Want to write results of submit on login form to log file on server

Report · Nov 21, 2009

I have cobbled together a small family website to share old pictures and memorabilia. This is a members only site and I use a PHP login script that compares the username and password to a list.

I would like to know
a) if anyone is trying to guess their way in.
b) if a member is having trouble logging in.. we have some not so computer savvy family members who possibly get frustrated and give up.
c) which members are logging in.. this is a new endeavor, to run one year on a trial basis.. and is it worth it.

To accomplish this, I would like to add some code to take the results of any submit (on my login form) and append the results of that to some sort of log file that I can periodically review. Given that the basics are in place this would seem (to me) not that difficult a task. But, I have no idea on how to accomplish this and hope someone can show me.

Thank you for your time and help

Ralph

If it helps, this is the PHP code that I am assuming does the login process.

/* No user serviceable parts below this point. */

$php_self = $_SERVER['PHP_SELF'];

/* Sanitize variables: we should only be getting $user and $password from the form. */
$submit = $_POST['submit'];
$user = '';
$password = '';
if ($_GET['user']) {
    $user = $_GET['user'];
    $password = $_GET['password'];
}
if ($_POST['user']) {
    $user = $_POST['user'];
    $password = $_POST['password'];
}

session_start();

/* Check login/password pairs until we find one that is correct, or show login form again. */
$loginsuccessful = FALSE;

foreach ($authorization as $loginpair) {
    if (($user == $loginpair[0]) && ($password == $loginpair[1])) {
      $_SESSION['user'] = $user;
      $_SESSION['password'] = $password;
        $loginsuccessful = TRUE;
    }
    if (($_SESSION['user'] == $loginpair[0]) && ($_SESSION['password'] == $loginpair[1])) {
        $loginsuccessful = TRUE;
    }
}

if ($loginsuccessful === TRUE) {
/* User is logged in, go about our merry way. */
    echo $loginmsg;
} else {
/* User didn't match any of our valid logins, kick them back to the form. */
    $loginmsg = "Invalid username or password.";
    require($indexphp);
    exit;
}

Report · Nov 23, 2009

No, it's not particularly difficult. You're obviously using a login script that you have obtained from somewhere else, because the code is very different from that generated by Dreamweaver. Judging from the code, you're not using a database to store the usernames and passwords. So, you'll probably want to save the details to an external text file.

Add the following code in the place indicated:

if ($_POST['user']) {
    $user = $_POST['user'];
    $password = $_POST['password'];
}

// New code goes here

$logfile = 'log.txt';
$date = date('j M Y H:i:s');
$address = 'Unknown';
if (isset($_SERVER['REMOTE_ADDR'])) {
     $address = $_SERVER['REMOTE_ADDR'];
}
if ($file = fopen($logfile, 'a')) {
  fwrite($file, "\r\n$date $address $user $password");
  fclose($file);
}

// end of new code
session_start();

This will create a text file called log.txt in the same folder as the login script. Since it's a text file, it should ideally be outside the web server root, so you should change the value of $logfile to point to a file outside the server root, but in a folder where the script has permission to write.

Each time someone tries to log in, it will record the date and time, the IP address, if known, and the username and password submitted.

Once you have got this working, I suggest that you amend the following line:

if ($file = fopen($logfile, 'a')) {

Change it to this:

if ($file = @fopen($logfile, 'a')) {

This will suppress any error message if the script fails to open the log file. However, you shouldn't make that change until you have got things working, because suppressing an error message will prevent you from finding out what the problem is if it doesn't work.

Report · Nov 23, 2009

Thank you David P

I will have a go at implementing this tonight

Thanks again

Ralph

Report · Nov 23, 2009

Thanks again David P for your time.

Your script works perfectly... with the script I sent as a sample.

Unfortunately I sent the script of login version1 that I use on my test site. It only checks for one username and password. Version 2, on my main site has 40 odd names and version 1 was modified to suit. Unfortunately your script does nothing when placed as / where you instructed.

My sincere apologies for supplying you the wrong script to work with and wasting your time, if there is not an easy fix.. please ignore / cancel this whole mess.

Version 2 script is this

/* No user serviceable parts below this point. */

$php_self = $_SERVER['PHP_SELF'];

/* Sanitize variables: we should only be getting $user and $password from the form. */
$submit = $_POST['submit'];
$user = '';
$password = '';
if ($_GET['user']) {
    $user = $_GET['user'];
    $password = $_GET['password'];
}
if ($_POST['user']) {
    $user = $_POST['user'];
    $password = $_POST['password'];
}

session_start();

/* Check login/password pairs until we find one that is correct, or show login form again. */
$loginsuccessful = FALSE;

foreach ($authorization as $loginpair) {
    if (($user == $loginpair[0]) && ($password == $loginpair[1])) {
      $_SESSION['user'] = $user;
      $_SESSION['password'] = $password;
        $loginsuccessful = TRUE;
    }
    if (($_SESSION['user'] == $loginpair[0]) && ($_SESSION['password'] == $loginpair[1])) {
        $loginsuccessful = TRUE;
    }
}

if ($loginsuccessful === TRUE) {
/* User is logged in, go about our merry way. */
    echo $loginmsg;
} else {
/* User didn't match any of our valid logins, kick them back to the form. */
    $loginmsg = "Invalid username or password.";
    require($indexphp);
    exit;
}

?>

Report · Nov 24, 2009

The script you have posted here is identical to the original one.

