Merge pull request #1 from Elyrith/master

Added authentication for user/admin area using the database

README.md

@@ -5,7 +5,9 @@ simplog is a (very) simple PHP blog engine. It's supposed to be implemented into
 
 What's missing?
 ---------------
-Not much really as of 2013-07-27, depending on how you plan to use it. Included is a template to create the MySQL table, a small HTML and PHP file to create new posts, an index.php file that displays your posts and a config file to connect to a database and set number of posts per page. Now there is also a HTML file to find your posts and edit/update them. Note that you need to protect the user directory yourself (with for example a .htaccess file), or else everyone can post on your blog.
+Not much really as of 2013-07-27, depending on how you plan to use it. Included is a template to create the MySQL table, a small HTML and PHP file to create new posts, an index.php file that displays your posts and a config file to connect to a database and set number of posts per page. Now there is also a HTML file to find your posts and edit/update them.
+
+You no longer need to protect the user/ directory yourself. Authentication is done using the database.
 
 Usage
 -----
@@ -13,11 +15,21 @@ simplog.php is intended to be included (with php include) on your webpage, there
 
 How do I create the MySQL table?
 --------------------------------
-Either create a new database and possibly a new user or use an existing database/user and run the command:
+
+Either create a new mysql user and database or use an existing one, then either:
+
+Option 1) Go to http://mydomain.tld/path-to-simplog/install.php
+
+    or...
+
+Option 2) Run this command from the shell:
 
 	mysql -u <user> -p <database> < blogtable.sql
 
-You'll be asked to enter the passwor for the user, enter it. Now you have created the table for the blog. Now you can start filling it with blog posts.
+You'll be asked to enter the password for the user, enter it.
+
+
+Now you have created the table for the blog. Now you can start filling it with blog posts.
 
 Contributing
 ------------

blogtable.sql

@@ -1,7 +1,18 @@
 CREATE TABLE `blog` (
- `postnumber` int(11) NOT NULL AUTO_INCREMENT,
+  `postnumber` int(11) NOT NULL AUTO_INCREMENT,
   `date` date NOT NULL,
   `title` text COLLATE utf8_unicode_ci NOT NULL,
   `posttext` text COLLATE utf8_unicode_ci NOT NULL,
   PRIMARY KEY (`postnumber`)
 ) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+CREATE TABLE `users` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `username` varchar(20) NOT NULL,
+  `name` varchar(40) NOT NULL,
+  `password` varchar(64) NOT NULL,
+  `session` int(64),
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+INSERT INTO `users` (`id`, `username`, `name`, `password`, `session`) VALUES (NULL, 'admin', 'Admin', PASSWORD('admin'), NULL);

includes/dbconnect.php

@@ -1,4 +1,5 @@
 <?php
+require "config.php";
 
 // Connect to MySQL database
 $link = mysql_connect($host, $user, $password)

includes/login.inc

@@ -0,0 +1,37 @@
+<?php
+
+# Check if the user is logged in and authenticated
+if ( $_COOKIE['session'] ) { // If yes, continue loading page as normal
+
+# If not logged in, check if this is an attempt to login...
+} else if ($_POST['do'] == "authenticate") {
+
+# If we're trying to login...
+
+# Attempt login
+	require "dbconnect.php";
+ 	$sql = "SELECT id,username FROM blog_users WHERE username='$_POST[username]' and password=PASSWORD('$_POST[password]')";
+	$result = mysql_query($sql) or die (mysql_error());
+
+#	echo "Results: " . mysql_num_rows($result); // Debugging line
+
+	if (mysql_num_rows($result) === 1) { // If user found and password matches
+		unset($_POST['do']); // No longer authenticating
+
+# Create cookie and set it
+		$_COOKIE['session'] = '1'; 
+		setcookie('session',$_COOKIE['session']);
+
+	} else { //  If user not found or password doesn't match
+		unset($_POST['do']);
+# Attempt login again. This should be limited in the future.
+		echo "Login failed. Please try again.";
+		include("login_form.inc");
+		break;
+	}
+} else { // If this is the first visit to the user/admin area...
+        echo "Please login:";
+        include "login_form.inc";
+        break;
+}
+?>

