Form Validation & User Authentication

bubblesvoltaire
Internet and Web Development

Nov 10, 2013
12/4/10 9:17 PM
Form Validation and User Authentication :: WDDBS ASL: Advanced Server-Side Languages
Page 1 of 4
http://localhost:8888/ASL/portal/daily/form-validation
Form Validation & User Authentication

Use your HTML skeleton to create a new form that can be used to authenticate (log in) a user by their email address and password:

```html
<form action="?" method="post">
    <h1>Log In</h1>
    <dl>
        <dt>Email:</dt>
        <dd><input type="email" name="email" /></dd>
        <dt>Password:</dt>
        <dd><input type="password" name="password" /></dd>
    </dl>
    <input type="submit" value="Continue" />
</form>
```

Notice that the form's method attribute is set to POST instead of GET. This ensures that the submitted information, the email address and password, is passed in the body of the HTTP request and not in the URL, so it doesn't show up in the browser's URL bar. A form action of ? ensures that the form submits back to itself.

If you enter information and submit the form, nothing happens yet, so add some code to the top of your body that dumps out the form variables. Form variables are populated into PHP's $_POST scope and ColdFusion's Form scope.

PHP:
```php
<?php
require 'dBug.php';   // dBug is a third-party variable-dumping class
new dBug($_POST);
?>
```

CFML:
```cfml
<cfdump var="#Form#" label="Form">
```

CFScript:
```cfml
<cfscript>
    writeDump(Form);
</cfscript>
```

When you complete and submit the form, you should see the values you entered:

PHP:
```
$_POST (array)
    email     rosborne@fullsail.com
    password  mysecret
```

CFML & CFScript:
```
Form - struct
    EMAIL       rosborne@fullsail.com
    FIELDNAMES  EMAIL,PASSWORD
    PASSWORD    mysecret
```
Before you can authenticate the user, you should ensure the email address is in a valid format and the password isn't blank. Since the form is posting back to itself, you can't assume it has been submitted: this may be the first time the page has been loaded. You should be paranoid and check whether the form variables exist at all.

You shouldn't check for just one form field, for example email but not password, because you can't assume the submission came from your form: it may be a bot or a malicious user trying to find holes in your application.

PHP:
```php
if (isset($_POST['email'])
    && isset($_POST['password'])) {
    // more code will go here
} // if we got email and password
```

CFML:
```cfml
<cfif structKeyExists(Form, "email")
    and structKeyExists(Form, "password")>
    <!--- more code will go here --->
</cfif>
```

CFScript:
```cfml
if (structKeyExists(Form, "email")
    and structKeyExists(Form, "password")) {
    // more code will go here
}
```

Once you are sure all of the form fields are present, you can continue on to clean up the fields and make sure they look okay:

PHP:
```php
$email     = mb_strtolower(trim($_POST['email']));
$password  = trim($_POST['password']);
// EmailAddressValidator is a third-party class; require its file before use.
$validator = new EmailAddressValidator;
if (($password !== '')
    && $validator->check_email_address($email)) {
    // authentication code here
}
```

CFML:
```cfml
<cfset email = lcase(trim(Form.email))>
<cfset password = trim(Form.password)>
<cfif (password neq "")
    and isValid("email", email)>
    <!--- authentication code here --->
</cfif>
```

CFScript:
```cfml
email = lcase(trim(Form.email));
password = trim(Form.password);
if ((password neq "")
    and isValid("email", email)) {
    // authentication code here
}
```

Once you are sure that all of the form inputs look okay, you can connect to the database and query for the user:
PHP:
```php
// The handout's connection string; the username and password arguments are not shown.
$db = new PDO('mysql:host=127.0.0.1;port=8889;dbname=adb');
$stmt = $db->prepare('
    SELECT id, name, email
    FROM Users
    WHERE (email = :email)
        AND (password = MD5(:password))
');
$stmt->execute(array(
    ':email'    => $email,
    ':password' => $password
));
$user = $stmt->fetch(PDO::FETCH_ASSOC);
```

CFML:
```cfml
<cfquery name="user">
    SELECT id, name, email
    FROM Users
    WHERE (email = <cfqueryparam value="#email#" cfsqltype="cf_sql_varchar">)
        AND (password = MD5(<cfqueryparam value="#password#" cfsqltype="cf_sql_varchar">))
</cfquery>
```

CFScript:
```cfml
stmt = new Query(
    sql = "
        SELECT id, name, email
        FROM Users
        WHERE (email = :email)
            AND (password = MD5(:password))
    ");
stmt.addParam(name = "email", value = email, cfsqltype = "cf_sql_varchar");
stmt.addParam(name = "password", value = password, cfsqltype = "cf_sql_varchar");
user = stmt.execute().getResult();
```

If the user entered a valid email address and password, and a valid record was returned from the database, you can store their information in the Session scope to be used later. Dump out the Session scope to verify the information is there.

For both languages, Session concurrency is an issue. If a user has multiple pages open at the same time and each tries to modify the Session, the user could see strange problems. For this reason, writes to the Session scope are locked to single-thread them: only one page request at a time can write to the scope.

ColdFusion and PHP use different Session-locking semantics. PHP automatically locks the Session scope when the session_start function is called at the top of the page, so the page can safely assume that it has exclusive access to the Session scope. ColdFusion puts the responsibility of locking the Session scope on the programmer, using the cflock tag or the lock statement.

Given valid login credentials, you should see Session dumps:
PHP:
```php
// session_start() has already been called at the top of the page
if ($user !== FALSE) {
    $_SESSION['user'] = $user;
    new dBug($_SESSION);
}
```

CFML:
```cfml
<cfif (user.recordCount eq 1)>
    <!--- cflock requires a timeout; exclusive is the type needed for a write --->
    <cflock scope="Session" type="exclusive" timeout="5">
        <cfset Session.user = user>
    </cflock>
    <cfdump var="#Session#" label="Session">
</cfif>
```

CFScript:
```cfml
if (user.recordCount eq 1) {
    lock scope="Session" type="exclusive" timeout="5" {
        Session.user = user;
    }
    writeDump(Session);
}
```
PHP:
```
$_SESSION (array)
    user (array)
        id     1
        name   Rick O
        email  rosborne@fullsail.com
```

CFML & CFScript:
```
Session - struct
    USER  query
              EMAIL                  ID  NAME
          1   rosborne@fullsail.com  1   Rick O
```
While there are minor syntactic differences between PHP and CFML when it comes to validating form data and authenticating users, you can see that the same process is used for both:

1. Check that all form fields were submitted.
2. Clean up any fields as necessary. (Trim spaces, lowercase email addresses, etc.)
3. Validate that each field looks okay. (Email formats, non-empty required fields, number ranges, dates, etc.)
4. Validate that each field is okay, for example against a database.
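As an added example (not code from the handout), here is the same four-step process in PHP, written so it runs offline against a constructed in-memory SQLite table instead of the course's MySQL database. It keeps the handout's Users table and column names but swaps the MD5() comparison inside the SQL for password_hash()/password_verify(), and uses PHP's built-in filter_var() in place of the EmailAddressValidator class; the sample submissions and their labels are constructed.

```php
<?php
// Added example, not code from the handout: the four-step process in one function
// so it can be run offline. It keeps the handout's Users table (id, name, email,
// password) but swaps the MD5() comparison in SQL for password_hash()/password_verify(),
// and uses PHP's filter_var() in place of the EmailAddressValidator class.
function authenticate(array $post, PDO $db): ?array
{
    // Step 1: every field must be present; check both, not just one.
    if (!isset($post['email'], $post['password'])
        || !is_string($post['email']) || !is_string($post['password'])) {
        return null;
    }
    // Step 2: clean up (trim both fields, lowercase the email).
    $email    = mb_strtolower(trim($post['email']));
    $password = trim($post['password']);
    // Step 3: the fields must look okay before the database is touched.
    if ($password === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Step 4: the fields must be okay. Look the user up with a bound parameter and
    // compare the password against the stored hash in PHP, not inside the SQL.
    $stmt = $db->prepare('SELECT id, name, email, password FROM Users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);   // only id, name and email belong in the session
    return $row;
}

// Constructed in-memory SQLite database standing in for the handout's MySQL "adb".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT, email TEXT UNIQUE, password TEXT)');
$db->prepare('INSERT INTO Users (name, email, password) VALUES (?, ?, ?)')
   ->execute(['Rick O', 'rosborne@fullsail.com', password_hash('mysecret', PASSWORD_DEFAULT)]);

// Constructed submissions: one good login, then one rejected at each step.
$cases = [
    'ok'               => ['email' => ' ROsborne@fullsail.com ', 'password' => 'mysecret'],
    'missing password' => ['email' => 'rosborne@fullsail.com'],
    'bad email format' => ['email' => 'not an address', 'password' => 'mysecret'],
    'wrong password'   => ['email' => 'rosborne@fullsail.com', 'password' => 'guess'],
];
foreach ($cases as $label => $post) {
    $user = authenticate($post, $db);
    echo str_pad($label, 17), ': ', $user === null ? 'rejected' : "user #{$user['id']} {$user['name']}", PHP_EOL;
}
```

Only the first case returns a user; the other three are rejected at steps 1, 3 and 4 respectively, and the stored hash never leaves the function.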