Akenatehm Posted November 24, 2008

Hey Guys, I need help with creating a Secure PHP Login Script. I need it to get the login details from a MySQL table and then on login it saves a script after validating the form. I am very new to PHP and I have written all that I know how to do below.

    <?PHP
    $connect = mysql_connect ('localhost','username','password')
    $db = mysql_select_db ('database_name')

That is the basics that I understand. I know how to insert data to the tables using MySQL but have no previous experience in validating the table information against the inputted data. Help would be greatly appreciated!

Link to comment https://forums.phpfreaks.com/topic/133989-solved-simple-secure-php-login-script/
Vermillion Posted November 24, 2008

Woah, sounds like you are pretty new to this, so first things first:

    <?php
    $connect = mysql_connect ('localhost','username','password'); //Semi colons are VERY important.
    $db = mysql_select_db ('database_name');
    ?>

Now, let's get going:

    <?php
    /*Variables that are passed through the form, assuming your form has a password and username field.*/
    $username = $_POST['username'];
    $password = md5($_POST['pass']);

    /*Everything related to database work.*/
    mysql_connect ('localhost','username','password');
    mysql_select_db ('database_name');
    $query = "SELECT * FROM tablename WHERE username = '$username' AND password = '$password'"; //Assuming you have your 'tablename', and a 'username' and 'password' fields on your table.
    $result = mysql_query($query); //Throws the query and stores the value in the $result variable.
    $num = mysql_num_rows($result); //Now num has a value. If your site does NOT allow more than one unique username, the value on this variable will be either 1 or 0.

    /*Time to test.*/
    if($num == 1){ //If there is a username with that password in the database:
        #Login successful!
    } else { //If there is not a username with that password:
        #Error logging in!
    }
    ?>

Hope that helps. And apologies if it isn't what you wanted.
xtopolis Posted November 24, 2008

    $username = mysql_real_escape_string($_POST['username']);

Always escape strings, always.
Akenatehm (Author) Posted November 24, 2008

Quoting Vermillion:

    Woah, sounds like you are pretty new to this, so first things first:

    <?php
    $connect = mysql_connect ('localhost','username','password'); //Semi colons are VERY important.
    $db = mysql_select_db ('database_name');
    ?>

    Now, let's get going:

    <?php
    /*Variables that are passed through the form, assuming your form has a password and username field.*/
    $username = $_POST['username'];
    $password = md5($_POST['pass']);

    /*Everything related to database work.*/
    mysql_connect ('localhost','username','password');
    mysql_select_db ('database_name');
    $query = "SELECT * FROM tablename WHERE username = '$username' AND password = '$password'"; //Assuming you have your 'tablename', and a 'username' and 'password' fields on your table.
    $result = mysql_query($query); //Throws the query and stores the value in the $result variable.
    $num = mysql_num_rows($result); //Now num has a value. If your site does NOT allow more than one unique username, the value on this variable will be either 1 or 0.

    /*Time to test.*/
    if($num == 1){ //If there is a username with that password in the database:
        #Login successful!
    } else { //If there is not a username with that password:
        #Error logging in!
    }
    ?>

    Hope that helps. And apologies if it isn't what you wanted.

So this script will allow you to log in with any of the users in the database. I am using this for a form that will provide admin access to an administration panel. I need a way of putting a form on the home website (I can do that) and processing this script on an HTML page, not having to use the .php extension, and if the login is successful, auto redirecting. Could you please add these minor adjustments?
br3nn4n Posted November 24, 2008

Wow, then you have a lot to learn; not insulting you here, just being utterly honest. Do you know how to set a form action in HTML? You need a form. For each form input the 'name' attribute becomes the PHP variable when you submit the form. Depending on the method you choose for your form (either post or get) you can then access those pieces of form data through either $_POST['input'] or $_GET['input']. There's a few basic pointers for ya.
Akenatehm (Author) Posted November 24, 2008

I know how to make a form; it's just the PHP side of it that I am unsure of. Are you able to help?
Vermillion Posted November 24, 2008

Well, to work with permissions, you would need an "access" or "permissions" table with the following structure:

user_id - ID of the user (assuming every user has a unique ID, which you should).
level - (What I do here is to set 0 for users, 1 for moderators, and 2 for administrators).

So you would need to fetch the information from the access table and the members table. Here is the code (with the escaped strings, which I have no idea of how in hell I forgot about):

    <?php
    /*Everything related to database work. Connect first: mysql_real_escape_string() needs an open connection.*/
    mysql_connect ('localhost','username','password');
    mysql_select_db ('database_name');

    /*Variables that are passed through the form, assuming your form has a password and username field.*/
    $username = mysql_real_escape_string($_POST['username']);
    $password = md5($_POST['pass']);

    $query = "SELECT * FROM tablename WHERE username = '$username' AND password = '$password'"; //Assuming you have your 'tablename', and a 'username' and 'password' fields on your table.
    $result = mysql_query($query); //Throws the query and stores the value in the $result variable.
    $num = mysql_num_rows($result); //Now num has a value. If your site does NOT allow more than one unique username, the value on this variable will be either 1 or 0.

    /*Time to test.*/
    if($num == 1){ //If there is a username with that password in the database:
        #Login successful!
        $user = mysql_fetch_array($result);
        $result1 = mysql_query("SELECT * FROM access WHERE user_id = '".$user['id']."'");
        $num_permissions = mysql_num_rows($result1); //Number of access rows for this user, expected to be 0 or 1.
        if($num_permissions == 1){
            $level = mysql_fetch_array($result1);
            switch($level['level']){
                case 1:
                    echo "User is a moderator";
                    break;
                case 2:
                    echo "User is an administrator";
                    break;
            }
        } else {
            #What to do if the user has no permissions.
        }
    } else { //If there is not a username with that password:
        #Error logging in!
    }
    ?>

That's a quick made example. Can't guarantee it's going to work, but I really recommend you have a read on PHP Sessions and deeper MySQL guides.
Akenatehm (Author) Posted November 24, 2008

Thanks, I will check it out. I don't have time to test this script now but I will let you know how it goes in a few hours. Thanks again for your help.
Akenatehm (Author) Posted November 25, 2008

Would this actually be effective in ensuring that someone had to log on and not be able to access any other file in the directory that the PHP file is located in? I need a little script I can put in the header of all my HTML pages that will redirect them to the login page if their cookie is not valid.
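Vermillion's script above compares an md5() of the password inside the SQL text, and the follow-up question asks for a header check that sends unauthenticated visitors back to the login page. The block below is an added example, not code from this thread or from any poster: it performs the same login and access-level lookup with PDO prepared statements and password_hash()/password_verify(), and adds a session-based require_login() for protected pages. The table names members and access, the column names, and the level numbering 0/1/2 follow Vermillion's description where he gives one and are assumptions where he does not. The demo at the bottom runs against an in-memory SQLite database so it can be tried offline; for MySQL only the DSN and credentials change.

```php
<?php
// Added example (not from the thread): hardened login flow with prepared
// statements, password_hash() and a session check for protected pages.
// Assumed (hypothetical) schema: members(id, username, password_hash) and
// access(user_id, level) with level 0 = user, 1 = moderator, 2 = admin.
declare(strict_types=1);

const DSN = 'sqlite::memory:'; // MySQL: 'mysql:host=localhost;dbname=database_name;charset=utf8mb4'

function connect(): PDO {
    return new PDO(DSN, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

function setup_demo_schema(PDO $pdo): void {
    // Constructed for the offline demo; a real deployment creates these once.
    $pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, password_hash TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE access (user_id INTEGER NOT NULL, level INTEGER NOT NULL)');
}

function create_user(PDO $pdo, string $username, string $password, int $level): void {
    // Store only a salted, slow hash: never md5() and never the plaintext.
    $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (:u, :h)')
        ->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
    $pdo->prepare('INSERT INTO access (user_id, level) VALUES (:id, :lvl)')
        ->execute([':id' => (int) $pdo->lastInsertId(), ':lvl' => $level]);
}

function dummy_hash(): string {
    // Hash of a random throwaway value, verified against when the username is
    // unknown so a failed login takes the same time whether or not the user exists.
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
}

function authenticate(PDO $pdo, string $username, string $password): ?array {
    // Parameterised query selecting by username only; the password is checked in
    // PHP with password_verify(), so user input never becomes part of SQL text.
    $stmt = $pdo->prepare(
        'SELECT m.id, m.username, m.password_hash, COALESCE(a.level, 0) AS level
           FROM members m LEFT JOIN access a ON a.user_id = m.id
          WHERE m.username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    $ok = password_verify($password, $row['password_hash'] ?? dummy_hash());
    if ($row === null || !$ok) {
        return null; // one generic failure for unknown user and wrong password alike
    }
    unset($row['password_hash']);
    return $row; // ['id' => ..., 'username' => ..., 'level' => ...]
}

function establish_session(array $user): void {
    // Called on successful login during a web request. Regenerating the id
    // prevents session fixation; store only what the protected pages need.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['level']   = (int) $user['level'];
}

function require_login(int $min_level = 0, string $login_page = '/login.php'): void {
    // First statement of every protected PHP page, before any output. Only pages
    // executed by PHP are covered: a static .html file in the same directory is
    // served by the web server without this check ever running.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id']) || ($_SESSION['level'] ?? 0) < $min_level) {
        header('Location: ' . $login_page, true, 303);
        exit; // stop here, otherwise the rest of the page is still generated
    }
}

// Offline demo of the database side; the session functions need a web request.
$pdo = connect();
setup_demo_schema($pdo);
create_user($pdo, 'alice', 'correct horse battery staple', 2); // constructed test account
$cases = [['alice', 'correct horse battery staple'], ['alice', 'wrong'], ['mallory', 'anything']];
foreach ($cases as [$u, $p]) {
    $user = authenticate($pdo, $u, $p);
    echo str_pad($u, 8), $user === null ? "login failed\n" : "login ok, level {$user['level']}\n";
}
```

Protected pages start with require_login() (or require_login(2) for the admin panel) and nothing else before it, because the redirect is an HTTP header. The check does nothing for files the web server hands out itself, so the admin pages have to be .php files, or the server has to be configured to run .html through PHP.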
xcoderx Posted November 25, 2008

Here is one flatfile based, good and simple login system I found some time back: http://xcoderx.fiz.su/login-flatfile.zip
Akenatehm (Author) Posted November 26, 2008

Thanks for that.
Solsearch Posted December 4, 2008

My first ever post on phpfreaks! What is the difference between mysql_escape_string and mysql_real_escape_string? Is one a newer version of the other?
xtopolis Posted December 4, 2008

5.3.0 This function now throws an E_DEPRECATED notice.
4.3.0 This function became deprecated, do not use this function. Instead, use mysql_real_escape_string().
limitphp Posted December 4, 2008

Quoting xtopolis:

    $username = mysql_real_escape_string($_POST['username']);

    Always escape strings, always.

What about taking out <>, and other symbols? Should you take out brackets and other symbols from user input on things like usernames and passwords and names?
xtopolis Posted December 4, 2008

Passwords should be hashed, never stored as is. Once hashed, they only contain numbers and letters and should not pose a threat... but you usually only compare values, not display or evaluate them, so it's not an issue most of the time.

The best rule of thumb is not to block things by black list, but rather to only allow things by white listing. This just means you will know what you want the user to input, and you will only allow those characters, usernames usually being letters, numbers, underscores.
limitphp Posted December 4, 2008

Quoting xtopolis:

    Passwords should be hashed, never stored as is. Once hashed, they only contain numbers and letters and should not pose a threat... but you usually only compare values, not display or evaluate them, so it's not an issue most of the time.

    The best rule of thumb is not to block things by black list, but rather to only allow things by white listing. This just means you will know what you want the user to input, and you will only allow those characters, usernames usually being letters, numbers, underscores.

I know how to replace things, but how do you only allow stuff?
premiso Posted December 4, 2008

Quoting limitphp:

    Quoting xtopolis:

        Passwords should be hashed, never stored as is. Once hashed, they only contain numbers and letters and should not pose a threat... but you usually only compare values, not display or evaluate them, so it's not an issue most of the time.

        The best rule of thumb is not to block things by black list, but rather to only allow things by white listing. This just means you will know what you want the user to input, and you will only allow those characters, usernames usually being letters, numbers, underscores.

    I know how to replace things, but how do you only allow stuff?

Probably should create a new topic. ereg will answer your question on how to test if certain items are in a variable/not in.
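xtopolis recommends allowing only known-good characters rather than stripping known-bad ones, and limitphp asks how that is done. The block below is an added example, not code from the thread: an allow-list check for usernames written with preg_match() (the ereg() family premiso mentions was deprecated in PHP 5.3 and removed in PHP 7), shown next to the "take out <>" approach so the two can be compared on the same inputs. The username policy (3 to 20 characters, ASCII letters, digits and underscore) is an assumption, chosen to match the "letters, numbers, underscores" convention xtopolis describes. Passwords are deliberately not filtered: they are hashed and compared, never displayed, so restricting their characters only weakens them.

```php
<?php
// Added example (not from the thread): allow-list validation of a username
// with preg_match(), beside the deny-list approach asked about above.
declare(strict_types=1);

// Assumed policy: 3-20 chars, ASCII letters, digits, underscore.
const USERNAME_PATTERN = '/^[A-Za-z0-9_]{3,20}$/D';

function valid_username(string $username): bool {
    // ^ and $ anchor the whole string; the D modifier stops $ from matching just
    // before a trailing newline, so "bob\n" is rejected like any other stray byte.
    // preg_match() returns 1 on match, 0 on no match, false on a pattern error.
    return preg_match(USERNAME_PATTERN, $username) === 1;
}

function strip_angle_brackets(string $s): string {
    // The deny-list approach: removes two specific characters and passes every
    // other character through untouched, including quotes and whitespace.
    return str_replace(['<', '>'], '', $s);
}

// Constructed inputs that show where the two approaches differ.
$inputs = ['bob_99', 'Bob Smith', "o'brien", "bob\n", 'bob<b>', str_repeat('a', 21), ''];
foreach ($inputs as $in) {
    printf("%-26s allow-list: %-7s deny-list keeps: %s\n",
        json_encode($in),
        valid_username($in) ? 'accept' : 'reject',
        json_encode(strip_angle_brackets($in)));
}
```

The comparison is the point: the deny-list version leaves "Bob Smith", "o'brien" and the trailing newline untouched and has nothing to say about length, while the allow-list rejects anything outside the policy without having to enumerate what is dangerous. Validation on the username is in addition to, not instead of, escaping or parameterising the query.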