
Hey Guys,

 

I need help with creating a Secure PHP Login Script. I need it to get the login details from a MySQL table and then on login it saves a script after validating the form. I am very new to PHP and I have written all that I know how to do below.

 

<?PHP 

$connect = mysql_connect ('localhost','username','password')

$db = mysql_select_db ('database_name')

 

That is the basics that I understand. I know how to insert data to the tables using MySQL but have no previous experience in validating the table information against the inputted data.

 

Help would be greatly appreciated!


Woah, sounds like you are pretty new to this, so first things first:

 

<?php

$connect = mysql_connect('localhost', 'username', 'password'); // Semicolons are VERY important.
$db = mysql_select_db('database_name'); // The function is mysql_select_db, not mysql_select_database.

?>

 

Now, let's get going:

 

<?php
// Note: the mysql_* functions used here were deprecated in PHP 5.5 and removed in PHP 7.0; mysqli_* has the same shape.

/* Variables that are passed through the form, assuming your form has a username and a password field. */
$username = $_POST['username']; // Goes into the query below unescaped; a later post in this thread adds mysql_real_escape_string().
$password = md5($_POST['pass']);

/* Everything related to database work. */
mysql_connect('localhost', 'username', 'password');
mysql_select_db('database_name');

$query = "SELECT * FROM tablename WHERE username = '$username' AND password = '$password'"; // Assuming your table is called 'tablename' and has 'username' and 'password' fields.
$result = mysql_query($query); // Runs the query and stores the result set in $result.
$num = mysql_num_rows($result); // If your site does NOT allow duplicate usernames, this will be either 1 or 0.

/* Time to test. */

if ($num == 1) { // There is a user with that username and password:

   # Login successful!

} else { // There is not:

   # Error logging in!

}
?>

 

Hope that helps. And apologies if it isn't what you wanted.
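
The query in the reply above is built by string interpolation, so a username such as `admin' -- ` (note the trailing space) turns the WHERE clause into `username = 'admin' -- ' AND password = '...'` and the password check is commented out of the SQL. The handler below is an added example, not code from the thread: it uses PDO prepared statements so user input is never part of the SQL text, `password_hash()`/`password_verify()` (PHP 5.5+) in place of unsalted MD5, a fresh server-side session on success, and the redirect a later post asks for. It needs PHP 7.1 or newer. The `users(id, username, password_hash)` table, the DSN and credentials, and the `login.html`/`admin.php` targets are assumptions; the form field names `username` and `pass` are the ones used in the reply.

```php
<?php
// login.php - added example, not from the original thread.
// Assumed schema: users(id INT PRIMARY KEY, username VARCHAR(32) UNIQUE, password_hash VARCHAR(255))
// where password_hash was produced by password_hash($plain, PASSWORD_DEFAULT).
declare(strict_types=1);

ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
ini_set('session.cookie_httponly', '1');   // keep the cookie away from page scripts
session_start();

// Connection settings are assumptions; in a real deployment they live in a config file outside the web root.
$pdo = new PDO('mysql:host=localhost;dbname=database_name;charset=utf8mb4', 'username', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares: data and SQL travel separately
]);

/** Reads a POST field as a string; arrays (username[]=x) and missing fields become ''. */
function post_string(string $key): string
{
    $v = $_POST[$key] ?? '';
    return is_string($v) ? $v : '';
}

/**
 * Returns the user's id on success, null on failure.
 * The SQL text contains no user data: the username is sent as a bound parameter.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // Cheap sanity limits before touching the database.
    if ($username === '' || strlen($username) > 32 || $password === '' || strlen($password) > 1024) {
        return null;
    }

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: spend roughly the same time as a verify would, so the
        // response time does not reveal which usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return null;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }

    // Transparently upgrade hashes whose cost or algorithm is out of date.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: login.html');      // assumed form page
    exit;
}

$userId = authenticate($pdo, post_string('username'), post_string('pass'));

if ($userId === null) {
    // One generic message for both "no such user" and "wrong password".
    http_response_code(401);
    echo 'Invalid username or password.';
    exit;
}

// Success: new session id (defeats session fixation), then redirect.
session_regenerate_id(true);
$_SESSION['user_id'] = $userId;
header('Location: admin.php');           // assumed protected page
exit;
```

The file deliberately has no closing `?>` tag: stray whitespace after it would be sent before the `Location` header and break the redirect. Storing `$_SESSION['user_id']` server-side is what later makes a per-page login check possible; the browser only ever holds the opaque session cookie.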


So this script will allow you to log in with any of the users in the database. I am using this for a form that will provide admin access to an administration panel. I need a way of putting a form on the home website (I can do that) and processing this script on an HTML page without having to use the .php extension, and if the login is successful, auto-redirecting. Could you please add these minor adjustments?

Wow, then you have a lot to learn :) Not insulting you here, just being utterly honest.

 

Do you know how to set a form action in html? You need a form.

 

For each form input, the 'name' attribute becomes the PHP variable when you submit the form. Depending on the method you choose for your form (either post or get) you can then access those pieces of form data through either $_POST['input'] or $_GET['input']. There's a few basic pointers for ya.

Well, to work with permissions, you would need an "access" or "permissions" table with the following structure:

 

user_id - ID of the user (assuming every user has a unique ID, which you should).

level - (What I do here is to set 0 for users, 1 for moderators, and 2 for administrators).

 

So you would need to fetch the information from the access table and the members table.

 

Here is the code (with the escaped strings, which I have no idea how in hell I forgot about):

 

 

<?php

/* Everything related to database work. This has to come first: mysql_real_escape_string() needs an open connection. */
mysql_connect('localhost', 'username', 'password');
mysql_select_db('database_name');

/* Variables that are passed through the form, assuming your form has a username and a password field. */
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['pass']);

$query = "SELECT * FROM tablename WHERE username = '$username' AND password = '$password'"; // Assuming your table is called 'tablename' and has 'username' and 'password' fields.
$result = mysql_query($query); // Runs the query and stores the result set in $result.
$num = mysql_num_rows($result); // If your site does NOT allow duplicate usernames, this will be either 1 or 0.

/* Time to test. */

if ($num == 1) { // There is a user with that username and password:

   # Login successful!
   $user = mysql_fetch_array($result);
   $result1 = mysql_query("SELECT * FROM access WHERE user_id = '" . $user['id'] . "'"); // user_id comes from our own row, not from the form.
   $num_permissions = mysql_num_rows($result1);

   if ($num_permissions == 1) { // Exactly one access row for this user. (The original tested $result1, which is a result resource, not a count.)

      $level = mysql_fetch_array($result1);

      switch ($level['level']) {

         case 1:
         echo "User is a moderator";
         break;

         case 2:
         echo "User is an administrator";
         break;

         default:
         echo "User is a regular user"; // level 0
         break;

      }

   } else {

      # What to do if the user has no access row.

   }

} else { // There is not a user with that username and password:

   # Error logging in!

}
?>

 

That's a quickly made example. Can't guarantee it's going to work, but I really recommend you have a read on PHP Sessions and deeper MySQL guides.

Would this actually be effective in ensuring that someone had to log on and would not be able to access any other file in the directory that the PHP file is located in? I need a little script I can put in the header of all my HTML pages that will redirect them to the login page if their cookie is not valid.
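
The permissions post and the question above come down to two things: decide the user's level once, right after the password check, and then verify it at the top of every protected page. The file below is an added example, not code from the thread. It is meant to be `require`d as the first line of each protected page, which means those pages do have to be processed by PHP (a plain `.html` file cannot run a check on its own unless the web server is configured to pass it through PHP). It trusts only the server-side session, never a value the browser supplies in a cookie, and treats a user with no `access` row as level 0, the case the post's `else` branch leaves open. The `access(user_id, level)` table, the `login.php` target and the one-hour session lifetime are assumptions; PHP 7.1 or newer.

```php
<?php
// auth.php - added example, not code from the thread.
// Usage on a protected page (before any output):
//     require __DIR__ . '/auth.php';
//     require_level(LEVEL_ADMIN);      // or LEVEL_MODERATOR / LEVEL_USER
declare(strict_types=1);

const LEVEL_USER      = 0;   // the numbering used in the post
const LEVEL_MODERATOR = 1;
const LEVEL_ADMIN     = 2;

/**
 * Looks up the level from the access table (assumed schema: access(user_id INT, level TINYINT)).
 * A user with no row is an ordinary user, so a missing permission can only lower access, never raise it.
 */
function load_level(PDO $pdo, int $userId): int
{
    $stmt = $pdo->prepare('SELECT level FROM access WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    $level = $stmt->fetchColumn();
    if ($level === false) {
        return LEVEL_USER;
    }
    $level = (int) $level;
    // Clamp to the known range so an odd value in the table cannot become a privilege.
    return ($level >= LEVEL_USER && $level <= LEVEL_ADMIN) ? $level : LEVEL_USER;
}

/**
 * Call from login.php right after a successful password check (session already started).
 * Identity and level live in the server-side session; the browser only gets the session id.
 */
function start_authenticated_session(PDO $pdo, int $userId): void
{
    session_regenerate_id(true);          // fresh id: defeats session fixation
    $_SESSION['user_id']  = $userId;
    $_SESSION['level']    = load_level($pdo, $userId);
    $_SESSION['login_at'] = time();
}

/**
 * Page guard. A forged or stale cookie maps to an empty session on the server,
 * so there is nothing to "validate" in the cookie itself: check the session contents.
 */
function require_level(int $minLevel, string $loginPage = 'login.php', int $maxAge = 3600): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        ini_set('session.use_strict_mode', '1');
        ini_set('session.cookie_httponly', '1');
        session_start();
    }

    $loggedIn = isset($_SESSION['user_id'], $_SESSION['level'], $_SESSION['login_at'])
        && (time() - (int) $_SESSION['login_at']) < $maxAge;   // absolute lifetime

    if (!$loggedIn) {
        session_unset();
        session_destroy();
        header('Location: ' . $loginPage);
        exit;
    }
    if ((int) $_SESSION['level'] < $minLevel) {
        http_response_code(403);          // logged in, but not allowed on this page
        echo 'Forbidden';
        exit;
    }
}

/** Human-readable name for a level, mirroring the post's switch. */
function level_name(int $level): string
{
    switch ($level) {
        case LEVEL_MODERATOR: return 'moderator';
        case LEVEL_ADMIN:     return 'administrator';
        default:              return 'user';
    }
}
```

Note what this does not protect: static files in the same directory are served by the web server without ever running PHP, so they need a web-server rule (or a location outside the document root) rather than anything in this script.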


$username = mysql_real_escape_string($_POST['username']);

 

Always escape strings, always.

 

What about taking out <>, and other symbols?

Should you take out brackets and other symbols from user input on things like usernames and passwords and names?

Passwords should be hashed, never stored as is. Once hashed, they only contain numbers and letters and should not pose a threat... but you usually only compare values, not display or evaluate them, so it's not an issue most of the time.

 

The best rule of thumb is not to block things by blacklist, but rather to only allow things by whitelisting. This just means you know what you want the user to input, and you only allow those characters; usernames usually being letters, numbers, underscores.


I know how to replace things, but how do you only allow stuff?


Probably should create a new topic.

 

ereg will answer your question on how to test whether certain items are in a variable or not.
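
The answer above points at `ereg`; that function was deprecated in PHP 5.3 and removed in 7.0, so the same whitelist is written with `preg_match()` today. The block below is an added example, not from the thread: it accepts a username only when the whole string consists of allowed characters (reject, don't "clean"), leaves the password unfiltered because it is hashed and never reaches SQL or HTML, and escapes the username the one time it is displayed. The character set follows the post (letters, numbers, underscores); the 3 to 20 length limit and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// validate.php - added example, not code from the thread.
declare(strict_types=1);

/**
 * Whitelist check. \A and \z anchor to the very start and very end of the string,
 * so the pattern matches only if EVERY character is in the allowed set.
 * (With $ instead of \z, "carol\n" would pass, because $ also matches before a final newline.)
 * The 3..20 length is an assumption; the set is the one the post suggests.
 */
function is_valid_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username) === 1;
}

/**
 * Passwords are NOT whitelisted: restricting their characters only weakens them.
 * They are hashed before storage, so quotes and angle brackets never reach SQL or HTML.
 * The upper bound exists because bcrypt (PASSWORD_DEFAULT) ignores bytes beyond 72.
 */
function is_valid_password(string $password): bool
{
    $len = strlen($password);
    return $len >= 8 && $len <= 72;
}

/**
 * Validates the login form. Returns a list of problems; an empty list means the input is acceptable.
 * It returns no "sanitized" values on purpose: input is either accepted as-is or rejected.
 */
function validate_login_form(array $post): array
{
    $errors   = [];
    $username = $post['username'] ?? '';
    $password = $post['pass'] ?? '';

    if (!is_string($username) || !is_valid_username($username)) {
        $errors[] = 'Username must be 3-20 characters: letters, digits or underscore.';
    }
    if (!is_string($password) || !is_valid_password($password)) {
        $errors[] = 'Password must be 8-72 characters.';
    }
    return $errors;
}

// Constructed sample usernames showing what the whitelist does with the symbols asked about in the thread.
$samples = [
    'alice_01',           // accepted
    "admin' -- ",         // rejected: quote, spaces, dashes
    '<script>',           // rejected: angle brackets
    'bob',                // accepted (exactly 3 characters)
    "carol\n",            // rejected: trailing newline (would slip past a $-anchored pattern)
    str_repeat('a', 21),  // rejected: too long
];
foreach ($samples as $s) {
    printf("%-24s %s\n", json_encode($s), is_valid_username($s) ? 'accepted' : 'rejected');
}

// Whole-form check on a constructed POST array.
print_r(validate_login_form(['username' => "admin' -- ", 'pass' => 'short']));

// The whitelist is a second line of defence, not a substitute for output encoding:
// where a username is echoed into HTML, escape it there.
echo 'Welcome, ' . htmlspecialchars('alice_01', ENT_QUOTES, 'UTF-8') . "\n";
```

Whitelisting the username also removes the whole class of characters the earlier posts worried about, but it does not make the query safe on its own; the prepared statement or `mysql_real_escape_string()` from earlier in the thread is still what keeps the value out of the SQL text.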
