#native_company# #native_desc#
#native_cta#

PHP-odbc_group_check

By Jeremy Brooks
on December 22, 2000

Version: 1.0.0

Type: Full Script

Category: Databases

License: GNU General Public License

Description: PHP4 odbc-based scripts to 1. protect a PHP page with user auth info stored in an odbc db (encrypted password, login attempt logging, IP logging, last/current login date, etc) and 2. sets view permissions on a per-page basis (i.e., users in groups 4 and g can view this page, etc). Written for Windows/Apache, but only has a few lines (path to log files and includes/requires) that are plaform-specific. Latest version at http://www.datapriority.com/GC/GC.html . Bug fixes/suggestions are welcome!

*************These 3 scripts must be saved seperately to function...


****************BEGIN auth_test.inc*************

<?
////////////////////////////////////////////////////////////////////////////////////
//This script is the property of Jeremy Brooks ([email protected])
//and is released under the GNU Public License (www.gnu.org).
//Unauthorized use is prohibited.
//
//If you use this script please let me know how (if) it works for you.
//Users are strongly encouraged to send me tweaks, questions, 
//suggestions, or just tell me if, how and where you are using it
//
//if anyone ports this to non-odbc or non-windows use PA-LEEZ send it to me...
//////////////////////////////////////////////////////////////////////////////////////


/////////////////////////////////////////////////////////////////////////////////////
//This set up scripts consists of 3 files:
//auth_test.inc, group_check.inc, and style.inc
/////////////////////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////////////////////
//auth_test.inc works in this manner:
//define location of log files and remote IP var
//declare odbc database info
//start a session
//check for cookie
//if cookie, check for validity
//if no cookie but login has been attempted, MD5 password entered, 
//	verify against database entry (db password field must contain
//	MD5 hashes of passwords!)
//if bad username, error to screen and log
//if bad password, error to screen and log
//if successful, log, update db to reflect current login date, previous login date, 
//	current IP
//if session has timed out, show message and login form.
//
//BTW, style.inc is just a style sheet. You don't need to use it.
//////////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////////
//This script was designed for use on an intranet in a Win NT environment
//running a SQL Server 7.0 database on Apache 1.3.11 ane PHP4 and may have some
//specificity's and idiosyncrasies as such. Ye hath been forwarned.
//////////////////////////////////////////////////////////////////////////////////////

//This is the directory where your log file resides
define( "BASE_DIR", "c:webapache" );
define( "AUTH_LOG", BASE_DIR . "logsauth_access_log.txt" );

$ip = getenv("REMOTE_ADDR");

//login form with cookie check

function login_form(){
	$this_page=getenv("REQUEST_URI");
	?>
	<HTML>
	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
	<HEAD>
	<SCRIPT language="JavaScript">
	
			
	var cookiesEnabled = false;
	
	function cookietest_onload()
	{
   		document.cookie = "Enabled=true";
		 var cookieValid = document.cookie;
		 
		if (cookieValid.indexOf("Enabled=true") != -1)
			{
				cookiesEnabled = true;
			 }
		else
			{
				cookiesEnabled = false;
				 document.write("<h2><font color='red'>Error loading page...</font><p>");
				 document.write("You must have cookies enabled to view this page.</h2><p>");
				 document.write("<b>Please enable your cookies, restart your browser, and try again.<p>");
				 document.write("If you need assistance with this, feel free to contact:<p>");
				 document.write("<table border=0 width=400 cellspacing=6><tr><td>Sysadmin Guy</td>");
				 document.write("<td></td><td>Sysadmin Other Guy</td></tr><tr><td>509-555-1212</td>");
				 document.write("<td width='50'><i>OR</i></td><td>509-121-5555</td></tr><tr><td>[email protected]</td>");
				 document.write("<td></td><td>[email protected]</td></tr></table>");
			}

	}
	
	</script>
	<? include ("c:webApacheincstyle.inc"); ?>
	<TITLE>BAMS On-Line User Login</TITLE>
	<script language="JavaScript">
<!-- Begin
function look() {
document.login.this_user.focus();
}
//End -->
</script>
	</HEAD>
	<BODY bgcolor="white" onLoad="BrowserCheck();look();">
	<center>
	<table width="450" border=1>
	<tr><td>
	<img src="my_logo.jpg">
	<CENTER>
	
	<FONT COLOR="blue">Please Log In...</FONT>
	<FORM NAME=login ACTION="<? echo $this_page ?>" METHOD=post>
	<TABLE BORDER=0>
	<TR>
	<TD><B>Username:</B></TD>
	<TD><INPUT NAME="this_user" TYPE="text" SIZE="10"></TD>
	</TR>
	<TR>
	<TD><B>Password:</B></TD>
	<TD><INPUT NAME="this_pass" TYPE="password" SIZE="10"></TD>
	</TR>
	</TABLE>
	<BR>
	<INPUT TYPE="submit" VALUE="Log in">
	<input type="reset" value="Clear">
	<p>
	<font color="red" size='1'><b>All activity on this server is logged. Unauthorized use is strictly prohibited.</b></font>
	</FORM>
	</tr></td></table>
	</center>
	</BODY>
	</HTML>
	
