PHP - User Authentication Using Ip Address

Below code is working fine but i need to redirect on 3 different pages and its giving me error. My table structure is as   User table Email                                  Password admin@yahoo.com             123 tariq@yahoo.com                987 bilal@yahoo.com                 456     if user name is like; admin@yahoo.com the page should redirect on welcome.php if user name is like; info@aiousoft.com the page should redirect to welcome2.php and if user doesnot exist in database then give error as ELSE "user doesnot exist"   thanks   signin.php   <html><head><title>Sign In</title></head><body>
<?php include 'header.php'; ?>
<?php include 'menu.php'; ?>
<center>
<form method="post" action="checklogin.php">
  <h3>Please Signin</h3>
  <table width="400" border="0">
    <tr><td>Email</td>
      <td><input name="email" type="text" id="email"></td></tr>
    <tr><td>Password</td>
      <td><input name="password" type="password" id="password"></td></tr>
  </table>  <p><label>
    <input type="submit" email="submit" value="Submit">
    </label><input email="reset" type="reset">
    </p>
  </form>
</center>
</body>
</html>   checklogin.php <html><head><title>Check Login</title></head><body>
<?php
include 'header.php';
include 'menu.php'; $email=$_POST['email'];
$password=$_POST['password']; @ $db = mysql_pconnect('localhost', 'root', '');
if (!$db)
{ echo 'Error: Could not connect to database. Please try again later.';
exit;}
mysql_select_db('car');
$q=mysql_query("select * from user where email='".$email."'  and password='".$password."' ") or die(mysql_error());
$res=mysql_fetch_row($q);
if($res)
{
 header('location:welcome.php');
}
else
{
  echo' Please signin again as your user name and password is not valid';
}
?>
</body>
</html>     Attached Files  header.php   284bytes   0 downloads  menu.php   308bytes   0 downloads

I'm trying to get the screen to print out the users IP address so I've used the following code. 


echo($_SERVER['REMOTE_ADDR']);


However this only prints out "::1".  Does anyone know why it's printing this and not a proper IP Address?

Thanks

I run a small taxi company and use a php form generated user enquiry at the following url http://www.brightonairportcabs.co.uk/bookingform.html. i would like to capture the ip address of the user of my form.

I have read lots of ways of doing it but do not understand where to put the code.

i have a processor.php file and the webform itself,

Please can someone explain how i would go about getting the user ip to stop some spam that i am getting.

This is an example of the email i get through from a user submitting the form.

Online Booking:

Passenger Booking Name: ------
Email: example@email isp
Telephone: ----- ------
No of Adults: 2
No of Children: 
Field question 1: 
Journey Type: Single-One Way
Vehicle Type: 1-4 Passenger, 2-3 Cases + Hand Luggage
I wish to be picked up from: Home Address
I wish to be dropped at: Heathrow Airport
Journey Date 1: 12/24/2011
Journey Date 2: 
Any Comments, Collection Address, Collection Time, etc: Collection Address:

 
Journey Collection Time: 11am

hopefully you can help in easy instructions,

please let me know if you need any other information such as the coding from the form itself.

many thanks in anticipation

Merry Christmas to all users and i am glad i have come across the forum, i will be a regular visitor but cannot probably input any help, although you never know.

The html Form I'm using works successfully with this php code:

 

<?php
//check if form was sent
if($_POST){
	$to = 's@hmail.com';
	$subject = 'Form1';

	$name = $_POST['name'];
	$email = $_POST['email'];
	$message = $_POST['message'];
	$headers = $name;
	$message .= "\r\n\r\n" . $name;

if( empty($_POST["some_place"]) or $_POST['some_place'] != "glory" )
{
   header("HTTP/1.0 403 Forbidden");
   	}else{
   		mail( $to, $subject, $message, $email, $headers );
   	}
		header('Location: https://.......com');
   exit;
}
?>

The problem is that when the email is received it shows the (from) email address to be my domain account user name @ the server name, like this:
domain1@host3servername.com, where I’d prefer something more like noReply@actualdomain.com

Any help or suggested remedy will be appreciated

I have a form with PHP validation and also a mysqli query checking for duplicates in the database for mailing address and email address in mysql.     It works fine but the customers are adding spaces in the mailing address for example  111 mailing address A V  E, 1 1 1 ma iling address A V  E etc.  and my sql query doesn't see that as an address that's a duplicate.    Their alslo adding email address like my@emailaddress.com and m.y@emailaddress.com, m.y.2@emailaddress.com etc to bypass that comparision also.    Is there anyway to stop this from happening?        

