<title>
</title>
</header>
<body>
<form action="\INSERTCODE.php" method="POST">
<input type= "number" step="any" name="sepal_lengp" placeholder="Sepal Length">
<input type= "number" step="any" name="sepal_widthp" placeholder="Sepal Width">
<input type= "number" step="any" name="petal_lengp" placeholder="Petal Length">
<input type= "number" step="any" name="petal_widthp" placeholder="Petal Width">
<input type= "text" name="flower_type" placeholder="Flower Name">
<button type="submit" name="submit" >INPUT VALUES</button>
</form>
<?php
//display all results from table
include("C:\Users\Dshop\Desktop\php-7.3.3\Server1\connection.php");
$i=1;
$sql = "SELECT * FROM dbo.textcsv";
$result = odbc_exec( $connection, $sql );
while($all =odbc_result_all($result,$i) ){
echo $all;
}
?>
</body>
</html>
This part includes the form. The filename is index1.php.
<?php
include("C:\Users\Dshop\Desktop\php-7.3.3\Server1\connection.php");
$sepal_lengp = $_POST['sepal_lengp']??'';
$sepal_widthp = $_POST['sepal_widthp']??'';
$petal_lengp = $_POST['petal_lengp']??'';
$petal_widthp = $_POST['petal_widthp']??'';
$flower_typep = $_POST['flower_typep']??'';
$dbinsert = "INSERT INTO dbo.textcsv (sepal_leng, sepal_width, petal_leng, petal_width, flower_type) VALUES ('$sepal_lengp', '$sepal_widthp', '$petal_lengp', '$petal_widthp', '$flower_typep');";
odbc_exec( $connection, $dbinsert );
HEADER("Location: ../index1.php?=success");
This part inserts data into the database table, using $_POST to obtain the data from index1.php. This file is called INSERTCODE.php. $connection and connection.php is the file that includes the connection to ODBC.
For this test project I used the Iris dataset. I believe that I had to use ODBC and SQL Server instead of mysql. Sql server is the 2014 version, PHP is 7.33, using node.js to run the server. Help is greatly appreciated!
EDIT I found out that the $_POST isn't getting any values from the form. Any ideas?
EDIT 2 I've tried using $_REQUEST, checking var_dump, and did all that stuff, but I still got nothing. After going to https://www.w3schools.com/php7/php7_forms.asp for an example form, I found out that the example did not work either. Now i'm not sure if the problem is from the code, or from something like the php configuration. Need help, please help.
you're treating your variables as strings, by th look of your database you want them as floats. Try using floatval( ) (http://php.net/manual/en/function.floatval.php) on your variables to make sure they are in the write format, this will also go some way to sanitising them until you update this to prepare statements so you can safely bind the values and specify the type
After rephrasing my issue to "node.js not taking post data" I found the issue. Node.js needs extra steps to process POST data. So, because of this, my input was ignored by node.js and the INSERTDATA.php ran without any data to insert anything. Turns out the solution of the problem was to use something like the body-parser or the other solution from another question.
The solution I took was to uninstall node.js and use XAMPP instead. It was much easier to use.
Also could someone flag my question for duplicate?
I am trying to implement a user login system for my website. I have a newMember.html file that has a form like this:
<form method="post" action="nameValidation.php">
<p>Username:</p>
<input type="text" name"user" required>
<input name="submitButton" type="submit" value="Create account"/>
</form>
inside nameValidation, I check if the username is available. If it's not, i want some way to show a red text next to my input field where you type in your username. I tried something like this, but got a server error:
(inside nameValidation.php)
<?php
//connect to database, check the value of the username to see if it exists
if (username already exists) {
//keep the page that i had the way it was,
//just add a red sentence saying "username is already taken"
}
else {
//tell the user he was successful in making an account,
//and redirect him to my login page (already implemented)
}
?>
I didn't want to use inline php for two reasons.
1) it looks cluttered and confusing (at least to me)
2) I read in other stackoverflow posts that it's not good practice.
I will use inline php if i have to, but any and all help will be greatly appreciated!
Use a web framework like CakePHP, Laravel, Symfony or any other framework that suits you.
A PHP framework uses templates to accommodate dynamic pages. They usually allow special shortcuts in your code, so that you do not have to write any 'inline PHP'.
This is the MVC (Model View Controller) mentality: the controllers control the actual data being used in your view, and not the view.
Enough about web frameworks.
To answer your question, first rename your file to end in .php, to show that the file contains PHP.
