[PHP-users 21369]PHPLIB Auth認証のユーザ追加
hiroyuki.A
tiro1 @ abelia.ocn.ne.jp
2004年 4月 20日 (火) 13:51:12 JST
ひろゆきです。
前回のエラーは解消されました。
md5.jsファイルへのパスが違ってました。
ありがとうございました。
さらなる問題が発生しました。
教えてください。
PHPLIBにてAuthを使用しています。
PHPLIBの付属のログインユーザを追加するフォームを利用してユーザ追加をした
いです。 PasswordをPostgresqlのデータベースへ格納した際に暗号化して
保存したいのですが、フォームから追加するとユーザは作成されますが
データベースへ保存されたパスワードはすべて同じで空パスワードです。
空パスワードを暗号化して格納してます。
空Password=d41d8cd98f00b204e9800998ecf8427e
解消の仕方をご存知の方お願いします。
phplib-7.4
Linux2.4
Postgresql-7.4
local.incファイル
class Example_Challenge_Crypt_Auth extends Auth {
var $classname = "Example_Challenge_Crypt_Auth";
var $lifetime = 15;
var $magic = "Frobozzica"; ## Challenge seed
var $database_class = "DB_Example";
var $database_table = "auth_user_md5";
function auth_loginform() {
global $sess;
global $challenge;
global $_PHPLIB;
$challenge = md5(uniqid($this->magic));
$sess->register("challenge");
include($_PHPLIB["libdir"] . "crcloginform.ihtml");
}
function auth_validatelogin() {
global $HTTP_POST_VARS, $challenge;
$this->auth["uname"] = $HTTP_POST_VARS["username"]; ## This
provides access for "loginform.ihtml"
$this->db->query(sprintf("select user_id,perms,password ".
"from %s where username = '%s'",
$this->database_table,
addslashes($HTTP_POST_VARS["username"])));
if ($this->db->num_rows() == 0) {
return false;
}
while($this->db->next_record()) {
$uid = $this->db->f("user_id");
$perm = $this->db->f("perms");
$pass = $this->db->f("password"); ## Password is stored as a
md5 hash
}
$expected_response = md5($HTTP_POST_VARS["username"].":$pass:
$challenge");
## True when JS is disabled
if ($HTTP_POST_VARS["response"] == "") {
if (md5($HTTP_POST_VARS["password"]) != $pass) { ## md5 hash
for non-JavaScript browsers
return false;
} else {
$this->auth["perm"] = $perm;
return $uid;
}
}
## Response is set, JS is enabled
if ($expected_response != $HTTP_POST_VARS["response"]) {
return false;
} else {
$this->auth["perm"] = $perm;
return $uid;
}
}
}
new_user_md5.php3ファイル
<?php
/*
*
*/
## include this if you're not using the autoprepend feature
include("webdb_prepend.inc");
## straight from the examples...
page_open(array("sess" => "Example_Session", "auth" =>
"Example_Challenge_Crypt_Auth", "perm" => "Example_Per
m"));
