497
Implementing User Authentication
// to make it a slightly better password
srand ((double) microtime() * 1000000);
$rand_number = rand(0, 999);
$new_password .= $rand_number;
// set user's password to this in database or return false
if (!($conn = db_connect()))
return false;
$result = mysql_query( "update user
set passwd = password('$new_password')
where username = '$username'");
if (!$result)
return false; // not changed
else
return $new_password; // changed successfully
}
This function generates its random password by getting a random word from a diction-
ary, using the get_random_word() function and suffixing it with a random number
between 0 and 999.The get_random_word() function is also in the user_auth_fns.php
library.This function is shown in Listing 24.19.
Listing 24.19 The get_random_word() Function from user_auth_fns.php—This
Function Gets a Random Word from the Dictionary for Use in
Generating Passwords
function get_random_word($min_length, $max_length)
// grab a random word from dictionary between the two lengths
// and return it
{
// generate a random word
$word = '';
//remember to change this path to suit your system

$dictionary = '/usr/dict/words'; // the ispell dictionary
$fp = fopen($dictionary, 'r');
if(!$fp)
return false;
$size = filesize($dictionary);
// go to a random location in dictionary
srand ((double) microtime() * 1000000);
$rand_location = rand(0, $size);
fseek($fp, $rand_location);
// get the next whole word of the right length in the file
while (strlen($word)< $min_length || strlen($word)>$max_length
|| strstr($word, "'"))
Listing 24.18 Continued
30 525x ch24 1/24/03 3:36 PM Page 497
498
Chapter 24 Building User Authentication and Personalization
{
if (feof($fp))
fseek($fp, 0); // if at end, go to start
$word = fgets($fp, 80); // skip first word as it could be partial
$word = fgets($fp, 80); // the potential password
};
$word=trim($word); // trim the trailing \n from fgets
return $word;
}
To work, this function needs a dictionary. If you are using a UNIX system, the built-in
spell checker ispell comes with a dictionary of words, typically located at
/usr/dict/words, as it is here, or at /usr/share/dict/words. If you don’t find it in
one of these places, on most systems you will be able to find yours by typing
locate dict/words

If you are using some other system or do not want to install ispell, don’t worry! You can
download word lists as used by ispell from
/>This site also has dictionaries in many other languages, so if you would like a random,
say, Norwegian or Esperanto word, you can download one of those dictionaries instead.
These files are formatted with each word on a separate line, separated by newlines.
To get a random word from this file, we pick a random location between 0 and the
filesize, and read from the file there. If we read from the random location to the next
newline, we will most likely only get a partial word, so we skip the line we open the file
to, and take the next word as our word by calling fgets() twice.
The function has two clever bits.The first is that, if we reach the end of the file while
looking for a word, we go back to the beginning:
if (feof($fp))
fseek($fp, 0); // if at end, go to start
The second is that we can seek for a word of a particular length—we check each word
that we pull from the dictionary, and, if it is not between $min_length and
$max_length,we keep searching. At the same time, we also dump words with apostro-
phes (single quotes) in them.We could escape these out when using the word, but it is
easier to just get the next word.
Back in reset_password(), after we have generated a new password, we update the
database to reflect this, and return the new password back to the main script.This will
then be passed on to notify_password(), which will email it to the user.
Let’s have a look at the notify_password() function, shown in Listing 24.20.
Listing 24.19 Continued
30 525x ch24 1/24/03 3:36 PM Page 498
499
Implementing User Authentication
Listing 24.20 The notify_password() Function from user_auth_fns.php—This Function
Emails a Reset Password to a User
function notify_password($username, $password)
// notify the user that their password has been changed

{
if (!($conn = db_connect()))
return false;
$result = mysql_query("select email from user
where username='$username'");
if (!$result)
{
return false; // not changed
}
else if (mysql_num_rows($result)==0)
{
return false; // username not in db
}
else
{
$email = mysql_result($result, 0, 'email');
$from = "From: support@phpbookmark \r\n";
$mesg = "Your PHPBookmark password has been changed to $password \r\n"
."Please change it next time you log in. \r\n";
if (mail($email, 'PHPBookmark login information', $mesg, $from))
return true;
else
return false;
}
}
In this function, given a username and new password, we simply look up the email
address for that user in the database, and use PHP’s mail() function to send it to her.
It would be more secure to give users a truly random password—made from any
combination of upper and lowercase letters, numbers, and punctuation—rather than our
random word and number. However, a password like ‘zigzag487’ will be easier for our

user to read and type than a truly random one. It is often confusing for users to work
out whether a character in a random string is 0 or O (zero or capital O), or 1 or l (one
or a lowercase L).
On our system, the dictionary file contains about 45,000 words. If a cracker knew
how we were creating passwords, and knew a user’s name, he would still have to try
22,500,000 passwords on average to guess one.This level of security seems adequate for
this type of application even if our users disregard the emailed advice to change it.
30 525x ch24 1/24/03 3:36 PM Page 499
500
Chapter 24 Building User Authentication and Personalization
Implementing Bookmark Storage and Retrieval
Now we’ll move on and look at how a user’s bookmarks are stored, retrieved, and
deleted.
Adding Bookmarks
Users can add bookmarks by clicking on the Add BM link in the user menu. This will
take them to the form shown in Figure 24.9.
Figure 24.9 The add_bm_form.php script supplies a form
where users can add bookmarks to their bookmark pages.
Again, this script is simple and uses just the output functions, so we will not go through
it here.When the form is submitted, it calls the add_bms.php script, which is shown in
Listing 24.21.
Listing 24.21 add_bms.php—This Script Adds New Bookmarks to a User’s Personal
Page
<?php
require_once('bookmark_fns.php');
session_start();
//create short variable name
$new_url = $HTTP_POST_VARS['new_url'];
do_html_header('Adding bookmarks');
check_valid_user();

30 525x ch24 1/24/03 3:36 PM Page 500
501
Implementing Bookmark Storage and Retrieval
if (!filled_out($HTTP_POST_VARS))
{
echo 'You have not filled out the form completely.
Please try again.';
display_user_menu();
do_html_footer();
exit;
}
else
{
// check URL format
if (strstr($new_url, 'http://')===false)
$new_url = 'http://'.$new_url;
// check URL is valid
if (@fopen($new_url, 'r'))
{
// try to add bm
if (add_bm($new_url))
echo 'Bookmark added.';
else
echo 'Could not add bookmark.';
}
else
echo 'Not a valid URL.';
}
// get the bookmarks this user has saved
if ($url_array = get_user_urls($HTTP_SESSION_VARS['valid_user']));

display_user_urls($url_array);
display_user_menu();
do_html_footer();
?>
Again this script follows the pattern of validation, database entry, and output.
To v alidate, we first check whether the user has filled out the form using
filled_out().
We then perform two URL checks. First, using strstr(),we see whether the URL
begins with http://. If it doesn’t, we add this to the start of the URL. After we’ve done
this, we can actually check that the URL really exists. As you might recall from Chapter
17,“Using Network and Protocol Functions,” we can use fopen() to open an URL that
starts with http://. If we can open this file, we assume the URL is valid and call the
function add_bm() to add it to the database.
Listing 24.21 Continued
30 525x ch24 1/24/03 3:36 PM Page 501