	<?
	
	exit;
	
	}
	
function set_cookie ( $this_user, $encrypted_password ) {
	$DB="my_db";
	$USER="some_user";
	$PASS="some_pass";
	$cnx = odbc_connect($DB, $USER, $PASS);
	$encrypted_password=MD5($this_pass);
	$md5str = MD5( TIME() );
	$now = date("m/d/Y H:i:s");
	$cookie_val = "$this_user-$encrypted_password-$md5str";
	setcookie( "baview_auth", $cookie_val, 0,"/" ,"192.168.101.12", 0);
	$arg = "update auth_info_table set string='$md5str' where username='$this_user'";
	$set_cookie_ok=odbc_exec($cnx, $arg);
	
	odbc_close( $cnx);
	
}

function check_cookie ( $cookie, $this_user, $this_pass ) {
	$DB="my_db";
	$USER="some_user";
	$PASS="some_pass";
	$cnx = odbc_connect($DB, $USER, $PASS);
	$cookie_var = split("-", $cookie);
	$ck_username = $cookie_var[0];
	$ck_password = $cookie_var[1];
	$secret = $cookie_var[2];
	
	$arg = "select 1 as auth from auth_info_table where username='$ck_username' and password='$ck_password' and string='$secret'";
	$row = odbc_exec( $cnx, $arg );
	odbc_close( $cnx);
	if (!$row){
		login_form();
	}
}
	
	$DB="my_db";
	$USER="some_user";
	$PASS="some_pass";
	$cnx = odbc_connect($DB, $USER, $PASS);
	
	session_start();
	
if ($baview_auth){
	check_cookie($baview_auth, $this_user, $this_pass);
		}
elseif ($this_user) {
	$enc_pass = MD5($this_pass);
	$authenticate=odbc_exec($cnx, "SELECT * FROM auth_info_table WHERE username = '$this_user'");
	
	if (!odbc_fetch_row($authenticate)) {
		echo "<center><font color='red' size=3><b>$this_user not found.</b> </font><br><font color='darkblue' size=2><u>Please make sure caps lock is off and try again</u><br> or contact Jeremy Brooks at 509-353-1239<br>or Shawn Hafen at 509-353-6165</font></center><br>";
		error_log( date("Ymd H:i:s") . " -- $ip -- Username: '$this_user' authentication failure- bad usernamen", 3, AUTH_LOG);
		login_form() ;
		odbc_close( $cnx);
		
		}
		else
		{
		
			while (odbc_fetch_row( $authenticate)); {
				$db_username=odbc_result($authenticate, 16);
				$db_password=odbc_result($authenticate, 37);
				$db_curr_login_date = odbc_result($authenticate, 39);
				$db_GID = odbc_result($authenticate, 44);
				global $db_GID;
				}
			
			if ($enc_pass != $db_password) {
				
				$ip = getenv("REMOTE_ADDR");
				echo "<center><font color='blue' size=3><b>Bad password for $this_user.</b> </font><br><font color='darkblue' size=2><u>Please make sure caps lock is off and try again</u><br> or contact Jeremy Brooks at 509-353-1239 <br>or Shawn Hafen at 509-353-6165";
				error_log( date("Ymd H:i:s") . " -- $ip -- Username: '$this_user' authentication failure- bad passwordn", 3, AUTH_LOG);
				login_form();
				odbc_close( $cnx);
				
				}
		set_cookie($this_user, $this_pass);
		session_start();
		$uid = $this_user;
		session_register("uid");
		
		$now = date("m/d/Y H:i:s");
		odbc_exec($cnx, "UPDATE auth_info_table SET current_login_date = '$now', last_login_date ='$db_curr_login_date', current_IP = '$ip'  WHERE username = '$this_user'");
		odbc_close( $cnx);
		error_log( date("Ymd H:i:s") . " -- $ip -- Username: '$this_user' authenticatedn", 3, AUTH_LOG);
		
		}
		
		}
else {
	login_form();
	}

if (!$uid && $baview_auth) {
	$yup = $HTTP_COOKIE_VARS["baview_auth"];
	setcookie( "baview_auth", $yup, time() - 3600,"/" ,"192.168.101.12", 0);
	
	echo "<center><font color='red'>Session Expired. Please Log In.</font></center><p>";
	login_form();
	}

?>

*************END auth_test.inc*************

*************BEGIN group_check.inc*************

<?
session_start();
//////////////////////////////////////////////////////////////////////////////////////
//This script is the property of Jeremy Brooks ([email protected])
//and is released under the GNU Public License (www.gnu.org).
//Unauthorized use is prohibited.
//
//If you use this script please let me know how (if) it works for you.
//Users are strongly encouraged to send me tweaks, questions, 
//suggestions, or just tell me if, how and where you are using it
//
//if anyone ports this to non-odbc or non-windows use PA-LEEZ send it to me...
/////////////////////////////////////////////////////////////////////////////////////