I am currently doing the following but wish to change to using JWTs.

A webserver is running some CRM system which has its own authentication system and browsers can access public routes without logging and but must log on first to access private routes. All the routes on the webserver which are prefixed by "api" will be forwarded to specific REST API along with an "account" GUID in the header and the user's ID if it exists. For the routes that require a user to be logged in, the webserver will first check if a session exists, and if not make a preliminary GET request to the REST API which includes the GUID as well as the user's ID and encrypted password (both based on the webserver's CRM DB) in the URL.  Not sure whether anything is possible by including the hashed password and am currently not doing anything with it.  The REST API queries the DB using the GUID and webserver's user ID and returns the REST API's users ID and the webserver stores it in a session. The REST API receives the GUID and potentially the REST API's user ID and queries the DB to retrieve the account and potentially user before executing the route, and returns the response to the webserver which it returns it to the browser.

The new approach might be something like the following:

Before the webserver forwards any request to the REST API, it checks if a session is set, and if not performs a GET request to the REST API along with the GUID and if known user's credentials in the URL and receives a JWT which contains a payload including the account PK, and potentially the user PK, user's access level, etc. All future requests include this JWT in the header. The REST API no longer queries the DB to get the account ID and user authorized settings as it is provided in the JWT.

A couple of questions:

What should be done if a non-logged on user first accesses a public route, gets a JWT, and stores it in a session, but then later logs on and accesses a private route?  The webserver thinks it has a valid JWT and will send it but the REST API will then decrypt it and find there is no user it.  One option is for the webserver to use two sessions, but this sounds kludgy.  Or maybe the REST API returns some header which instructs the webserver to re-authenticate, but not sure if even an option, and if so how to cleanly prevent some loop.  Also, would it be necessary to issue a new JWT or can the payload in a JWT be changed? Is GET appropriate for requesting the JWT's or should I use some other method? Is it appropriate to include the user's access level in the JWT payload?  Will one need to wait until the JWT has expired before their access level changes? Any ideas how to deal with using the user's password on the CRM to also authenticate on the REST API?  The GUID is probably secret enough for the application and if an issue, can just use the GUID and username. Am I going down an reasonable path and anything else obvious I should be considering?

Thanks!

Hi all,

I have an authentication part on my website that checks every page through a session variable if a user is logged in and which user it is.
When I test my code on my computer it works perfectly registration and login goes smooth but when someone on another computer tries it they get the acces denied page.... does anyone know why???

Greets Ryflex

Pardon my noobness, but I'm learning to wrap AJAX into my work and use it to get XML instead of "static" PHP that generates the HTML.  The login/security portion has my head spinning, but it's probably not as difficult as I think and I'm probably just confusing myself. 

In the past, for each PHP page in my site, I would perform a quick salted login check based on the username/password stored in the $_SESSION variables.  Perhaps it was a bit overboard to check on each page, but, well, I did it.

With AJAX, I *NEED* to ensure that the php resulting from an AJAX POST request won't run if the user isn't authenticated, and I need to ensure that they didn't just somehow force a $_SESSION variable to reflect an authenticated session.  I also need to ensure that someone can't just load up the PHP page on it's own, somehow send a POST to it and run it without being authenticated. 

I suppose that beyond the larger picture of "How do I ensure that the user is authenticated, the POST request is authentic, and nobody has forced a change in the $_SESSION stored on the server, I have a few specific questions. 

I know that in part I'm confused about the whole cookie/SESSION process.  In my old PHP site, the SESSION number was stored on the cookie on the user's machine.  If the info is sent via AJAX, does the PHP get the SESSION info from the cookie or does it have to be explicitly sent?  With potentially several users sending AJAX requests at the same time, how will my PHP know which SESSION to use for each request?

Is is secure enough to set an "Autheticated" flag in $_SESSION once the user is authenticated the first time?   Is it really just as simple as sending a username/salted password hash as AJAX/POST and setting an authenticated flag in the SESSION to ensure that the rest of the AJAX application runs without allowing someone to back-door the PHP?

Ive put together a PHP/MySQLi login script for my site.

However I was wandering:
    1. Does Facebook use PHP Cookies or Sessions for their login? (Figured out my own answer )
    2. How does FB set the Cookie/Session so that when I log into facebook.com I am also logged into developers.facebook.com

Thanks in advance.