Report · Nov 24, 2009

You are absolutely right... ( I am loosing it) My appologies for making this so confusing.

Both scripts I posted are from my main login script. The difference is with the one I did not post, the one on my test site. And when I insert your script in it it works perfectly. http://www.test.lsvs.ca/

The difference is in the section after "session_start();" This is the section that is on my test site and works with your code. It was the first effort and did not include the option to have numerous usernames.

session_start();

if (($user == $authorization['user']) && ($password == $authorization['password'])) {
$_SESSION['user'] = $user;
$_SESSION['password'] = $password;
}

if (($_SESSION['user'] != $authorization['user']) or ($_SESSION['password'] != $authorization['password'])) {
    $loginmsg = "Invalid username or password.";
    require($authorization['indexphp']);
    exit;
} else {
    echo $authorization['loginmsg'];
}

?>

The modification to allow multiple users evidently required this part: When your script is added to this version nothing happens, no file is written. Can / should I try to insert your code into some other section??

session_start();

$loginsuccessful = FALSE;

foreach ($authorization as $loginpair) {
    if (($user == $loginpair[0]) && ($password == $loginpair[1])) {
      $_SESSION['user'] = $user;
      $_SESSION['password'] = $password;
        $loginsuccessful = TRUE;
    }
    if (($_SESSION['user'] == $loginpair[0]) && ($_SESSION['password'] == $loginpair[1])) {
        $loginsuccessful = TRUE;
    }
}

if ($loginsuccessful === TRUE) {
/* User is logged in, go about our merry way. */
    echo $loginmsg;
} else {
    $loginmsg = "Invalid username or password.";
    require($indexphp);
    exit;
}

?>

Report · Nov 24, 2009

I have found out the problem... all to do with my server I guess. I changed the login.php of my test site to reflect what I have on my main and included your script... Works great.

So.. I am guessing that there is some sort of security check to prevent writting to the root of my site. I will email my host and see if that is in fact the case... In the meantime... if you are not totally fed up with me.... you did mention in your original post that I should move the log.txt to some other folder (one that I have permission to write to). Given that this (your code) seems to work when in the /public_html/test folder could your script write to it there.. how could I do that.. if you thought it would work?

Thanks again for you time

Report · Nov 25, 2009

Ralph3616 wrote:
Given that this (your code) seems to work when in the /public_html/test folder could your script write to it there.. how could I do that.. if you thought it would work?

It's just a question of changing this line:

$logfile = 'log.txt';

Assuming that your login script is in the main public_html folder, change it to this:

$logfile = 'test/log.txt';

Report · Nov 25, 2009

Just to add to that: Dreamweaver won't let you use the Repeat Region server behavior with the same recordset more than once, even if you reset the recordset. However, all you need to do is to create the repeat region manually yourself. If it's exactly the same as before, just copy and paste the code. Otherwise, use the Bindings panel to lay out the stuff that you want repeated, and then wrap it in the repeat region code.

Again, for PHP it's this:

<?php do { ?>
What you're repeating goes here
<?php } while ($row_recordsetName = mysql_fetch_assoc($recordsetName));

Report · Nov 25, 2009

Thanks David for all your time....

But until I hear back from my ISP I think I am dead in the water. Adding a folder like you suggested brings up two error messages.

Warning: fopen(menu/log.txt) [function.fopen]: failed to open stream: No such file or directory in /home/lsvs7237/public_html/login.php on line 95

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/lsvs7237/public_html/login.php:95) in /home/lsvs7237/public_html/login.php on line 101

Your last email is way over my head and do not understand how your comment can be relevant, the script works in my test folder so it should not be under the influence of Dreamweaver. I thought I could work around this by moving my login.php to a different folder... that messed everything up as well.. So for the moment.... I am giving up.

I do appreciate your time trying to help me in this matter. If I ever get it working I will post back here to let you know

Many thanks

Ralph

Report · Nov 28, 2009

I finally have it working. The problem (I am thinking) was with my file structure, I have all my web pages in /pages, to get your script to work required moving my home page (the one the login references) to the root.

There is still a peculiarity that I have given up on... if I move the log.txt to my /pages folder (pages/log.txt) it will only work while on the home page... moving to any other page brings up an error message. My take, after all this is that the script will not run across different levels of folders and as each page references my login (and writes to the log.txt) going up or down the folder tree does not work.

Anyway.. thank you again for your help, time and sticking with me as I struggled with this

Report · Nov 28, 2009

Ralph3616 wrote:
My take, after all this is that the script will not run across different levels of folders and as each page references my login (and writes to the log.txt) going up or down the folder tree does not work.

