Login to Customer Records Management PHP Script

The scripts in the two link groups below are Customer Apps for Dealing with Product Keys and Email Addresses, and Administrator Apps for Dealing with Customer Records.

In our ecommerce world, products are sold by many different methods. Amongst these are getting out demos in various ways and when people try them, some of them are very pleased and they buy what's called a key. This unlocks the full feature set of the product when they enter it. There is a need to give the product users limited access to perform a few functions such as changing their emails, retrieving their keys from our database when they misplace them, etc. There is also a need for administrative functions to manage customer records. One needs to sort them, edit them, delete them, add them, view them, search them, register to be an administrator, login as administrator, etc.

If an ecommerce company does not have any of the applications below, it is forced to perform them the 20th century ways—by hand. This means paying for people to answer phones, write emails, keep paper files of customers, etc. The 21st century way is to let software perform these tasks, let websites and videos explain the product features, and let ecommerce close the sale and send the product.

Feel free to use these free Customer Records Management scripts in your business. Note: we know they work well for us (they are well tested), but we assume no liability for how they work in your situation. Similarly, we added lots of security measures such as extensive input filtering, but we make no claims and assume no liability for how securely they work in your situation.

The best security measure to take when using the administrative part of a system like this (meaning the Administrator Apps for Dealing with Customer Records in which category the script below resides, not the Customer Apps for Dealing with Product Keys and Email Addresses) is do not have any links ANYWHERE that link to the URLs of any of the admin files on the server, so neither hackers nor Google finds them. Then use the admin CMS yourself but do not even let your momma use it. Don't even save the link to the admin login as a Favorite, just to be secure. Just stick the login username and password in Roboform and make them impossible to guess. Then use Roboform to logon. The Customer Apps are included online and linked to as part of the product web pages that make life easier for everyone. Their security is mainly handled via extreme input filtering. The Admin Apps like the one below are hidden, unlinked to, and well protected with security measures, password hashes and salts, etc.

This script is called login-to-customer-records-management.php

Customer Apps for Dealing with Product Keys and Email Addresses

Administrator Apps for Dealing with Customer Records

The script login-to-customer-records-management.php processes both login input data from the administrator, and also session data, which it creates when it puts the session_id() into the proper session variable ($_SESSION['sessionid']) for safekeeping. (Of course, it has to start a session first with session_start().)

The PHP script below gives the administrator a chance to login to Customer Records Management.

The script begins with starting a session, then using the session id to create the session variable $_SESSION['sessionid']. The config.php file is included after the defined constant _NODIRECTACCESS gets defined. This gets checked on in the configuration file, and if it is not defined in that file, access to the file is denied. The config.php file uses the defined() function to check whether a given named constant exists. The various scripts that use config.php all use the define() function to define a named constant named '_NODIRECTACCESS' just prior to including config.php. This protects against anyone using the config.php file without first naming that constant with the define() function—a wise security precaution.

Now comes the JavaScript function validatepassword(), which is run from the formpw onsubmit event, and validates the login data, even though the script will do PHP validation as well. Why both? For user convenience! Bad data gets a message and sending the cursor to the input box where the goof is, to await your fix. If all validating was PHP only, you'd have to restart the form if there were any goofs, which would elicit crocodile tears from your users—in this case, the administrators.

Then the JavaScript search() method is used in a couple of input validation functions which use regular expression searches that limit both the size of the input string and the characters it contains. Note that if input is bad, after the alert message to warn the user, the focus() method is used before the return false so the cursor goes to the element with the goof. Returning false halts the submitting.

We use both JavaScript and PHP validation to filter input from the user (in this case, the administrator) since the cardinal rule for user input is: NEVER TRUST IT. If you want to trust it, simply ensure that it will be safe for putting into your MySQL tables as well as displaying on your web pages. By far the best method here is to use the JavaScript for the users' (the administrator) benefit and the PHP for security. If JavaScript is turned off (in which case our scripts won't even work), the PHP validation scripts are your last line of defense to keep things safe. On the other hand, the JavaScript allows the user to get a user-friendly response to unacceptable or wrong input in fields. Rather than making the user restart the form when he goofs, good JavaScript validation scripts use the focus() method to put the cursor back on the field where the goof occured as well as alerting the user to his error. PHP-only validation forces form restart, which is maddening to users.

We use /^[A-Za-z0-9!@#$%^&*()_]{12,20}$/ types of regular expressions to force the data to conform to the needs of the data fields, with the first part showing the acceptable characters and the second part forcing the length—in this case—to be 12 to 20 characters.