//////////////////////////////////////////////////////////////////////////////////////
//This set up scripts consists of 3 files:
//auth_test.inc, group_check.inc, and style.inc
//all files must be in a folder outside your
//	htdocs/html directory
//	(these exaples are used in
//	c:webapacheinc)
/////////////////////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////////////////////
//group_check.inc works in this manner:
//in the user database there is a field called gid that holds a value
//[0-9][a-z] that corresponds to the level of permission granted a user.
//i.e., 1=view reports, 5=create new reports, r=edit tables, etc...
//multiple values are allowed, i.e. 348sfh
//
//create no permission page in function no_permit()
//create a cursor using uid from session declared in auth_test.inc
//get length of gid value from db
//put all seperate values of gid into array
//get length of page permission level ($permit)
//put permit values into array also
//NESTED ARRAY LOOP TIME! (WOO-HOO!!!)
//for each value in god array, compare to each 
//	value in permit array
//if matched values are found, flag = "OK"
//if flag == "OK" by the end of the script, allow
//	user to view page
//otherwise, show denial message
//
//These lines must be at the top of each 
//	protected page (before any output
//	is sent to the browser!):
//
//$permit = "45shp";
//require('c:webApacheincauth_test.inc');
//require('c:webApacheincgroup_check.inc');
//session_start();
//
//where 4, 5, s, h, and p are the permission levels allowed to
//	view the page (any of these levels grant access)
//
//make sure you have enabled sessions in php.ini
//////////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////////
//This script was designed for use on an intranet in a Win NT environment
//running a SQL Server 7.0 database on Apache 1.3.11 ane PHP4 and may have some
//specificity's and idiosyncrasies as such. Ye hath been forwarned.
//////////////////////////////////////////////////////////////////////////////////////
function no_permit(){
	?>
	<html>
	<head>
	<? include ("c:webApacheincstyle.inc"); ?>
	<title>Access Denied</title>
	</head>
	<body bgcolor='white'>
	<center><table width=500 border=0>
	<tr>
	<td align='center'>
	<b>Sorry...You don't have permission to use this page.<p>
	If you feel you recieved this message in error, please contact:<br></b><P>
	<i>Sysadmin Guy<br>
	509-454-4666<br>
	[email protected]
	<br>
	<b>or</b>
	<br>
	Some Dude<br>
	509-111-1111<br>
	[email protected]
	</i></b>
	<P>
	<b>Please <a href="javascript:history.back(1)">Click Here</A> to Return to the previous page</b>
	</td>
	</body>
	</html>
	<?
	exit;
	}
	

$DB="my_db";
$USER="some_user";
$PASS="some_pass";

$cnx = odbc_connect($DB, $USER, $PASS);
$row = odbc_exec( $cnx, "SELECT * FROM auth_info_table WHERE username = '$uid'" );

while (odbc_fetch_row( $row)); {
	$db_GID = odbc_result($row, 44);
	}
odbc_close( $cnx);

$GID_length = strlen($db_GID);

$loop = 0;

while ($loop < $GID_length) {
	$GID_part = substr($db_GID, $loop, 1);
	$arr_GID[$loop]=$GID_part;
	$loop++;
	}
	
$permit_length = strlen($permit);

$loop = 0;

while ($loop < $permit_length) {
	$permit_part = substr($permit, $loop, 1);
	$arr_permit[$loop]=$permit_part;
	$loop++;
	}

$GID_count = count($arr_GID);
$permit_count = count($arr_permit);

$flag = "";
for ($GID_idx = 0; $GID_idx < $GID_count; $GID_idx++){
	$GID_temp = $arr_GID[$GID_idx];
	
	for ($permit_idx = 0; $permit_idx < $permit_count; $permit_idx++){
		$permit_temp = $arr_permit[$permit_idx];
		if ($GID_temp == $permit_temp) {
			$flag = "OK";;
			}
		}
	
}

if ($flag <> "OK") {
	
	no_permit();
	}

?>

*************END group_check.inc***************

*************BEGIN style.inc*******************


<script language='JavaScript'>

 <!--

var message='Sorry, that function is disabled.nnACCESS DENIED '; // Message for the alert box



function click(e) {
if (document.all) {
if (event.button == 2) {
alert(message);
return false;
}
}
if (document.layers) {
if (e.which == 3) {
alert(message);
return false;
}
}
}
if (document.layers) {
document.captureEvents(Event.MOUSEDOWN);
}
document.onmousedown=click;
// --> 

</script>

<STYLE TYPE='text/css'>
<!--
BODY {
   font-family: lucida, helvetica, sans-serif;
   font-size: 10pt;
}
TD, P, UL {
   font-family: lucida, helvetica, sans-serif;
   font-size: 10pt;
}
H2 {
   font-family: lucida, helvetica, sans-serif;
   font-size: 12pt;
}
A { text-decoration: none; }
A:link { color: #000099; }
A:visited { color: #000099; }
-->
</STYLE>


*******************END style.inc*************