Use an absolute path to the log.txt file. Assuming the pages folder is in the site root:

$logfile = '/pages/log.txt';

Report · Nov 28, 2009

Tried that before and ran into troubling error messages. But.. tried it again as well as a ../ in front.. Nothing seems to make it work correctly, it will write the file but gives error messages visible on the web pages. You did say I could suppress the errors but.. is that wise, given that they are occurring

I am "reasonably" happy with the way I have it working now.. Moving the log.txt out of the "root" is more of a security matter is it not?.. however it seems someone would have to be both logged in and guess the file name to read it... No?

Ralph

Report · Nov 29, 2009

Ralph3616 wrote:
Tried that before and ran into troubling error messages. But.. tried it again as well as a ../ in front.. Nothing seems to make it work correctly, it will write the file but gives error messages visible on the web pages. You did say I could suppress the errors but.. is that wise, given that they are occurring

No, suppression of error messages is not wise. You should use them to diagnose the problem and eliminate the error. Without knowing what the messages say, I have no way of offering help in resolving the error.

Moving the log.txt out of the "root" is more of a security matter is it not?.. however it seems someone would have to be both logged in and guess the file name to read it... No?

They would not need to be logged in. All they need to do is guess the file name, and if your website has directory indexing enabled, they wouldn't even need to guess.

Report · Nov 29, 2009

I don't know if my host has or has not directory listing enabled. I just checked and in fact can make a direct URL to my "log.txt" which in fact makes it kind of handy for me, I was using my FTP program. Anyway.. I think I will rely on a clever name for my file and leave it at that. Besides I am not defending Fort Knox here, this is a mini family site with old photos and memorabilia, very little value on eBay I would think.

To pursue this further would likely have to involve some major restructuring of my site and possible the login process as well. At this time I do not think it worth it. If this site is deemed a success by the rest of the family and continues past next August I will look at a total restructure then. A true dynamic site with a data base, cookies and all... but that will take some hand holding / guidance that I am not ready to seek out yet.

The origial intent of the whole process was to determine if any members are having trouble logging in and in fact have caught one such incident already so I am happy with the results.

And.. again, I very much appreciated your time and help.

Report · Nov 29, 2009

Use an absolute path to the log.txt file. Assuming the pages folder is in the site root:

$logfile = '/pages/log.txt';

Hi David, I'm trying something similar. Works fine with relative but when using absolute paths I'm getting "Warning: fopen(/log/log.txt) [function.fopen]: failed to open stream: No such file or directory in....." Is there a setting on the server that needs to be configured to allow absolute paths? I'm running on a Windows host.

Report · Nov 29, 2009

bregent wrote:
Hi David, I'm trying something similar. Works fine with relative but when using absolute paths I'm getting "Warning: fopen(/log/log.txt) [function.fopen]: failed to open stream: No such file or directory in....."

OK, I see the problem. This is why it's so important to say what the error message is when something doesn't work. I don't write to text files normally, so the advice I was giving Ralph was simply based on "try this". Now I see the error message I know why it won't work.

Instead of a path relative to the site root, you need to use either a document-relative path or a fully qualified one. Since you're on a Windows server, this will need to start at the drive letter. Something like C:\inetpub\wwwroot\userX\beachwalk-searanch\html_public\test\myfile.txt.

The alternative is to put the file in the PHP include_path.

Report · Nov 29, 2009

Okay.. semi interested again.. Without generating a new set of error messages, I believe my error was the same.. or very similar. My host is running Linux so how would that work for me.. and you mentioned an alternative "The alternative is to put the file in the PHP include_path" where / how could I try this? Would a screen shot of my folder tree help?

Ralph

Report · Nov 30, 2009

Actually, I missed the error messages in one of your earlier posts. Many hosting companies provide a folder called "private" or something similar at the same level as public_html. If you have such a folder, this is what you need:

 $logfile = '/home/lsvs7237/private/log.txt';

Because this is outside the site root, it won't be accessible to anyone snooping, unless they gain access to your FTP credentials. However, you will need to use FTP to download it yourself.

If you don't have such a folder, I would recommend creating a new folder in side public_html. For the sake of this example, I'll call it "secret". Don't link to this folder from anywhere in the site. Then use this:

 $logfile = '/home/lsvs7237/public_html/secret/log.txt';

By not linking to the folder from anywhere in the site, it should remain hidden, but you will still be able to access it through your browser. It's not secure, but as you say, you're not trying to protect Fort Knox. Nevertheless, it's still preferable to store the file outside the site root.

Report · Dec 01, 2009

Thank you... works perfectly now

Report · Dec 02, 2009

Hooray, got there in the end.

Report · Dec 01, 2009

>Instead of a path relative to the site root,

>you need to use either a document-relative

>path or a fully qualified one

Thanks David.

Report · Feb 12, 2011

Hello all

I would like to re visit this issue. With a lot of help my original question was resolved and is working very well.

Now.. I have added cookies to my site to remember users. Unfortunately this bypasses the code developed that shows me when a user logs in. While learning about cookies there are lots of references about tracking users.. but never quite the way I would like to.

So.. my new question? (and perhaps it should be in a new thread)

How can I get the users name and time when the site is accessed logged to a file from cookies set on my home page? I do not yet use MySQL on my site

Thank you for any help or tutorials on this.