[PHP-users 21369]PHPLIB Auth認証のユーザ追加

hiroyuki.A tiro1 @ abelia.ocn.ne.jp
2004年 4月 20日 (火) 13:51:12 JST


ひろゆきです。

前回のエラーは解消されました。
md5.jsファイルへのパスが違ってました。
ありがとうございました。

さらなる問題が発生しました。
教えてください。

PHPLIBにてAuthを使用しています。
PHPLIBの付属のログインユーザを追加するフォームを利用してユーザ追加をした
いです。 PasswordをPostgresqlのデータベースへ格納した際に暗号化して
保存したいのですが、フォームから追加するとユーザは作成されますが
データベースへ保存されたパスワードはすべて同じで空パスワードです。
空パスワードを暗号化して格納してます。

空Password=d41d8cd98f00b204e9800998ecf8427e


解消の仕方をご存知の方お願いします。

phplib-7.4
Linux2.4
Postgresql-7.4

local.incファイル

class Example_Challenge_Crypt_Auth extends Auth {
  var $classname      = "Example_Challenge_Crypt_Auth";

  var $lifetime       =  15;

  var $magic          = "Frobozzica";  ## Challenge seed
  var $database_class = "DB_Example";
  var $database_table = "auth_user_md5";

  function auth_loginform() {
    global $sess;
    global $challenge;
    global $_PHPLIB;

    $challenge = md5(uniqid($this->magic));
    $sess->register("challenge");

    include($_PHPLIB["libdir"] . "crcloginform.ihtml");
  }

  function auth_validatelogin() {
    global $HTTP_POST_VARS, $challenge;

    $this->auth["uname"] = $HTTP_POST_VARS["username"];        ## This 
provides access for "loginform.ihtml"

    $this->db->query(sprintf("select user_id,perms,password ".
                "from %s where username = '%s'",
                          $this->database_table,
                          addslashes($HTTP_POST_VARS["username"])));

    if ($this->db->num_rows() == 0) {
      return false;
    }

    while($this->db->next_record()) {
      $uid   = $this->db->f("user_id");
      $perm  = $this->db->f("perms");
      $pass  = $this->db->f("password");   ## Password is stored as a 
md5 hash
    }
    $expected_response = md5($HTTP_POST_VARS["username"].":$pass:
$challenge");

    ## True when JS is disabled
    if ($HTTP_POST_VARS["response"] == "") {
      if (md5($HTTP_POST_VARS["password"]) != $pass) {       ## md5 hash 
for non-JavaScript browsers
        return false;
      } else {
      $this->auth["perm"] = $perm;
        return $uid;
      }
    }

    ## Response is set, JS is enabled
    if ($expected_response != $HTTP_POST_VARS["response"]) {
      return false;
    } else {
      $this->auth["perm"] = $perm;
      return $uid;
    }
  }
}


new_user_md5.php3ファイル

<?php
/*
 *
 */

## include this if you're not using the autoprepend feature
include("webdb_prepend.inc");

## straight from the examples...
   page_open(array("sess" => "Example_Session", "auth" => 
"Example_Challenge_Crypt_Auth", "perm" => "Example_Per
m"));

## Set this to something, just something different...
   $hash_secret = "Jabberwocky...";

## Pull our form variables out of HTTP_POST_VARS
if (isset($HTTP_POST_VARS['username'])) $username = $HTTP_POST_VARS
['username'];
if (isset($HTTP_POST_VARS['password'])) $password = $HTTP_POST_VARS
['password'];
if (isset($HTTP_POST_VARS['u_id'])) $u_id = $HTTP_POST_VARS['u_id'];
if (isset($HTTP_POST_VARS['perms'])) $perms = $HTTP_POST_VARS['perms'];

###
### Utility functions
###

## my_error($msg):
##
## Display error messages

  function my_error($msg) {
?>
  <table border=0 bgcolor="#eeeeee" align="center" cellspacing=0 
cellpadding=4 width=540>
   <tr>
    <td><font color=#FF2020>Error: <?php print $msg ?></font></td>
   </tr>
  </table>
  <BR>
<?php
}

