andybriggs

  1.
         <?php
         include("add_p2.php"); //basic pdo connection (with added option for error handling)

         if (isset($_POST['submit'])) {
             try {
                 $stmt = $dbh->prepare("INSERT INTO passwords (description, username, password ) VALUES (:description, :username, :AES_ENCRYPT)");
                 $stmt->bindParam(':description', $description);
                 $stmt->bindParam(':username', $username);
                 $stmt->bindParam(':password', $password);
                 try {
                     $statement->execute(array( "description" => "description", "username" => "username", "password" => "password" ));
                 } catch(PDOException $e) {
                     echo "Exception caught: $e";
                 }
                 //insert one row
                 $name = 'one';
                 $value = 1;
                 $stmt->execute();
                 header( 'Location: localhost/password_added.php' );
                 exit();
         ?>

         <?php
         $dsn = "mysql:host=127.0.0.1;dbname=pword_db;charset=utf8";
         $opt = array(
             PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
             PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
         );
         $pdo = new PDO($dsn,'root','', $opt);
         ?>

         <form action="add_p.php" method="post">
         <span class="cursive">Description: </span><br>
         <textarea name="description" rows="20" cols="50"></textarea> <br>
         <span class="cursive">Username: </span><br>
         <input type="text" name="username" /> <br>
         <span class="cursive">Password: </span><br>
         <input type="text" name="password" /> <br>
         <input type="submit"/>
         </form>

     Hi, above are the 3 components that should add form data into a MySQL database using PDO. All it's doing is entering empty values, I'm really not sure why this is. Please could someone help me by pointing me in the right direction and offer hints on making this work?
     Thanks
  2. Hello post-contributors,
     Please could you suggest a starting point to get a secure (non-bullshit) login system with php?
     - which areas to consider
     - what to research on the matter
     - possibly some links
     - what do you guys personally use OR what would you use if you needed a secure login system please
     Thanks
  3. mac_gyver I am keeping login_success.php and have created login_success2.php to keep them separated as a test. I noticed in the log:

         [02-Aug-2014 18:50:36 UTC] PHP Warning: PHP Startup: Unable to load dynamic library 'c:/wamp/bin/php/php5.5.12/ext/php_ldap.dll' - The specified module could not be found. in Unknown on line 0
         [02-Aug-2014 18:50:37 UTC] PHP Warning: PHP Startup: Unable to load dynamic library 'c:/wamp/bin/php/php5.5.12/ext/php_intl.dll' - The specified module could not be found. in Unknown on line 0
         [02-Aug-2014 18:50:37 UTC] PHP Warning: PHP Startup: Unable to load dynamic library 'c:/wamp/bin/php/php5.5.12/ext/php_ldap.dll' - The specified module could not be found. in Unknown on line 0
         [02-Aug-2014 20:51:09 Europe/Paris] PHP Warning: include(file_with_errors.php): failed to open stream: No such file or directory in C:\wamp\www\login_success.php on line 4
         [02-Aug-2014 20:51:09 Europe/Paris] PHP Stack trace:
         [02-Aug-2014 20:51:09 Europe/Paris] PHP 1. {main}() C:\wamp\www\login_success.php:0
         [02-Aug-2014 20:51:09 Europe/Paris] PHP Warning: include(): Failed opening 'file_with_errors.php' for inclusion (include_path='.;C:\php\pear') in C:\wamp\www\login_success.php on line 4
         [02-Aug-2014 20:51:09 Europe/Paris] PHP Stack trace:
         [02-Aug-2014 20:51:09 Europe/Paris] PHP 1. {main}() C:\wamp\www\login_success.php:0
         [02-Aug-2014 20:55:05 Europe/Paris] PHP Parse error: syntax error, unexpected 'else' (T_ELSE) in C:\wamp\www\login_success.php on line 42
         [02-Aug-2014 20:57:17 Europe/Paris] PHP Parse error: syntax error, unexpected 'endif' (T_ENDIF) in C:\wamp\www\login_success2.php on line 43
         [02-Aug-2014 20:57:26 Europe/Paris] PHP Notice: Undefined variable: login_string in C:\wamp\www\login_success2.php on line 23
         [02-Aug-2014 20:57:26 Europe/Paris] PHP Stack trace:
         [02-Aug-2014 20:57:26 Europe/Paris] PHP 1. {main}() C:\wamp\www\login_success2.php:0
         [02-Aug-2014 20:57:26 Europe/Paris] PHP Notice: Undefined variable: login_check in C:\wamp\www\login_success2.php on line 23
         [02-Aug-2014 20:57:26 Europe/Paris] PHP Stack trace:
         [02-Aug-2014 20:57:26 Europe/Paris] PHP 1. {main}() C:\wamp\www\login_success2.php:0
         [02-Aug-2014 20:59:46 Europe/Paris] PHP Notice: Undefined variable: login_string in C:\wamp\www\login_success2.php on line 23
         [02-Aug-2014 20:59:46 Europe/Paris] PHP Stack trace:
         [02-Aug-2014 20:59:46 Europe/Paris] PHP 1. {main}() C:\wamp\www\login_success2.php:0
         [02-Aug-2014 20:59:46 Europe/Paris] PHP Notice: Undefined variable: login_check in C:\wamp\www\login_success2.php on line 23
         [02-Aug-2014 20:59:46 Europe/Paris] PHP Stack trace:
         [02-Aug-2014 20:59:46 Europe/Paris] PHP 1. {main}() C:\wamp\www\login_success2.php:0
         [02-Aug-2014 21:03:42 Europe/Paris] PHP Notice: Undefined variable: login_string in C:\wamp\www\login_success2.php on line 23
         [02-Aug-2014 21:03:42 Europe/Paris] PHP Stack trace:
         [02-Aug-2014 21:03:42 Europe/Paris] PHP 1. {main}() C:\wamp\www\login_success2.php:0
         [02-Aug-2014 21:03:42 Europe/Paris] PHP Notice: Undefined variable: login_check in C:\wamp\www\login_success2.php on line 23
         [02-Aug-2014 21:03:42 Europe/Paris] PHP Stack trace:
         [02-Aug-2014 21:03:42 Europe/Paris] PHP 1. {main}() C:\wamp\www\login_success2.php:0
  4. The code for login check looks like this:

         <?php
         if ($login_check == $login_string) {
             // Logged In!!!!
             return true;
         } else {
             // Not logged in
             error_log("Not logged in: password hashes do not match");
             return false;
         }?>
         <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
         <p>
         This is an example protected page. To access this page, users must be logged in. At some stage, we'll also check the role of the user, so pages will be able to determine the type of user authorised to access the page.
         </p>

     The browser looks like attached.
  5.
         <?php
         error_reporting(E_ALL);
         ini_set("display_errors", 1);
         include("file_with_errors.php");
         ?>

     creates attached image "1"

     My php.ini for error reporting has:

         ; display_errors
         ; Default Value: On
         ; Development Value: On
         ; Production Value: on

         ; display_startup_errors
         ; Default Value: Off
         ; Development Value: On
         ; Production Value: on

         ; error_reporting
         ; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
         ; Development Value: E_ALL
         ; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT

         ; html_errors
         ; Default Value: On
         ; Development Value: On
         ; Production value: On

         ; log_errors
         ; Default Value: on
         ; Development Value: On
         ; Production Value: On
  6. It seems whatever's "out there" for security, there will be exploit points, and most if not all attempts so far have ended in the same answer or similar to yours, Jacques1. This seems better than nothing at the moment. I have tried using bcrypt and mcrypt but I'm missing something because it's not very straightforward to me and doesn't seem to work for me. Once I get this working I'll try to figure out a "better" way.

     requinix thanks, but nothing happens when I add error_log() into the code like this (by nothing happens I mean only a blank page is displayed in the browser). Doesn't trigger_error() do the same thing?
  7. Hey requinix,
     Thanks, I just tried to report back errors as suggested but nothing came back in the browser, except the same "not authorized" message. For reference I am using the php documentation and have tried error_log() like this:

         <?php if (login_check($mysqli) == true) : { error_log() ?>

     And trigger_error like this:

         <?php if (login_check($mysqli) == true) : { trigger_error("A custom error has been triggered"); }?>

     This might be correct but nothing is reported back so I don't understand why login_check() is returning false yet.
     Thanks again
  8. Hi Guys,
     Here is the code. Once logged in using known credentials it should display the content "welcome..." but it doesn't, instead it is showing "you are not authorized..." as if the session['username']); isn't being taken?

         <?php
         ini_set('display_errors',1);
         error_reporting(E_ALL);
         include_once 'includes/db_connect.php';
         include_once 'includes/functions.php';
         sec_session_start();
         ?>
         <!DOCTYPE html>
         <html>
         <head>
         <meta charset="UTF-8">
         <title>Secure Login: Protected Page</title>
         <link rel="stylesheet" href="styles/main.css" />
         </head>
         <body>
         <?php if (login_check($mysqli) == true) : ?>
         <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
         <p>
         This is an example protected page. To access this page, users must be logged in. At some stage, we'll also check the role of the user, so pages will be able to determine the type of user authorised to access the page.
         </p>
         <p>Return to <a href="index.php">login page</a></p>
         <?php else : ?>
         <p>
         <span class="error">You are not authorized to access this page.</span> Please <a href="index.php">login or register</a>.
         </p>
         <?php endif; ?>
         </body>
         </html>

     I am using WAMP and have made sure the username and password are in the database correctly. How do I debug this? The error reporting has been switched on but it doesn't help me. Is the problem with:

         <?php if (login_check($mysqli) == true) : ?>

     I am trying to follow this guide: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

     Please could I get some help on how to make the login "detect" the username from my MySQL database and display the username?
     Thanks
  9. Hi guys,
     I would like to have a security measure in place to prevent unauthorized access to my site without a valid log on. At the moment, it would let anyone in without destroying the session and redirecting to index page. What would I "use" that's created in the session? What's the "best" practice?

     My understanding is that the session variable is stored in the browser, after a successful log in, that session variable is like a baton or a key that's "passed" onto the next page.
     - if someone tried to bypass the log on with the session then access is denied or redirected away.

     So on my index page to start I have:

         <?php
         session_start();
         /* clear all session variable */
         $_SESSION = array();
         /* set a session variable for later use */
         $_SESSION['what_page'] = "admin00";
         ?>

     What do I need to have to use the session against unauthorized access? My guess is:

         if(!isset($_SESSION['what_page']) || $_SESSION['what_page'] != "index.php") {
             $_SESSION = array();
             session_destroy();
             header("Location: index.php");
             exit();
         }

     So to me that means:
     - if 'what_page' is not set from the index page, don't go any further, re-direct (back to index)

     If I remove this and use a known username and password, I am able to log into the correct page, but this session validation is the bit that's not working. Please could you help?
  10. Thank you mac_gyver, I have decided out the 2 options to change to BLOB. As for the incorrect usage of the hash() function, I thought it goes:
      1. use the SHA256 algo
      2. hash the salt (previously created)
      Should I be adding raw output = FALSE to output hexits somewhere? I just tried with the now-changed BLOB type but I'm still being sent to index.php. What I'm struggling to understand is that this code previously worked in another database, and those databases have been destroyed, so I'm trying to reverse engineer a mysql table via this code.
  11. Sorry to keep updating my own post, but I'm now thinking it might be the session at the start, as what I'm seeing when logging in is the page going to index.php

          <?PHP
          session_start();
          /* if it was not arrived here via the admin login form then destroy the session and send to index page */
          if(!isset($_SESSION['what_page']) || $_SESSION['what_page'] != "admin00") {
              $_SESSION = array();
              session_destroy();
              header("Location: index.php");
              exit();
          }

      This is the session created on the index.php page:

          <?php
          session_start();
          /* clear all session variable */
          $_SESSION = array();
          /* set a session variable for later use */
          $_SESSION['what_page'] = "admin00";
          ?>

      Please could I have this checked over real quick?
  12. i have just done some digging on this, and changed to 32 for password.
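
For the PDO insert in post 1, an added example (not the poster's code and not from the forum) in which every placeholder in the SQL gets a value of the same name taken from the submitted fields, and the statement is executed once. It assumes PHP 7 or later with pdo_sqlite and uses an in-memory SQLite database in place of the MySQL one; `open_db()` and `add_password()` are hypothetical names.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL database in the post.
function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec('CREATE TABLE passwords (
        id INTEGER PRIMARY KEY, description TEXT, username TEXT, password TEXT)');
    return $pdo;
}

// Insert one row from submitted form fields and return the new row id.
// The secret is stored as received; encrypting it is outside this example.
function add_password(PDO $pdo, array $post): int
{
    $row = [];
    foreach (['description', 'username', 'password'] as $field) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || $value === '') {
            throw new InvalidArgumentException("Missing form field: $field");
        }
        $row[$field] = $value;
    }
    // Each named placeholder below has a key of the same name in $row.
    $stmt = $pdo->prepare(
        'INSERT INTO passwords (description, username, password)
         VALUES (:description, :username, :password)'
    );
    $stmt->execute($row);
    return (int) $pdo->lastInsertId();
}

// Constructed stand-in for $_POST as the form in the post would send it.
$post = ['description' => 'Mail account', 'username' => 'andy', 'password' => 'example-secret'];

$pdo = open_db();
$id  = add_password($pdo, $post);
$check = $pdo->prepare('SELECT * FROM passwords WHERE id = ?');
$check->execute([$id]);
print_r($check->fetch());

try {
    add_password($pdo, ['description' => 'x', 'username' => 'y']); // password missing
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```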
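
For the session check asked about in posts 9 and 11, an added example (not the poster's code and not from the forum) of a gate that depends on a value written to the session only after the password has been verified, rather than on a flag the index page sets for every visitor. PHP keeps session data on the server and the browser holds only the session id cookie. It assumes PHP 7 or later; the user list, `log_in()`, `is_logged_in()` and `require_login()` are hypothetical, and `$session` stands in for `$_SESSION` so the block runs from the command line.

```php
<?php
// Added example. Constructed user store; in the posts this is a MySQL table.
$users = ['andy' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Called by the login form handler only. Nothing is written to the session
// unless the submitted password matches the stored hash.
function log_in(array &$session, array $users, string $username, string $password): bool
{
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // issue a fresh session id at login
    }
    $session['username'] = $username;
    return true;
}

// True only when the session names a user that still exists.
function is_logged_in(array $session, array $users): bool
{
    $name = $session['username'] ?? null;
    return is_string($name) && isset($users[$name]);
}

// Put at the top of every protected page, after session_start().
function require_login(array $session, array $users): void
{
    if (!is_logged_in($session, $users)) {
        header('Location: index.php');
        exit;
    }
}

// Constructed walk-through with an array standing in for $_SESSION.
$session = [];
var_dump(is_logged_in($session, $users));                 // visitor who only opened index.php
var_dump(log_in($session, $users, 'andy', 'wrong guess')); // bad password leaves session empty
var_dump(is_logged_in($session, $users));
var_dump(log_in($session, $users, 'andy', 'correct horse'));
var_dump(is_logged_in($session, $users));
```

On a real page, pass `$_SESSION` in place of `$session`, for example `require_login($_SESSION, $users);`.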