Tuesday, 12 July 2011

PHP Upload single file

A simple PHP file-upload script, made of two files:
1. upload.php
2. upload_ac.php


Steps
1. Create file upload.php.
2. Create file upload_ac.php.
3. Create a folder "upload" to store the uploaded files.
Create file upload.php
 <table width="500" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form action="upload_ac.php" method="post" enctype="multipart/form-data" name="form1" id="form1">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td><strong>Single File Upload </strong></td>
</tr>
<tr>
<td>Select file
<input name="ufile" type="file" id="ufile" size="50" /></td>
</tr>
<tr>
<td align="center"><input type="submit" name="Submit" value="Upload" /></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
Create file upload_ac.php
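<?php
//set where you want to store files
//in this example we keep file in folder upload
//$_FILES['ufile']['name'] = upload file name as sent by the browser (untrusted)
//for example upload file name cartoon.gif . $path will be upload/cartoon.gif

if(isset($_FILES['ufile']) && $_FILES['ufile']['error'] === UPLOAD_ERR_OK)
{
//basename() drops any directory part, so the name cannot point outside the upload folder
$name = basename($_FILES['ufile']['name']);
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$path= "upload/".$name;

//accept image extensions only, so a script such as .php is never stored in a web-served folder
//move_uploaded_file() refuses any source that is not a genuine HTTP upload
if(in_array($ext, array('gif', 'jpg', 'jpeg', 'png'), true) &&
move_uploaded_file($_FILES['ufile']['tmp_name'], $path))
{
echo "Successful<BR/>";
//$_FILES['ufile']['name'] = file name
//$_FILES['ufile']['size'] = file size
//$_FILES['ufile']['type'] = type of file (reported by the browser, not verified)

//escape everything that came from the client before printing it
echo "File Name :".htmlspecialchars($name)."<BR/>";
echo "File Size :".(int)$_FILES['ufile']['size']."<BR/>";
echo "File Type :".htmlspecialchars($_FILES['ufile']['type'])."<BR/>";
echo "<img src=\"".htmlspecialchars($path)."\" width=\"150\" height=\"150\">";
}
else
{
echo "Error";
}
}
?>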
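
A stricter variant of upload_ac.php, added here as an example and not part of the original tutorial: it identifies the file type from the file's content and stores it under a server-generated name. The function name store_image_upload(), the list of accepted types and the 2 MB limit are assumptions.

```php
<?php
// Added example, not the tutorial's code. store_image_upload(), the type map
// and the 2 MB limit are assumptions chosen for illustration.
function store_image_upload(array $file, string $destDir, int $maxBytes = 2097152): string
{
    // PHP sets 'error' itself; anything but UPLOAD_ERR_OK means no usable file.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Guards against a tmp_name that does not point at a real HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // Decide the type from the file's bytes, not from the browser-supplied
    // 'type' field or the extension in 'name'.
    $allowed = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Only GIF, JPEG and PNG images are accepted');
    }
    // The stored name is generated here, so nothing the client sent reaches the
    // filesystem path: no traversal, no overwrite, no ".php" extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $stored)) {
        throw new RuntimeException('Could not store the file');
    }
    return $stored;
}

// Usage inside upload_ac.php; "ufile" is the form field from upload.php.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['ufile'])) {
    try {
        $stored = store_image_upload($_FILES['ufile'], __DIR__ . '/upload');
        echo 'Successful<BR/><img src="upload/' . $stored . '" width="150" height="150">';
    } catch (RuntimeException $e) {
        echo 'Error: ' . htmlspecialchars($e->getMessage());
    }
}
```

The fileinfo extension must be enabled for finfo to be available.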

Sending Forgotten Password

How to send users their password by e-mail when they have forgotten it.
Suppose a member has forgotten the password for logging in to a website. We will send the password to the member's e-mail address.

1. forgot_password.php
2. send_password_ac.php

Database
1. members


Syntax
$email_to=$_POST['email_to'];

"SELECT password FROM table_name WHERE email=?"; // $email_to is bound as a parameter, not pasted into the query

Create table "members"
This is our database table "members". MS saha's password is "951412dwe" and his e-mail is "mark@phpeaststep.com".


CREATE TABLE `members` (
`id` int(4) NOT NULL auto_increment,
`name` varchar(65) NOT NULL default '',
`lastname` varchar(65) NOT NULL default '',
`email` varchar(65) NOT NULL default '',
`password` varchar(65) NOT NULL default '',
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;
--
-- Dumping data for table `members`
--
INSERT INTO `members` VALUES (1, 'Billly', 'Blueton', 'email_1@somewhere.com', '789789');
INSERT INTO `members` VALUES (2, 'Jame', 'Campbell', 'email_2@somewhere.com', '654123ddf');
INSERT INTO `members` VALUES (3, 'Mark', 'Jackson', 'email_4@somewhere.com', '951412dwe');
* replace email_1, 2 , 3 with your e-mail address for testing

forgot_password.php

Create a form with a text field named "email_to" and set the form action to "send_password_ac.php".

############### Code

<table width="380" border="0" cellpadding="3" cellspacing="1" >
<tr>
<td width="33%"><strong>Enter your email : </strong></td>
<td width="67%">
<form name="form1" method="post" action="send_password_ac.php">
<input name="email_to" type="text" id="mail_to" size="25">
<input type="submit" name="Submit" value="Submit">
</form>

</td>
</tr>
</table>
send_password_ac.php
What to do?
1. After the submit button is pressed, the form sends the e-mail address to "send_password_ac.php".
2. In "send_password_ac.php" we have to find this e-mail address in our database.
3. If the e-mail address is found in our database, put the password in the variable "$your_password" and send it to the e-mail address that came from our form.
4. If the e-mail address is not found in the database, display the message "Not found your e-mail in our database".

  ############### Code
<?php
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name


//Connect to server and select database.
//(the mysql_* functions were removed in PHP 7; mysqli replaces them)
$db=mysqli_connect($host, $username, $password, $db_name) or die("cannot connect to server");

// value sent from form
$email_to=isset($_POST['email_to']) ? trim($_POST['email_to']) : "";

// accept a single well-formed address only; this also keeps CR/LF out of mail()
if(!filter_var($email_to, FILTER_VALIDATE_EMAIL)){
die("Not found your email in our database");
}

// table name

$tbl_name="members";

// retrieve password from table where e-mail = $email_to(mark@phpeasystep.com)
// the address is bound as a parameter, so quotes in it cannot change the query
$stmt=mysqli_prepare($db, "SELECT password FROM $tbl_name WHERE email=?");
mysqli_stmt_bind_param($stmt, "s", $email_to);
mysqli_stmt_execute($stmt);

// keep password in $your_password
mysqli_stmt_bind_result($stmt, $your_password);

// if found this e-mail address, a row is fetched
if(mysqli_stmt_fetch($stmt)){

// ---------------- SEND MAIL FORM ----------------

// send e-mail to ...
$to=$email_to;

// Your subject
$subject="Your password here";

// From
$header="from: your name <your email>";

// Your message
$messages= "Your password for login to our website \r\n";
$messages.="Your password is $your_password \r\n";
$messages.="more message... \r\n";
// send email
$sentmail = mail($to,$subject,$messages,$header);

// if your email successfully sent
if($sentmail){
echo "Your Password Has Been Sent To Your Email Address.";
}
else {
echo "Cannot send password to your e-mail address";
}

}

// else if no row was found
else {
echo "Not found your email in our database";
}

?>

  ***Update***
I've got a lot of complaints about the security of sending the real password that exists in the database. This may cause some trouble.

A new way to send the password, which you can adapt from my verifying email tutorial:

Concept
- Your user enters an e-mail address in the password request form.
- Find that e-mail address in our database.
- If found, generate a random confirmation code and send it to the e-mail address to verify it, and also keep the confirmation code in temp_database (don't forget to create it first).
- Your user opens the e-mail and clicks on the confirmation link.
- Generate a new random password and send it to the e-mail address.
- To generate the new random password you can use this code:

<?php
// random_bytes() reads from the operating system's CSPRNG (PHP 7+);
// md5(uniqid(rand())) is derived from the clock and a weak seed, so it can be guessed
$random_password=bin2hex(random_bytes(16));
$new_password=substr($random_password, 0, 8);
echo $new_password;
?>
- After the e-mail has been sent, update the old password in the database to the new random password.

- If you can wait, I'm writing it now; wait a few days.
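
The concept above as working code, added here as an example and not taken from the tutorial. The table temp_reset, the functions request_reset() and confirm_reset(), the confirm.php link and the one-hour expiry are assumptions; the demo at the end runs on a constructed in-memory SQLite database and collects mail in an array instead of sending it.

```php
<?php
// Added example, not the tutorial's code. temp_reset(email, code_hash, expires),
// both function names and the example.invalid link are assumptions.
function request_reset(PDO $pdo, string $email, callable $send): void
{
    // Prepared statement: the address is bound as data, never spliced into SQL.
    $st = $pdo->prepare('SELECT id FROM members WHERE email = ?');
    $st->execute([$email]);
    if ($st->fetchColumn() === false) {
        return; // the page shows the same message either way, so accounts cannot be probed
    }
    $code = bin2hex(random_bytes(16)); // confirmation code from the CSPRNG
    // Only a hash of the code is stored, so a database leak does not expose live codes.
    $pdo->prepare('INSERT INTO temp_reset (email, code_hash, expires) VALUES (?, ?, ?)')
        ->execute([$email, hash('sha256', $code), time() + 3600]);
    $send($email, "Confirm: https://example.invalid/confirm.php?code=$code");
}

function confirm_reset(PDO $pdo, string $code, callable $send): bool
{
    $st = $pdo->prepare('SELECT email FROM temp_reset WHERE code_hash = ? AND expires > ?');
    $st->execute([hash('sha256', $code), time()]);
    $email = $st->fetchColumn();
    if ($email === false) {
        return false; // unknown, expired or already used code
    }
    $new = bin2hex(random_bytes(4)); // 8-character random password, as in the concept
    // The database keeps password_hash() output, not the password itself.
    $pdo->prepare('UPDATE members SET password = ? WHERE email = ?')
        ->execute([password_hash($new, PASSWORD_DEFAULT), $email]);
    $pdo->prepare('DELETE FROM temp_reset WHERE email = ?')->execute([$email]); // single use
    $send($email, "Your new password is $new");
    return true;
}

// Constructed demo: in-memory database, mail captured in $outbox.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
$pdo->exec('CREATE TABLE temp_reset (email TEXT, code_hash TEXT, expires INTEGER)');
$pdo->exec("INSERT INTO members (email, password) VALUES ('email_1@somewhere.com', 'x')");
$outbox = [];
$send = function (string $to, string $body) use (&$outbox) { $outbox[] = [$to, $body]; };
request_reset($pdo, "o'brien@somewhere.com", $send); // quote is bound as data: no row, no mail
request_reset($pdo, 'email_1@somewhere.com', $send);
preg_match('/code=([0-9a-f]+)/', $outbox[0][1], $m);
var_dump(count($outbox) === 1, confirm_reset($pdo, $m[1], $send), confirm_reset($pdo, $m[1], $send));
```

With password_hash() in the database, the login check uses password_verify() instead of comparing strings.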

Monday, 11 July 2011

Automatic refresh webpage

Automatic refresh webpage / Set time to redirect
When you need your web page to refresh automatically after 5 seconds, or any other number of seconds, use this meta tag. It is simple code; put it inside the HEAD tag of your web page.
 
Overview
This script is easy but powerful. Many websites use it to redirect to another page or to refresh the same page. For example, my website updates every 10 minutes and I want to show users my latest content, so I put this script in my page and set it to refresh every 10 minutes.

Automatic Refresh / Redirect
<HEAD>
<meta http-equiv="refresh" content="2;url=file_name or URL">
</HEAD>
// content = time (seconds)
// file_name = name of the file you want to refresh or redirect to

Sunday, 10 July 2011

PHP - Implementing Secure Login with PHP, JavaScript, and Sessions (without SSL)

login.php

<?php 
//
// LOGIN PAGE
//
//   Server-side:
//     1. Start a session
//     2. Clear the session
//     3. Generate a random challenge string
//     4. Save the challenge string in the session
//     5. Expose the challenge string to the page via a hidden input field
//
//  Client-side:
//     1. When the user completes the form and clicks on Login button
//     2. Validate the form (i.e. verify that all the fields have been filled out)
//     3. Set the hidden response field to HEX(MD5(server-generated-challenge + user-supplied-password))
//     4. Submit the form

session_start();
session_unset();
// 80 hex characters (40 bytes) from the CSPRNG; rand() output is predictable
// and must not be used for a challenge
$challenge = bin2hex(random_bytes(40));
$_SESSION['challenge'] = $challenge;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
    <head>
        <title>Login</title>
        <script type="text/javascript" src="http://pajhome.org.uk/crypt/md5/md5.js"></script>
        <script type="text/javascript">
            function login() {
                var loginForm = document.getElementById("loginForm");
                if (loginForm.username.value == "") {
                    alert("Please enter your user name.");
                    return false;
                }
                if (loginForm.password.value == "") {
                    alert("Please enter your password.");
                    return false;
                }
                var submitForm = document.getElementById("submitForm");
                submitForm.username.value = loginForm.username.value;
                submitForm.response.value =
                    hex_md5(loginForm.challenge.value+loginForm.password.value);
                submitForm.submit();
            }
        </script>
    </head>
    <body>
        <h1>Please Login</h1>
        <form id="loginForm" action="#" method="post">
            <table>
                <?php if (isset($_REQUEST['error'])) { ?>
                <tr>
                    <td>Error</td>
                    <td style="color: red;"><?php echo htmlspecialchars($_REQUEST['error']); /* escaped: the value comes from the URL */ ?></td>
                </tr>
                <?php } ?>
                <tr>
                    <td>User Name:</td>
                    <td><input type="text" name="username"/></td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><input type="password" name="password"/></td>
                </tr>
                <tr>
                    <td>&nbsp;</td>
                    <td>
                        <input type="hidden" name="challenge" value="<?php echo $challenge; ?>"/>
                        <input type="button" name="submit" value="Login" onclick="login();"/>
                    </td>
                </tr>
            </table>
        </form>
        <form id="submitForm" action="authenticate.php" method="post">
            <div>
                <input type="hidden" name="username"/>
                <input type="hidden" name="response"/>
            </div>
        </form>
    </body>
</html>

authenticate.php

<?php 

//
// AUTHENTICATE PAGE
//
//   Server-side:
//     1. Get the challenge from the user session
//     2. Get the password for the supplied user (local lookup)
//     3. Compute expected_response = MD5(challenge+password)
//     4. If expected_response == supplied response:
//        4.1. Mark session as authenticated and forward to secret.php
//        4.2. Otherwise, authentication failed. Go back to login.php
$userDB = array("john" => "abc123",
"bob"  => "secret",
"anna" => "passwd");
function getPasswordForUser($username) {
// get password from a simple associative array
// but this could be easily rewritten to fetch user info from a real DB
global $userDB;
// unknown users (or non-string input) yield null, which validate() rejects
return (is_string($username) && isset($userDB[$username])) ? $userDB[$username] : null;
}
function validate($challenge, $response, $password) {
// hash_equals() compares in constant time; unlike ==, it never treats two
// different "0e..." digests as equal numbers
return is_string($response) && is_string($password) &&
hash_equals(md5($challenge . $password), $response);
}
function authenticate() {
if (isset($_SESSION['challenge']) &&
isset($_REQUEST['username']) &&
isset($_REQUEST['response'])) {
$password = getPasswordForUser($_REQUEST['username']);
if (validate($_SESSION['challenge'], $_REQUEST['response'], $password)) {
// new session id on login, so an id known before authentication is useless afterwards
session_regenerate_id(true);
$_SESSION['authenticated'] = "yes";
$_SESSION['username'] = $_REQUEST['username'];
unset($_SESSION['challenge']);
} else {
header("Location:login.php?error=".urlencode("Failed authentication"));
exit;
}
} else {
header("Location:login.php?error=".urlencode("Session expired"));
exit;
}
}
session_start();
authenticate();
header("Location:secret.php");
exit();
?>

common.php

<?php

//
// COMMON PAGE
//
//   Defines require_authentication() function:
//     If the user is not authenticated, forward to the login page
//     

session_start();
function is_authenticated() {
return isset($_SESSION['authenticated']) &&
$_SESSION['authenticated'] == "yes";
}
function require_authentication() {
if (!is_authenticated()) {
header("Location:login.php?error=".urlencode("Not authenticated"));
exit;
}
}
?>