includes/login_form.inc

@@ -0,0 +1,16 @@
+<form action="<?php echo $_SERVER[REQUEST_URI]; ?>" method="post">
+<input type="hidden" name="do" value="authenticate">
+
+<table border=0>
+<tr>
+	<td><strong>Username</strong></td>
+	<td><input type="text" name="username" size="20" maxlength="20"></td>
+</tr>
+<tr>
+        <td><strong>Password</strong></td>
+        <td><input type="text" name="password" size="20" maxlength="20"></td>
+</tr>
+<tr>
+        <td colspan=2 align="center"><input type="submit" value="Login"></td>
+</tr>
+</table>

install.php

@@ -0,0 +1,48 @@
+<?php
+require "includes/htmlcode.php";
+start_html("Install database");
+include "includes/config.php";
+?>
+
+<h1>Installer</h1>
+
+<?php
+
+# Test connection to database server
+$link = mysql_connect($host, $user, $password)
+    or die("Could not connect to database. Check variables in includes/config.php.");
+
+# Test if database exists
+mysql_select_db($database)
+    or die("Database does not exist. Please create it first. (See includes/config.php for details.)");
+
+# Try to create 'blog' table
+$sql = "CREATE TABLE `blog` (`postnumber` int(11) NOT NULL AUTO_INCREMENT,`date` date NOT NULL,`title` text COLLATE utf8_unicode_ci NOT NULL,`posttext` text COLLATE utf8_unicode_ci NOT NULL, PRIMARY KEY (`postnumber`)) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;";
+#$result = mysql_query($sql) or die (mysql_error());
+$result = mysql_query($sql);
+if (mysql_error()) {
+	echo mysql_error() . ".<br />";
+} else {
+	echo "Table 'Blog' created successfully.<br />";
+}
+
+# Try to create 'blog_users' table
+$sql = "CREATE TABLE `blog_users` (`id` int(11) NOT NULL AUTO_INCREMENT,`username` varchar(20) NOT NULL,`name` varchar(40) NOT NULL,`password` varchar(64) NOT NULL,`session` int(64), PRIMARY KEY (`id`)) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;";
+$result = mysql_query($sql);
+if (mysql_error()) {
+        echo mysql_error() . ".<br />";
+} else {
+	echo "Table 'Users' created successfully.<br />";
+}
+
+# Try to create 'admin' user
+$sql = "INSERT INTO `blog_users` (`id`, `username`, `name`, `password`, `session`) VALUES (NULL, 'admin', 'Admin', PASSWORD('admin'), NULL);";
+$result = mysql_query($sql);
+if (mysql_error()) {
+        echo "User 'admin' already exists.<br />";
+} else {
+        echo "User 'admin/admin' created successfully.<br />";
+}
+
+end_html();
+?>

user/edit.php

@@ -1,6 +1,7 @@
 <?php
 require "../includes/htmlcode.php";
 start_html("Find post to edit");
+include "../includes/login.inc";
 ?>
 
 <h1>Find post to edit</h1>

user/editpost.php

@@ -6,6 +6,8 @@ require "../includes/dbconnect.php";
 require "../includes/htmlcode.php";
 
 start_html("Edit post");
+include "../includes/login.inc";
+
 print "<h1>Edit post</h1>";
 
 $query = "SELECT * FROM blog WHERE date='$_GET[date]' AND title='$_GET[title]'";

user/index.php

@@ -1,6 +1,7 @@
 <?php
 require "../includes/htmlcode.php";
 start_html("simlog user interface");
+include "../includes/login.inc";
 ?>
 
 <h1>simplog user interface</h1>

user/new.php

@@ -1,11 +1,12 @@
 <?php
 require "../includes/htmlcode.php";
 start_html("Create new post");
+include "../includes/login.inc";
 ?>
 
 <h1>Create new post</h1>
 <form action="createpost.php" method="post">
-Date: (YYYY-MM-DD) <input type="date" name="date">
+Date: (DD-MM-YYYY) <input type="date" name="date">
 <br />
 Title: <input type="text" name="title">
 <br /><br />

user/updatepost.php

@@ -6,6 +6,7 @@ require "../includes/dbconnect.php";
 require "../includes/htmlcode.php";
 
 start_html("Post updated");
+include "../includes/login.inc";
 
 
 $query = "UPDATE blog SET date='$_POST[date]', title='$_POST[title]',