In this section, we will look at how to set up the PHP pages that receive our POST requests from AngularJS.
We will create 5 files. “access.php” will contain the functions that the individual PHP pages call for one of 4 specific purposes: login, logout, register, and status. “login.php” will return the result of a login attempt as JSON, “register.php” will return the result of a registration attempt and the verification link as JSON, “config.php” will hold our database connection information, and finally “status.php” will return the login status of the current session as JSON.
Let’s set up the JSON-returning pages first.
“login.php”: This page decodes the POST body (in JSON format) sent by the login page through AngularJS, which contains the username and password. It then passes them to the MySQL login procedure and outputs the result as JSON.
<?php
require_once "access.php";

// AngularJS sends the form as a JSON body, not as form fields, so read php://input
$postdata = file_get_contents("php://input");
$request = json_decode($postdata);

// guard against a missing or malformed body before touching $request->login
if ($request !== null && !empty($request->login)) {
    Session::Login($request->username, $request->password);
    if ($_SESSION['isLogged'] > 0) {
        $_SESSION['email'] = $request->username;
        $_SESSION['password'] = $request->password;
    }
} else {
    Session::Logout();
}

$result = array('isLogged' => $_SESSION['isLogged']);
header('Content-Type: application/json');
echo json_encode($result);
“register.php”: This page decodes the POST body (in JSON format) sent by the registration page through AngularJS, which contains the username and password to be added to the MySQL user table. The page then outputs the verification link and the result of the attempt as JSON. If the attempt fails, the verification link in the JSON is empty and can be ignored.
<?php
require_once "access.php";

$postdata = file_get_contents("php://input");
$request = json_decode($postdata);

$user = isset($request->username) ? $request->username : "";
$pass = isset($request->password) ? $request->password : "";

// Register() returns array(result, verification code)
$result = Session::Register($user, $pass);

$txt = "";
if ($result[0] > 0) {
    $url = "http://localhost";
    // URL-encode both values so characters such as '+' or '&' in the
    // email address do not break the query string
    $txt = $url . "/verify.php?user=" . urlencode($user) . "&code=" . urlencode($result[1]);
}

$json = json_encode(array('url' => $txt, 'registered' => $result[0]));
header('Content-Type: application/json');
echo $json;
“status.php”: This simply returns the login status stored in the session (derived from the stored email and password) as JSON. We use it to set our AngularJS variable so that the view correctly reflects that status when new pages are loaded. It is NOT used for actual authentication checks; we do not want to handle security decisions on the client side through AngularJS.
<?php
require_once "access.php";

// the session must be started before $_SESSION holds anything
Session::GetSession();

// a visitor who has never logged in has no 'isLogged' entry yet; report 0
$result = array('isLogged' => isset($_SESSION['isLogged']) ? $_SESSION['isLogged'] : 0);
header('Content-Type: application/json');
echo json_encode($result);
“access.php”: This script contains all of the functions called by the previous 3 pages. Here we handle database connections, call the stored procedures and retrieve their results. We store the result of our login status in a $_SESSION variable, which by default has a lifetime of 24 minutes (this can be changed in php.ini).
<?php
class Session {
    public static function GetSession() {
        if (!session_id()) session_start();
    }

    public static function SetLoginState($state) {
        Session::GetSession();
        $_SESSION['isLogged'] = $state;
    }

    // Re-validate the stored credentials against the database and redirect
    // anyone who does not pass. Login() returns the state it stored, so the
    // comparison below is meaningful.
    public static function CheckAccess() {
        Session::GetSession();
        if (!isset($_SESSION['email'])) $_SESSION['email'] = '';
        if (!isset($_SESSION['password'])) $_SESSION['password'] = '';
        $result = Session::Login($_SESSION['email'], $_SESSION['password']);
        if ($result <= 0) {
            header('Location: noaccess.php');
            die();
        }
    }

    public static function GetPDO() {
        // plain require, not require_once: inside a function, require_once would
        // skip the file on a second call and leave $dbhost etc. undefined
        require 'config.php';
        $pdo = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpw);
        // make PDO throw PDOException on errors so the catch blocks below actually run
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        return $pdo;
    }

    public static function Logout() {
        Session::SetLoginState(0);
        $_SESSION['email'] = '';
        $_SESSION['password'] = '';
    }

    // Calls the Login stored procedure; the procedure writes its outcome to the
    // @result user variable, which we read back with a second query.
    public static function Login($email, $password) {
        try {
            if ($email !== "" && $password !== "") {
                $pdo = Session::GetPDO();
                $sql = 'CALL Login(:user,:pass,@result);';
                $sp = $pdo->prepare($sql);
                $sp->bindParam(':user', $email, PDO::PARAM_STR, 256);
                $sp->bindParam(':pass', $password, PDO::PARAM_STR, 256);
                $sp->execute();
                $sp->closeCursor();
                $row = $pdo->query('SELECT @result AS result')->fetch(PDO::FETCH_ASSOC);
                Session::SetLoginState($row['result']);
            } else {
                Session::SetLoginState(-1);
            }
        } catch (PDOException $e) {
            Session::SetLoginState(-1);
        }
        return $_SESSION['isLogged'];
    }

    public static function Activate($email, $vcode) {
        try {
            if ($email !== "" && $vcode !== "") {
                $pdo = Session::GetPDO();
                $sql = 'CALL Activate(:user,:vcode,@result)';
                $sp = $pdo->prepare($sql);
                $sp->bindParam(':user', $email, PDO::PARAM_STR, 256);
                $sp->bindParam(':vcode', $vcode, PDO::PARAM_STR, 256);
                $sp->execute();
                $sp->closeCursor();
                $row = $pdo->query('SELECT @result AS result')->fetch(PDO::FETCH_ASSOC);
                return $row['result'];
            } else {
                return -1;
            }
        } catch (PDOException $e) {
            return -1;
        }
    }

    // Returns array(result, verification code); the code is empty on failure.
    public static function Register($email, $password) {
        try {
            if ($email !== "" && $password !== "") {
                $pdo = Session::GetPDO();
                $sql = 'CALL Register(:user,:pass,@result,@vcode)';
                $sp = $pdo->prepare($sql);
                $sp->bindParam(':user', $email, PDO::PARAM_STR, 256);
                $sp->bindParam(':pass', $password, PDO::PARAM_STR, 256);
                $sp->execute();
                $sp->closeCursor();
                $row = $pdo->query('SELECT @result AS result, @vcode AS vcode')->fetch(PDO::FETCH_ASSOC);
                return array($row['result'], $row['vcode']);
            } else {
                return array(-1, "");
            }
        } catch (PDOException $e) {
            return array(-1, "");
        }
    }
}
The main thing to understand here is how we open a connection between the PHP script and the MySQL server using PDO. We create another file called “config.php” that contains the variables needed to establish the database connection. Simply change the values of the variables in this file to fit your database.
<?php
// database connection settings; no closing ?> tag, so no stray whitespace is sent
// before the JSON pages call header()
$dbhost = 'localhost';
$dbname = 'webapp';
$dbuser = 'root';
$dbpw = '';
Since we’re using $_SESSION, it’s important to open your php.ini file and enable the following setting. We don’t want a nefarious user to attempt a session fixation attack, the gist of which is that a third party gets a user to log into your site under a predetermined session id, allowing the third party to then access the site as that user. By refusing session ids that the server did not create itself, we take a step towards preventing these attacks. For our purposes, we store the username and password in session variables and authenticate access to specific pages through these variables.
session.use_strict_mode = 1
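As an added example (not code from the tutorial above), here is the same countermeasure carried into the login step itself: strict mode is confirmed before the session starts, and a fresh session id is issued once the login succeeds, so an id that existed before authentication never becomes a logged-in one. It assumes the Session class from access.php above, with Session::Login storing its outcome in $_SESSION['isLogged'].

```php
<?php
// Added example, not part of the original tutorial. Assumes the Session class
// from access.php (Session::GetSession, Session::Login, $_SESSION['isLogged']).
require_once "access.php";

// Strict mode must be on before session_start(): it makes PHP reject any session
// id it did not issue itself, which is exactly what a fixation attack supplies.
// session.use_strict_mode is PHP_INI_ALL, so it can also be set at runtime.
function ensureStrictSessions(): void {
    if (session_status() === PHP_SESSION_NONE
        && (int) ini_get('session.use_strict_mode') !== 1) {
        ini_set('session.use_strict_mode', '1');
    }
}

// Authenticate, then replace the session id. Any id known before authentication
// (including one an attacker planted) is discarded together with its data.
function loginWithFreshSession(string $email, string $password): int {
    ensureStrictSessions();
    Session::GetSession();
    Session::Login($email, $password);
    $state = (int) ($_SESSION['isLogged'] ?? -1);
    if ($state > 0) {
        session_regenerate_id(true); // true: delete the old session file immediately
        $_SESSION['email'] = $email;
    }
    return $state;
}

// Full logout: clear the data, expire the cookie and destroy the server-side
// session, so the old id cannot be presented again.
function logoutCompletely(): void {
    Session::GetSession();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Calling loginWithFreshSession() in place of the Session::Login() call in login.php keeps the rest of that page unchanged.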
The final step is setting up the frontend using PHP and AngularJS.