1 Topic by Raae (edited by 2010-01-09 23:37:12)

  • Raae
  • Members
  • Offline
  • Registered: 2005-05-19
  • Posts: 6

Topic: [HACK] Use CuteNews' users.db.php on other pages

Name: A secure-page for added users in CN
Author: raee & Jetski
CuteNews Compatibility: 1.3.6 - * (no incompatibility reported yet)
Description: I just made a login-script which checks against the users.db.php in cutenews/data/, and makes a session cookie. https://cutephp.com/forum/style_emoticons/default/biggrin.gif
This is very usefull if you want to have a page with info, only for users allready added in Cutenews.
It can also be edited, so only f.x users with editor-status has access.
I thought it was pretty usefull.  https://cutephp.com/forum/style_emoticons/default/cool.gif
Requirements:
Demo:
Discussion Topic:
Instructions:
In a file called auth.inc.php have the following

<?PHP    

session_start();

// authenticate username/password against /cutenews/data/users.db.php
// returns: -1 if user does not exist
//           0 if user exists but password is incorrect
//           1 if username and password are correct
function auth($user, $pass){
  
    $result = -1;

    if((trim($user) != "") && (trim($pass) != "")){
  
  // make sure that the script has permission to read this file!
  $data = file("data/users.db.php");
    
  // iterate through file
  foreach ($data as $line){
    
      $arr = explode("|", $line);
      
      // if username matches
      // test password
      if($arr[2] == $user){
    
    // if match, user/pass combination is correct
    // return 1
    if($arr[3] == $pass){
        $result = 1;
        break;
    }else{
        // otherwise return 0
        $result = 0;
        break;
    }
      }
  }
    }
    
    // return value
    return $result;
}

// Check if Sessions have exist or else see if any var's are posted
if(!isset($_SESSION["SESSION_UNAME"]) && !isset($_SESSION["SESSION_UPASS"])){
    $f_user = $_POST['f_user'];
    $f_pass = md5($_POST['f_pass']);
}else{
    $f_user = $_SESSION["SESSION_UNAME"];
    $f_pass = $_SESSION["SESSION_UPASS"];
}

if($_GET['logout'] == "true"){
    $f_user = "";
    $f_pass = "";
    session_unset();
    session_destroy();
    header("Location: ?");
}

if(auth($f_user, $f_pass) == 1){
    $_SESSION["SESSION_UNAME"] = $f_user;
    $_SESSION["SESSION_UPASS"] = $f_pass;
}else{
echo <<<HTML
<html>
<head>
<title>Login</title>
</head>
<body>
<center>
<table border="0" cellspacing="5" cellpadding="5">
<form action="" method="POST">
<tr>
  <td>Username</td>
  <td><input type="text" size="20" name="f_user"></td>
</tr>
<tr>
  <td>Password</td>
  <td><input type="password" size="20" name="f_pass"></td>
</tr>
<tr>
  <td colspan="2" align="center"><input type="submit" name="submit" value="    LogIn    ">
</td>
</tr>
</form>
</table>
</center>
</body>
</html>
HTML;
exit();
}
?>


Then just use

<?PHP include("auth.inc.php");  ?>

at the top of the pages you want to protect.
Unless add this link code

[url=?logout=true]logout[/url]

somewhere on the page soo people can logout.
Also make sure in auth.inc.php 

file("data/users.db.php");

has the currect path to the users.db.php file.

If it happens you're logged out after visitting 1 page, move the session_start() function to the top of the main php file. with main i mean where you're including the hack. The file where you move session_start() to may not be included, it must be the 'control' file.

  • Jetski
  • Cutenews Support Staff
  • Offline
  • Registered: 2004-10-26
  • Posts: 1,457

Re: [HACK] Use CuteNews' users.db.php on other pages

I dont think ive heard of it.. but post away.. me or someone will possibly added it to the hacks section or wateva

  • Raae
  • Members
  • Offline
  • Registered: 2005-05-19
  • Posts: 6

Re: [HACK] Use CuteNews' users.db.php on other pages

Ok, this is my first "how-to"-post, so go easy on me..
The idea struck me when I wanted to create a admin-page for the news-crew on my site. So I though it would be a good idea to let them use their own username and password to login to that page.
So this is how you create a secure page, with the help of the users.db.php-file.

