Authentication without a database (PHP)

How to securely authenticate a user without using any type of database.

authenticate.php?username={$_GET['username']}&password={$_GET['password']}


// The session must be started before $_SESSION is written.
session_start();
if ($_GET['username'] == "secret_username" && $_GET['password'] == "secret_password")
{
   $_SESSION['user'] = $_GET['username'];
   header("Location: password_protected_page.php");
   exit;
}

This method seems to be an option. Is it secure?

Use a file to hold your data. Have a users.txt below your public html, like so:

username:hashedpassword

Then you use fopen:

<?php

    // Read the whole users file (kept outside the public html directory) into $display.
    $filename = "/home/users.txt";
    $file = fopen( $filename, "r" );
    $display = fread( $file, filesize( $filename ) );
    fclose($file);

?>

Then explode it by newline and then |, then check if the first is equal to username and the second is equal to md5(password).

Seems like the easiest way to me...
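The file-based check described in the answer above, as an added example that is not part of the original answer: it reads `username:hash` lines and verifies the password with PHP's `password_hash()`/`password_verify()` in place of `md5()`. The function names `load_users` and `verify_login` and the temporary file with its sample user are assumptions constructed for the demonstration.

```php
<?php
// Added example: verify a login against a "username:hash" file kept outside the web root.
// password_hash()/password_verify() are swapped in for the md5() mentioned in the answer.

function load_users(string $path): array
{
    $users = [];
    $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines ?: [] as $line) {
        // Split on the first ':' only; bcrypt and argon2 hash strings contain no ':'.
        [$name, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($name !== '' && $hash !== '') {
            $users[$name] = $hash;
        }
    }
    return $users;
}

function verify_login(array $users, string $username, string $password): bool
{
    // Unknown users are checked against a dummy hash so both paths do the same work.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $known = array_key_exists($username, $users);
    $ok = password_verify($password, $known ? $users[$username] : $dummy);
    return $known && $ok;
}

// Constructed sample data: a temporary file stands in for /home/users.txt.
$path = tempnam(sys_get_temp_dir(), 'users');
file_put_contents($path, 'tim:' . password_hash('correct horse', PASSWORD_DEFAULT) . "\n");

$users = load_users($path);
var_dump(verify_login($users, 'tim', 'correct horse'));    // matching password
var_dump(verify_login($users, 'tim', 'wrong'));            // wrong password
var_dump(verify_login($users, '../tim', 'correct horse')); // name is only an array key, never a path
unlink($path);
```

In a login handler, pass `$_POST['username']` and `$_POST['password']` to `verify_login()` and call `session_regenerate_id(true)` before setting the session flag.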

I would at least POST for authentication, but otherwise it should work fine.

Definitely, you can do that. But, just use POST.

There is nothing wrong with the process. Even when we use a database, we actually do the same thing, just using some SELECT command.

You might be thinking about password hashes, but they are used so that, even if a 3rd party gets hold of a database dump (somehow), they can never actually decrypt the password, as hashes are one-way functions. Now in your case you are not using a database, so that's not a problem.

However, the problem lies in scalability. Are you sure that there will always be just one user of the system? If yes, then it's okay; else go for a DB.

I learned PHP on my own. I never took a course nor had a mentor. I had issues "getting" database calls, as they seemed so convoluted compared to other PHP, which seemed natural. I started using this a long time ago.

You can create a text file (username.php) in a directory OFF the web server accessible folders.

(consider permissions!)

So you have /root/users and in that folder you have (by username)

/root/users/Joe.php
/root/users/Juan.php
/root/users/Tim.php

Tim.php contents

<?php
$userpath='/var/www/html/users/Tim';
$password='Timspassword';
?>

Now when Tim logs on we have code that does this:

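<?php
session_start();
// Accept only plain names so the value cannot change the include path.
$username = $_POST['username'] ?? '';
$userfile = '/root/users/' . $username . '.php';
if (preg_match('/^[A-Za-z0-9_-]+$/', $username) && is_file($userfile))
{
    include $userfile; // defines $userpath and $password
    if (hash_equals($password, (string) ($_POST['password'] ?? '')))
    {
        $_SESSION['loggedin'] = 'yes';
        $_SESSION['expire'] = '<how much time you need?>';
    }
}
?>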

This way you can more easily create new users. BTW, I use an index.php in each user's folder that will do very little if not logged in as that particular user that matches the name of the folder. You should also use https. You could also use password encryption/decryption in these user passwords.

Truth be told, database injection is a real vulnerability. Daily I get hackers looking for databases on my sites. THERE ARE NONE, so they go away.

No database required.