## Set this to something, just something different...
$hash_secret = "Jabberwocky...";
## Pull our form variables out of HTTP_POST_VARS
if (isset($HTTP_POST_VARS['username'])) $username = $HTTP_POST_VARS
['username'];
if (isset($HTTP_POST_VARS['password'])) $password = $HTTP_POST_VARS
['password'];
if (isset($HTTP_POST_VARS['u_id'])) $u_id = $HTTP_POST_VARS['u_id'];
if (isset($HTTP_POST_VARS['perms'])) $perms = $HTTP_POST_VARS['perms'];
###
### Utility functions
###
## my_error($msg):
##
## Display error messages
function my_error($msg) {
?>
<table border=0 bgcolor="#eeeeee" align="center" cellspacing=0
cellpadding=4 width=540>
<tr>
<td><font color=#FF2020>Error: <?php print $msg ?></font></td>
</tr>
</table>
<BR>
<?php
}
## my_msg($msg):
##
## Display success messages
function my_msg($msg) {
?>
<table border=0 bgcolor="#eeeeee" align="center" cellspacing=0
cellpadding=4 width=540>
<tr>
<td><font color=#008000>O.K.: <?php print $msg ?></font></td>
</tr>
</table>
<br>
<?php
}
?>
<html>
<head>
<!--
<META HTTP-EQUIV="REFRESH" CONTENT="<?php print $auth->lifetime*60;?>;
URL=logoff.html">
-->
<title>ユーザ管理</title>
<style type="text/css">
<!--
body { font-family: Arial, Helvetica, sans-serif }
td { font-family: Arial, Helvetica, sans-serif }
th { font-family: Arial, Helvetica, sans-serif }
-->
</style>
<script language="javascript" src="md5.js"></script>
</head>
<body bgcolor="#ffffff">
<h1>ユーザ管理</h1>
<P>
ログイン中のユーザ: <b><?php print $auth->auth["uname"] ?></b>
ログイン中のユーザ権限: <b><?php print $auth->auth["perm"] ?></b>.<BR>
</P>
<?php
###
### Submit Handler
###
## Some debug output - can be useful to see what's going on
#$debug_output = "<br>\n";
#reset($HTTP_POST_VARS);
#while(list($var,$value)=each($HTTP_POST_VARS)) {
# $debug_output .= "$var: $value<br>\n";
#}
#reset($HTTP_POST_VARS);
#my_msg($debug_output);
# Notify the user if a plain text password is received
if(!empty($password)) {
my_error("<b>Warning:</b> plain text password received. Is Javascript
enabled?");
}
:## Get a database connection
$db = new DB_Example;
## Hash the password if we need to
if (empty($hashpass)) {
if(isset($password)) {
$password = md5($password);
} else {
$password = "";
}
} else {
$password = $hashpass;
}
## Find out if a new password was entered
if ($password == md5("*******")) {
$new_password = false;
} else {
$new_password = true;
}
## $perms array will be unset if a user has had all perms removed.
## If so, set $perms to an empty array to prevent errors from implode.
if (empty($perms)) {
$perms = array();
}
## Check if there was a submission
while ( is_array($HTTP_POST_VARS)
&& list($key, $val) = each($HTTP_POST_VARS)) {
switch ($key) {
## Create a new user
case "create":
echo "Creating<br>";
## Do we have permission to do so?
if (!$perm->have_perm("admin")) {
my_error("ユーザ作成の権限がない");
break;
}
## Do we have all necessary data?
if (empty($username) || empty($password)) {
my_error("<B>ユーザ名</B>と<B>パスワード</B>入れなさい!");
break;
}
## Does the user already exist?
## NOTE: This should be a transaction, but it isn't...
$db->query("select * from auth_user_md5 where username='$username'")
;
if ($db->nf()>0) {
my_error(" <B>$username</B>はすでに存在する!");
break;
}
## Create a uid and insert the user...
$u_id=md5(uniqid($hash_secret));
$permlist = addslashes(implode($perms,","));
$query = "insert into auth_user_md5 values('$u_id','$username',
'$password','$permlist')";
$db->query($query);
if ($db->affected_rows() == 0) {
my_error("<b>Failed:</b> $query");
break;
}
my_msg("User \"$username\" created.<BR>");
break;
## Change user parameters
case "u_edit":
## Do we have permission to do so?
if (!$perm->have_perm("admin") && ($auth->auth["uid"] != $u_id)) {
my_error("ユーザ作成の権限がない");
break;
}
## Handle users changing their own password...
if (!$perm->have_perm("admin")) {
if (!$new_password) {
my_error("あたらしい<b>Password</b>入れなさい ");
break;
}
$query = "update auth_user_md5 set password='$password' where
user_id='$u_id'";
$db->query($query);
if ($db->affected_rows() == 0) {
my_error("<b>Failed:</b> $query");
break;
}
my_msg(" ". $auth->auth["uname"] ."のパスワードを変更しました。
<BR>");
break;
}
## Do we have all necessary data?
if (empty($username) || empty($password)) {
my_error("<B>ユーザ名</B>と<B>Password</B>を入れなさい!");
break;
