3 Replies Latest reply: Nov 19, 2010 11:41 AM by FlyingGuy

PHP - Oracle Simple Login system

795487 Newbie
Sounding like a broken record.... I'm very new at PHP and Oracle.

For a Uni course I need to be able to have some basic user management on a few pages I have. Sorta like an admin area.

I've been playing a little but I'm not having much success... And I can't find anything on the internet.. Everything is MySQL..

So I'll post my scripts, or better still if any one would care to share an article on how to write a simple login system using ORACLE and PHP. or actually write one :) .. Knock yourself out. We have the ok from the teacher to use opensource or GPL scripts for this section of the assignment, but I just can't find any. And the rare couple I have found are way overkill.

login.php

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Untitled Document</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>

<body>
     <?php
     if (isset($_GET['msg']) && $_GET['msg'] == 1) {
          echo '<p><strong>Your username and/or password could not be matched to a valid user account</strong></p>';
     }
     ?>
     <form name="form1" method="post" action="checklogin.php">
     <p>
          <label>
               User Name
               <input type="text" name="username" id="user">
          </label>
     </p>
     <p>
          <label>
               Password
               <input type="password" name="password" id="password">
          </label>
          <label>
               Remember Me:
               <input type="checkbox" name="rememberme" value="1"><br>
          </label>
          <label>
          <input type="submit" name="submit" id="button" value="Login">
          </label>
     </p>
     </form>
</body>
</html>

checklogin.php
<?php
// This block runs before any HTML is sent: header() and setcookie() only
// work while no output has been produced yet.
$error = '';

// check to see if they are set before using them.
if (isset($_POST['username']) && isset($_POST['password'])) {

     // Login
     $dbuser = "user";
     $dbpass = "pass";
     $db = "db";

     // extract all the form fields and store them in variables
     $username = $_POST['username'];
     $password = $_POST['password'];
     // the checkbox in login.php is named "rememberme" and is absent when unticked
     $remember = isset($_POST['rememberme']);

     //Connect to DB
     $connect = oci_connect($dbuser, $dbpass, $db);

     if (!$connect) {
          echo "An error has occurred connecting to the database";
          exit;
     }

     //
     $query = "SELECT * from MEMBERS WHERE username='".$username."' and password='".$password."'";

     //Store results of select query
     $result = oci_parse($connect, $query);

     if (!$result) {
          echo "An error occurred in parsing the sql string '$query'.\n";
          exit;
     }

     $r = oci_execute($result);

     if (!$r) {
          echo "An error occurred in executing the sql '$query'.\n";
          exit;
     }

     // oci_num_rows() only counts rows already fetched, so for a SELECT it is 0
     // before the first fetch; fetch a row instead to see whether one matched.
     $row = oci_fetch_array($result);

     if ($row) {
          // the row returned must have username and password equal to those supplied
          // in the form, or it wouldn't be returned.

          if ($remember) {
               /* Set cookie to last 1 year; arguments are name, value, expire, path, domain */
               setcookie('username', $username, time()+60*60*24*365, '/', 'www.UNI.edu.au');
               setcookie('security', md5($password), time()+60*60*24*365, '/', 'www.UNI.edu.au');

          } else {
               /* Cookie expires when browser closes (expire = 0) */
               setcookie('username', $username, 0, '/', 'www.UNI.edu.au');
               setcookie('security', md5($password), 0, '/', 'www.UNI.edu.au');
          }
          header('Location: index.php');
          exit;

     } else {
          //echo 'Username/Password Invalid';
          header('Location: login.php?msg=1');
          exit;
     }

} else {
     $error = 'You must supply a username and password.';
}
//End Cookie script
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Untitled Document</title>
</head>
<body>
<?php
if ($error != '') {
     echo '<p>' . htmlspecialchars($error) . '</p>';
}
?>
</body>
</html>

loginchecker.php
<?php
$loggedIn = false;
// the cookie superglobal is $_COOKIE (no trailing S)
if (isset($_COOKIE['username']) && isset($_COOKIE['security'])) {
     // Check Login
     $dbuser = "user";
     $dbpass = "pass";
     $db = "db";
     // the username comes from the cookie set by checklogin.php
     $username = $_COOKIE['username'];
     //Connect to DB
     $connect = oci_connect($dbuser, $dbpass, $db);
     if (!$connect) {
          echo "An error has occurred connecting to the database";
          exit;
     }
     //
     $query = "SELECT password FROM MEMBERS WHERE username = '".$username."'";
     //Store results of select query
     $result = oci_parse($connect, $query);
     if (!$result) {
          echo "An error occurred in parsing the sql string '$query'.\n";
          exit;
     }
     $r = oci_execute($result);
     if (!$r) {
          echo "An error occurred in executing the sql '$query'.\n";
          exit;
     }
     // fetch the single matching row (oci_num_rows() is 0 before any fetch)
     $row = oci_fetch_array($result);

     if ($row) {
          $pass = $row[0];
          $test = md5($pass);

          if ($test == $_COOKIE['security']) {
               // The password cookie equals the md5 of the value stored in the database...
               $loggedIn = true;
          }
     }
}
if (!$loggedIn) {
     // no braces around the URL, and stop the script after the redirect
     header("Location: login.php");
     exit;
}
?>

Edited by: 792484 on 2/09/2010 08:34
  • 1. Re: PHP - Oracle Simple Login system
    cj Employee ACE
    Look at these two articles:
    http://www.oracle.com/technetwork/articles/mclaughlin-phpid1-091467.html
    http://www.oracle.com/technetwork/articles/mclaughlin-phpid2-091795.html
  • 2. Re: PHP - Oracle Simple Login system
    570628 Newbie
    Don't really understand what you call "basic user management". Oracle user management?

    In your code you have:

    "SELECT password FROM MEMBERS WHERE username = '".$username."'"

    This table sounds like application user management (not Oracle user management).

    If you want to manage Oracle users, you can also simply create a function to try to connect to the database like:

    function connectToDatabase($username, $password)
    {
    $ora_host='(DESCRIPTION =(ADDRESS =(PROTOCOL = TCP)(HOST = 192.168.X.X)(PORT = 1521))(CONNECT_DATA =(SID = xe)))';
    $connect = ocilogon($username, $password, $ora_host);
    return $connect;
    }

    You use form parameters then call it in your next page for example "checklogin.php".

    $connect = connectToDatabase($username, $password);

    if (!$connect) {
    echo "An error has occured connecting to the database";
    exit;
    }
    else
    {
    //create your cookie
    //redirect to your next page
    }
  • 3. Re: PHP - Oracle Simple Login system
    FlyingGuy Explorer
    Ok, first of all I would NEVER put an sql statement in php that made any mention of tables that contained user names and or passwords.

    Write a stored Procedure similar to:

    create or replace procedure sp_auth_user(uname in varchar2, upass in varchar2, result out integer)
    is
    begin
    select count(*) into result from users where name = uname and pass = upass ;
    end;

    in php you would then simply

    <?php
    //
    //
    require_once([your db connection routine that is OUT of the web servers document root!]);
    //
    // ****** Remember, EVERY php file in the document root and below has a URL associated with it!!!!

    // These of course would be fed in either from the GET or POST functions.
    $uName = "fred" ;
    $uPass = "password" ;
    $result = 0 ;

    $qText = "begin sp_auth_user(:uname,:upass,:result); end ;" ;

    $query = oci_parse($OraDB,$qText);
    if(! $query) {
        $result = -1 ;
    } else {
        oci_bind_by_name($query,":uname",$uName);
        oci_bind_by_name($query,":upass",$uPass);
        // OUT parameter: maxlength (-1) comes before the type, so PHP gets an integer back
        oci_bind_by_name($query,":result",$result,-1,SQLT_INT);

        // Note that there are no oci fetches of any kind here. Bound parameters in SQL statements that return a single
        // value are there for you immediately after the call. You can use bound parameters for all sorts of other things as
        // well. Learn about stored procedures and views and roles, they are your friends!

        if(! oci_execute($query)) $result = -2 ;
    }
    ?>

    You can simply do the same thing with password resets/changes/fetches and the like as well. Remember, expose as LITTLE as possible of your underlying database structure as you can. Doing so is what SQL injection freaks count on! You could also create a small class to handle all of this as well with the few basic functions you need to handle user management.

    As far as Oracle users are concerned I simply refine roles and choke them down as tight as I can and the web role is one of the tightest. Explicit permissions on tables, procedures and functions to limit the access as much as possible to the web server. Not only is it great from a security POV but it really teaches you the whole Oracle Role concept, which is VERY VERY powerful.

    Have fun!
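An added example (not code from this thread) that takes the bind-variable approach above a step further: bound parameters for the lookup, bcrypt hashing with password_hash()/password_verify() instead of a plaintext or md5 password, and a rotated PHP session in place of the md5-of-password cookie in the original post. It assumes PHP 5.5 or later with the oci8 extension, a MEMBERS table with USERNAME and PASSWORD_HASH columns, and a connection file outside the document root that sets $OraDB; those names and the path are assumptions.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.5 with oci8, a MEMBERS
// table with USERNAME and PASSWORD_HASH columns, and a file outside the
// document root (assumed path) that sets $OraDB from oci_connect().
require_once '/srv/app/private/db_connect.php';

// True only when the user exists and the bcrypt hash verifies. Both inputs
// reach Oracle as bind variables, so a quote in the username cannot alter
// the statement; the hash comparison is done in PHP, not in SQL.
function authenticateUser($conn, $username, $password)
{
    $stmt = oci_parse($conn, 'SELECT password_hash FROM members WHERE username = :uname');
    if (!$stmt || !oci_bind_by_name($stmt, ':uname', $username) || !oci_execute($stmt)) {
        return false;                 // parse, bind or execute failed
    }
    $row = oci_fetch_assoc($stmt);    // false when no row matched
    oci_free_statement($stmt);
    if ($row === false) {
        return false;
    }
    // Unquoted Oracle column names come back upper-cased.
    return password_verify($password, $row['PASSWORD_HASH']);
}

// Store a password as a salted bcrypt hash (for registration or reset).
function setPassword($conn, $username, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = oci_parse($conn, 'UPDATE members SET password_hash = :hash WHERE username = :uname');
    oci_bind_by_name($stmt, ':hash', $hash);
    oci_bind_by_name($stmt, ':uname', $username);
    $ok = oci_execute($stmt);         // auto-commits (OCI_COMMIT_ON_SUCCESS)
    oci_free_statement($stmt);
    return $ok;
}

// Instead of an md5-of-password cookie the browser only holds a session id,
// rotated after a successful login to defeat session fixation.
session_start();
if (isset($_POST['username'], $_POST['password'])) {
    if (authenticateUser($OraDB, $_POST['username'], $_POST['password'])) {
        session_regenerate_id(true);
        $_SESSION['user'] = $_POST['username'];
        header('Location: index.php');
        exit;
    }
    header('Location: login.php?msg=1');
    exit;
}
```

Pages that need a logged-in user then check `isset($_SESSION['user'])` after `session_start()` instead of re-reading a password hash from a cookie.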