Next, edit the code such that it checks if a user exists. The most beautiful inline PHP code gets created by doing all the work at the top of the page, and using the generated data in the page itself.
So, for your HTML:
<?php
/* For example: */
$username = $_POST['username'];
$db = new DB(/* ... */);
$userNameExists = $db -> userNameExists ($username);
?>
<!-- The rest of the code of the page -->
<form method="post" action="nameValidation.php">
<p>Username:</p>
<input type="text" name"user" required value="<?php echo $username; ?>"><?php echo $userNameExists ? '<span class="error">Username already exists</span>' : '' ?>
<input name="submitButton" type="submit" value="Create account"/>
</form>
I am using Joomla 3.0 (it is up to date), and sorcerer. I have a form that I want to submit the entered data to a table in the database that I created. For some reason it will not write to the table, and I am pretty sure it can't find the database.
Since I am using sorcerer, I don't need to include code to connect to the database, it is supposed to be done automatically. I have tried countless variations of code and nothing is working. This seems like it should be pretty simple.
I am new to PHP/SQL coding, so maybe there is something wrong with my code, but after trying so many different things, I am wondering if there is another reason I can't write to the table.
Here is my HTML form and php. Essentially, I want to check if the username entered here in the form exists in the users table in my database. If it does exist and the checkbox is on, enter the username and message into the out_of_office table. If the checkbox is unchecked, delete the row from the table. But, as of now I can't even write to the table, so I figured I should get that part working properly first.
<form method="post" action="">
<p>Out of Office <input name="onoff" type="checkbox" value="ON"></p>
<p><label>Custom Out of Office Message</label>
<input type="text" name="custommessage" size="30" maxlength="25"/></p>
<p><label>Enter Username</label>
<input type="text" name="enterusername" size="30" maxlength="25"/></p>
<p><input type="submit" name="submit" value="Submit" /></p>
</form>
<?php
$username = $_POST['enterusername'];
$message = $_POST['custommessage'];
$query = "INSERT INTO out_of_office VALUES ('$username', '$message')";
mysql_query($query) or die ('Error');
echo "data entered";
?>
When I go to the page on my web site I get a white page that says "Error".
Like I said, I have tried a lot of code for the PHP but nothing works. Please help!
Right, rather than having all your code in an article, you should make a small module which you can then import into your article.
Here is the documentation on how to develop a basic module. In addition to this, you can also use a module generator
Once you have yourself a basic module, you're going to want to start using Joomla coding standards for getting $_POST data. Have a read of the following on how to do this:
http://docs.joomla.org/Inserting,_Updating_and_Removing_data_using_JDatabase
As for your database query, again, you will need to looking into specific coding standards. Read more about this here:
http://docs.joomla.org/Inserting,_Updating_and_Removing_data_using_JDatabase
Here is an example of what your database query would look like
$db = JFactory::getDbo();
$query = $db->getQuery(true);
$columns = array('username', 'message');
$values = array($db->quote($username), $db->quote($message));
$query
->insert($db->quoteName('out_of_office'))
->columns($db->quoteName($columns))
->values(implode(',', $values));
$db->setQuery($query);
$db->execute();
Just something to get you started off. Good luck.
Hope this helps
Herroo everyone!
I am building a website for my dad. He is an accountant. We have Google calendars setup for him to take appointments. The website is just a pretty front page with three clickable images that link to different calenders. Two of the buttons are linked to employee calendars and are not password protected which is fine. We want new people to be able to sign up for them. My dad however is overbooked and needs his link password protected so he can give the password out to specific clients in order for them to make their appointments. He does not want see new people.
I can work with html and css but a total newb to PHP/MYSQL. I have been doing a lot of research and downloaded many tutorials/sample codes the past few days but I am still confused. This is what I've gotten so far after modifying some sample code. I set the password to be barney and do not require a user name and saved it as php1.php in a sub folder called protect. I remember reading somewhere that this well help with people bypassing the password.
<?php
$password = "barney";
if (md5($_POST['txtPassword']) != $password) {
?>
<h1>Login</h1>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p><label for="txtpassword">Password:</label>
<br /><input type="password" title="Enter your password" name="txtPassword" /></p>
<p><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php
}
after this I am stuck... I do not know how to apply this to my html page and attach it to the image/link. Any help is much appreciated! Thanks so much!!
The obvious problem here is that you are comparing your password $password to an md5 version of the submitted password. They will be different and so you will always be shown the login form.