Now for the PHP. The entry, password, username, and answer inputs are POSTed to the script. The $Entry variable holds the entry flag which shows if the form was submitted. The $A variable holds the captcha answer which it gets from the captcha script at Register with Captcha to Administer Customer Records PHP Captcha Script via a session variable. $N is 1 if the login messes up and 0 if it doesn't.

The administrator's inputted username gets stuck into a session variable $_SESSION['username'], which will mean something if and when the login is successful and the administrator is sent to the administrator navigation script. Next, if the captcha answer $A equals the captcha script's captcha answer ($_SESSION['a__________a']), then we access the MySQL record for the entered username $U using the MySQL SELECT statement. If such a username cannot be found in the database table, the administrator sees "This user name does not exist. Please try again."

As stated, there is a captcha in the form and the user must give the correct answer to login. The correct answer will be figured in a different PHP script and stuck into the a__________a session variable. When the form is submitted, we check the answer the user gives against this a__________a variable and if it is incorrect, the user sees "Wrong captcha answer. Please try again." and is made to restart the login process. The captchas are all simple: adding or substracting a 1-digit number to/from a 2-digit number.

The administrator's inputted password hash from the db is put into $pw and his record id goes into the session variable $_SESSION['userid'] and his salt from his record goes into $o. The $h=z_____z() code is the password routine stored in the included config.php file. It is a function being run using the entered login password and stored salt, and the resulting hash is put into $h. If this does not equal $pw, the hash in the database for this username, we let the administrator see "Sorry, username/password combination is wrong." If it's a match, we send the administrator to the administrator navigation script. Even though we POST the username to that script, we instead use the session variable $_SESSION['username'] to keep track of this variable, not POSTing the username.

Take a gander at the captcha code: <IMG SRC="captcha-with-sessions.php" alt='captcha'>. A pretty strange type of image, to be sure! Browsers do NOT mind PHP scripts sitting in for PNG, BMP, GIF, or JPG images, believe it or not. The message "If you see no Captcha, disable your ad blocker" is displayed near the captcha because ad blockers with strong settings may knock the captcha out of the form. But Pop-up Blockers do not molest our captcha since it is NOT a pop-up. It's a random PNG image created using functions from the GD library, which is in all recent PHP versions. (To use the recommended bundled version of the GD library, which was first bundled in PHP 4.3.0, get your server hosts to use the configure option "--with-gd". Most already do this.)

The captcha image uses the font Holisb__.ttf, which is the Holiday Springs BTN True Type Font (get at MyFonts.com), but you may use other types if you wish. If you find arial.ttf in your C:\WINDOWS\Fonts\ directory on your computer, make sure it is in your folder with your PHP scripts on your server. Holisb__.ttf does a much cooler job, and will be harder for any automatic spambot script to read (and get the right answer for the arithmetic problem). For the captcha script, go to: Register with Captcha to Administer Customer Records PHP Captcha Script.

Finally, there's the login form where password and username and captcha answer are entered by the administrator. Then he submits the form and the validatepassword() script is the onsubmit event. If it passes this JavaScript validation, it is sent to the PHP script already discussed.

This script is called login-to-customer-records-management.php

<?php
session_start();
$_SESSION['sessionid'] = session_id();

define('_NODIRECTACCESS', TRUE);
include_once"includes/config.php";

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<TITLE>Login to Customer Records Management</TITLE>
<meta name="description" content="Login to Customer Records Management">
<meta name="keywords" content="Login to Customer Records Management,search,login Script,login,php,javascript, dhtml, DHTML">
<style type="text/css">
BODY {margin-left:0; margin-right:0; margin-top:0;text-align:left}
p, li {font:13px Verdana; color:black;text-align:left}
h1 {font:bold 28px Verdana; color:black;text-align:center}
h2 {font:bold 24px Verdana;text-align:center}
h3 {font:bold 15px Verdana;}
.k {text-align:right}
.j {position:absolute;top:50px;left:50%;margin-left:-300px;width:600px}
#myform {position:absolute;top:145px;left:50%;margin-left:-225px;width:450px;border:2px solid black;background-color:#8aa;}
#links {position:absolute;top:210px;left:82%;width:160px}
#t {width:410px;padding:9px;margin-top:-25px}
</style>
<script language="javascript">

function validatepassword(){

var ck_password = /^[A-Za-z0-9!@#$%^&*()_]{12,20}$/;
if (document.formpw.password.value.search(ck_password)==-1)
{alert("Please enter 12 to 20 letters, numbers and these for password: !@#$%^&*()_");document.formpw.password.focus();return false;}

