Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Simple password protection in PHP

Tags:

php

passwords

I was reading a quite interesting chapter in a "Learning PHP"-book of mine and came across a code example which I wanted to modify and use on my personal website (to protect a simple document, nothing "big", which is why I also don't encrypt the passwords).

I've used the php-sample and I just can't make it work at all.
Here it is (dont get scared by the length, it's really simple):

<?php

if ($_POST['_submit_check']) {
    if ($form_errors = validate_form()) {
        show_form($form_errors);
    } else {
        process_form();
    }
} else {
    show_form();
}

function show_form($errors = '') {
    echo '<form method="POST" action="' . $_SERVER['PHP_SELF'] . '">';

    if ($errors) {
        echo '<br>'
        echo implode('<br>', $errors);
        echo '<br>';
    }

    echo 'Username: ';
    echo '<input type="text" name="username" value="Username goes here">';
    echo '<br>'

    echo 'Password: ';
    echo '<input type="password" name="password">';
    echo '<br>'

    echo '<input type="submit" name="submit" value="Log In">';
    echo '<input type="hidden" name="_submit_check" value="1">'; //when the form is entered, this returns true and the first line of the document is good to go

    echo '</form>';
}

function validate_form() {
    $errors = array();

    $users = array('admin' => 'pass123',
                   'notsoadmin' => 'pass1234');


    if (!array_key_exists($_POST['username']) {
        $errors[] = "Please enter username and password";
    }

    $saved_password = $users[ $_POST['password'] ];
    if ($saved_password != $_POST['password']) {
        echo "Password and username don't match. Please try again";
    }

    return $errors;
}

function process_form() {
    $_SESSION['username'] = $_POST['username'];

    echo "Welcome, $_SESSION[username]";
}

?>

Before my HTML and stuff I also added this:

<?php session_start(); ?>

Clearly I've missed something... Maybe it's $form_errors right at the beginning, that causes the problem (which is "nothing happens"), it was in my book but I'm not sure why/where it comes from?

like image 740
Latze Avatar asked May 30 '26 11:05

Latze

1 Answers

Shouldn't...

    $saved_password = $users[ $_POST['password'] ];
    if ($saved_password != $_POST['password']) {
        ...
    }

actually be..

    $saved_password = $users[ $_POST['username'] ];
    if ($saved_password != $_POST['password']) {
        ...
    }

i.e. you should be looking for username entry in $users not the password

By the way it's really bad practice to store raw passwords like that. Consider HASHing and SALTing them.

Check this question out for information

like image 197
irishbuzz Avatar answered Jun 01 '26 01:06

irishbuzz
Sign in to Comment

Related questions

Removing duplicate field entries in SQL
PHP: setting a number as key in associative array
php, proc_open how pass multiple arguments
localhost/phpinfo.php
how to pass laravel route parameter to vue
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/msqli.so'
Codeigniter Foreign Key data retrieve
UTF-8 encoding problem with XSLT via PHP
Overlapping date range MySQL

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!