Need to pick your brain

[SectorDad]

Hello,

I'm new to this forum so I hope the general forum is appropriate for this issue.

I'm currently creating an intranet site for my employer (their first) and have the basic design finished. I created a template (a la Dreamweaver) and so far have the index page and a company directory. What information that is being provided has been designed with AJAX and works perfectly.

What I'm stuck on is this:
My employer would like to be able to update all employees on this site as to who's in and who's not working today. Currently this is done via email. I would like to implement a small area on the template (like maybe in the left sidebar; iframe possibly?) that she can update with a simple GUI.

So my question: Is this something that absolutely has to be done with a CMS or is there another route I can take? I'm not versed in PHP yet, so I haven't really looked at that option too much.

Thanks a bunch,
Chris

[scragar]

Such a system would be fairly easy to impliment with PHP, I would need more information to post any real code.

So I guess a few questions:

• Does it need to be password protected/whatever? If so will the password be hard coded, or what?
• I'm assuming a DB would be required, do you have MySQL, or would I need to plan to use a text file/XML file for such a thing(which would likely be unsecure).
• How will the infomation be input, check boxes? Typing in names and picking matching employee's?

[SectorDad]

Such a system would be fairly easy to impliment with PHP, I would need more information to post any real code.

So I guess a few questions:

• Does it need to be password protected/whatever? If so will the password be hard coded, or what?
• I'm assuming a DB would be required, do you have MySQL, or would I need to plan to use a text file/XML file for such a thing(which would likely be unsecure).
• How will the infomation be input, check boxes? Typing in names and picking matching employee's?

• Yes, it would have to be password protected for a few employees with the same access.
• We have yet to install a DB to the internet server, so the options are open on that one (for a server with IIS).
• The information would be simply typed in.

I'm trying to keep it simple to avoid confusion from the end users that will be utilizing the simple GUI. Thanks!

[scragar]

OK, how about a simple example for how a text file can be used:

PHP Code:

define('EmployeeList', 'list.txt');
$userPasswords = Array(
  'admin'=>'god',
  'root'=>'god',
  'someone'=>'password'
);

if(isset($_POST['username']) && isset($_POST['password']){
  if($userPasswords[strtolower($_POST['username'])] == $_POST['password']) // user's details work out
    file_put_contents(
           EmployeeList, serialize(
           $list = nl2br(htmlentities($_POST['update'],
           ENT_NOQUOTES))), FILE_TEXT);
  else
     echo 'Username or password incorrect.';
};

if( ! isset($list))
  $list = @unserialize(file_get_contents(EmployeeList), FILE_TEXT) || 'List empty'; 

echo <<<HTML

<p>The text file says:</p>
<p>{$list}</p>
<form action='?' method='post'>
<p>Username: <input type='text' name='username' value=''></p>
<p>Password: <input type='password' name='password' value=''></p>
<p>Employee List: <textarea name='update'></textarea></p>
<p><input type='submit' value='Update'></p>
</form>
HTML; 


As I said, this is a basic example, and it should be secure, but you need a database to be completely secure with your passwords stored directly into the file. It also means that to change the password someone needs to use the CMS, and having the passwords in raw text like that is always a bad idea.

[SectorDad]

I agree the text file is not the way to go considering security is important to my employer. Other options?

[scragar]

A database would be the most secure method, failing that a text file would work if you were to employ some form of encryption or hashing, not that any system is particularly secure right now(md5 is having new vulnerabilities found all the time, and the SHA functions, while better, are still vulnerable to several flaws).

Personally I would push the importance of a database, or recommend the use of the latest SHA version(2 at the time of writing, but the competition for version 3 is under way) and a complex salt.

[SectorDad]

Now that we've established the DB, how about the front end (the sidebar and the GUI for the employees)?

[scragar]

I'd recommend using sessions, be sure to add

Code:

<?php session_start(); ?>

to the top of any page you want to be able to access the sessions, then you can do something like:

PHP Code:

mysql_connect('localhost', 'username', 'password');
mysql_select_db('DBName');

if(isset($_POST['username'])){
  $rs = mysql_query("SELECT * FROM `admins` WHERE `username`='"
                    .mysql_real_escape_string($_POST['username'])
                    ."' AND `password`='"
                    .sha1($_POST['password'])."'");
  if(FALSE !== ($row = mysql_fetch_array($rs)))// log in
    $_SESSION['user'] = $row['username'];
  else /////////// bad password or username
    echo 'username or password incorrect.';
};

if( ! isset($_SESSION['user'])){// not logged
  // do something here
}else{
  // show admin menu here
} 


I've got things to do right now, so play around with that for a while, see what you can do, and let me know if you have problems with it later, OK?