Jump to content

[SOLVED] Simple Secure PHP Login Script

Akenatehm

By Akenatehm
in PHP Coding Help

 Share

Recommended Posts

Akenatehm Regular Member

Akenatehm

Posted
Posted

Hey Guys,

 

I need help with creating a Secure PHP Login Script. I need it to get the login details from a MySQL table and then on login it saves a script after validating the form. I am very new to PHP and I have written all that I know how to do below.

 

<?PHP 

$connect = mysql_connect ('localhost','username','password')

$db = mysql_select_database ('database_name')

 

That is the basics that I understand. I know how to insert data to the tables using MySQL but have no previous experience in validating the table information against the inputted data.

 

Help would be greatly appreciated!

Link to comment
Share on other sites
Vermillion Member

Vermillion

Posted
Posted

Woah, sounds like you are pretty new to this, so first things first:

 

<?php

$connect = mysql_connect ('localhost','username','password'); //Semi colons are VERY important.
$db = mysql_select_database ('database_name');

?>

 

Now, let's get going:

 

<?php

/*Variables that are passed through the forum, assuming your forum has a password and username field.*/
$username = $_POST['username'];
$password = md5($_POST['pass']);

/*Everything related to database work.*/
mysql_connect ('localhost','username','password');
mysql_select_database ('database_name');

$query = "SELECT * FROM tablename WHERE username = '$username' AND password = '$password'"; //Assuming you have your 'tablename', and a 'username' and 'password' fields on your table.
$result = mysql_query($query); //Throws the query and stores the value in the $result variable.
$num = mysql_num_rows($result); //Now num has a value. If your site does NOT allow more than one unique username, the value on this variable will be either 1 or 0.

/*Time to test.*/

if($num == 1){ //If there is a username with that password in the database:

   #Loggin successful!

} else { //If there is not a username with that password:

   #Error loggin in!

}
?>

 

Hope that helps. And apologizes if it isn't what you wanted.

Link to comment
Share on other sites
Akenatehm Regular Member

Akenatehm

Posted
  • Author
Posted

Woah, sounds like you are pretty new to this, so first things first:

 

<?php

$connect = mysql_connect ('localhost','username','password'); //Semi colons are VERY important.
$db = mysql_select_database ('database_name');

?>

 

Now, let's get going:

 

<?php

/*Variables that are passed through the forum, assuming your forum has a password and username field.*/
$username = $_POST['username'];
$password = md5($_POST['pass']);

/*Everything related to database work.*/
mysql_connect ('localhost','username','password');
mysql_select_database ('database_name');

$query = "SELECT * FROM tablename WHERE username = '$username' AND password = '$password'"; //Assuming you have your 'tablename', and a 'username' and 'password' fields on your table.
$result = mysql_query($query); //Throws the query and stores the value in the $result variable.
$num = mysql_num_rows($result); //Now num has a value. If your site does NOT allow more than one unique username, the value on this variable will be either 1 or 0.

/*Time to test.*/

if($num == 1){ //If there is a username with that password in the database:

   #Loggin successful!

} else { //If there is not a username with that password:

   #Error loggin in!

}
?>

 

Hope that helps. And apologizes if it isn't what you wanted.

 

So this script will allow you to log in with any of the users in the database. I am using the for a form that will provide admin access to an administration panel. I need a way of putting a form on the home website ( I can do that) and processing this script on an html page not having to use the .php extention and if the login is succesful, auto redirecting. Could you please add these minor adjustments?

Link to comment
Share on other sites
br3nn4n Member

br3nn4n

Posted
Posted

Wow, then you have a lot to learn :) not insulting you here, just being utterly honest.

 

Do you know how to set a form action in html? You need a form.

 

for each form input the 'name' attribute becomes the php variable when you submit the form. Depending on the method you choose for your form (either post or get) you can then access those pieces of form data through either $_POST['input'] or $_GET['input']. There's a few basic pointers for ya.

