Creating your own content management system with php [Page 3 of 4]

Misc Links

Ads

Age of Valor - Ultima Online Free Shard
AoS/SE/ML/Custom - advanced code, dedicated staff, peerless bosses, non overpowered customs + much much more

Latest Forum Topics

Possibly shutting down forum in near future
Posted by Red Squirrel
on Jan 21 2012, 5:19:43 pm

How to solve "ZoneMinder Console - Stopped"
Posted by Red Squirrel
on Jan 14 2012, 12:28:31 am

had fun on last day of 2011
Posted by rovingcowboy
on Jan 01 2012, 5:30:47 pm

Merry Christmas!
Posted by rovingcowboy
on Jan 01 2012, 5:11:32 pm

How to solve SMF directory not writable
Posted by Red Squirrel
on Oct 15 2011, 12:03:38 am

Creating your own content management system with php
Better control of site content and access
By Red Squirrel

To keep things simple, we won't use a database, but in most cases you would want to use a database to store all this information. Our file I/O php article explains the implementation of file and mysql driven databases.

So here is a way to handle logins, and as well as manage who has access to what. Remember that $module holds the value of the page requested, and we have access to this variable even though we are in a different file, because it is included after.

<?php
$DBusername="root";                                 //1: user ROOT
$DBpassword="5f4dcc3b5aa765d61d8327deb882cf99";     //1: MD5 password for user ROOT (the password is "password")

//guest account
$Userguest[username]="guest";
$Userguest[homeaccess]="0";      //2: permission db
$Userguest[articlesaccess]="0";  //2: permission db
$Userguest[aboutaccess]="0";     //2: permission db

//root account
$Userroot[username]="root";
$Userroot[homeaccess]="1";       //2: permission db
$Userroot[articlesaccess]="1";   //2: permission db
$Userroot[aboutaccess]="1";      //2: permission db

$loggedinuserID=$_COOKIE[tut_cmsuser]; //3: get user's username cookie
$loggedinpassHASH=$_COOKIE[tut_cmspass]; //3: get user's password cookie


if($_GET[authact]=="logout")//4: check if we are in the process of logging out
{
setcookie("tut_cmsuser","",0); //4.1:clear cookie for username
setcookie("tut_cmspass","",0); //4.1:clear cookie for password

$loggedinuserID="";            //4.2: clear the user var
$loggedinpassHASH="";          //4.2: clear the pass var
}


if($_GET[authact]=="logon")//5: check if we are in the process of logging in
{
if(($_POST[user]==$DBusername)&&(md5($_POST[pass])==$DBpassword)) //5.1: check if user/pass is right
{
setcookie("tut_cmsuser",$DBusername,time()+31536000);  //5.2: set user cookie for 1 year
setcookie("tut_cmspass",$DBpassword,time()+31536000);  //5.2: set pass cookie for 1 year

$user=$Userroot;    //5.3: assign the root permission info to user var

$loggedinuserID=$DBusername;   //5.4: set cookie for username
$loggedinpassHASH=$DBpassword; //5.4: set cookie for password

}
else echo("Wrong user name or password!"); //5.5: //error out if we have the wrong info
}



if(($loggedinuserID!=$DBusername)||($loggedinpassHASH!=$DBpassword))//6: check if cookie matches with database
{
$user=$Userguest;    //6.1: assign the guest permission info to user var
}
else $user=$Userroot; //6.2: assign the root permission info to user var

if($user[$module."access"]=="0")$module="login"; //6.3: if we don't have permission we change the module requested to the login page

?>

1: In most cases this information would be in a database, but for the sake of this tutorial, everything is static variables to make it easier to follow, and to avoid the need to look in a database. These 2 variables hold the username and password for a user account, in this case "root" with a password of "password". We store the password in MD5 for extra security.

2: These variables would also be in a database in most cases, usually in the same entry as each user. These hold the various permissions for each page, for each user. Never use this method in a real-life situation as it could get nasty...

3: Now that the "database" is loaded, we now check to see what user is logged in, by fetching the cookies. The user cookie would hold the username, and the password cookie would hold the MD5 string for the password.

4: If the user clicked the logout button (leading to index.php?authact=logout) then we run this "if" statement.

4.1: First we clear the cookie by replacing it with a blank one that expires in the past (and will be deleted)

4.2: We clear $loggedin vars, which are used in #6 to determine what user is logged in

5: This if statement only get's executed if a user has hit the "login" button on the login form containing a textbox called "user" and textbox called "pass".

5.1: this nested if statement checks to see if the entered information matches with the "database" otherwise we go to 5.5 which is an error saying it's the wrong username/password.

5.2: We set the cookie so that the session is remembered for a year (the current time + 365*24*60*60 seconds)

5.3: We then assign the correct permission data to the $user var which can be used throughout the modules to decide if a user has permission to do something.

5.4: We set the $loggedin vars to the correct information

(now out of both if statements)

6: This is where the $loggedin vars come in handy, we check to see if they are valid.

6.1: If root is logged in, then we assign the root's information to the $user var

6.2: Otherwise we assign the guest info instead.

6.3: Then we check if the wanted module (remember the $module variable in index.php?) is accessable by that user. If it's not, we replace the $module var with "login" so that when index.php continues it's stuff, it will load the login module instead of the wanted module.

Lost yet? Good. Since we're pretty much done. The rest of the code involved such as the header and footer is not really new code if you read our beginner php guides so I won't explain any of it, and most of it is html anyway and varies depending on the site. In this example we kept the html low end to concentrate on the engine which is index.php and auth.php.

If you want to see a working version of this script you can view or download it. It will also give you an idea of the directory structure, and contains the same comments as the ones used in this tutorial.

Oh and another thing, there's a small mistake in that code that I meant to put there (ok ok, so I did not really mean to, but decided to leave it there). It's not really a mistake, but rather unnecessary code. The mistake is at comment 5.3 Notice how we give $user the info, but we do the same on comment 6.2! This won't break anything, but it's simply a line of code that is not needed, so it can be removed.

When programming scripts/engines that consists of many documents, silly mistakes like these are possible and can impact performance on a large scale. So it's always good to try and notice these things since they can be harder to find.

On the next page, we'll take a look at a script I use for security here at Iceteks, well the login part of it.

16789 Hits

Pages: [1] [2] [3] [4]

1 Comments

Latest comments (newest first)

Posted by Andy on October 10th 2004 (08:52)
LOL I was about to say. WOW this guest is smart. Why can't i find someone like that at my site.
spacer

View all comments
Post comment

Top Articles	Latest Articles
- What are .bin files for? (27968 reads) - Text searching in linux with grep (22573 reads) - SPFDisk (Special Fdisk) Partition Manager (17074 reads) - Creating your own content management system with php (16789 reads) - PSP User's Guide (16566 reads)	- How to Use MDADM Linux Raid (14858 reads) - What is Cloud Computing? (14887 reads) - Dynamic Forum Signatures (version 2) (15256 reads) - Successfully Hacking your iPhone or iTouch (15921 reads) - Ultima Online Newbie Guide (16385 reads)