[FX.php List] Login from ASP site

Andrew Denman adenman at tmea.org
Wed Aug 15 12:49:20 MDT 2007


Jon,

It sounds like in the set up last year the button they pressed submitted a
POST to your page with the school id and password.  If they are now just
providing a link (like you did in the email below), then those variables are
going to be in the $_GET variable, not the $_POST.  If you wanted to be able
to use either one, you could use the $_REQUEST variable, which combines all
of the data received from GETs, POSTs, and cookies.  Docs here:
http://us.php.net/manual/en/reserved.variables.php

That should help in solving the problem, but then you have another potential
problem depending on how secure the system needs to be.  By having that data
in a link the directors click, it will be saved in their browsing history.
Someone could go to their computer and easily get back into your system
without logging into the ASP system.  If this is going to be an issue, I
think they're going to have to put the button page back unless someone else
on this list has found another way to deal with this.

Andrew Denman

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Jon Montgomery
Sent: Wednesday, August 15, 2007 1:01 PM
To: fx.php_list at mail.iviking.org
Subject: [FX.php List] Login from ASP site

I have an FX.PHP/FileMaker site that gets some login information from
another site that is ASP.  This worked fine last year when we used it.
However, they have changed some things and I have changed some things.  So
when we went to set up the link again. We are having communication problems
and the there page doesn't want to play with my pages.

They speak ASP and I don't!  I speak PHP (some an any rate) and they don't!
So although we are NOT at a stand off, I am not sure what to tell them and
they are not sure what to tell me.

Last years link used two hidden values, a user id, which I have all of those
in my Accounts table of my FMP data base, and a pass phrase so that we are
sure that anyone who is submitting data into my pages came from their login
security system.

The users login to their system with a user id (School_ID on my pages) and
there own password.  Then on a link on there page the user is sent to my
page were the pass phrase (password) is sent and my page checks it for and
exact match.  I store this passed information in two session variables,
School_ID and password.

Last year, the user had to click an extra button to log into my pages.  They
have changed a few things on there page and are trying to streamline and
take out that extra button.  (For some reason some us music people like to
take any short cut we can find and that extra button really bothered some of
them!)  The reason for the extra button was to send the information,
School_ID and esp. the password hidden.

In the link shown below, you will notice that when trying to access my pages
it kicks them to a login error page and asks them to login again.  That
would tell me that my pages are not picking up the two varables that they
are passing to me.  PLUS it shows the School_ID of the first record of about
600 and the password we are trying to hide in url.  That would tell me that
the FMFind did not work or it found ALL of the records and not the School ID
they were passing which is 9990.

Any help on what to tell them or ask them to do would be helpful.

Here is the url that they get when they try to login and are booted to an
error page:

https://www.igsmasouth.org/ihsa/ihsa_login_verify.php?School_ID=0101&passwor
d=XXXXXXXXX (hidden for security reasons)

My code at the top of my page:

<?php
session_start();

include_once('../FX/FX.php');

include_once('../FX/server_data.php');




$user = $_POST['School_ID'];

$pass = $_POST['password'];



$login = new FX($serverIP,$webCompanionPort);

$login -> SetDBData('Manager_IHSA.fp7','Accounts');

$login -> SetDBPassword('','Admin');

$login -> AddDBParam('School_ID','='.$user);


$loginResult = $login -> FMFind();



$loginData = current($loginResult['data']);



$_SESSION['School_ID'] = $user;

$_SESSION['password'] = $pass;

$_SESSION['School'] = $loginData['School'][0];

$_SESSION['Class'] = $loginData['Class'][0];

$_SESSION['user_level'] = $loginData['user_level'][0];

$_SESSION['solo_site'] = $loginData['solo_site'][0];

$_SESSION['org_site'] = $loginData['org_site'][0];

print_r($_SESSION);



if(!isset($_SESSION['password'])){


//this will change to password !== there passphrase later but is set to this
now so I could login from my own login page for testing.
include_once('ihsa_login_error.php');


}else{



?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml">


Jon Montgomery
Illinois Grade School Music Association


_______________________________________________
FX.php_List mailing list
FX.php_List at mail.iviking.org
http://www.iviking.org/mailman/listinfo/fx.php_list



More information about the FX.php_List mailing list