Version: 1.0.0
Type: Full Script
Category: Databases
License: GNU General Public License
Description: PHP4 odbc-based scripts to 1. protect a PHP page with user auth info stored in an odbc db (encrypted password, login attempt logging, IP logging, last/current login date, etc) and 2. set view permissions on a per-page basis (i.e., users in groups 4 and g can view this page, etc). Written for Windows/Apache, but only has a few lines (path to log files and includes/requires) that are platform-specific. Latest version at http://www.datapriority.com/GC/GC.html . Bug fixes/suggestions are welcome!
*************These 3 scripts must be saved separately to function...
****************BEGIN auth_test.inc*************
<?
////////////////////////////////////////////////////////////////////////////////////
//This script is the property of Jeremy Brooks (jeremy.brooks@bams.com)
//and is released under the GNU Public License (www.gnu.org).
//Unauthorized use is prohibited.
//
//If you use this script please let me know how (if) it works for you.
//Users are strongly encouraged to send me tweaks, questions,
//suggestions, or just tell me if, how and where you are using it
//
//if anyone ports this to non-odbc or non-windows use PA-LEEZ send it to me...
//////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////////
//This set of scripts consists of 3 files:
//auth_test.inc, group_check.inc, and style.inc
/////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////////
//auth_test.inc works in this manner:
//define location of log files and remote IP var
//declare odbc database info
//start a session
//check for cookie
//if cookie, check for validity
//if no cookie but login has been attempted, MD5 password entered,
// verify against database entry (db password field must contain
// MD5 hashes of passwords!)
//if bad username, error to screen and log
//if bad password, error to screen and log
//if successful, log, update db to reflect current login date, previous login date,
// current IP
//if session has timed out, show message and login form.
//
//BTW, style.inc is just a style sheet. You don't need to use it.
//////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////
//This script was designed for use on an intranet in a Win NT environment
//running a SQL Server 7.0 database on Apache 1.3.11 and PHP4 and may have some
//specificities and idiosyncrasies as such. Ye hath been forewarned.
//////////////////////////////////////////////////////////////////////////////////////
// Log file location. Single quotes keep the backslashes literal and are
// easier to read than the double-quoted form; adjust BASE_DIR for a
// non-Windows install.
define('BASE_DIR', 'c:\web\apache');
define('AUTH_LOG', BASE_DIR . '\logs\auth_access_log.txt');
// Client address as reported by the web server; written to the auth log and
// to auth_info_table.current_IP on a successful login.
$ip = getenv('REMOTE_ADDR');
//login form with cookie check
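// Renders the login page and ends the request (never returns). The form
// posts back to the current URI so the including page re-runs auth_test.inc
// with this_user / this_pass in the request.
function login_form()
{
    // REQUEST_URI is client-supplied, so it is HTML-escaped before it is
    // written into the form's action attribute (the original echoed it raw,
    // which is a reflected XSS on this page).
    $this_page = htmlspecialchars((string) getenv('REQUEST_URI'), ENT_QUOTES);
?>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<SCRIPT language="JavaScript">
var cookiesEnabled = false;
// Writes a test cookie and reads it back; on failure replaces the page with
// an explanation. Wired to the body's onLoad below (the original referenced
// an undefined BrowserCheck() there, so this test never ran).
function cookietest_onload()
{
document.cookie = "Enabled=true";
var cookieValid = document.cookie;
if (cookieValid.indexOf("Enabled=true") != -1)
{
cookiesEnabled = true;
}
else
{
cookiesEnabled = false;
document.write("<h2><font color='red'>Error loading page...</font><p>");
document.write("You must have cookies enabled to view this page.</h2><p>");
document.write("<b>Please enable your cookies, restart your browser, and try again.<p>");
document.write("If you need assistance with this, feel free to contact:<p>");
document.write("<table border=0 width=400 cellspacing=6><tr><td>Sysadmin Guy</td>");
document.write("<td></td><td>Sysadmin Other Guy</td></tr><tr><td>509-555-1212</td>");
document.write("<td width='50'><i>OR</i></td><td>509-121-5555</td></tr><tr><td>spam@bringiton.com.com</td>");
document.write("<td></td><td>yeah@baby.com</td></tr></table>");
}
}
</script>
<?php include('c:\web\Apache\inc\style.inc'); ?>
<TITLE>BAMS On-Line User Login</TITLE>
<script language="JavaScript">
<!-- Begin
function look() {
document.login.this_user.focus();
}
//End -->
</script>
</HEAD>
<BODY bgcolor="white" onLoad="cookietest_onload();look();">
<center>
<table width="450" border=1>
<tr><td>
<img src="my_logo.jpg">
<CENTER>
<FONT COLOR="blue">Please Log In...</FONT>
<FORM NAME=login ACTION="<?php echo $this_page; ?>" METHOD=post>
<TABLE BORDER=0>
<TR>
<TD><B>Username:</B></TD>
<TD><INPUT NAME="this_user" TYPE="text" SIZE="10"></TD>
</TR>
<TR>
<TD><B>Password:</B></TD>
<TD><INPUT NAME="this_pass" TYPE="password" SIZE="10"></TD>
</TR>
</TABLE>
<BR>
<INPUT TYPE="submit" VALUE="Log in">
<input type="reset" value="Clear">
<p>
<font color="red" size='1'><b>All activity on this server is logged. Unauthorized use is strictly prohibited.</b></font>
</FORM>
</td></tr></table>
</center>
</BODY>
</HTML>
<?php
    exit;
}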
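// Issues the "baview_auth" cookie for a freshly authenticated user and stores
// the cookie's per-login secret in auth_info_table.string so check_cookie()
// can validate later requests.
//
// $this_user          username that just authenticated
// $encrypted_password MD5 hex digest of the password as held in the password
//                     column. The caller computes it; the original re-hashed
//                     an undefined variable here, so every cookie carried
//                     md5('') instead of the real digest.
//
// Returns true when the secret was written to the database, false otherwise
// (callers that ignore the return value are unaffected).
//
// Cookie layout is "user-hash-secret" and check_cookie() splits it on "-",
// so a username containing "-" cannot be authenticated via the cookie.
// Carrying the password hash in the cookie is a weakness of that layout
// which cannot be changed here without changing check_cookie() as well.
function set_cookie($this_user, $encrypted_password)
{
    // odbc_execute() reads a parameter that starts and ends with a single
    // quote as a file name, so such usernames are refused outright.
    if (strpos($this_user, "'") !== false) {
        return false;
    }

    $DB = 'my_db';
    $USER = 'some_user';
    $PASS = 'some_pass';
    $cnx = odbc_connect($DB, $USER, $PASS);
    if (!$cnx) {
        return false;
    }

    // Per-login secret. md5(time()) was predictable to the second; use the
    // CSPRNG where available and an entropy-mixed uniqid on very old PHP.
    // Either way the value stays 32 hex characters, as the column expects.
    if (function_exists('random_bytes')) {
        $md5str = bin2hex(random_bytes(16));
    } else {
        $md5str = md5(uniqid((string) mt_rand(), true));
    }

    $cookie_val = "$this_user-$encrypted_password-$md5str";
    // Browser-session cookie scoped to the intranet host. No HttpOnly/Secure
    // flags because the target is PHP4 over plain HTTP; add them if the
    // deployment moves to PHP >= 5.2 and HTTPS.
    setcookie('baview_auth', $cookie_val, 0, '/', '192.168.101.12', 0);

    // Parameterised so the username cannot alter the statement.
    $stmt = odbc_prepare($cnx, 'update auth_info_table set string=? where username=?');
    $set_cookie_ok = $stmt ? odbc_execute($stmt, array($md5str, $this_user)) : false;
    odbc_close($cnx);

    return (bool) $set_cookie_ok;
}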
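// Validates the "baview_auth" cookie ("user-hash-secret") against
// auth_info_table. On any failure the login form is shown and the request
// ends (login_form() never returns); on success returns true.
//
// $this_user / $this_pass are unused but kept so existing three-argument
// callers keep working.
//
// The original tested the raw odbc_exec() result, which is a truthy resource
// whether or not any row matched, so every well-formed cookie was accepted.
// A matching row must now actually be fetched.
function check_cookie($cookie, $this_user, $this_pass)
{
    $cookie_var = explode('-', (string) $cookie);
    if (count($cookie_var) !== 3) {
        login_form();
    }
    list($ck_username, $ck_password, $secret) = $cookie_var;

    // The stored password and the per-login secret are both 32-char hex
    // strings; anything else is a forged or corrupted cookie. The username
    // may not contain a quote because odbc_execute() reads a parameter
    // wrapped in single quotes as a file name.
    if ($ck_username === ''
        || strpos($ck_username, "'") !== false
        || !preg_match('/^[0-9a-f]{32}$/i', $ck_password)
        || !preg_match('/^[0-9a-f]{32}$/i', $secret)) {
        login_form();
    }

    $DB = 'my_db';
    $USER = 'some_user';
    $PASS = 'some_pass';
    $cnx = odbc_connect($DB, $USER, $PASS);

    $valid = false;
    if ($cnx) {
        $stmt = odbc_prepare($cnx, 'select 1 as auth from auth_info_table where username=? and password=? and string=?');
        if ($stmt && odbc_execute($stmt, array($ck_username, $ck_password, $secret))) {
            // A row exists only when all three values match.
            $valid = (bool) odbc_fetch_row($stmt);
        }
        odbc_close($cnx);
    }

    if (!$valid) {
        login_form();
    }
    return true;
}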
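// ---------------------------------------------------------------------------
// Main flow, run on every include of auth_test.inc:
//   1. a posted login form (this_user / this_pass) is checked against
//      auth_info_table and, on success, a cookie and session uid are issued;
//   2. otherwise a "baview_auth" cookie is validated by check_cookie();
//   3. a request that still has no session uid is treated as expired.
// Request data is read from $_POST / $_COOKIE / $_SESSION instead of relying
// on register_globals; all SQL is parameterised. $uid is still assigned as a
// global because group_check.inc reads it.
// Passwords are stored as unsalted MD5 (see the header); moving them to
// password_hash() needs a schema change and is outside this file.
// ---------------------------------------------------------------------------
$DB = 'my_db';
$USER = 'some_user';
$PASS = 'some_pass';
$cnx = odbc_connect($DB, $USER, $PASS);
session_start();
if (!$cnx) {
    // Fail closed: no database, no login.
    error_log(date('Ymd H:i:s') . " -- $ip -- odbc_connect failed, login refused\n", 3, AUTH_LOG);
    login_form();
}

$this_user = isset($_POST['this_user']) ? (string) $_POST['this_user'] : '';
$this_pass = isset($_POST['this_pass']) ? (string) $_POST['this_pass'] : '';
$baview_auth = isset($_COOKIE['baview_auth']) ? (string) $_COOKIE['baview_auth'] : '';
$uid = isset($_SESSION['uid']) ? (string) $_SESSION['uid'] : '';
// Username as written to the log, with CR/LF stripped so a crafted value
// cannot forge extra log lines.
$log_user = str_replace(array("\r", "\n"), ' ', $this_user);

if ($this_user !== '') {
    // A posted login is handled before the cookie so that logging in again
    // after the session expired works on the first submit (the original
    // looked at the stale cookie first and discarded the post).
    $enc_pass = md5($this_pass);
    $db_password = false;
    $db_curr_login_date = '';
    // Column names follow the other queries and the header comments in this
    // file; the original read ordinals 16, 37, 39 and 44 of SELECT * — TODO
    // confirm the names match, especially gid. A username containing a
    // quote is rejected up front because odbc_execute() reads a parameter
    // wrapped in single quotes as a file name.
    $stmt = (strpos($this_user, "'") === false)
        ? odbc_prepare($cnx, 'SELECT username, password, current_login_date, gid FROM auth_info_table WHERE username = ?')
        : false;
    if ($stmt && odbc_execute($stmt, array($this_user)) && odbc_fetch_row($stmt)) {
        $db_username = odbc_result($stmt, 'username');
        $db_password = (string) odbc_result($stmt, 'password');
        $db_curr_login_date = (string) odbc_result($stmt, 'current_login_date');
        $db_GID = odbc_result($stmt, 'gid');
    }

    // Strict comparison: the original loose != treats two hex digests of the
    // form 0e<digits> as equal numbers.
    if ($db_password === false || $enc_pass !== $db_password) {
        // Same on-screen text for an unknown user and a wrong password so the
        // page does not confirm which usernames exist; the log keeps the
        // distinction. The username is escaped before being echoed.
        $reason = ($db_password === false) ? 'bad username' : 'bad password';
        $safe_user = htmlspecialchars($this_user, ENT_QUOTES);
        echo "<center><font color='red' size=3><b>Login failed for $safe_user.</b> </font><br><font color='darkblue' size=2><u>Please make sure caps lock is off and try again</u><br> or contact Jeremy Brooks at 509-353-1239<br>or Shawn Hafen at 509-353-6165</font></center><br>";
        error_log(date('Ymd H:i:s') . " -- $ip -- Username: '$log_user' authentication failure- $reason\n", 3, AUTH_LOG);
        odbc_close($cnx);
        login_form();
    }

    // Authenticated. The cookie gets the stored hash (the original passed the
    // plaintext password), the session gets the uid, and the login
    // bookkeeping columns are updated.
    set_cookie($this_user, $enc_pass);
    $uid = $this_user;
    $_SESSION['uid'] = $uid;
    $now = date('m/d/Y H:i:s');
    $upd = odbc_prepare($cnx, 'UPDATE auth_info_table SET current_login_date = ?, last_login_date = ?, current_IP = ? WHERE username = ?');
    if ($upd) {
        odbc_execute($upd, array($now, $db_curr_login_date, (string) $ip, $this_user));
    }
    error_log(date('Ymd H:i:s') . " -- $ip -- Username: '$log_user' authenticated\n", 3, AUTH_LOG);
} elseif ($baview_auth !== '') {
    // check_cookie() shows the login form and exits when the cookie is bad.
    check_cookie($baview_auth, $this_user, $this_pass);
} else {
    odbc_close($cnx);
    login_form();
}
odbc_close($cnx);

// A cookie arrived but the PHP session no longer holds a uid: expire the
// cookie and ask for a fresh login.
if ($uid === '' && $baview_auth !== '') {
    setcookie('baview_auth', $baview_auth, time() - 3600, '/', '192.168.101.12', 0);
    echo "<center><font color='red'>Session Expired. Please Log In.</font></center><p>";
    login_form();
}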
?>
*************END auth_test.inc*************
*************BEGIN group_check.inc*************
<?
// Make the session active here too, so the uid stored by auth_test.inc is
// available even if the including page has not called session_start() yet.
session_start();
//////////////////////////////////////////////////////////////////////////////////////
//This script is the property of Jeremy Brooks (jeremy.brooks@bams.com)
//and is released under the GNU Public License (www.gnu.org).
//Unauthorized use is prohibited.
//
//If you use this script please let me know how (if) it works for you.
//Users are strongly encouraged to send me tweaks, questions,
//suggestions, or just tell me if, how and where you are using it
//
//if anyone ports this to non-odbc or non-windows use PA-LEEZ send it to me...
/////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////
//This set of scripts consists of 3 files:
//auth_test.inc, group_check.inc, and style.inc
//all files must be in a folder outside your
// htdocs/html directory
// (these examples are used in
// c:\web\apache\inc)
/////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////////
//group_check.inc works in this manner:
//in the user database there is a field called gid that holds a value
//[0-9][a-z] that corresponds to the level of permission granted a user.
//i.e., 1=view reports, 5=create new reports, r=edit tables, etc...
//multiple values are allowed, i.e. 348sfh
//
//create no permission page in function no_permit()
//create a cursor using uid from session declared in auth_test.inc
//get length of gid value from db
//put all separate values of gid into array
//get length of page permission level ($permit)
//put permit values into array also
//NESTED ARRAY LOOP TIME! (WOO-HOO!!!)
//for each value in gid array, compare to each
// value in permit array
//if matched values are found, flag = "OK"
//if flag == "OK" by the end of the script, allow
// user to view page
//otherwise, show denial message
//
//These lines must be at the top of each
// protected page (before any output
// is sent to the browser!):
//
//$permit = "45shp";
//require('c:\web\Apache\inc\auth_test.inc');
//require('c:\web\Apache\inc\group_check.inc');
//session_start();
//
//where 4, 5, s, h, and p are the permission levels allowed to
// view the page (any of these levels grant access)
//
//make sure you have enabled sessions in php.ini
//////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////
//This script was designed for use on an intranet in a Win NT environment
//running a SQL Server 7.0 database on Apache 1.3.11 and PHP4 and may have some
//specificities and idiosyncrasies as such. Ye hath been forewarned.
//////////////////////////////////////////////////////////////////////////////////////
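// Renders the "Access Denied" page and ends the request (never returns).
// The original markup closed an unopened <b> and left the <tr>, <table> and
// <center> elements open; that is fixed here, the text is unchanged.
function no_permit()
{
?>
<html>
<head>
<?php include('c:\web\Apache\inc\style.inc'); ?>
<title>Access Denied</title>
</head>
<body bgcolor='white'>
<center><table width=500 border=0>
<tr>
<td align='center'>
<b>Sorry...You don't have permission to use this page.<p>
If you feel you recieved this message in error, please contact:<br></b><P>
<i>Sysadmin Guy<br>
509-454-4666<br>
ilike@warmcheese.com.com
<br>
<b>or</b>
<br>
Some Dude<br>
509-111-1111<br>
catbreath@catfood.com
</i>
<P>
<b>Please <a href="javascript:history.back(1)">Click Here</a> to Return to the previous page</b>
</td>
</tr>
</table></center>
</body>
</html>
<?php
    exit;
}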
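// ---------------------------------------------------------------------------
// Permission check. $permit (set by the including page) lists the single-
// character permission levels that may view it; the user's gid column lists
// the levels the user holds. Access is granted when any character is common
// to both, otherwise no_permit() ends the request. An empty $permit or an
// empty / missing gid always denies.
// ---------------------------------------------------------------------------

// True when $gid and $permit share at least one character. Kept apart from
// the database code so the rule is easy to read and test.
function gc_gid_permits($gid, $permit)
{
    $gid = (string) $gid;
    $permit = (string) $permit;
    // Checked explicitly: on PHP 8 strpos() with an empty needle matches at
    // offset 0, which would turn an unset $permit into "everyone allowed".
    if ($gid === '' || $permit === '') {
        return false;
    }
    $len = strlen($gid);
    for ($i = 0; $i < $len; $i++) {
        if (strpos($permit, $gid[$i]) !== false) {
            return true;
        }
    }
    return false;
}

// $uid is set by auth_test.inc; fall back to the session when the including
// page reached here without that global (register_globals off).
if (!isset($uid) || $uid === '') {
    $uid = isset($_SESSION['uid']) ? (string) $_SESSION['uid'] : '';
}
if (!isset($permit)) {
    $permit = '';
}

$db_GID = '';
// A uid containing a quote is refused because odbc_execute() reads a
// parameter wrapped in single quotes as a file name.
if ($uid !== '' && strpos($uid, "'") === false) {
    $DB = 'my_db';
    $USER = 'some_user';
    $PASS = 'some_pass';
    $cnx = odbc_connect($DB, $USER, $PASS);
    if ($cnx) {
        // The original read ordinal 44 of SELECT * with a stray ";" after the
        // while(), which exhausted the cursor before reading. The header
        // comment names the column gid — TODO confirm against the schema.
        $row = odbc_prepare($cnx, 'SELECT gid FROM auth_info_table WHERE username = ?');
        if ($row && odbc_execute($row, array($uid)) && odbc_fetch_row($row)) {
            $db_GID = (string) odbc_result($row, 'gid');
        }
        odbc_close($cnx);
    }
}

if (!gc_gid_permits($db_GID, $permit)) {
    no_permit();
}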
?>
*************END group_check.inc***************
*************BEGIN style.inc*******************
<script language='JavaScript'>
<!--
var message='Sorry, that function is disabled.\n\nACCESS DENIED '; // Text shown by click() below when a secondary-button press is intercepted
// Legacy right-click interceptor: IE4 (`document.all` / global `event`) and
// Netscape 4 (`document.layers` / `e.which`). Shows `message` and cancels the
// mousedown when the secondary button is pressed; otherwise returns
// undefined. It only inconveniences the user — it is not an access control,
// and neither detection branch fires in current browsers.
function click(e) {
    var secondary = false;
    if (document.all) {
        secondary = (event.button == 2);
    }
    if (!secondary && document.layers) {
        secondary = (e.which == 3);
    }
    if (!secondary) {
        return;
    }
    alert(message);
    return false;
}
// Netscape 4 only delivers document-level mouse events after captureEvents();
// other browsers need nothing extra.
if (document.layers) document.captureEvents(Event.MOUSEDOWN);
// Route every mousedown on the page through click() above.
document.onmousedown = click;
// -->
</script>
<STYLE TYPE='text/css'>
<!--
/* Body text: one rule for every text container instead of two identical ones. */
BODY, TD, P, UL {
font-family: lucida, helvetica, sans-serif;
font-size: 10pt;
}
/* Headings use the same face, slightly larger. */
H2 {
font-family: lucida, helvetica, sans-serif;
font-size: 12pt;
}
/* Links: no underline, same colour whether visited or not. */
A { text-decoration: none; }
A:link, A:visited { color: #000099; }
-->
</STYLE>
*******************END style.inc*************