Authentication (checking passwords) in php

Important: these examples send passwords in clear text. Do not send any passwords that you use for anything else!

You need to copy the file /var/www/html/wordpress/wp-includes/class-phpass.php into your current directory (note the dot at the end!):


cp /var/www/html/wordpress/wp-includes/class-phpass.php .

Note that require_once does not work with an absolute path here. Instead of copying the file you can use a relative path from your working directory (which involves a lot of ..), in which case the copy is not needed.

Authentication using php only

The user fills in a form on a web page; the program checks the submitted password against the hash stored in the database and, if it is incorrect, displays the form again.

Note that, although the program can distinguish between a wrong user name and a wrong password, the form displays one uniform message for both. This is often done for security reasons, so that the form does not reveal which user names exist.


<?php

  // -------------- define functions -----------------
function isvalid($user, $password, $connection) {
  // checking if the user's login name is in DB
  // and if it is, checking if the hashed password in DB
  // matches the hash of the given password

  // get rid of extra spaces in the user name, then escape it so that
  // quote characters in the name cannot alter the query below
  $user = mysql_real_escape_string(trim($user), $connection);

  // get the user's hashed password from the database
  $password_q = "SELECT user_pass FROM wp_users WHERE user_login = '$user'";

  if (! ($result = @mysql_query($password_q, $connection))) {
    showerror();
  }

  // if the result is empty then the user's name is not in the 
  // database, i.e. is invalid
  if (!$row = @mysql_fetch_assoc($result)) {
    //print "<p>Invalid password</p>";
    return false;
  }
  // if we got here, the user name is valid, and we get
  // the hashed password
  $pass_hash = $row['user_pass']; 

  // PASSWORD-CHECKING MAGIC BELOW:

  // include the file that checks the password
  require_once("class-phpass.php");
  
  // create an object for checking the password
  $wp_hasher = new PasswordHash(8, TRUE);

  // call the function to check the password
  // note the ->: this is an object-oriented approach
  $check = $wp_hasher->CheckPassword($password, $pass_hash);

  // true if the password checks out, false otherwise
  return $check;
}

function print_login_form() {
  $form_string = "
<form id=\"theform\" method=\"post\" 
action=\"passwords_salt.php\">
<table border=\"0\">
<tr>
<td>Enter your user name:</td>
<td>
<input type = \"text\" name = \"user\" />
</td>
</tr>
<tr>
<td>Enter your password:</td>
<td>
<input type = \"password\" name = \"password\" />
</td>
</tr>
<tr>
<td>
<input type=\"submit\" name = \"submit\" value=\"submit\" />
</td>
</tr>
</table>
</form>
";
  print $form_string;
}

function showerror()
{
  die("Error ". mysql_errno(). " : " .mysql_error());
}

// ---------------- end of functions -----------------



// getting the form data (null if the form has not been submitted yet)
$user = isset($_POST['user']) ? $_POST['user'] : null;
$password = isset($_POST['password']) ? $_POST['password'] : null;


?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- 
PHP functions
Author: Elena Machkasova 
Last modified: 4/29/09
--> 
<html  xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<title>
Checking user's login name and password
</title>
</head>
<body>
<?php
// open DB connection
// connect to the server
if (! ($connection = @mysql_connect("localhost","1101readonly","1101spr09readonly")))
die ("connection to the database failed");

// select a database
if (!@mysql_select_db("1101spr09", $connection)) showerror();

if (isset($user)) {
   if (isvalid($user, $password, $connection)) {
       // escape the user name so that it is shown as text, not as HTML
       print "Welcome, " . htmlspecialchars($user) . "!<br/>\n";
   } else {
       // if the password is incorrect or no such user, 
       // print an error message and display the form
       print "<p>No such user or password invalid, please try again</p>";
       print_login_form();
   }
} else {
      // print the login form the first time
      print_login_form();
}


// close DB connection
@mysql_close($connection);
?>
</body>
</html>

http://csci1101sp09.morris.umn.edu/~elenam/1101_spring09/passwords/passwords_salt.php
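The two things the example above leaves implicit are what the stored wp_users hash actually is, and what "one uniform message" buys you. The following is an added example, not code from the course page or from phpass: it re-implements the phpass portable hash format ($P$, the format CheckPassword verifies) in Python, and a lookup function that, unlike the page's isvalid(), runs the hash computation even when the user name is unknown, so that an unknown name and a wrong password take the same time as well as giving the same answer. The user table is a constructed stand-in for the wp_users query; the stored hash for the constructed user "alice" is the phpass distribution's published test vector for the password test12345.

```python
import hashlib
import hmac
import os

# phpass's own base-64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """phpass encode64: packs each 3 input bytes into 4 ITOA64 characters, low bits first."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def crypt_private(password: str, setting: str) -> str:
    """Recomputes a phpass portable hash for `password` under the cost and salt
    encoded in `setting` (a stored hash serves as its own setting).
    Returns '*0' or '*1' for an unusable setting, exactly as phpass does."""
    output = "*0"
    if setting[:2] == output:
        output = "*1"
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 4:
        return output
    count_log2 = ITOA64.find(setting[3])       # cost character -> log2 of iterations
    if count_log2 < 7 or count_log2 > 30:
        return output
    count = 1 << count_log2
    salt = setting[4:12]
    if len(salt) != 8:
        return output
    pw = password.encode("utf-8")
    # phpass uses MD5 for portability; the work factor comes from the
    # 2**count_log2 chained iterations, not from MD5 itself.
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)


def hash_password(password: str, iteration_count_log2: int = 8) -> str:
    """Equivalent of new PasswordHash(8, TRUE) followed by HashPassword():
    phpass adds 5 to the requested log2 cost on PHP 5, so the default
    produces a '$P$B' hash, i.e. 2**13 iterations, with a random 6-byte salt."""
    if iteration_count_log2 < 4 or iteration_count_log2 > 31:
        iteration_count_log2 = 8
    cost_char = ITOA64[min(iteration_count_log2 + 5, 30)]
    setting = "$P$" + cost_char + encode64(os.urandom(6), 6)
    return crypt_private(password, setting)


def check_password(password: str, stored_hash: str) -> bool:
    """Equivalent of PasswordHash->CheckPassword() for $P$/$H$ hashes."""
    computed = crypt_private(password, stored_hash)
    if computed.startswith("*"):
        return False    # phpass would fall back to crypt() here; not needed for $P$ hashes
    return hmac.compare_digest(computed.encode("ascii"), stored_hash.encode("utf-8", "replace"))


# Constructed stand-in for the wp_users table (user_login -> user_pass).
# alice's hash is the phpass test vector for the password 'test12345'.
USERS = {"alice": "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"}

# Hash of a constructed dummy password, checked against when the user does
# not exist so that an unknown name costs the same time as a wrong password.
DUMMY_HASH = hash_password("not-a-real-password")


def is_valid(user: str, password: str, users=USERS) -> bool:
    """Same contract as the page's isvalid(): True only if the name exists
    and the password matches its stored hash. The hash is always computed."""
    stored = users.get(user.strip())
    ok = check_password(password, stored if stored is not None else DUMMY_HASH)
    return ok and stored is not None
```

Whatever the outcome, the caller prints the same "No such user or password invalid" message; the dummy hash keeps the response time from leaking the distinction that the message hides.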

Authentication using php and http headers

Here the server asks the browser for a password (HTTP Basic authentication, requested with the WWW-Authenticate header) before the page is loaded, so the browser shows its own password pop-up. The password is then checked in exactly the same way as in the previous example.


<?php
// -------------- define functions -----------------
function isvalid($user, $password, $connection) {
  // checking if the user's login name is in DB
  // and if it is, checking if the hashed password in DB
  // matches the hash of the given password

  // get rid of extra spaces in the user name, then escape it so that
  // quote characters in the name cannot alter the query below
  $user = mysql_real_escape_string(trim($user), $connection);

  // get the user's hashed password from the database
  $password_q = "SELECT user_pass FROM wp_users WHERE user_login = '$user'";

  if (! ($result = @mysql_query($password_q, $connection))) {
    showerror();
  }

  // if the result is empty then the user's name is not in the 
  // database, i.e. is invalid
  if (!$row = @mysql_fetch_assoc($result)) {
    //print "<p>Invalid password</p>";
    return false;
  }
  // if we got here, the user name is valid, and we get
  // the hashed password
  $pass_hash = $row['user_pass']; 

  // PASSWORD-CHECKING MAGIC BELOW:

  // include the file that checks the password
  require_once("class-phpass.php");
  
  // create an object for checking the password
  $wp_hasher = new PasswordHash(8, TRUE);

  // call the function to check the password
  // note the ->: this is an object-oriented approach
  $check = $wp_hasher->CheckPassword($password, $pass_hash);

  // true if the password checks out, false otherwise
  return $check;
}

function showerror()
{
	die("Error ". mysql_errno(). " : " .mysql_error());	
}

function send_headers() {
	header("WWW-authenticate: Basic realm=\"1101 Blog\"");
	header("HTTP/1.1 401 Unauthorized");	
}

// ---------------- end of functions -----------------

// get the user's name and password (null if the browser sent none)
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

$message = "You are not authorized to access this page";
if (!isset($user)) {
	// need to authenticate
	send_headers();	
} else {
	// open connection to check the password
	if (! ($connection = @mysql_connect("localhost","1101readonly","1101spr09readonly"))) {
		die ("connection to the database failed");
	}

	// select a database
	if (!@mysql_select_db("1101spr09", $connection)) showerror();

	if (isvalid($user, $password, $connection)) {
		// the user name and password are in the database;
		// escape the name so that it is shown as text, not as HTML
		$message = "Welcome, " . htmlspecialchars($user) . "!<br/>\n";
	} else {
		// invalid password
		send_headers();	
	}
	// close DB connection
	@mysql_close($connection);
}

?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- 
Checking if the user's login name and password are in the database
Author: Elena Machkasova elenam@morris.umn.edu 
Last modified: 4/30/09
--> 
<html  xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<title>
Checking user's login name and password
</title>
</head>
<body>
<?php
// display the message: the welcome if the user logged in successfully,
// or the "not authorized" text if the user clicked "Cancel"
print $message;
?>
</body>
</html>

http://csci1101sp09.morris.umn.edu/~elenam/1101_spring09/passwords/server_password.php
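To make the header exchange above concrete, here is an added example (not code from the course page) that models one request through the server_password.php logic as a pure function: the browser's Authorization header is decoded, and the result is either the 401 challenge with the WWW-Authenticate header the page's send_headers() emits, or the welcome page. The password check is passed in as a callback; the demo_verify below uses a constructed credential table in place of the page's isvalid() and its database query, and basic_header() builds the header value a browser sends after the pop-up.

```python
import base64
import binascii
import hmac
import html
from typing import Callable, Dict, Optional, Tuple

REALM = "1101 Blog"   # realm string used by the page's send_headers()
DENIED = "You are not authorized to access this page"

# (status code, response headers, body)
Response = Tuple[int, Dict[str, str], str]


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decodes 'Authorization: Basic <base64(user:password)>'.
    Returns (user, password), or None when the header is missing or malformed."""
    if header is None:
        return None
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")   # split at the FIRST colon: passwords may contain ':'
    if not sep:
        return None
    return user, password


def challenge() -> Response:
    """What send_headers() produces: the browser answers a 401 with this header by
    showing its password pop-up, and renders the body only if the user cancels."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, DENIED


def handle_request(headers: Dict[str, str], verify: Callable[[str, str], bool]) -> Response:
    """No credentials -> challenge; wrong credentials -> challenge again; otherwise welcome."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    creds = parse_basic_auth(auth)
    if creds is None:
        return challenge()
    user, password = creds
    if not verify(user, password):
        return challenge()
    body = "Welcome, %s!<br/>\n" % html.escape(user)    # escape: the name is attacker-chosen text
    return 200, {"Content-Type": "text/html;charset=utf-8"}, body


def basic_header(user: str, password: str) -> str:
    """Builds the Authorization value a browser sends after the pop-up."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


# Constructed credential table for the demo; the page consults the wp_users
# table and phpass here instead.
DEMO_USERS = {"alice": "test12345"}


def demo_verify(user: str, password: str) -> bool:
    expected = DEMO_USERS.get(user.strip())
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())
```

Note that, as the page's warning says, Basic authentication only base64-encodes the credentials; decoding the header is all it takes to read them, which is why such a page must be served over HTTPS if the passwords matter.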


UMM CSci 1101

The views and opinions expressed in this page are strictly those of the page author. The contents of this page have not been reviewed or approved by the University of Minnesota.