var ck_username = /^[A-Za-z0-9_]{12,20}$/;
if (document.formpw.username.value.search(ck_username)==-1)
{alert("Please only enter 12 to 20 letters, numbers and underline for user name.");document.formpw.username.focus();return false}

return true;}

</script>

</head>
<body>

<?php

$Entry=$_POST['entry'];
$U=$_POST['username'];
$P=$_POST['password'];
$A=$_POST['answer'];
$N=0;
$_SESSION['username'] = $U;

if($Entry==1 && $A<>$_SESSION['a__________a']){$N=1;unset($U);echo '<script language="javascript">alert("Wrong captcha answer. Please try again.");window.location="login-to-customer-records-management.php";</script>;';
}else{

if($Entry==1){
$U=substr($U,0,20);
$P=substr($P,0,20);

if (strlen($U)<12) {$N=1;unset($U);echo '<script language="javascript">alert("Please enter 12 to 20 characters for user name."); window.location = "login-to-customer-records-management.php"; </script>';
}else{
if (strlen($P)<12) {$N=1;unset($U);echo '<script language="javascript">alert("Please enter 12 to 20 characters for password."); window.location = "login-to-customer-records-management.php"; </script>';
}else{
$pattern3 = '/[^a-zA-Z0-9\\_]/i';
$pattern4 = '/[^A-Za-z0-9\\!\\@\\#\\$\\%\\^\\&\\*\$\$\\_]/i';
$replacement = '';
$U=strip_tags($U);
$P=strip_tags($P);;
$U=preg_replace($pattern3, $replacement, $U);
$P=preg_replace($pattern4, $replacement, $P);

if($A==$_SESSION['a__________a']){
$check_user_data = mysql_query("SELECT * FROM admin_members WHERE username = '$U' LIMIT 1") or die(mysql_error());

if(mysql_num_rows($check_user_data) == 0)
{$N=1;unset($U);echo '<script language="javascript">alert("This user name does not exist. Please try again.");window.location="login-to-customer-records-management.php";</script>;';
}else{

$get_user_data = mysql_fetch_array($check_user_data);
$pw=$get_user_data['password'];
$id=$get_user_data['id'];
$_SESSION['userid'] = $id;
$o=$get_user_data['salt'];$h=z_____z();

if($pw<>$h){
$N=1;unset($U);
echo '<script language="javascript">alert("Sorry, username/password combination is wrong."); window.location="login-to-customer-records-management.php";</script>';}

}}}}}

if($N==1||$Entry==0){ ?>

<center><h1>Login to Customer Records Management</h1><div id='t'></div></center>

<div id='myform'><BR><center><h3>Login</h3></center><table id='t' border='0' cellspacing=0 cellpadding=2>
<form id='formpw' name="formpw" method="post" action="login-to-customer-records-management.php" onsubmit="return validatepassword()">
<tr><td class='k'><label for="User Name"><b>User Name: </b></td><td><input type="text" name="username" size="20" maxlength="20" value=""></label></td></tr>
<tr><td class='k'><label for="Password"><b>Password: </b></td><td><input type="password" name="password" size="20" maxlength="20" value=""></label></td></tr>
<br><br>
<tr><td class='k'><input type="hidden" name="entry" value="1">
 </td><td><IMG SRC="captcha-with-sessions-customer-for-records-management.php" alt='captcha'>
</td></tr>
<tr><td class='k'><label for="Captcha answer"><b>Captcha answer: </b></td><td><input type="text" name="answer" size="20" maxlength="20" value=""></label></td></tr>
<tr><td align=left colspan=2>      
         
  If you see no Captcha, disable your ad blocker.</td></tr>
<tr><td class='k'> </td><td><BR><input type="submit" value="Submit">
           
<input type="reset" value="Reset"></td></tr></form></table><BR>
</div>

<div id='links'><BR>
<a HREF="register-with-captcha-for-customer-records-management.php">Register</a><BR>
</div>

<?php
mysql_close();
}else{
?>

<form name="MyForm" method="POST" action="customer-records-management.php">
<input type="hidden" name="username" value=" ">

</form>

<script language="javascript">
var u = <?php echo json_encode($U); ?>;
document.MyForm.username.value=u;
document.MyForm.submit();
</script>

<?php
}}
?>

Free Personal Status Boards (PSB™)

Login to Customer Records Management PHP Script