PHP IBM i signon and library lists

[philstewart68]

Questions;
1.) My concern is that I dont want users calling scripts directly, they must go through my signon script.
How do you prevent this?
I dont want users to have to sign on to run each script

2.) How do you set the Ibm i library list from a PHP script?
Do you always need to specify a library name when doing an SQL or program call?
What happens if a table or program(or other object) can be in any number of libraries and your not sure which library it is in?

[scottgcampbell]

1) Use sessions, set a variable in the session when the user has authenticated and at the top of every script (use an include) check the session, if the user is not logged in then redirect to the log in screen.

2) What I did, and I'm not sure about the security implications, is change the ZCOREJOBD to match the library list that I needed, thankfully there was only one set of libraries. Then the programs are available as usual.

[kcookson]

Here are some example scripts for sessions and login. I'm too new at PHP to know if I'm using best practices, but these work.

Here's the login.php page:

Code: Select all

<?php
  session_start();
  // Validate the user name and password by connecting to the AS400.
  if ($_POST["user"] and $_POST["password"]) {     
   $user = $_POST["user"];
   $password = $_POST["password"];
    $conn = i5_connect("arcticsystem", "$user", "$password");
    if (!$conn) {
     //Validation not successful Store error message for later display. 
     $login_result = i5_errormsg();
    } else {
     //Validation successful. Close connection, save login info. 
     $close = i5_close($conn); 
     $_SESSION["user"] = $user;
     $_SESSION["password"] = $password;
      //Optional: redirect to a specific page. This is not required, but if you don't, they will sit on the login page.
     header("Location: main.php");     
    }    
  }
?> 
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Login</title>
</head>
<body>
<center>
<!-- login form -->   
<form method="post" action="login.php">
  <p>Username: <input type="text" name="user" /></p>
  <p>Password: <input type="password" name="password" /></p>
  <p><input type="submit" value="Login" /></p>
</form>
<p>
<?php
  if (!$_SESSION["user"]) {
    print $login_result;
  }
?>
</p>
</center>
</body>
</html>

Here's the main.php page:

Code: Select all

<?php
  session_start();
  if (!$_SESSION["user"] or !$_SESSION["password"]) {
    header ("Location: login.php");
  }   
  $user = $_SESSION["user"];
  $password = $_SESSION["password"];
  $conn = i5_connect("arcticsystem", "$user", "$password");
  if (!$conn) {
    header ("Location: login.php");
  }    
?>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Some Page</title>
</head>
<body>
  <!--insert content and php scripts here-->
</body>
</html>

[scottgcampbell]

One thing that I would be concerned about would be the users can then disable themselves/others, either on purpose or by accident. Also they could disable profiles that you probably don't want to be disabled, QSYSOPR/QSECOFR/etc. I don't know what the best solution is in this case, do you have a list of allowed profiles, or disallowed profiles.
In my case it is relatively easy since all of the profiles that need to log on all start with a common prefix, so I can disallow anything that doesn't match as an invalid attempt without checking any further. But if you want most people to have access but not others you might need to do something like check the group the user profile is associated with and disallow access based on that. It also gets more complicated when you allow somewhat restricted outside access to the website, you don't want to create user profiles for everyone who needs access, unless it is a small and known group, so you will need some other mechanism for tracking the username/passwords, and validating/encrypting them, and resetting lost passwords etc (LDAP maybe?). Hopefully this might start some discussion of what others are doing to validate/invalidate what I've done and others are doing.

Scott

[philstewart68]

I'm still at a loss to establish the library list on the i5_connect....the db2_connect library list can be dictated by the user profile..is i5_connect the same?

I dont want to specify the program library, because it could be in different libraries depending on what production environment I'm running in.

where do i find what array options are available for i5_connect, I cannot find any help.

[zend_i5]

Here an example how to define a library list in i5_connnect() function:

Code: Select all

<?php
$conn = i5_connect("127.0.0.1", "USER", "PASSWROD", array(I5_OPTIONS_INITLIBL=>"LIB1,LIB2, LIB3"));
if (!$conn) die("
Connection failed. Error number =".i5_errno()." msg=".i5_errormsg());


[hamejo]

Id personaly recomend php Curl, its a great function of php. You can set it to do lots of stuff, such as fake the refferer.
Extreme Brite White

[dkersey]

the connection example below doesn't work. I spent hours on this, and the Option paramater is basically ignored in the previous connection example. Instead you have to do this:

I, as well, changed the JOBD for the base *LIBL, then used below to add libraries.
<?php
$USER = "auserid";
$PASSWORD = "apassword";
$DEVLIB = "libraries to add";

$TKconn = new i5_Connection('127.0.0.1', $USER, $PASSWORD);
if (!$TKconn) {
die(i5_errormsg());
} else {
$TKconn->set_options(null,null,null,null,$DEVLIB);
$TKconn->connect();
}
?>