
Hi all. Thanks to the help of you guys in this forum, I finally got myself to this point. The project takes its first step ahead. However, because it is built by me, a PHP newbie, it's not good and secure enough. I need you guys again to help me make the code more secure. Enough said. Here are the issues:

 

First thing first, the code works!

 

1/ I tried logging in: when I input the right username and password, it goes to "Successful log in," and with a wrong password, or a blank password or username, it takes me back to the log in form as it is supposed to, which is wonderful. The thing is, I want it to say something else, like "Either blank username or password" and "Wrong username or password," instead of just bringing the user back to the cold log in form. Please give me something to add into my code.

 

2/ I think the way I'm doing things in this code is not secure. Can you help me add something else to make it more secure?

 

 

===Log-in.html===

<form name="login" id="login" method="post" action="checklogin.php">
<table align="center">
<tr>
<td><label for="myusername">Username</label></td>
<td><input type="text" name="myusername" id="myusername" /></td>
</tr>
<tr>
<td><label for="mypassword">Password</label></td>
<td><input type="password" name="mypassword" id="mypassword" /></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="submit" id="submit" value="Submit" /></td>
</tr>
</table>
</form>

 

===checklogin.php===

<?php
// Bounce requests that did not come from the login form at all
if (!isset($_POST['myusername']) || !isset($_POST['mypassword'])) {
    header("Location: http://www.mysite.com/login.html");
    exit; // header() does not stop the script: without exit the code below still runs
}
// Check that the form fields are not empty, and redirect back to the login page if they are
elseif (empty($_POST['myusername']) || empty($_POST['mypassword'])) {
    header("Location: http://www.mysite.com/login.html");
    exit;
}
// Define $myusername and $mypassword
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];

$host     = "localhost"; // Host name
$username = "*****";     // MySQL username
$password = "****";      // MySQL password
$db_name  = "********";  // Database name
$tbl_name = "users";     // Table name

// Connect to server and select database.
// Note: the mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7;
// mysqli or PDO with prepared statements is the replacement.
mysql_connect($host, $username, $password) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");

// Undo magic_quotes_gpc (if it is enabled) before escaping, so nothing is escaped twice
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
// Escape the values for use inside single quotes in the SQL string (MySQL injection protection)
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// Note: this compares the password as plain text, so the table has to store plain-text passwords
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' AND password='$mypassword'";
$result = mysql_query($sql);

// mysql_num_rows counts the rows the query returned
$count = mysql_num_rows($result);
// If the result matched $myusername and $mypassword, there must be exactly 1 row
if ($count == 1) {
    $row = mysql_fetch_array($result);

    // Start the session and register a variable
    session_start();
    $_SESSION['mysession'] = "mysession";
    // Successful login code will go here...

    // Redirect the user to another page where we will make sure they're logged in
    header("Location: http://www.mysite.com/administrative.php");
    exit;
    // echo 'Success!';
} else {
    // If nothing is returned by the query, unsuccessful login code goes here...
    header("Location: http://www.mysite.com/login.html");
    exit;
    // Can't use header("Location: ...") together with page output
    // echo 'Incorrect login name or password. Please try again.';
}
?>



 

 

===administrative.php===

<?php
session_start();
// Anyone without the session flag set by checklogin.php is sent back to the login form
if (!isset($_SESSION["mysession"]) || $_SESSION["mysession"] != "mysession") {
    header("Location: http://www.mysite.com/login.html");
    exit; // without exit the page body below is still sent to the unauthenticated visitor
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Administrative page</title>

</head>

<body>
<h2>Log in successful!!</h2>
</body>
</html>

https://forums.phpfreaks.com/topic/189250-please-help-me-finish-this-log-in/

Thank you. I don't know if I remember exactly, but I think I read somewhere in this forum that someone used to say "don't use GET" and get rid of passing info using the ? thing, because people will see it in the URL bar and attack it somehow? Is it true, or do I remember it wrong?


 

For forms, people usually use the POST method.  This does not provide extra security, but at least the data doesn't show up in the querystring for everyone to see.

 

In each case the data does go across the internet in plain text.  The only way to secure that is to have this occur inside https:// but very few public community sites go to that trouble.  If you want true security, then you need https://.

 

In this case however, it makes sense to use POST for your form, but you shouldn't confuse that with adding security.  It is in this case the right solution for a form that has a password input on it.

$error='Username or Password are empty';
header("location:http://www.mysite.com/login.html?error=$error");

 

I understand the $error is a variable, but the "error" in the "...login.html?error=$error"

Does it happen to be "error," or can it be "msg," "err," "mymsg"???

 

I was about to put it like this

header("location:http://www.mysite.com/login.html?$error");

I thought that was how I would pass the $error to the other page and then catch it there! But that's not the right way to put it, right?

 

$error='Username or Password are empty';

header("location:http://www.mysite.com/login.html?error=$error");

 

Should be:

$error=urlencode('Username or Password are empty');

header("location:http://www.mysite.com/login.html?error=$error");

 

or

header('Location: http://www.mysite.com/login.html?error=' . urlencode('Username or Password are empty'));

Hi Iggnace, why is urlencode better than the other?

How about my inquiry regarding the "error" itself? Does it have to be "?error=$result", or can it be any name, like "mybad=?result"?

 

It doesn't have to be 'error=', it can be anything you want.  However, the ? separates the URL from the query string, so that always comes first, then the name=value pairs separated by &.

 

It's under your control however -- as you decide what you want to name these parameters.

Guys, what did I miss or do wrong this time? When I type the right account it lets me log in; in the other cases, it keeps saying

"Either wrong username or password," but it says that in the URL bar, like:

http://www.mysite.com/login.html?result=Either%20wrong%20username%20or%20password (what I see is without the %)

 

===checklogin.php===

<?php
// Bounce requests that did not come from the login form at all
if (!isset($_POST['myusername']) || !isset($_POST['mypassword'])) {
    $msg = urlencode("Please use log in form!");
    header("Location: http://www.mysite.com/login.html?result=$msg");
    exit; // header() does not stop the script: without exit the code below still runs
}
// Check that the form fields are not empty, and redirect back to the login page if they are
elseif (empty($_POST['myusername']) || empty($_POST['mypassword'])) {
    $msg = urlencode("Please enter username and password");
    header("Location: http://www.mysite.com/login.html?result=$msg");
    exit;
}
// Define $myusername and $mypassword
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];

$host     = "localhost"; // Host name
$username = "***";       // MySQL username
$password = "*****";     // MySQL password
$db_name  = "******";    // Database name
$tbl_name = "users";     // Table name

// Connect to server and select database.
// Note: the mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7;
// mysqli or PDO with prepared statements is the replacement.
mysql_connect($host, $username, $password) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");

// Undo magic_quotes_gpc (if it is enabled) before escaping, so nothing is escaped twice
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
// Escape the values for use inside single quotes in the SQL string (MySQL injection protection)
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// Note: this compares the password as plain text, so the table has to store plain-text passwords
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' AND password='$mypassword'";
$result = mysql_query($sql);

// mysql_num_rows counts the rows the query returned
$count = mysql_num_rows($result);
// If the result matched $myusername and $mypassword, there must be exactly 1 row
if ($count == 1) {
    $row = mysql_fetch_array($result);

    // Start the session and register a variable
    session_start();
    $_SESSION['mysession'] = "mysession";
    // Successful login code will go here...

    // Redirect the user to another page where we will make sure they're logged in
    header("Location: http://www.mysite.com/administrative.php");
    exit;
    // echo 'Success!';
} else {
    // If nothing is returned by the query, unsuccessful login code goes here...
    $msg = urlencode("Either wrong username or password");
    header("Location: http://www.mysite.com/login.html?result=$msg");
    exit;
    // Can't use header("Location: ...") together with page output
    // echo 'Incorrect login name or password. Please try again.';
}
?>

 

===login.html===

<?php
// Note: a <?php ... ?> block only executes if the server parses this file as PHP;
// a file served as plain .html is normally sent to the browser as-is.
// Read the message passed in the query string; empty if none was passed
$error = isset($_GET['result']) ? $_GET['result'] : '';
?>
<form name="login" id="login" method="post" action="checklogin.php">
<table align="center">
<tr>
<!-- htmlspecialchars stops a crafted ?result=<script>... link from injecting HTML into this page -->
<td colspan="2"><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></td>
</tr>
<tr>
<td><label for="myusername">Username</label></td>
<td><input type="text" name="myusername" id="myusername" /></td>
</tr>
<tr>
<td><label for="mypassword">Password</label></td>
<td><input type="password" name="mypassword" id="mypassword" /></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="submit" id="submit" value="Submit" /></td>
</tr>
</table>
</form>
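The code in this thread compares passwords as plain text, builds the SQL string from user input, never calls exit after header(), and echoes $_GET['result'] back into the page unescaped; the last post also sees the message only in the URL bar because a `<?php ... ?>` block inside a file served as .html is not executed unless the server is configured to parse .html as PHP. The following is an added example, not code from the original posts, showing how the same login flow looks in one current PHP file. It assumes a `users` table with `username` and `password_hash` columns, where `password_hash` was produced by password_hash() when the account was created, placeholder database credentials as in the thread, and that the file is served as login.php; none of these appear in the thread. The array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// login.php: added example (not from the original thread). Handles both showing the form (GET)
// and checking a submission (POST), so no message has to travel through the query string.
// Assumed schema (not in the thread): users(username VARCHAR, password_hash VARCHAR), where
// password_hash = password_hash($plaintext, PASSWORD_DEFAULT) at account creation.
declare(strict_types=1);

// Cookie flags for the session id: not readable from JavaScript, only sent over HTTPS,
// and not sent on cross-site requests. Array form requires PHP 7.3+.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // only works if the site is served over https://
    'samesite' => 'Lax',
]);
session_start();

// Connection details are placeholders, as in the thread.
$pdo = new PDO('mysql:host=localhost;dbname=********;charset=utf8mb4', '*****', '*****', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepared statements
]);

// Computed once per request so that the unknown-user and wrong-password branches below
// both cost one hash check; response time then does not reveal which usernames exist.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

/**
 * Returns true only if $username exists and $password matches its stored hash.
 * The username is a bound parameter of a prepared statement, so no escaping is
 * needed and no user input ever becomes part of the SQL text.
 */
function authenticate(PDO $pdo, string $username, string $password, string $dummyHash): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no row matched

    if ($hash === false) {
        password_verify($password, $dummyHash); // same work as a real check; result ignored
        return false;
    }
    return password_verify($password, $hash);
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim((string) ($_POST['myusername'] ?? ''));
    $password = (string) ($_POST['mypassword'] ?? '');

    if ($username === '' || $password === '') {
        $message = 'Please enter both a username and a password.';
    } elseif (authenticate($pdo, $username, $password, $dummyHash)) {
        session_regenerate_id(true);       // fresh session id after login (defeats session fixation)
        $_SESSION['user'] = $username;
        header('Location: /administrative.php', true, 303);
        exit;                              // header() alone does not stop the script
    } else {
        // Same wording for "no such user" and "wrong password": no username enumeration.
        $message = 'Wrong username or password.';
    }
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Log in</title></head>
<body>
<form method="post" action="login.php">
  <!-- htmlspecialchars keeps the message from ever being interpreted as HTML -->
  <p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
  <p><label for="myusername">Username</label>
     <input type="text" name="myusername" id="myusername" autocomplete="username"></p>
  <p><label for="mypassword">Password</label>
     <input type="password" name="mypassword" id="mypassword" autocomplete="current-password"></p>
  <p><input type="submit" value="Submit"></p>
</form>
</body>
</html>
```

With this layout administrative.php only needs `session_start(); if (!isset($_SESSION['user'])) { header('Location: /login.php', true, 303); exit; }` at the top. The message stays server-side, so nothing shows in the URL bar and nothing user-controlled reaches the page without escaping. The `secure` cookie flag ties in with the HTTPS point made earlier in the thread: POST keeps the password out of the query string, but only https:// keeps it from crossing the network in the clear.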
