Jump to content

Archived

This topic is now archived and is closed to further replies.

Amateur Elements

Log In Scripts [Im new]

Recommended Posts

Ok, im very new to php. I mostly only understand using SQL and PRINT funtions. I own the web site amateurelements.com and i am making a new portal for it. How ever i dont know jack crap about log in scripts. Heres what i have

[u][b]LogIn Form[/b][/u]
[code]<?php if ($_SESSION['user']) { ?>
  <?php print "<font class=\"greyfont\">"; ?>
  <b><?php print $_SESSION['user']; ?></b> LOGGED
  &nbsp;&nbsp;&nbsp;<a href="http://amateurelements.com/Forum/index.php?action=profile">
  <?php print "<font class=\"greylink\">"; ?>PROFILE<?php print "</font>"; ?></a>
  - <a href="http://www.amateurelements.com/submit.php">
  <?php print "<font class=\"greylink\">"; ?>SUBMIT CONTENT<?php print "</font>"; ?></a>
  - <a href="http://www.amateurelements.com/logout.php">
  <?php print "<font class=\"greylink\">"; ?>LOGOUT<?php print "</font>"; ?></a>
<? } else { ?>
<img src="http://www.amateurelements.com/spacer.gif" width="1" height="2" />
<form action="http://www.amateurelements.com/login.php" method="post" name="LogInForm" id="LogInForm">
<input type="text" name="username" id="username" value="USER NAME" onclick="value=''"
style="height:20; background-color:666666; color:eedd00; font:'BankGothic Md BT';" />
&nbsp;
<input type="password" name="password" id="password" value="PASSWORD" onclick="value=''"
style="height:20; background-color:666666; color:eedd00; font:'BankGothic Md BT';" />
&nbsp;
<input type="submit" name="login" id="login" value="- LOG -"
style="height:20; background-color:666666; color:eedd00; font:'BankGothic Md BT';" />
</form>
<?php print "<font class=\"greyfont\">"; ?>
Not a member yet? Click
<a href="http://www.amateurelements.com/Forum/register.php">
<?php print "<font class=\"greylink\">"; ?>here</font></a> to register and start uploading!</font>
<? } ?>[/code]

[b][u]LogIn Script[/u][/b]
[code]<?php include("http://www.amateurelements.com/CONFIG/STYLE.php"); ?>
<?php session_start; ?>
<?php $conn = mysql_pconnect("localhost", "amateur", "") or die(mysql_error());
@mysql_select_db(amateur_smf1, $conn) or die(mysql_error()); ?>
<?php
  if ($_GET['login']) {
  $user = $_POST['username'];
  $pass = $_POST['password'];
  $sql = mysql_query("SELECT * FROM amateur_smf1.members WHERE memberName = '$user' AND passwd = '$pass'", $conn)
  or die(  mysql_error());
  if (mysql_num_rows($sql) == 1) {
  $error = false;
  $_SESSION['user'] = $user;
  setcookie("user", $user, 0, "/", "amateurelements.com");
  print "<?php include(\"http://www.amateurelements.com/logged.php\"); ?>";
?>
<?php
  } else {
  $error = "Incorrect username or password!";
  }
  }
?>[/code]

[b][u]Logged.php[/u][/b]
[code]<html><style type="text/css">
<!--
body,td,th {
    font-family: BankGothic Md BT;
    font-size: 14px;
    color: #EEDD00;
}
body {
    background-color: #666666;
    margin-left: 5%;
    margin-top: 5%;
    margin-right: 5px;
    margin-bottom: 5%;
}
-->
</style>
<center>
<table width="90%" height="90%" cellpadding="0" cellspacing="0"><tr>
<td width="100%" height="17" align="center" valign="top">
    <table width="100%" height="17" cellpadding="0" cellspacing="0" bgcolor="#EEDD00"><tr>
    <td width="17" bgcolor="#EEDD00" align="center" valign="top">
        <img src="Images/Basic-Images/Corner-TL.gif">
    </td><td width="100%" height="17" background="Images/Backgrounds-Borders/MainBorder-Top.gif"
    style="background-repeat:repeat-x;">
        <img src="spacer.gif" width="1" height="10">
    </td><td width="17" height="17" bgcolor="#EEDD00" align="center" valign="top">
        <img src="Images/Basic-Images/Corner-TR.gif">
    </td></tr></table>
</td></tr><tr><td width="100%" height="100%" align="center" valign="top">
    <table width="100%" height="100%" cellpadding="0" cellspacing="0" bgcolor="#EEDD00"><tr>
    <td width="10" height="100%" background="Images/Backgrounds-Borders/MainBorder-Left.gif"
    style="background-repeat:repeat-y;">
        <img src="spacer.gif" width="10" height="100%">
    </td><td width="100%" height="100%" align="center" valign="middle" bgcolor="#EEDD00">
        <br><br>
        <font size="6" face="BankGothic Md BT" color="#666666">
          LOGGED IN
        </font><br><br>
        <font class="<?php print "$greylink"; ?>">
          <a href="http://www.amateurelements.com/home.php">
          click here to go back to the index page</a>
        </font>
    </td><td width="10" height="100%" background="Images/Backgrounds-Borders/MainBorder-Right.gif"
    style="background-repeat:repeat-y;">
        <img src="spacer.gif" width="10" height="100%">
    </td></tr></table>
</td></tr><tr><td width="100%" height="17" align="center" valign="bottom">
    <table width="100%" height="17" cellpadding="0" cellspacing="0" bgcolor="#EEDD00"><tr>
    <td width="17" height="17" bgcolor="#EEDD00" align="center" valign="bottom">
        <img src="Images/Basic-Images/Corner-BL.gif">
    </td><td width="100%" height="17" background="Images/Backgrounds-Borders/MainBorder-Bottom.gif"
    style="background-repeat:repeat-x; background-position:bottom;" valign="bottom">
        <img src="spacer.gif" width="1" height="10">
    </td><td width="17" height="17" bgcolor="#EEDD00" align="center" valign="bottom">
        <img src="Images/Basic-Images/Corner-BR.gif">
    </td></tr></table>
</td></tr></table>
</center>
</html>[/code]

