<?php
/*
* Filename: auth.class.php
*
* Description:
* Authorization class for web application.
* Requires database table with following minimal structure
* id int unsigned not null auto_increment
* name varchar(64)
* passwd varchar(256)
* access text
* defaults are table _user, with columns name, passwd and access
* name and pass are matched against database entries, then name
* and access are stored in instantiation of class
*
* passwd should be able to handle 256 chars as hashes become
* longer.
*
*
* $Rev:: 1 $: Revision in Repository
* $Author:: rodolico $: Last Author
* $Date:: 2017-07-28 0$: Last Commit
*
*
* History:
* 20170728 - RWR - 1.0
* Initial build
*/
require_once( 'DBQuery.class.php' );
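class Auth {
    // All state lives in $parameters. The defaults below describe the
    // table layout from the file header and may be overridden through the
    // constructor or by assignment (see __set()).
    protected $parameters = [
        'table name'      => '_user',    // table storing auth info
        'column username' => 'name',     // field to match username to
        'column password' => 'passwd',   // field holding the password hash
        'column access'   => 'access',   // field which contains access information
        'column id'       => '_user_id', // unique user id in table
    ];

    /*
     * Merge caller-supplied parameters over the defaults.
     * Keys present in $parameters overwrite the default of the same name;
     * keys the defaults do not know (e.g. 'username', 'login page') are
     * stored unchanged for later use by authorize()/verifyLogin().
     */
    public function __construct( array $parameters = [] ) {
        $this->parameters = array_replace( $this->parameters, $parameters );
    } // construct

    /*
     * Read a parameter by name.
     * Returns null, without raising a notice, when the parameter is unset.
     */
    public function __get( $parameter ) {
        return isset( $this->parameters[$parameter] ) ? $this->parameters[$parameter] : null;
    } // function get

    /*
     * Store a parameter and return its previous value (null if it had none).
     * The previous value is only observable through a direct call such as
     * $auth->__set( 'x', 1 ); PHP discards the return value when __set is
     * triggered by property assignment.
     */
    public function __set( $parameter, $value ) {
        $oldValue = $this->__get( $parameter );
        $this->parameters[$parameter] = $value;
        return $oldValue;
    } // function set

    /*
     * Authorizes access to a resource.
     * Still a shell: a user whose login succeeded (the 'username' parameter
     * set by verifyLogin) is authorized for everything and $resource is not
     * consulted yet. Without a logged-in user the browser is redirected to
     * the configured 'login page' if there is one, otherwise the login form
     * from createLoginPage() is printed; the script exits in both cases.
     */
    public function authorize( $resource = '' ) {
        if ( isset( $this->parameters['username'] ) ) {
            /*
             * code here to actually determine if user is authorized
             * for this page
             */
            return true;
        }
        if ( isset( $this->parameters['login page'] ) ) {
            // redirect to login page. Built by concatenation: the key
            // 'login page' contains a space, so the bare "$arr[login page]"
            // form inside a double-quoted string does not parse.
            header( 'Location: ' . $this->parameters['login page'] );
            exit();
        }
        print $this->createLoginPage();
        exit();
    } // function authorize

    /*
     * Checks that the username and password match a row in the user table.
     * The username is taken from $username when given, otherwise from the
     * 'username' parameter. On success the 'username', 'user id' and
     * 'access' parameters are loaded from the database row (the username is
     * refreshed so it carries the database's spelling) and true is returned.
     * On any failure those three parameters are cleared and false is
     * returned, so authorize() cannot mistake a failed attempt - or a stale
     * earlier login - for a logged-in user.
     *
     * Table and column names are configuration, not request data, and are
     * interpolated as-is. The username is passed through makeSafeSQL()
     * (defined elsewhere), which the original lookup relies on to return a
     * quoted, escaped SQL literal; DBQuery (also external) runs the query.
     */
    public function verifyLogin( $password, $username = null ) {
        if ( ! isset( $username ) && isset( $this->parameters['username'] ) ) {
            $username = $this->parameters['username'];
        }
        // A previous login must not survive this call unless the new
        // attempt succeeds: authorize() treats a set 'username' as logged in.
        unset(
            $this->parameters['username'],
            $this->parameters['user id'],
            $this->parameters['access']
        );
        if ( ! isset( $username ) || ! isset( $password ) ) {
            return false;
        }
        $sql = "select
            {$this->parameters['column id']} 'id',
            {$this->parameters['column username']} 'username',
            {$this->parameters['column password']} 'password',
            {$this->parameters['column access']} 'access'
        from
            {$this->parameters['table name']}
        where
            {$this->parameters['column username']} = " . makeSafeSQL( $username );
        $results = new DBQuery( $sql );
        if ( ! $results->getOneRow() ) {
            return false; // unknown user (or the query produced no row)
        }
        // A missing or empty stored hash means "no password set". That must
        // fail closed rather than grant access; to recover a lost password,
        // store a temporary one with setPassword() instead. The is_string()
        // check also keeps password_verify() from being handed a null.
        if ( ! is_string( $results->password ) || $results->password === '' ) {
            return false;
        }
        if ( ! password_verify( $password, $results->password ) ) {
            return false;
        }
        $this->parameters['username'] = $results->username;
        $this->parameters['user id']  = $results->id;
        $this->parameters['access']   = $results->access;
        return true;
    } // function verifyLogin

    /*
     * Hash $password with password_hash() and store it for the logged-in
     * user, i.e. the 'user id' parameter set by verifyLogin().
     * Returns the DBQuery object for the update, or false when no user is
     * logged in (the original would have issued an update with an empty
     * "where ... =" clause). The hash is quoted with makeSafeSQL(), as the
     * username lookup in verifyLogin() already does for string values; the
     * id is cast to int because the file header declares it as int unsigned.
     */
    public function setPassword( $password ) {
        if ( ! isset( $this->parameters['user id'] ) ) {
            return false;
        }
        $hash = password_hash( $password, PASSWORD_DEFAULT );
        $sql = "update {$this->parameters['table name']}
            set {$this->parameters['column password']} = " . makeSafeSQL( $hash ) . "
            where {$this->parameters['column id']} = " . (int) $this->parameters['user id'];
        return new DBQuery( $sql, true );
    } // setPassword

    /*
     * Returns the source of a minimal login page (PHP prologue plus HTML
     * form) as a string. authorize() prints it verbatim when no 'login page'
     * is configured.
     * NOTE(review): the embedded PHP tests $_POST["submit"] while the form's
     * submit button is named "Login" and the form posts to login.html with
     * fields "login"/"pass" - this looks inconsistent; verify against the
     * page that consumes this output before relying on it.
     */
    public function createLoginPage() {
        return '<?php
session_start();
if (isset( $_POST["submit"])) {
include_once( "Auth.class.php" );
$_SESSION["authorization information"] = new Auth();
?>
<html><body>
<h3 align="center">Enter your username and password below</h3>
<FORM action="login.html" method="POST" enctype="multipart/form-data">
<table border="1" cellpadding="2" align="center">
<tbody>
<tr>
<td>User Name</td>
<td><input type="text" name="login" size="20"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="pass" size="20"></td>
</tr>
<tr><TD colspan="2" align="center"><INPUT type="submit" name="Login" value="Log In"></TD></tr>
</tbody>
</table>
</FORM></body></html>';
    } // function createLoginPage
} // class Auth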
?>