## my_msg($msg):
##
## Display success messages
  function my_msg($msg) {
?>
 <table border=0 bgcolor="#eeeeee" align="center" cellspacing=0 
cellpadding=4 width=540>
  <tr>
   <td><font color=#008000>O.K.: <?php print $msg ?></font></td>
  </tr>
  </table>
 <br>
<?php
}


?>
<html>
 <head>
<!--
<META HTTP-EQUIV="REFRESH" CONTENT="<?php print $auth->lifetime*60;?>; 
URL=logoff.html">
-->
  <title>ユーザ管理</title>
  <style type="text/css">
  <!--
    body { font-family: Arial, Helvetica, sans-serif }
    td   { font-family: Arial, Helvetica, sans-serif }
    th   { font-family: Arial, Helvetica, sans-serif }
  -->
  </style>
 <script language="javascript" src="md5.js"></script>
 </head>

<body bgcolor="#ffffff">
<h1>ユーザ管理</h1>
<P>
ログイン中のユーザ: <b><?php print $auth->auth["uname"] ?></b>
ログイン中のユーザ権限: <b><?php print $auth->auth["perm"] ?></b>.<BR>
</P>
<?php

###
### Submit Handler
###

## Some debug output - can be useful to see what's going on
#$debug_output = "<br>\n";
#reset($HTTP_POST_VARS);
#while(list($var,$value)=each($HTTP_POST_VARS)) {
#  $debug_output .= "$var: $value<br>\n";
#}
#reset($HTTP_POST_VARS);
#my_msg($debug_output);

# Notify the user if a plain text password is received
if(!empty($password)) {
  my_error("<b>Warning:</b> plain text password received. Is Javascript 
enabled?");
}

:## Get a database connection
$db = new DB_Example;

## Hash the password if we need to
if (empty($hashpass)) {
  if(isset($password)) {
    $password = md5($password);
  } else {
    $password = "";
  }
} else {
  $password = $hashpass;
}

## Find out if a new password was entered
if ($password == md5("*******")) {
        $new_password = false;
} else {
        $new_password = true;
}

## $perms array will be unset if a user has had all perms removed.
## If so, set $perms to an empty array to prevent errors from implode.
if (empty($perms)) {
  $perms = array();
}

## Check if there was a submission
while ( is_array($HTTP_POST_VARS)
     && list($key, $val) = each($HTTP_POST_VARS)) {
  switch ($key) {

  ## Create a new user
  case "create":
    echo "Creating<br>";
    ## Do we have permission to do so?
    if (!$perm->have_perm("admin")) {
      my_error("ユーザ作成の権限がない");
      break;
    }

    ## Do we have all necessary data?
    if (empty($username) || empty($password)) {
      my_error("<B>ユーザ名</B>と<B>パスワード</B>入れなさい!");
      break;
    }

    ## Does the user already exist?
    ## NOTE: This should be a transaction, but it isn't...
    $db->query("select * from auth_user_md5 where username='$username'")
;
    if ($db->nf()>0) {
      my_error(" <B>$username</B>はすでに存在する!");
      break;
    }

    ## Create a uid and insert the user...
    $u_id=md5(uniqid($hash_secret));
    $permlist = addslashes(implode($perms,","));
    $query = "insert into auth_user_md5 values('$u_id','$username',
'$password','$permlist')";
    $db->query($query);
    if ($db->affected_rows() == 0) {
      my_error("<b>Failed:</b> $query");
      break;
    }

    my_msg("User \"$username\" created.<BR>");
  break;

  ## Change user parameters
  case "u_edit":
    ## Do we have permission to do so?
    if (!$perm->have_perm("admin") && ($auth->auth["uid"] != $u_id)) {
      my_error("ユーザ作成の権限がない");
      break;
    }

    ## Handle users changing their own password...
    if (!$perm->have_perm("admin")) {
      if (!$new_password) {
        my_error("あたらしい<b>Password</b>入れなさい ");
        break;
      }
      $query = "update auth_user_md5 set password='$password' where 
user_id='$u_id'";
      $db->query($query);
      if ($db->affected_rows() == 0) {
        my_error("<b>Failed:</b> $query");
        break;
      }

      my_msg(" ". $auth->auth["uname"] ."のパスワードを変更しました。
<BR>");
      break;
    }

    ## Do we have all necessary data?
    if (empty($username) || empty($password)) {
      my_error("<B>ユーザ名</B>と<B>Password</B>を入れなさい!");
      break;
       }