Share this post


Link to post
Share on other sites
can you narrow it down to the problem that you are haveing i can help you with one problem you might
have with your sessions
change this

[code]
<?php session_start; ?>
[/code]

to this

[code]
<?php session_start(); ?>
[/code]

or you sessions probably wont start
and also in your login form page you are calling up $_SESSION['user'] without starting sessions you have

[code]
<?php if ($_SESSION['user']) { ?>
  <?php print "<font class=\"greyfont\">"; ?>
  <b><?php print $_SESSION['user']; ?></b> LOGGED
[/code]

change to this

[code]

<?php session_start();?>
<?php if ($_SESSION['user']) { ?>
  <?php print "<font class=\"greyfont\">"; ?>
  <b><?php print $_SESSION['user']; ?></b> LOGGED
[/code]

Share this post


Link to post
Share on other sites
Personally, I wouldn't recommend trying to tackle a login script if you don't know anything about PHP.

I'm not a PHP guru, so I may not catch all of your mistakes, but here's some of the obvious ones.

-Although it's not a mistake per se, you don't need to have an opening and closing PHP tag for every line of code. You only need it when you want to jump in or out of PHP, and even then it's not necessary. You can use the echo or print function to output HTML and related things to the browser. I'd only jump out of PHP if there were large blocks of HTML to display.

-With your logged.php script, it appears that you're trying to control access by having an interior page that the user is automatically directed to after logging in. The problem with this is a user can simply hot link to the interior page and completely bypass the login system. Instead you're going to want to verify their identity on each page.

-NEVER TRUST FORM DATA. You should never assume the user is going to submit exactly what should be submitted. You didn't "clean" the form data at all, you just assumed it would all be good.

-You have no way to check if the user is already logged in. You've set the session and the cookie. You need to make sure the cookie is valid. Someone could easily alter a cookie to make themselves look like another user, so cookies can't be trusted as the only way to log someone in. It's also a good idea to store an md5 hash with your cookie or session info. That way you can verify that the data in the cookie or session is in fact valid. With a hash you can also check to see if a session is valid without needing to compare it to the database every time.

-It would be wise to add error handling functions to alert you when someone appears to have altered a cookie or a session so you can investigate manually.

-You'll need at least a logout script as well. It would also be a good idea to allow users to get lost passwords or user names. This can get complicated depending on how you store passwords in your database. If they're stored as plain text then this idea will work, but you have a security risk. You can use the sql password function to encrypt passwords in the DB, but this is only in the DB and not in your script...so there's still a potential security problem there. The way around this is to hash your passwords, but then you can't email a user their password, so you'd have to assign them a new password.

I didn't even look for syntax errors, these are just some big problems I noticed. I'm sure the PHP guru's around here can contribute more to this.

Share this post


Link to post
Share on other sites
If you dont know how login scripts work, I would recommend that you to look at tutorials thats where you will learn how php works and how to create logins etc.
Below is my favourite tutorial where I learned quite a lot and it assisted me with other php scripts aswell.
So if you like you can visit:
[a href=\"http://www.tutorialized.com/tutorial/PHP-Simple-login-script/9963\" target=\"_blank\"]http://www.tutorialized.com/tutorial/PHP-S...gin-script/9963[/a]

Good Luck
Sab

Share this post


Link to post
Share on other sites
I completely agree with robos. It's not only the cookies but also session variables are unsafe (even if this is very very hard! Nothing is impossible for someone who knows what he sould do...). They can be manipulated by tools. A thing you can do is to create a session table in your db. And when someone logins, insert a row into sessions table with a sessionid which is defined in a session variable. From that one all you will have to do is to get the sessionid variable and check if such a row in sessions table exists. If there is no session variable then this means the user has not logged in and bypass. And when logging out you have delete that row and everything is fine.