Link to comment
Share on other sites
Vermillion Member

Vermillion

Posted
Posted

Well, to work with permissions, you would need an "access" or "permissions" table with the following structure:

 

user_id - ID of the user (assuming every user has a unique a ID, which you should).

level - (What I do here is to set 0 for users, 1 one for moderators, and 2 for administrators).

 

So you would need to fetch the information from the access table and the members table.

 

Here is the code (with the escaped strings which I have no idea of how in hell I forgot about it):

 

 

<?php

/*Variables that are passed through the forum, assuming your forum has a password and username field.*/
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['pass']);

/*Everything related to database work.*/
mysql_connect ('localhost','username','password');
mysql_select_database ('database_name');

$query = "SELECT * FROM tablename WHERE username = '$username' AND password = '$password'"; //Assuming you have your 'tablename', and a 'username' and 'password' fields on your table.
$result = mysql_query($query); //Throws the query and stores the value in the $result variable.
$num = mysql_num_rows($result); //Now num has a value. If your site does NOT allow more than one unique username, the value on this variable will be either 1 or 0.

/*Time to test.*/

if($num == 1){ //If there is a username with that password in the database:

   #Loggin successful!
   $user = mysql_fetch_array($result);
   $result1 = mysql_query("SELECT * FROM access WHERE user_id = '".$user['id']."'");
   $num_permissions = mysql_num_rows($result1);

   if($result1 == 1){

      $level = mysql_fetch_array($result1);

      switch($level['level']){

         case 1:
         echo "User is a moderator";
         break;

         case 2:
         echo "User is an administrator";
         break;

      }

   } else {

      #What to do if the user has no permissions.

   }

} else { //If there is not a username with that password:

   #Error loggin in!

}
?>

 

That's a quick made example. Can't guarantee it's going to work, but I really recommend you have a read on PHP Sessions and deeper MySQL guides.

Link to comment
Share on other sites
Akenatehm Regular Member

Akenatehm

Posted
  • Author
Posted

Would this actually be effective in ensuring that someone had to log on and not be able to access any other file in the directory that the PHP file is located in. I need a little script I can put in the header of all my HTML pages that will redirect them to the login page if their cookie is not valid.

Link to comment
Share on other sites
  • 2 weeks later...
xtopolis Member

xtopolis

Posted
Posted

Passwords should be hashed, never stored as is.  Once hased, they only contain numbers and letters and should not pose a threat... but you usually only compare values, not display or evaluate them, so it's not an issue most of the time.

 

The best rule of thumb is not to block things by black list, but rather to only allow things by white listing.  This just means, you will know what you want the user to input, and you will only allow those characters.  usernames usually being Letters, numbers, underscores.

Link to comment
Share on other sites
limitphp Advanced Member

limitphp

Posted
Posted

Passwords should be hashed, never stored as is.  Once hased, they only contain numbers and letters and should not pose a threat... but you usually only compare values, not display or evaluate them, so it's not an issue most of the time.

 

The best rule of thumb is not to block things by black list, but rather to only allow things by white listing.  This just means, you will know what you want the user to input, and you will only allow those characters.  usernames usually being Letters, numbers, underscores.

 

I know how to replace things, but how do you only allow stuff?

Link to comment
Share on other sites
premiso Regular Member

premiso

Posted
Posted

Passwords should be hashed, never stored as is.  Once hased, they only contain numbers and letters and should not pose a threat... but you usually only compare values, not display or evaluate them, so it's not an issue most of the time.

 

The best rule of thumb is not to block things by black list, but rather to only allow things by white listing.  This just means, you will know what you want the user to input, and you will only allow those characters.  usernames usually being Letters, numbers, underscores.

 

I know how to replace things, but how do you only allow stuff?

 

Probably should create a new topic.

 

ereg will answer you question on how to test if certain items are in a variable/not in.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.