    ## Update user information.
    $permlist = addslashes(implode($perms,","));
    if (!$new_password) {
      $password_query = "";
    } else {
      $password_query = "password='$password',";
    }
    $query = "update auth_user_md5 set username='$username', 
$password_query perms='$permlist' where user_id='$u
_id'";
    $db->query($query);
    if ($db->affected_rows() == 0) {
      my_error("<b>Failed:</b> $query");
      break;
    }

    my_msg("ユーザ \"$username\"変更しました<BR>");
  break;

  ## Delete the user
  case "u_kill":
    ## Do we have permission to do so?
    if (!$perm->have_perm("admin")) {
      my_error("権限がありません");
      break;
    }

    ## Delete that user.
    $query = "delete from auth_user_md5 where user_id='$u_id' and 
username='$username'";
    $db->query($query);
    if ($db->affected_rows() == 0) {
      my_error("<b>Failed:</b> $query");
      break;
    }

    my_msg("ユーザ \"$username\" 削除しました<BR>");
  break;

  default:
  break;
 }
}

### Output user administration forms, including all updated
### information, if we come here after a submission...

?>
<script language="javascript">
<!--
 function doHashPass(theForm) {
    theForm.hashpass.value = MD5(theForm.password.value);
    theForm.password.value = "";
    return true;
 }
 // -->
</script>


<table border=0 bgcolor="#eeeeee" align="center" cellspacing=2 
cellpadding=4 width=540>
 <tr valign=top align=left>
  <th>ユーザ名</th>
  <th>Password</th>
  <th>権限</th>
  <th align=right>変更項目</th>
 </tr>
<?php

  if ($perm->have_perm("admin")) {

 ?>
 <!-- create a new user -->
 <form name="add" method="post" action="<?php $sess->pself_url() ?>" 
onSubmit="doHashPass(this)">
 <tr valign=middle align=left>
  <td><input type="text" name="username" size=12 maxlength=32 value="">
</td>
  <td><input type="text" name="password" size=12 maxlength=32 value="">
</td>
  <td><?php print $perm->perm_sel("perms","user");?></td>
  <td align=right><input type="submit" name="create" value="ユーザを新規
作成"></td>
  <input type="hidden" name="hashpass" value="">
 </tr>
 </form>
<?php
  } // end if admin

  ## Traverse the result set
  $db->query("select * from auth_user_md5 order by username");
  while ($db->next_record()) {

?>
 <!-- existing user -->
 <form method="post" action="<?php $sess->pself_url() ?>" onSubmit=
"doHashPass(this)">
 <input type="hidden" name="hashpass" value="">
 <tr valign=middle align=left>
 ?php
    if ($perm->have_perm("admin")) {
?>
  <td><input type="text" name="username" size=12 maxlength=32 value="<?
php $db->p("username") ?>"></td>
  <td><input type="text" name="password" size=12 maxlength=32 value="***
****"></td>
  <td><?php print $perm->perm_sel("perms", $db->f("perms")) ?></td>

  <td align=right>
   <input type="hidden" name="u_id"   value="<?php $db->p("user_id") ?>"
>
   <input type="submit" name="u_kill" value="ユーザ削除">
   <input type="submit" name="u_edit" value="変更">
  </td>
<?php
    } elseif ($auth->auth["uname"] == $db->f("username")) {
?>
  <td><?php $db->p("username") ?></td>
  <td><input type="text" name="password" size=12 maxlength=32 value="***
****"></td>
  <td><?php $db->p("perms") ?></td>
  <td align=right>
   <input type="hidden" name="u_id"   value="<?php $db->p("user_id") ?>"
>
   <input type="submit" name="u_edit" value="変更">
  </td>
<?php
    } else {
?>
  <td><?php $db->p("username") ?></td>
  <td>**********</td>
  <td><?php $db->p("perms") ?></td>
  <td align=right>&nbsp;</td>
<?php
    }
?>
 </tr>
 </form>
<?php
  } // while next record
?>
</table>
<?php
  page_close();
?>
</body>
</html>


PHP-users メーリングリストの案内