Website help!


sublimated
07-23-2008, 06:16 AM
Hey guys,

Boss wants me to include a downloads page on our company website that's password protected. What would be the best way to do this working with php and mysql to handle a DB with all usernames and passwords?

Would it be more logical to make 4 different access levels/pages with the 4 different versions of the software available for download? Or is there a way to manage logins using cookies where each user gets to login to a custom part of the site with their files available?

Sorry, I'm really new at web design and my knowledge is really limited, help :eek:

tZ
07-23-2008, 07:22 AM
I would recommend using two tables to handle this information. In one table the encrypted password will be stored and in another the user's data would be stored.

Furthermore, I would normally use a one-way encryption. However, the downfall of a one-way encryption is that if the user ever forgets their password then it needs to be reset. This is because the passcode stored in the database will actually be encrypted by concatenating two separate pieces of information. Normally, this is the user's readable password and the time stamp at which they registered.

php

// user-supplied values from the registration form
$userName = $_POST['user'];
$password = $_POST['pwd'];

// the registration time doubles as the salt; it is stored in users.created
$salt = time();
$pwd = sha1($password.$salt);

/*
 * create the user account. This is where you would insert any other user data.
 * this example assumes the table has an auto-increment primary key id
 * followed by the columns name and created.
 */
$sql = 'INSERT INTO `users` VALUES (NULL,\''.$userName.'\','.$salt.');';
mysql_query($sql);

/*
 * place the password hash and associated user key in the password vault. This
 * table has a one to one relationship with users. Each user should only
 * have one password.
 */
$sql = 'INSERT INTO `vault` VALUES (NULL,'.mysql_insert_id().',\''.$pwd.'\');';
mysql_query($sql);


That is a short version without much security checking. Normally you would also want to check the user input to make sure it validates and that the data you need to insert into the table in the database exists.

Once the data is in the database it's a simple join and presto. The code below would be the login page, at a glance.

php

session_start();

$password = $_POST['pwd'];
$user = $_POST['user'];

/*
 * Find the user record and make sure the vault row has a matching password hash.
 * The hash is recomputed in SQL exactly as it was created: SHA1(password . created).
 */
$sql = 'SELECT u.`id` FROM `users` u LEFT JOIN `vault` v ON u.`id`=v.`user_id` WHERE u.`name` = \''.$user.'\' AND v.`passcode` = SHA1(CONCAT(\''.$password.'\', u.`created`)) LIMIT 1;';
$result = mysql_query($sql);

/*
 * a false result means the query itself failed, so you need to handle
 * this scenario as you see fit.
 */
if(!$result) { exit; }

/*
 * exactly one row means the name/password pair matched; anything else is a failed login
 */
if(mysql_num_rows($result)!=1) { exit; }

/*
 * Once here the user validation has passed. Normally a session is set to allow
 * them access.
 */
$_SESSION['admin'] = 'admin';


Now all you need to do is make sure you look for that session variable on protected pages. If it exists you allow them access; if not, you can exit the script or redirect.

php

// the session must be started before $_SESSION is populated
session_start();
if(!isset($_SESSION['admin'])) { exit; }


Hope you got that all. It's a complex topic.

You will also want to read up on sql injection. I didn't include any security checks here for it but that's mainly because I tend to use mysqli and bind user input rather than using the mysql native functions in php.
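The registration and login flow tZ describes above, written out as an added example that is not code from the thread. It keeps the two-table layout (users, vault) but replaces the timestamp salt and sha1() with PHP's password_hash()/password_verify(), and the string-built queries with PDO prepared statements, which is the bind-the-input approach the post mentions. The in-memory SQLite database, the column set and the function names are assumptions made for the example; the same code runs against MySQL by changing the DSN.

```php
<?php
// Added example, not code from the thread: registration and login with
// password_hash()/password_verify() and PDO prepared statements.
// Runs offline against an in-memory SQLite database; for MySQL swap the DSN
// (e.g. 'mysql:host=localhost;dbname=app' plus user and password).
// Table names users/vault follow tZ's post; the columns and function names are assumed.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // users holds profile data; vault holds only the password hash, one row per user.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
                                   name TEXT UNIQUE NOT NULL, created INTEGER NOT NULL)');
    $db->exec('CREATE TABLE vault (id INTEGER PRIMARY KEY AUTOINCREMENT,
                                   user_id INTEGER UNIQUE NOT NULL REFERENCES users(id),
                                   passcode TEXT NOT NULL)');
    return $db;
}

// Create an account. password_hash() generates and embeds a random salt,
// so no timestamp salt and no manual sha1() concatenation is needed.
function register_user(PDO $db, string $name, string $password): int {
    if ($name === '' || strlen($password) < 8) {
        throw new InvalidArgumentException('username required; password must be at least 8 characters');
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->beginTransaction();
    $stmt = $db->prepare('INSERT INTO users (name, created) VALUES (:name, :created)');
    $stmt->execute([':name' => $name, ':created' => time()]);
    $userId = (int) $db->lastInsertId();
    $stmt = $db->prepare('INSERT INTO vault (user_id, passcode) VALUES (:uid, :hash)');
    $stmt->execute([':uid' => $userId, ':hash' => $hash]);
    $db->commit();
    return $userId;
}

// Look the user up by name and verify the submitted password against the stored hash.
// Bound parameters mean quotes in the username are data, not SQL.
// Returns the user id on success, null on failure; the caller decides how to respond.
function authenticate(PDO $db, string $name, string $password): ?int {
    $stmt = $db->prepare('SELECT u.id, v.passcode FROM users u
                          INNER JOIN vault v ON v.user_id = u.id
                          WHERE u.name = :name LIMIT 1');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Always run password_verify(), against a placeholder hash when the user is
    // unknown, so response time does not reveal which usernames exist.
    static $placeholder = null;
    if ($placeholder === null) {
        $placeholder = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    }
    $ok = password_verify($password, $row ? $row['passcode'] : $placeholder);
    return ($ok && $row) ? (int) $row['id'] : null;
}

// After a successful login keep only the user id in the session (as tZ advises)
// and rotate the session id so an id issued before login cannot be reused.
function login(PDO $db, string $name, string $password): bool {
    $userId = authenticate($db, $name, $password);
    if ($userId === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_activity'] = time();
    return true;
}

// Demo with constructed data (run with: php login_example.php).
if (PHP_SAPI === 'cli') {
    $db = open_db();
    register_user($db, 'alice', 'correct horse battery');
    var_dump(authenticate($db, 'alice', 'correct horse battery'));
    var_dump(authenticate($db, 'alice', 'wrong password'));
    var_dump(authenticate($db, 'nobody', 'correct horse battery'));
}
```

The password_verify() call against a placeholder hash when the username is unknown keeps the failure path roughly the same cost as the success path; without it, a quick "no such user" response and a slow "wrong password" response tell a caller which usernames exist.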

sublimated
07-23-2008, 11:05 AM
Thanks :D In all honesty I got about half of that, which is better than none of it I guess, lol.

What I had been thinking about doing, since we have 4 versions of software is to make one access level for every version of software we sell, then every time I insert a new user into the database I would only give them access to that software version's download page.

Cookies and sessions are a bit beyond me still, I've only got about a month's work of experience with web sites and it's all self-taught. If I make a table with 3 columns, keeping in mind that first and second column belong to user name and password, can I assign the third column to an access level? And also, do access levels work like a ladder, in which the highest order has access to the lower ones, or can I make separate accesses which will not allow them into anything but THAT?

Sorry I guess I'm not being very clear, either way, thanks for the great code reference, I get a bit of it having played around with mysql and php a little bit, it'll certainly come in handy for reference as I work on this.

Do you know any good resources for php and mysql, hopefully beginner level tutorials that don't involve too much advanced stuff for my brain to asplode :eek:

digizan
07-23-2008, 06:56 PM
> Cookies and sessions are a bit beyond me still, I've only got about a month's work of experience with web sites and it's all self-taught.

You're not going to be able to avoid them. Once a user has successfully logged in, a session holds that info—i.e. as the user moves from page to page, the PHP on each page needs to check the session to make sure the user is authenticated before granting them access. It sounds like you're trying to run before you've learned how to walk, so I'd suggest you read up on the basics of PHP & security as it relates to PHP. Links to follow at the end of this message.

> ...do access levels work like a ladder, in which the highest order has access to the lower ones, or can I make separate accesses which will not allow them into anything but THAT?

You can do it either way.

> Do you know any good resources for php and mysql, hopefully beginner level tutorials that don't involve too much advanced stuff for my brain to asplode :eek:

I totally feel your pain as I had a horrible time getting "over the hump" where PHP was concerned (javascript and I are still not friends). ;)

As one who has a tendency to impatiently jump in with both feet, I can tell you from personal experience that if you don't first get a good solid understanding of the basics, you're just going to get exponentially more confused and end up having to go back and rewrite all your code (especially when you realize later—much to your horror & embarrassment—that you've left gaping security holes all over the place).

IBM has an excellent PHP reading list (http://www.ibm.com/developerworks/opensource/library/os-php-read/), as well as other resources.
http://www.tizag.com/ has some good tutorials.
Check out the PHP Security Consortium's Library at http://phpsec.org/library/. Especially important is their PHP Security Guide, which you can download as a PDF from http://phpsec.org/projects/
Read through php.net's language reference (http://php.net/manual/en/langref.php). I know, I know, it's long and kinda boring, but the info is invaluable.
If you use Firefox, go to the Mycroft Project and add the PHP function list to your search bar (http://mycroft.mozdev.org/search-engines.html?name=php.net), then whenever you need to look up a function, you can just type it into the box.
Google "php forum" and/or join PHP mailing lists, just be sure you've tried to solve a problem yourself first and then ask your question clearly & briefly as some lists are frequented by seasoned pros who get snarky if they feel that you haven't done your homework before coming to them, and they'll send you to one of the How to Ask Questions the Smart Way (http://www.catb.org/~esr/faqs/smart-questions.html) pages.
Last, but definitely not least, get yourself a good book on learning PHP. My personal favorite out of the many I tried is David Powers' PHP Solutions (http://www.amazon.com/PHP-Solutions-Dynamic-Design-Made/dp/1590597311/ref=pd_bbs_sr_2?ie=UTF8&s=books&qid=1216834545&sr=8-2). He's the one that finally got me over the hump, and he actively answers questions on the Friends of ED forum related to his books. You could also try the PHP lessons at lynda.com ($25 per month for access). Oh, I forgot one other! This Australian guy has some free beginner video tutorials: http://www.phpvideotutorials.com/

Well, that should be enough to keep you busy for a while. Good luck with your project.

sublimated
07-24-2008, 12:20 AM
/waves from under 50 feet of reading material...

Thanks for the info! :D

-busy bee

tZ
07-24-2008, 12:57 AM
The best way to handle access levels is to store them in the vault as an integer. For example, if you have three types of access then you could store a 0, 1, 2 in the vault table under a column named access. Users with 0 have limited access, those with 1 have protected and those with 2 have admin. This is conceptual but you should get the picture. If this were the case though you would need to store the user id in the session variable. This way you can extract the id and query the database for their access level on every page it is needed. So rather than setting the session value to some random string you would need to set it to the user's id, which is normally how I would do it anyway. Once you have that id you can pretty much display any data that is specific to the user. Which may not be all that useful in the beginning but as an app develops you may need to pull user related data. An example of this might be a blog page, where everyone's blog entries are stored in the same table. If there is a foreign key in the blogs table that relates to the user's id (person who owns the entry) then it is easy to provide the individual user with blog entries that they own. It is also easy to allow CRUD (create, read, edit and delete) features specific to them and editing their "stuff".


/*
 * user id pulled from session (the login page stored the user's id in $_SESSION['admin'])
 */
session_start();
$user = array();
$user['id'] = (int) $_SESSION['admin'];

/*
 * fetch only the blog entries owned by this user; `b` is the alias for the blogs table
 */
$sql = 'SELECT b.* FROM `blogs` b WHERE b.`user_id` = '.$user['id'].';';
$result = mysql_query($sql);


Lastly you don't want to use cookies. Cookies can be edited like any other text file on a person's computer. Even though it is unlikely that a person will be able to edit their cookie file to "trick" the server it is possible. However, a session is pretty much secure. This is because the session information is stored both on the user's computer and the server. Both store different data and the user's session info is merely a key that points to the information on the server. So there is very little likelihood of anyone "hacking" their session data. The only downfall of a session is that once the user closes their browser the session is destroyed. A cookie can last forever. Therefore, if a user logged in one day it would be easy to check for the cookie and automatically log them back in. However, like I stated above this is highly insecure. It's best just to use a session and have it destroy itself.

If you're having trouble, pick up a copy of PHP Solutions. That book goes over much of this in full detail. However, the security and database related information is near the end of the book. So you're going to need to do some reading before you can probably understand the later chapters on communicating with mysql and setting up login pages that are secure.

sublimated
07-24-2008, 01:44 AM
Thanks for all the help and advice, it's starting to make more sense, but as you say, I'm most likely better off learning to walk before I can run.

My problem right now is the full spectrum of design tasks that seem to arise for me here, and cause I'm silly and always 'can do' I get myself into pickles :D

I just updated all the web pages on the site from .html to .php so I could divide the pages into include segments to make it easy for me to update over time. Then when I get time next I need to clean up my css style sheet because since I made the site as a complete beginner I left a lot of mess in it and I'm sure there's several styles there that aren't even being used in the content.

I'm gonna take a break for a few hours from the web design, there's about 8 print brochures I need to finish by this afternoon to match the new corporate look of our company and then boss wants me to re-do all the envelopes, it's never-ending :mad:

At least it's all experience I suppose...

digizan
07-24-2008, 07:12 AM
> /waves from under 50 feet of reading material...
>
> Thanks for the info! :D
>
> -busy bee

LOL, you're welcome.

As you learn, you'll find that in the same way you start off a design project by reviewing a creative brief and then sketching out rough designs, with programming you'll usually start out by defining 1.) the interface elements needed to administer the application—this will require some additional programming beyond the code that actually performs the user authentication, 2.) the logic—i.e. what the program will do, step-by-step, and 3.) your database schema (design).

I know you're already drowning in reading material, but I think it might help if I spell out some examples and try to keep them very simple (yeah, right :p). Sooooo, before you even write one line of code, you should have thought through & answered/defined the following:

Administration

Requirements: An interface that allows admins to view, add, edit and delete users/passwords. This must be a secured area (you can use an .htaccess file for this if you're on an Apache server).

Description: A minimum of two pages—one to display a list of users & their info (with an option to delete one or more users), and another to add/edit users.

The view/delete page could contain a table with a row for each user and a column named "Delete" with a checkbox for each row (user) that you can tick. At the bottom of the table would be a button that says "Delete User(s)". When you press the button, you connect to the database and the users are deleted. This table could also have a column with an "Edit" link which, when clicked, takes you to the edit user form.

The add/edit page would contain a form that allows admins to either: 1.) enter new user data, or 2.) edit existing user data. If using the add option you'd be presented with a blank form, and when you submit it it would insert the new data into the database. If using the edit option, the form would automatically be populated with existing user data retrieved from the database. When submitted, the database entry for the user would be updated.

Note: If admins would also need to manage files, then the above would also apply to handling them, however you'd also need a form to handle the uploads.

Other things to consider: On the public/user end you'll of course need a login screen. How will users sign up/register? If they're going to register themselves, then you've got more work ahead of you. What happens when they need to update their info (like email address) or when they inevitably forget their password or username? If they're not going to register themselves, then admins will have to take time to do this (which doesn't really make much sense outside of a corporate intranet type situation where company managers would be admins).

How secure is your server environment? Is it a shared hosting situation? If so, are you aware of the inherent risks and how to minimize them? Does your domain have an SSL certificate for secure (encrypted) transmission of data? If not, usernames & passwords could potentially be captured as plain text during transmission by anyone with a packet sniffer (http://en.wikipedia.org/wiki/Packet_sniffer).

Program Logic

User Login:

Login Form - Start a session.
Check user entered uname & pwd against database.
If authentication PASSES, add timeout (i.e. amount of time user can be inactive before session is automatically destroyed), redirect user to file download (or whatever) page, showing only files based on user's permission level (more logic there which I won't go into now).
If authentication FAILS, destroy the session, send the user back to the login screen, and display a message telling them they've entered an invalid username or password (don't tell them which was wrong, as that only helps hackers who may be guessing at one or the other).
Provide user logout link/button that destroys session when clicked and sends user back to the login page (or displays a "you have successfully logged out" message, or whatever).


Database Schema:

How many tables will be required?
Which fields will be needed for each table?
What type of data will each field contain (according to MySQL data types (http://dev.mysql.com/doc/refman/5.0/en/data-types.html)). At least one field/column must be a unique "primary key" that is associated with each row (database record).
What will be the relationships between the tables?


Caveat: Properly designing a database is one of the trickiest parts. It's something I still haven't completely mastered when it comes to complicated sets of data. It's a real PITA when you get it wrong and have to start over.

Once you've got the above nailed down as firmly as possible you can start writing your code, testing, debugging, testing again...

I swear I'm only trying to be helpful, not scare you to death! :D If nothing else, it should give you a serious appreciation for the amount of work that goes into something like a full-fledged e-commerce application or content management system (CMS).

Seriously, if someone had explained all the above to me when I was starting out with PHP/MySQL, it would have saved me untold aggravation & confusion.

Okay, I'm going back to my usual hangout now and I promise not to say another word on the matter unless you ask.

Digi
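A per-page guard that covers the access levels tZ describes earlier in the thread (an integer 0/1/2 per user, with only the user id kept in the session and the level re-read from the database on every page) together with the login logic digizan lists above (inactivity timeout, session destroyed on failure, a logout that sends the user back to the login page). This is an added example, not code from either post. It goes slightly beyond the thread by supporting both of the designs discussed, "ladder" (higher levels include lower ones) and "exact level only", via one flag. The level constants, the 15-minute idle limit, the lookup callable standing in for the vault query, and the login.php target are assumptions.

```php
<?php
// Added example, not code from either post: the checks a protected page runs on
// every request. Assumes login stored $_SESSION['user_id'] and
// $_SESSION['last_activity'], that access levels are the integers tZ suggests,
// and that $lookup stands in for a "SELECT access FROM vault WHERE user_id = ?"
// query (an in-memory array in the demo so it runs offline).

const ACCESS_LIMITED   = 0;
const ACCESS_PROTECTED = 1;
const ACCESS_ADMIN     = 2;
const SESSION_IDLE_LIMIT = 900; // seconds of inactivity before the login is dropped (assumed)

// Pure decision function, so it can be exercised without a web server.
// $session is the session array (pass $_SESSION in a real page); $ladder selects
// "higher levels include lower ones" versus "exact level only".
// Returns 'ok' or a reason: anonymous, expired, unknown_user, forbidden.
function check_access(array &$session, int $required, bool $ladder, callable $lookup, int $now): string {
    if (!isset($session['user_id'], $session['last_activity'])) {
        return 'anonymous';                       // never logged in
    }
    if ($now - (int) $session['last_activity'] > SESSION_IDLE_LIMIT) {
        $session = [];                            // idle too long: forget the login
        return 'expired';
    }
    $level = $lookup((int) $session['user_id']);  // re-read from the database each page
    if ($level === null) {
        $session = [];                            // account deleted since login
        return 'unknown_user';
    }
    $allowed = $ladder ? ($level >= $required) : ($level === $required);
    if (!$allowed) {
        return 'forbidden';                       // logged in, but not for this page
    }
    $session['last_activity'] = $now;             // sliding timeout: activity extends the session
    return 'ok';
}

// Put this at the top of every protected page. login.php is an assumed file name.
function require_access(int $required, bool $ladder, callable $lookup): void {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $result = check_access($_SESSION, $required, $ladder, $lookup, time());
    if ($result === 'ok') {
        return;
    }
    if ($result === 'forbidden') {
        http_response_code(403);                  // known user, wrong level: no redirect loop
        exit('Access denied');
    }
    session_destroy();                            // anonymous/expired/unknown: back to login
    header('Location: login.php?reason=' . urlencode($result));
    exit;
}

// Logout link target: wipe server-side data, expire the cookie, send to login.php.
function logout(): void {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: login.php?reason=logged_out');
    exit;
}

// Demo with a constructed user table (run with: php access_example.php).
if (PHP_SAPI === 'cli') {
    $levels = [7 => ACCESS_LIMITED, 8 => ACCESS_ADMIN];   // constructed: user id => access level
    $lookup = function (int $id) use ($levels): ?int { return $levels[$id] ?? null; };
    $now = 1000000;                                       // fixed clock for a repeatable run

    $s = ['user_id' => 8, 'last_activity' => $now - 60];
    echo 'admin on a protected page, ladder rule: ', check_access($s, ACCESS_PROTECTED, true, $lookup, $now), "\n";
    $s = ['user_id' => 8, 'last_activity' => $now - 60];
    echo 'admin on a protected page, exact rule:  ', check_access($s, ACCESS_PROTECTED, false, $lookup, $now), "\n";
    $s = ['user_id' => 7, 'last_activity' => $now - SESSION_IDLE_LIMIT - 1];
    echo 'limited user, idle past the limit:      ', check_access($s, ACCESS_LIMITED, true, $lookup, $now), "\n";
    $s = ['user_id' => 9, 'last_activity' => $now];
    echo 'session for a deleted account:          ', check_access($s, ACCESS_LIMITED, true, $lookup, $now), "\n";
}
```

Keeping the decision in check_access() and the HTTP handling in require_access() is what makes the demo possible: the former can be called with any array and clock, while the latter is the one-liner each download page actually includes. The "forbidden" case deliberately returns 403 instead of redirecting, since a logged-in user bounced to the login page would just log in again and loop.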

sublimated
07-24-2008, 11:08 AM
> Hi,
>
> If you wish, we can design and program you with all the functionalities. For further details send me a private message or send a mail
>
> Austin

Hi Austin, thanks for the offer, but I'm not only stubborn but I do want to nail this down and learn databases. One of the things I love about my job even though I complain about it, is the diverse amount of design tasks that I'm always actively engaged on, in whatever mediums. It only opens opportunities to learn even more.

digizan: I appreciate all the help, you've got me poring through a lot of info, I had given consideration already to making an interface to manipulate the MySQL database so I guess I'm on the right mind-track at least, which is better than nothing, when I think over all the amounts of knowledge I still need to pore through before I get this done.

(I guess this is why it takes me usually around a month on and off to get something done...) :eek:

digizan
07-24-2008, 11:29 AM
> digizan: I appreciate all the help, you've got me poring through a lot of info, I had given consideration already to making an interface to manipulate the MySQL database so I guess I'm on the right mind-track at least, which is better than nothing, when I think over all the amounts of knowledge I still need to pore through before I get this done.
>
> (I guess this is why it takes me usually around a month on and off to get something done...) :eek:

It sounds like you're on exactly the right track. You may spend a lot of time cursing, pulling your hair, and berating yourself for taking on this project, but I guarantee that when you finally complete it and it's working perfectly you'll be on cloud nine (and I promise you if you keep at it, that day will come).

Digi :)

sublimated
07-29-2008, 01:58 AM
Hey all,

I didn't want to start a new thread since the title on this one pretty much sums it up, just have another php question for the experts out there.

The software we distribute works on registration and licensing, usually to request licenses people have to do it from within the software by 'email request' which is just a script that the software runs that opens up your default mail browser and collects the necessary information.

In this case, the necessary information is the machine ID which is then matched with the issued license number to verify its validity...

"64-31-CF-C1-A7-2C-xx-xx" That's my machine number for example (last 4 digits withheld), when I e-mail request a license, the software collects this number from the user's computer and sends it to a support inbox which we then collect, process for license and then e-mail the code back to the user.

Now.... The question is, I was wanting to add this feature into the website, for ease of access, is there a way to get php to retrieve the user's machine ID and send it back to me? Most likely using a form. I understand form-2-email CGI scripts and such, but I have no idea how to make php gather the information I need that can't really be input (or really shouldn't for security reasons) by the user.

Any suggestions?

digizan
07-29-2008, 11:35 AM
> I have no idea how to make php gather the information I need that can't really be input (or really shouldn't for security reasons) by the user.

That's not going to happen. PHP is a server side language, so everything is processed on the server before being sent to the client.

Let's cover some basics here: Say you have a page with a form on it, contact.php. Your browser makes a request to the server for that page. The server recognizes that it's PHP and turns it over to the PHP processing module which interprets any PHP it contains, converts the results to HTML, then sends it back to the server, and the server, in turn, sends it back to your browser. You fill out the form, press "submit", and the process starts all over again. This is why if you view the source of a PHP page in your browser you only see the HTML that is output by PHP, not the actual PHP code itself.

You'd need a client side scripting language like javascript to do anything on the client side—say detect the user's screen resolution—which would then have to pass the data to PHP via a call to the web server. I'd guess that the program you guys sell is probably written in a language like C# or whatever, so javascript isn't going to be your answer. I have zero knowledge of those kinds of languages, so I can't tell you anything more on that front.

If you want a more detailed overview of how PHP works, see http://www.techotopia.com/index.php/An_Overview_of_PHP

Digi

sublimated
07-29-2008, 02:33 PM
I see.

Thanks for the heads up, guess I'll have to find a work-around for it. I didn't really want to get the user to input their own machine ID, but then I guess it's the only way; but then again, if it means they have to input it, may as well let the software handle it via e-mail the way it already is, since it's an extra step to get it working server-side.

Well, if anyone does happen to know a way to get a browser to return me that information in any way, I'd be very interested to hear your theories on it.

Thanks for the info again digi, slowly but surely getting the hang of web site building. Pretty far from getting where I want to be since it's not really my main field. If anyone's up for critique, please let me know what you think of the site, I know it could use some upgrades to the design, but I've also gotta follow what the boss wants, and he doesn't have much design sense. He likes BIG pictures cause he thinks that's gonna get him the most sales, go figure. Wish I could use a smaller format :(

Link to my website here. (http://www.uniguard.com.au)

tZ
07-30-2008, 12:12 AM
It may be possible using the terminal. You can execute shell commands through exec() in php. The only problem is that the shell commands will take place on the hosting server computer. Therefore, I'm not really sure how you would be able to grab a remote computer's info. Seems like if you could it would be some sort of "hack".