<?php
/***********************
Makes use of two MySQL tables.
users:
CREATE TABLE `users` (
`id` int(11) NOT NULL auto_increment,
`username` varchar(20) default NULL,
`password` varchar(40) default NULL,
`fullname` varchar(30) default NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM   -- (the older `TYPE=MyISAM` spelling was removed in MySQL 5.5)
seeds:
CREATE TABLE `seeds` (
`id` int(11) NOT NULL auto_increment,
`seed` timestamp(14) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM   -- (the older `TYPE=MyISAM` spelling was removed in MySQL 5.5)
*/
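// connect to mysql
// NOTE(review): the mysql_* extension is deprecated since PHP 5.5 and gone in PHP 7;
// this endpoint should be ported to mysqli/PDO with prepared statements. The changes
// below stay inside the existing API so the client-side JS protocol keeps working.
$mysql = mysql_connect('localhost', '###USERNAME###', '###PASSWORD###');
// fail on database errors
if (!$mysql) {
    die('false|Could not connect to MySQL');
}
// select the database; the return value used to be ignored, so a wrong database
// name only surfaced later as a confusing query error
if (!mysql_select_db('jamesdam_ajaxlogin', $mysql)) {
    die('false|Could not connect to login database. Please try again');
}

// Request parameters. The original read everything from $_GET, which puts the
// username, seed id and login hash into web-server logs, browser history and the
// Referer header. POST is preferred; GET is still honoured for the existing client.
$params = $_POST + $_GET;
$task = isset($params['task']) ? (string)$params['task'] : '';

// one task of the server is to provide random values to hash with
if ($task === 'getseed') {
    // insert a new row with default values; the `seed` column is a TIMESTAMP that
    // MySQL fills with the current time.
    // NOTE(review): a timestamp with one-second resolution is predictable, not a
    // nonce. A random value (e.g. bin2hex(random_bytes(16)) stored in a CHAR column)
    // would be a better challenge; the client only concatenates the string it is
    // given, so this would need a schema change but no change to the hashing.
    if (!mysql_query('INSERT INTO seeds VALUES()', $mysql)) {
        die('false|' . mysql_error($mysql));
    }
    // fetch the row THIS connection just inserted. The original used
    // "ORDER BY id DESC LIMIT 1", which under concurrent requests can hand back a
    // seed that was created for another client.
    $seedId = (int)mysql_insert_id($mysql);
    $result = mysql_query('SELECT id, seed FROM seeds WHERE id=' . $seedId, $mysql);
    if (!$result) { // fail on error
        die('false|' . mysql_error($mysql));
    }
    $row = mysql_fetch_assoc($result);
    if (!$row) {
        die('false|' . mysql_error($mysql));
    }
    echo($row['id'] . '|' . $row['seed']); // write back the data in form id|random_value
}
// the other task of the server is to check a username/password combination
elseif ($task === 'checklogin') {
    // read inputs once, with explicit types, instead of trusting raw $_GET entries
    $username   = isset($params['username']) ? (string)$params['username'] : '';
    $seedId     = isset($params['id']) ? (int)$params['id'] : 0;
    $clientHash = isset($params['hash']) ? (string)$params['hash'] : '';

    // formulate query for username (escaped against the live connection)
    $sql = 'SELECT * FROM users WHERE username = \'' . mysql_real_escape_string($username, $mysql) . '\'';
    $result = mysql_query($sql, $mysql);
    // fail on sql failure
    if (!$result) {
        die('false|Could not connect to login database. Please try again');
    }
    // get the first user with username in the table (should only be one)
    $user_row = mysql_fetch_assoc($result);
    // if there isn't one
    if (!$user_row) {
        // then the username doesn't exist, but don't let the user know that this is
        // the problem; rather inform them more vaguely that the combination is
        // incorrect, which prevents someone from fishing for valid usernames.
        // (The response body is identical to the bad-password case below, but the
        // timing differs slightly since no seed lookup or md5 runs on this path.)
        die('false|Invalid username and password combination.');
    }
    // formulate query for the seed row belonging to the given id (already an int)
    $result = mysql_query('SELECT * FROM seeds WHERE id=' . $seedId, $mysql);
    // die if the query fails
    if (!$result) {
        die('false|Unknown error (hacking attempt).');
    }
    // get the first (only) seed
    $seed_row = mysql_fetch_assoc($result);
    // fail if no row (unknown id, or a seed that has already been consumed)
    if (!$seed_row) {
        die('false|Unknown error (hacking attempt).');
    }
    // Recompute what the client-side JS is expected to have produced.
    // NOTE(review): whatever is stored in users.password is exactly the value the
    // client feeds into md5, so it is a password-equivalent secret: a dump of the
    // users table lets anyone log in without cracking anything, and anyone who can
    // observe the request can brute-force the password offline from hash+seed.
    // This challenge/response scheme is not a substitute for TLS plus
    // password_hash()/password_verify() server-side; it is kept only because the
    // deployed client depends on it.
    $expected = md5($user_row['password'] . $seed_row['seed']);
    // The original compared with `==`. Under loose comparison a digest such as
    // "0e1234..." equals the string "0" (both parse as numeric zero), so a client
    // could pass hash=0 and match any user whose digest happens to start with "0e".
    // hash_equals() is a strict, constant-time string comparison.
    if (hash_equals($expected, $clientHash)) {
        // Consume the seed BEFORE announcing success so the same id|hash pair
        // cannot be replayed. The original deleted from a table named `s`, which
        // does not exist, so the delete silently failed and every seed stayed
        // valid forever.
        if (!mysql_query('DELETE FROM seeds WHERE id=' . $seedId, $mysql)) {
            die('false|Unknown error (hacking attempt).');
        }
        // logged in
        echo('true|' . $user_row['fullname']);
    } else {
        // not logged in.. incorrect password
        die('false|Invalid username and password combination.');
    }
}
?>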