Hello everyone,

I have a site where users sign up using an email address as their username.  I want to be able to verify that their email address is valid without having to send them a confirmation email that they have to click some link in before they are allowed to sign in to the website.  Maybe something that pings the email server for a specific address, and if the address is not valid, alert the user to enter a valid address.  Does anyone have any ideas or information that you could point me to to assist me with this task?  Thanks in advance for any help or ideas.

hey guys im after a bit of information regarding user authentication please...   now I have previously save a users session id in my database after they have logged in so when leaving and coming back to the site im able to compare session id's to get username etc...is this still the way or am I now a little old fashioned?   a few more things...do I save information such as username, access level as a session or cookie?...and what is the best way to encrypt passwords please?   thank you    

The application that I want to build is quite simple. Here is a bit of the background of the work flow:

In my company, we create video for our client profile. After the video is done, we upload the video to our website and to youtube. It is done automatically.

After a period of time, the client can delete the video. Of course, it will delete the video in our system as well as the video in youtube. For now, the video in our system is deleted automatically. However, youtube video is deleted manually.

Our company has grown to have quite a lot of clients. It's hard for us to keep track clients that requested to delete their videos. We want to be able to have an application that will delete youtube video automatically.

I already tried to play around with youtube authentication in http://code.google.com/apis/youtube/2.0/developers_guide_php.html#Authentication but I have no luck with the authentication.

I want the application to be able to delete the video under my youtube account without having me to login to youtube. In my case right now, every time the application wants to delete the video, I have to send the request to youtube and ask for verification (i.e. I have to do application verification every time).

Here is what I have done so far:


ini_set('display_errors', 1);
ini_set('log_errors', 1);
ini_set('error_log', dirname(__FILE__) . '/error_log.txt');
error_reporting(E_ALL);


require_once('db_class.php');
require_once 'Zend/Loader.php';
Zend_Loader::loadClass('Zend_Gdata_YouTube');
Zend_Loader::loadClass('Zend_Gdata_AuthSub');
Zend_Loader::loadClass('Zend_Gdata_App_Exception');

session_start();
setLogging('on');
$_SESSION['developerKey'] = 'AI39si5H3hL9tcKOMl80IqzoC6nb87ka1QLgHxLp9nFi1l44dLa987_Gi0rbofLePQdFEWf1lrSB8KGs4lXIrcF8TR6PhUcO3Q';

function getAuthSubRequestUrl()
{
    $next = 'http://example.com/youtube_delete_video.php';
    $scope = 'http://gdata.youtube.com';
    $secure = false;
    $session = true;
    return Zend_Gdata_AuthSub::getAuthSubTokenUri($next, $scope, $secure, $session);
}

function updateAuthSubToken($singleUseToken)
{
    try {
        $sessionToken = Zend_Gdata_AuthSub::getAuthSubSessionToken($singleUseToken);
    } catch (Zend_Gdata_App_Exception $e) {
        print 'ERROR - Token upgrade for ' . $singleUseToken
            . ' failed : ' . $e->getMessage();
        return;
    }

    $_SESSION['sessionToken'] = $sessionToken;
        
    generateUrlInformation();
    
    header('Location: ' . $_SESSION['homeUrl']);
}

function getAuthSubHttpClient()
{
    try {
        $httpClient = Zend_Gdata_AuthSub::getHttpClient($_SESSION['sessionToken']);
    } catch (Zend_Gdata_App_Exception $e) {
        print 'ERROR - Could not obtain authenticated Http client object. '
            . $e->getMessage();
        return;
    }
    $httpClient->setHeaders('X-GData-Key', 'key='. $_SESSION['developerKey']);
    return $httpClient;
}

function generateUrlInformation()
{
    if (!isset($_SESSION['operationsUrl']) || !isset($_SESSION['homeUrl'])) {
        $_SESSION['operationsUrl'] = 'http://'. $_SERVER['HTTP_HOST']
                                   . $_SERVER['PHP_SELF'];
        $path = explode('/', $_SERVER['PHP_SELF']);
        $path[count($path)-1] = 'index.php';
        $_SESSION['homeUrl'] = 'http://'. $_SERVER['HTTP_HOST']
                             . implode('/', $path);
    }
}

function loggingEnabled()
{
    if ($_SESSION['logging'] == 'on') {
        return true;
    }
}