Even if the idea is good and used by many sites(I remember phpbb having such a login), it's hard and slows down your site's speed as it checks if the user logged in or not in everypage. And also all I say is theoritical, what practical problems can occur I don't know yet. But a fast thing that comes to my mind, if the user does not click logout and then close the explorer window (as most of us do)? That row will stay. No security problems, I think as the sessionid is not cleared with the closing explorer window and check from sql will return false but think of many many users have clicked that cross! Or not even many users, a bad intended person clicked that (or used a ghost mouse extension to repeat an action thousands maybe millions of time) what could be you db's size? You have to make a check when this row is inserted and other things which will slow down your site again. As I look for now, I hope there is a scheduled task in postgresql (expect cron) which will clear session table's once a day (records later then a day or two)
I do intend to use such an architecture in my site too, but have to research for better options(if there is ant safer). Also what do you think about this kind of a login mechanism? :)

Share this post


Link to post
Share on other sites
I have written quite a few versions of sql session systems. Very easy to use and manipulate, secure and no excess db fields. Here's a look at the code:

[code]
function ps_create ($user_id)
{
    global $c_time;
    global $_config;
    $ps_expire = db_data ("user_level", "ps_expire", "level_id", db_data ("user_list", "user_level", "user_id", $user_id));
    $user_ip = $_SERVER['REMOTE_ADDR'];
    $plops_id = md5 (uniqid ($user_ip).$c_time);
    setcookie ($_config['ps_cookie_name'], $plops_id, $ps_expire + $c_time, "/");
    mysql_query ("DELETE FROM `user_plops` WHERE `plops_expire` + `plops_active` <= '$c_time' && `user_id` = '$user_id' && `user_id` != '-1' || `user_id` = '-1' && `user_ip` = '$user_ip'");
    mysql_query ("INSERT INTO `user_plops` VALUES ('$plops_id', '$user_id', '$user_ip', '$c_time', '$ps_expire')");
    return $plops_id;
}

function ps_data ($pid)
{
    global $c_time;
    global $_config;
    mysql_query ("DELETE FROM `user_plops` WHERE `plops_expire` + `plops_active` <= '$c_time'");
    if (db_data ("user_plops", "user_ip", "plops_id", $pid) == $_SERVER['REMOTE_ADDR'])
    {
        $user_id = db_data ("user_plops", "user_id", "plops_id", $pid);
        $user_data = mysql_fetch_array (mysql_query("SELECT * FROM `user_list` WHERE `user_id` = '$user_id'"));
        $ps_expire = db_data ("user_level", "ps_expire", "level_id", $user_data['user_level']);
        mysql_query ("UPDATE `user_plops` SET `plops_active` = '$c_time' WHERE `plops_id` = '$pid'");
        setcookie ($_config['ps_cookie_name'], $pid, $ps_expire + $c_time, "/");
        return $user_data;
    }
    else
    {
        if (isset ($_COOKIE[$_config['ps_cookie_name']]))
        {
            setcookie ($_config['ps_cookie_name'], "", 0, "/");
        }
    }
}
[/code]

that's all the code. db_data() is just a function for getting database values quickly.

They're not really sessions though. I was told once not to call something by a name that does not apply to it.

PLOPS: "Permission Level Operators for Protected Sessions"

It's a kind of variant session.

I'll explain the code:

ps_create:
You take the user_id from the user_list, and create the session with that user_id and the client ip, generating an md5hash out of them and a unique string. You set the cookie with the "plops_id". then you remove any excess expired sessions, and you enterthe new session into the session DB.

ps_data:
First you clean the data base of any expired sessions.
You then take the plops_id, either from cookie or ?p_id=, you verify the db sessions user_ip vs. the IP from remote_addr, and if this returns true you output the user_list data which corresponds with that user_id. Before finishing the function updates the session of the user, adding an updated active_time (to prevent expiry).

This session function is very similiar to phpbb2, I realized this only after writing it, but it's just that any research would come to this code in any case.

What I have added here however, is an additional option: to set expiry times specific to each user level, whether admin, user etc. This increases security as obviously it is better if admins cannot stay logged in for days.

If you have any question regarding implementation...

Share this post


Link to post
Share on other sites
[code]// Register script
// If all the form data is correct, insert the rows in the db
$pw = md5($pw);
$key = md5(generate_random_string(12));
mysql_query("
INSERT INTO `user_table` (key, username, password, email)
VALUES('$key', '$username', '$pw', '$email')
");

// Login script
$_REQUEST = securify($_REQUEST);
$username = $_REQUEST['user'];
$pw = $_REQUEST['pw'];
$pw = md5($pw);
$sql = mysql_query("
SELECT *
FROM `user_table`
WHERE `username`='$username' AND `password`='$pw'
");

if(!$info = mysql_fetch_array($sql))
{
echo "Error: Invalid username/password";
}
else
{
// Log them in
$_SESSION['id'] = $info['id'];
$_SESSION['key'] = $info['key'];
}

// Check for login
if(isset($_SESSION['id']))
{
// Use COUNT to reduce database load
$key = $_SESSION['key'];
$sql = mysql_query("
SELECT COUNT(*)
FROM `user_table`
WHERE `id`='$id' AND `key`='$key'
");
if(mysql_result($sql, 0) < 1)
{
echo "You are not logged in!";
}
}
else
{
echo "You are not logged in.";
}
[/code]

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.