11.7 Using the HTML form Environment

11.7 Using the HTML <form> Environment

The final script in our gift registry application is the first the user sees. It shows the guest a login <form> in which he can enter his username and password. The source of the script is shown in Example 11-5, and its output is shown in Figure 11-2.

When the guest has entered his credentials and clicks on the Log In button, the script is re- requested to validate the credentials. If the username already exists in the people table, the password is validated . If the password matches, the session variable $user is registered with the guest's people_id as its value. Then the header( ) function with the Location: parameter is used to redirect the browser to the presents .php script, along with a welcome message. If the password doesn't match, then the script is re-requested, and an error message is shown.

Figure 11-2. The initial login screen of the gift registry

If the username doesn't exist, it is added to the people table along with the user-supplied password. This allows a new guest to use the system, decide on his own username and password, and log in. For applications in which security is important, the usernames and passwords would be added to the people table by an administrator.

Passwords are encrypted. The PHP library function crypt( ) is a one-way encryption function that takes two parameters: the string to be encrypted and a salt . The salt in our example is two characters from the username. It adds security by ensuring that a password is encrypted to a different string when it is provided by different users. Because crypt( ) is one-way, the encrypted string cannot be decoded. Therefore, when a returning user attempts to log in, the password they've supplied is encrypted and compared to the stored string: if they're the same, the password is correct.

The gift registry application isn't secure. Passwords are transferred between the web browser and web server as unencrypted text. While this isn't important for a simple application, additional security and authentication features are often required in web database applications. For such applications, communications should be encrypted by a secure sockets layer (SSL) software package that can be added to a web server.

Example 11-5. The index.php script

 <?php   // Show the user the login screen for the application, or   // try and log the user in.   //   // Three optional parameters:   // (1) $login name that has been entered into the <form>   // (2) $password that has been entered into the <form>   // (3) $message to display      // Include database parameters   include "db.inc";      // Pre-process the user data for security   $user = clean($user, 30);   $passwd = clean($passwd, 30);      // Start a session   session_start(  );      // Has the user entered a username and password?   if (isset($message)  empty($login)  empty($passwd))    {     // No, they haven't, so show them a <form> ?> <!DOCTYPE HTML PUBLIC     "-//W3C//DTD HTML 4.0 Transitional//EN"    "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>   <title>Sam and Rowe's Wedding Gift Registry</title> </head> <body bgcolor=#ffffff> <h2>Sam and Rowe's Wedding Gift Registry</h2> <?php   // If an error message is stored, show it...   if (isset($message))     echo "<h3><font color=\"red\">{$message}</font></h3>"; ?> (if you've not logged in before, make up a username and password) <form action="index.php" method="POST"> <br>Please enter a username: <input type="text" name="login"> <br>Please enter a password: <input type="password" name="passwd"> <br><input type="submit" value="Log in">  </form><br> <?php require "disclaimer"; ?> </body> </html> <?php   } else    {     // Connect to the MySQL DBMS - credentials are in the file db.inc     if (!($connection = @ mysql_pconnect($hostName, $username, $password)))        showerror(  );        // Use the wedding database     if (!mysql_select_db($databaseName, $connection))        showerror(  );        // Create a query to find any rows that match the username the user entered     $query = "SELECT people_id, passwd                FROM people                WHERE people_id = \"{$login}\"";        // Run the query through the connection     if (!($result = @ mysql_query($query, $connection)))        showerror(  );        // Were there any matching rows?     if (mysql_num_rows($result) == 0)     {        // No. So insert the new username and password into the table        $query = "INSERT INTO people                   SET people_id = \"{$login}\",                       passwd    = \"" . crypt($passwd, substr($user, 0, 2)) .  "\"";           // Run the query        if (!($result = @ mysql_query($query, $connection)))           showerror(  );     }     else     {        // Yes. So fetch the matching row        $row = @ mysql_fetch_array($result);           // Does the user-supplied password match the password in the table?        if (crypt($passwd, substr($login, 0, 2)) != $row["passwd"])        {           // No, so create an error message           $message = "This user exists, but the password is incorrect. Choose another            username, or fix the password.";              // Now, redirect the browser to the current page           header("Location: index.php?message=" . urlencode($message));           exit;                  }     }        // Save the user's login name in the session     if (!session_is_registered("user"))        session_register("user");     $user = $login;        $message = "Welcome! Please select gift suggestions from the list to add" .                " to your shopping list!";        // Everything went ok. Redirect to the presents.php page.     header("Location: presents.php?message=" . urlencode($message));   }  ?>