function setLogging($loggingOption, $maxLogItems = 10)
{
    switch ($loggingOption) {
        case 'on' :
            $_SESSION['logging'] = 'on';
            $_SESSION['log_currentCounter'] = 0;
            $_SESSION['log_maxLogEntries'] = $maxLogItems;
            break;

        case 'off':
            $_SESSION['logging'] = 'off';
            break;
    }
}

function logMessage($message, $messageType)
{
    if (!isset($_SESSION['log_maxLogEntries'])) {
        $_SESSION['log_maxLogEntries'] = 20;
    }

    if (!isset($_SESSION['log_currentCounter'])) {
        $_SESSION['log_currentCounter'] = 0;
    }

    $currentCounter = $_SESSION['log_currentCounter'];
    $currentCounter++;

    if ($currentCounter > $_SESSION['log_maxLogEntries']) {
        $_SESSION['log_currentCounter'] = 0;
    }

    $logLocation = 'log_entry_'. $currentCounter . '_' . $messageType;
    $_SESSION[$logLocation] = $message;
    $_SESSION['log_currentCounter'] = $currentCounter;
}

function printCacheWarning()
{
    return '<p class="note">'
         . 'Please note that the change may not be reflected in the API '
         . 'immediately due to caching.<br/>'
         . 'Please refer to the API documentation for more details.</p>';
}


function editVideoData($videoId)
{
    $httpClient = getAuthSubHttpClient();
    $youTubeService = new Zend_Gdata_YouTube($httpClient);
   $videoEntryToUpdate = $youTubeService->getFullVideoEntry($videoId);

    if (!$videoEntryToUpdate instanceof Zend_Gdata_YouTube_VideoEntry) {
        print 'ERROR - Could not find a video entry with id ' . $videoId
            . '<br />' . printCacheWarning();
        return;
    }

    try {
        $putUrl = $videoEntryToUpdate->getEditLink()->getHref();
    } catch (Zend_Gdata_App_Exception $e) {
        print 'ERROR - Could not obtain video entry\'s edit link: '
            . $e->getMessage() . '<br />';
        return;
    }

    $videoEntryToUpdate->setVideoTitle("My Test Movie - Private 10000012");
    $videoEntryToUpdate->setVideoDescription("My Test Movie - Private 10000012");
    $videoEntryToUpdate->setVideoPrivate();

    try {
        $updatedEntry = $youTubeService->updateEntry($videoEntryToUpdate, $putUrl);
        if (loggingEnabled()) {
            logMessage($httpClient->getLastRequest(), 'request');
            logMessage($httpClient->getLastResponse()->getBody(), 'response');
        }
    } catch (Zend_Gdata_App_HttpException $httpException) {
        print 'ERROR ' . $httpException->getMessage()
            . ' HTTP details<br /><textarea cols="100" rows="20">'
            . $httpException->getRawResponseBody()
            . '</textarea><br />'
            . '<a href="session_details.php">'
            . 'click here to view details of last request</a><br />';
        return;
    } catch (Zend_Gdata_App_Exception $e) {
        print 'ERROR - Could not post video meta-data: ' . $e->getMessage();
        return;
    }
        print 'Entry updated successfully.<br /><a href="#" onclick="'
            . 'ytVideoApp.presentFeed(\'search_owner\', 5, 0, \'none\'); '
            . 'ytVideoApp.refreshSearchResults();" >'
            . '(refresh your video listing)</a><br />'
            . printCacheWarning();
}


if (!isset($_GET['token'])) {

$returnURL = getAuthSubRequestUrl();
echo "<a href=".$returnURL.">Link To Google</a>";

} else {
$singleUseToken = $_GET['token'];
updateAuthSubToken($singleUseToken);

/* editVideoData('mJDRXXaFVGw'); */
}



This is how I call the function: http://example.com/youtube_delete_video.php

So, what I need basically is to know
1. how can I store the authentication after I verify it from youtube?
2. What function to populate after I store the authentication? <- I couldn't figure where this part is in the documentation.

PS: example.com is not a real url. It's just for the sake of writing the post he )

Hi,

I'm completely new to LDAP authentication but have managed to get a fairly smooth working script. However, I was wondering what is the easiest way to get a BASEDN from a Fully Qualified Domain Name.

At the moment I have a loop which would take:

example.com

and turn it into
dc=examplem,dc=com

But is that the best way?