Replace with
<?php
$password = "barney";
if ($_POST['txtPassword'] != $password) {
?>Login form here<?php
} else {
?>Restricted access here<?php
}
But then you should keep in mind that such a scheme remains bad practice and low-security:
the password is stored in plain-text
you don't check how many
attempts a user makes to retrieve the password (see brute-force
attacks)
...
if you don't want to use the PHP file you could always modify the .htaccess file if it is available to you.
here is a quick how-to:
http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/
here is more detailed info:
http://www.javascriptkit.com/howto/htaccess3.shtml
Ok, this might be obvious but its not clicking quite yet. I am creating a forum/blog esque app.
I grab the posts from the database rather securely but commenting is beginning to be a little more difficult. (I could just be paranoid, right?).
How do I add a comment without exposing the id of the parent message? (like in a hidden form field or query string, or something).
I guess I am a bit paranoid that someone might go into the code with firebug or something and change the hidden form field value to something else before submitting. I guess I would have to make sure the user has permission to comment to that particular post/category?
Things to note :
The user is already logged in.
Its not a public post
I would recommend that you setup your database like so:
Comments
---------
id
encodedID
authorID
parentID
message
Then, for the form field have two hidden values, one will be the encodedID, and the second will be a hash that you make. I would recommend the hash to be:
<?php
$hash = sha1(md5($encodedID . $userID . $_SERVER['REMOTE_ADDR'] . "abc1234"));
?>
Then, when the user submits the form, validate that the hash is valid for the specific encodedID and user. Here is a brief code write up:
<?php
if(isset($_POST['submit']))
{
//Get the variables and all and sanitize the input of 'message'
if(sha1(md5($_POST['value1']. $userID . $_SERVER['REMOTE_ADDR'] . "abc1234")) == $_POST['value2'])
{
//User is valid.
}
else
{
//Invalid user.
//Document this.
}
}
$value1 = $encodedID; //Grab this from your database
$value2 = sha1(md5($value1 . $userID . $_SERVER['REMOTE_ADDR'] . "abc1234"));
?>
<form method="post" action="comment.php">
<input type="text" name="message" />
<input type="hidden" name="value1" value="<?php echo $value1; ?>" />
<input type="hidden" name="value2" value="<?php echo $value2; ?>" />
<input type="submit" name="submit" value="Comment" />
</form>
Edit: Just a small tip, but I would recommend that you change value1 and value2 to something abstract, don't call it encodedID or anything like that, just so that it confuses any users that will attempt to try and break it.
And yes md5 and sha1 are not completely secure, but for this case it will work since you want to be able to process the comments fast and efficiently.
That might be an overkill but if you really want to hide the post_id of the current message then you should consider using session. So instead of using something like this on your form:
<form action="/postcomment.php" method="post" >
<input name="post_id" type="hidden" value="123" />
<textarea name="message"></textarea>
</form>
Reduce it to something like this:
<?php $_SESSION['post_id'] = '123'; ?>
<form action="/postcomment.php" method="post" >
<textarea name="message"></textarea>
</form>
Of course this is "yucky" coding but at least you get the idea.
Oh, don't forget to validate EVERYTHING on postcomment.php. Also escape ALL string input values and make sure all numeric inouts are numbers indeed (multiply them by one?).
[EDIT: Due to insistent public demand, may I, if you please, amend the aforementioned:]
Instead of:
<?php $_SESSION['post_id'] = '123'; ?>
Generate a form id:
<?php $_SESSION['form_id'] = $_SESSION['user_id'].'_'.md5(time()); ?>
Then generate the unique post_id:
<?php $_SESSION[$_SESSION['form_id'].'_post_id'] = '123'; ?>
After submitting get the post_id:
<?php $post_id = $_SESSION[$_SESSION['form_id'].'_post_id']; ?>
you could assign the form an "id" as a hidden field and create a database table to track form ids and their associated post ids, that way when the form gets submitted you could check the post id in the db without ever sending it to the client based on the form id that is returned with the post
You're asking the wrong question here: instead of being concerned about the user getting some internal ID that means nothing outside your application, your primary concern should be about keeping them from doing anything unpleasant with it.
Imagine I just started sending POST requests to add a comment for every ID between 1 and 10,000. I'm sure to hit a real post sooner or later.
Rule #1 about writing secure web applications: Don't trust the user.
In other words, yes, you should check to make sure that they have permission to comment when you receive the results back from the from.