}
## Update user information.
$permlist = addslashes(implode($perms,","));
if (!$new_password) {
$password_query = "";
} else {
$password_query = "password='$password',";
}
$query = "update auth_user_md5 set username='$username',
$password_query perms='$permlist' where user_id='$u
_id'";
$db->query($query);
if ($db->affected_rows() == 0) {
my_error("<b>Failed:</b> $query");
break;
}
my_msg("ユーザ \"$username\"変更しました<BR>");
break;
## Delete the user
case "u_kill":
## Do we have permission to do so?
if (!$perm->have_perm("admin")) {
my_error("権限がありません");
break;
}
## Delete that user.
$query = "delete from auth_user_md5 where user_id='$u_id' and
username='$username'";
$db->query($query);
if ($db->affected_rows() == 0) {
my_error("<b>Failed:</b> $query");
break;
}
my_msg("ユーザ \"$username\" 削除しました<BR>");
break;
default:
break;
}
}
### Output user administration forms, including all updated
### information, if we come here after a submission...
?>
<script language="javascript">
<!--
function doHashPass(theForm) {
theForm.hashpass.value = MD5(theForm.password.value);
theForm.password.value = "";
return true;
}
// -->
</script>
<table border=0 bgcolor="#eeeeee" align="center" cellspacing=2
cellpadding=4 width=540>
<tr valign=top align=left>
<th>ユーザ名</th>
<th>Password</th>
<th>権限</th>
<th align=right>変更項目</th>
</tr>
<?php
if ($perm->have_perm("admin")) {
?>
<!-- create a new user -->
<form name="add" method="post" action="<?php $sess->pself_url() ?>"
onSubmit="doHashPass(this)">
<tr valign=middle align=left>
<td><input type="text" name="username" size=12 maxlength=32 value="">
</td>
<td><input type="text" name="password" size=12 maxlength=32 value="">
</td>
<td><?php print $perm->perm_sel("perms","user");?></td>
<td align=right><input type="submit" name="create" value="ユーザを新規
作成"></td>
<input type="hidden" name="hashpass" value="">
</tr>
</form>
<?php
} // end if admin
## Traverse the result set
$db->query("select * from auth_user_md5 order by username");
while ($db->next_record()) {
?>
<!-- existing user -->
<form method="post" action="<?php $sess->pself_url() ?>" onSubmit=
"doHashPass(this)">
<input type="hidden" name="hashpass" value="">
<tr valign=middle align=left>
?php
if ($perm->have_perm("admin")) {
?>
<td><input type="text" name="username" size=12 maxlength=32 value="<?
php $db->p("username") ?>"></td>
<td><input type="text" name="password" size=12 maxlength=32 value="***
****"></td>
<td><?php print $perm->perm_sel("perms", $db->f("perms")) ?></td>
<td align=right>
<input type="hidden" name="u_id" value="<?php $db->p("user_id") ?>"
>
<input type="submit" name="u_kill" value="ユーザ削除">
<input type="submit" name="u_edit" value="変更">
</td>
<?php
} elseif ($auth->auth["uname"] == $db->f("username")) {
?>
<td><?php $db->p("username") ?></td>
<td><input type="text" name="password" size=12 maxlength=32 value="***
****"></td>
<td><?php $db->p("perms") ?></td>
<td align=right>
<input type="hidden" name="u_id" value="<?php $db->p("user_id") ?>"
>
<input type="submit" name="u_edit" value="変更">
</td>
<?php
} else {
?>
<td><?php $db->p("username") ?></td>
<td>**********</td>
<td><?php $db->p("perms") ?></td>
<td align=right> </td>
<?php
}
?>
</tr>
</form>
<?php
} // while next record
?>
</table>
<?php
page_close();
?>
</body>
</html>
PHP-users メーリングリストの案内