I once thought that I should use JSON as the ID/password storage format, but I researched it and finally found that JSON is too difficult for me, so now I am considering using CSV.

The CSV file would be like this. File name is id.csv.

aaa_id,aaa_pass
bbb_id,bbb_pass
ccc_id,ccc_pass

The left column is the id, the right column is the password, and the values are separated by commas. The login form is login.php. This is my sample for login.php.

<form method="post" action="login-process.php">
id <input type="text" name="id" size="20"><br>
pass <input type="text" name="pass" size="20"><br>
<input type="submit" value="login">
</form>

And now I need to write login-process.php:

<?php

error_reporting(0);

$handle = fopen("id.csv", "r");
while (($data = fgetcsv($handle)) !== FALSE) {
    print $data['0'];
    print "=>";
    print $data['1'];
    print "<br>";
}
?> 

When I execute this script, it shows:

aaa_id=>aaa_pass
bbb_id=>bbb_pass
ccc_id=>ccc_pass

I feel I am getting close to the final goal, but I need to write the authentication code.

How do I improve this code?

tereško
aaa
    JSON too difficult, error_reporting(0); - I'd like to tag this bwahahaha ohmygod. Seriously, try not to work around, but to understand what you write. It's not as hard as it may appear on first or second sight. – phihag Jun 18 '09 at 08:51

2 Answers

Since you didn't cover what I consider to be an astoundingly obvious question to ask, I must ask it:

Why aren't you using a database for this? PHP and MySQL have a beautiful, beautiful relationship that is borderline insulting to ignore for a situation like this. Unless you have a particularly especial circumstance that makes databases unavailable to you - which I honestly can't think of off the top of my head - you should go ahead and switch your code to use databases. They are much faster, much easier, and much better. For the purposes of this site, though, a tutorial on how to do it would be rather lengthy. You should consider reading up on the many online tutorials on this subject or perhaps buy a book.

EDIT:

Avoiding databases because you have to worry about SQL injections is like avoiding making a website at all because you have to worry about XSS attacks, or avoiding writing code at all because you could write a bug. Although SQL injections are popular security holes due to the many naive programmers out there, it is trivial to protect yourself against them by using prepared statements in MySQLi or PDO.

As a side note, storing passwords as plain text is a horrible idea. The proper way to do it is to do a one-way encryption of the password upon insertion into the database, and whenever you want to check if someone provided the correct password you encrypt that password and compare it to the one in the database. If you don't do that, you're just asking for trouble.

Paolo Bergantino
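
The advice in the answer above (prepared statements plus a one-way hash of the password) can be sketched as follows. This is an added example, not code from either answer: it uses PHP's password_hash()/password_verify() as the one-way function and an in-memory SQLite database through PDO in place of MySQL so that it runs offline, and the table, column and function names are assumptions.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so the script runs offline;
// the table, column and function names are assumptions made for this sketch.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

// Store only a salted one-way hash; password_hash() generates the salt itself.
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns true only when the user exists and the password matches its stored hash.
function authenticate(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the submitted name is never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        // Unknown user: still verify against a throwaway hash so the response
        // time does not reveal which usernames exist.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET pass_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample account and login attempts.
register($pdo, 'aaa_id', 'aaa_pass');
var_dump(authenticate($pdo, 'aaa_id', 'aaa_pass'));   // correct password
var_dump(authenticate($pdo, 'aaa_id', 'wrong'));      // wrong password
var_dump(authenticate($pdo, "o'brien", 'x'));         // quote in the name stays data
```

On success the caller would then start a session; the hash column never needs to be read anywhere except inside authenticate().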

Firstly, I agree with what Paolo says, this is definitely the wrong approach. In addition to what he said:

  • The login process will get slower and slower as you have more users in the file (this will probably be true to an extent for any system, but I think it will be significant here)
  • Making changes in the middle of the file will be a complete pain
  • Having multiple script instances trying to write to the file simultaneously will probably result in corruption/missing data

However, if you were to have a form with fields called 'username' and 'password', you could process it like below. I am debating whether I should remove the code in order to avoid the risk of people actually writing stuff like this.

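<?php

// Read the submitted credentials; a missing field is treated as empty
$username = trim($_POST['username'] ?? '');
$password = trim($_POST['password'] ?? '');

if (!strlen($username) || !strlen($password)) {
    die('Please enter a username and password');
}

$success = false;

$handle = fopen("test.csv", "r");
if ($handle === false) {
    die('Could not open the user file');
}

while (($data = fgetcsv($handle)) !== FALSE) {
    // Skip blank or malformed rows
    if (!isset($data[0], $data[1])) {
        continue;
    }
    // Strict comparison: with ==, numeric-looking strings such as "0e1" and "0e2" compare equal
    if ($data[0] === $username && hash_equals($data[1], $password)) {
        $success = true;
        break;
    }
}

fclose($handle);

if ($success) {
    // they logged in ok
} else {
    // login failed
}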

You probably will want to read up on using Sessions to remember that the user is logged in across multiple page requests.

Tom Haigh