-----------------

First create these files:
- index.html
- login.php
- secure_page.php
- logout.php

-----------------

Then open index.html, and add a form. Like this: 

<html>
<head>
</head>
<body>
<center>
<table border="0" cellspacing="5" cellpadding="5">
<form action="login.php" method="POST">
<tr>
   <td>Username</td>
   <td><input type="text" size="10" name="f_user"></td>
</tr>
<tr>
   <td>Password</td>
   <td><input type="password" size="10" name="f_pass"></td>
</tr>
<tr>
   <td colspan="2" align="center"><input type="submit" name="submit" value="LogIn">
</td>
</tr>
</form>
</table>
</center>
</body>
</html>

Open login.php and add this:
(This page will not show in the browser, it will just run the check-up against users.db.php) 

<?
// authenticate using form variables
$status = authenticate($f_user, $f_pass);
// if  user/pass combination is correct
if ($status == 1)
{
    // initiate a session
    session_start();
    // register some session variables
    session_register("SESSION");

    // including the username
    session_register("SESSION_UNAME");
    $SESSION_UNAME = $f_user;
   
    // redirect to protected page
    header("Location: secure_page.php");
    exit();
}
else
// user/pass check failed
{
    // redirect to error page
    echo "Login failed!";
    exit();
}


// authenticate username/password against /cutenews/data/users.db.php
// returns: -1 if user does not exist
//           0 if user exists but password is incorrect
//           1 if username and password are correct
function authenticate($user, $pass)
{
   $result = -1;

   // make sure that the script has permission to read this file!
   $data = file("news/data/users.db.php");

   // iterate through file
   foreach ($data as $line)
   {
      $arr = explode("|", $line);
      // if username matches
      // test password
      if ($arr[2] == $_POST['f_user'])
      {
         // if match, user/pass combination is correct
         // return 1
         if ($arr[3] == md5($_POST['f_pass']))
         {
            $result = 1;
            break;
         }
         // otherwise return 0
         else
         {
            $result = 0;
            break;
         }
      }

   }
   // return value
   return $result;
}

?>


The script breaks down the users.db.php-file and looks for the username and encrypted password, and compares it to what has been entered in the form.

Then open secure_page.php and design the page how ever you want, but add this to the top: (it can be named whatever, as long as it is the same in every file.) 

<?
// secure_page.php - secure page
// session check
session_start();
if (!session_is_registered("SESSION"))
{
    // if session check fails, invoke error handler
    echo("You little devil, you think you can get in here? HAHAHA.. Fool!");
    exit();
}
?>
<html>
<!--- Your design/webcode --->
</html>

Add a logout in the secure_page.php: 

[url=logout.php]Goodbye[/url]

Then open logout.php, and add this: (it will terminate the session, and make sure your little sister does'nt mess around the page ^_^) 

<?
// logout.php - destroys session and returns to login form

// destroy all session variables
session_start();
session_destroy();

// redirect browser back to index page
header("Location: index.php");
?>

And there you have it..
As I said, I'm new at both php and posting "how-to's", but I hope you guys get the picture.  lol

  • Ifa
  • Weirdo
  • Offline
  • Registered: 2004-10-04
  • Posts: 2,217

Re: [HACK] Use CuteNews' users.db.php on other pages

smile

  • Raae
  • Members
  • Offline
  • Registered: 2005-05-19
  • Posts: 6

Re: [HACK] Use CuteNews' users.db.php on other pages

If you add this inside auth.inc.php, you will be able to select who can access the secure page. Only Administrator, both admin and editors, only journalist and so on. 

    // if username matches
    // test password
      if($arr[2] == $user)
      {
    
      // if user is Admin(1) or Editor(2) only
      $level = 2;
      if($arr[1] <= $level)
      {
    
          // if match, user/pass combination is correct
          // return 1
          if($arr[3] == $pass)
          {
          $result = 1;
          break;
          }
      }
        }
  • Et23
  • Members
  • Offline
  • Registered: 2005-02-04
  • Posts: 24

Re: [HACK] Use CuteNews' users.db.php on other pages

I was just going to ask for this very thing. Thanks.