
php based login system?


freaker87


I wrote this not long ago; it handles logging in and logging out and is well commented. Also, if you don't use the usual mysql database it's easy to change that here in the MyDb class returns. (Thanks to help from thorpe on this forum)

You can set the table and field names that your database uses using this class as well.

Any questions just ask.

 

<?php
/* 
	File: user_login.class.php
	Purpose: Flexible user login class that handles logging in, checking a user is logged in, and logging out.

	NOTE: TO USE THIS CLASS YOU MUST ALREADY HAVE CONNECTED TO THE DATABASE AND CALLED session_start()

	Include this file at the top of each page you wish to protect
	 include("inc/user_login.class.php"); //(This could be put at the top of a global include file)

	Use the following code to check the user is logged in:
	 $user_login = new user_login(new MyDb);	//(This could be put at the top of a global include file)
	 $user_login->validate_user();		//(This should only be left on the pages you wish to check for user validation)

	You will want to use the public redirect_if_logged_in() function instead of validate_user() on the login page like this:
	 $user_login->redirect_if_logged_in(); //(This will redirect a user from the current page to the specified landing page)
*/

/*
 * DB interface
 * Interface for database methods used with the user_login class
 */
interface DB {
	public function query($sql);
	public function num_rows($sql);
}

/*
 * MyDb implements DB
 * Modify the returns here if your database differs from the usual mysql_ functions
 */
class MyDb implements DB {
	public function query($sql) {
		return mysql_query($sql);
	}

	public function num_rows($sql) {
		return mysql_num_rows($sql);
	}
}

/*
 * user_login class
 * Main class for logging in users
 */
class user_login{
	private $db;
	private $auto_redirect = true;

	public function __construct($db){
		$this->db = $db;	
	}

	// The variables below are default you can change these with the db_table_config
	public $t_name = "admins";
	public $t_user = "username";
	public $t_pass = "password";
	public $t_lastlogin = "last_login"; //set $t_lastlogin = NULL if you do not have this field in your database

	// Change $login_page and $logged_in_page if your page names are different to this one
	public $login_page = "login.php";
	public $logged_in_page = "logged_in.php";

	// $log_in_error_msg is returned on login failure, can be changed with set_error_msg($error_msg)
	public $log_in_error_msg = "The username or password you have entered is incorrect or does not exist";

	// Do not touch anything below unless you know what you're doing

	/*
	 * logged_in_user()
	 * Returns value of the current logged in username
	 */
	public function logged_in_user(){
		return $_SESSION['user_username'];
	}

	/*
	 * automatic_redirect()
	 * Takes 1 bool parameter
	 * Turn automatic redirect on or off. On by default
	 */
	public function automatic_redirect($bool){
		$this->auto_redirect = $bool;
	}

	/*
	 * db_table_config()
	 * Takes 4 string parameters
	 * Sets the table name and the username, pass and lastlogin field names for the database. t_lastlogin is optional
	 */
	public function db_table_config($t_name, $t_user, $t_pass, $t_lastlogin=NULL){
		$this->t_name = $t_name;
		$this->t_user = $t_user;
		$this->t_pass = $t_pass;
		$this->t_lastlogin = $t_lastlogin;
	}

	/*
	 * set_pages()
	 * Takes 2 string parameters
	 * Sets the login page and the logged in page. If automatic_redirect(true) is used, the class will set the headers and redirect the user automatically
	 */
	public function set_pages($login_page, $logged_in_page){
		$this->login_page = $login_page;
		$this->logged_in_page = $logged_in_page;
	}

	/*
	 * set_error_msg()
	 * Takes 1 string parameter
	 * Sets the error message on login failure
	 */
	public function set_error_msg($error_msg){
		$this->log_in_error_msg = $error_msg;
	}

	/*
	 * log_in()
	 * Takes 2 parameters ($username, $password)
	 * Attempts to log in with the provided credentials, on success, the username and password are saved in the session for future testing
	 */
	public function log_in($username, $password){
		$username = stripslashes(mysql_real_escape_string($username));
		$password = stripslashes(mysql_real_escape_string($password));

		$query_login = $this->db->query("SELECT * FROM ".$this->t_name."
								 		WHERE ".$this->t_user."='$username' AND ".$this->t_pass."='$password'");

		$login_accepted = $this->db->num_rows($query_login);

		if($login_accepted == 1){
			if($this->t_lastlogin != NULL){
				$query_update_last_login = $this->db->query("UPDATE ".$this->t_name." SET ".$this->t_lastlogin."='".time()."'
															WHERE ".$this->t_user."='$username'");	
			}
			$_SESSION['user_username'] = $username;
			$_SESSION['user_password'] = $password;
			return true;
		}else{
			return false;	
		}
	}

	/*
	 * check_user()
	 * Returns true if the current session credentials can be found in the database, otherwise returns false
	 */
	public function check_user(){
		$query_login = $this->db->query("SELECT * FROM ".$this->t_name."
								 		WHERE ".$this->t_user."='".$_SESSION['user_username']."' 
										AND ".$this->t_pass."='".$_SESSION['user_password']."'");

		$login_accepted = $this->db->num_rows($query_login);

		if($login_accepted == 1){
			return true;
		}else{
			return false;	
		}
	}

	/*
	 * validate_user()
	 * Returns true if the current session credentials can be found in the database, otherwise logs user out and returns false
	 */
	public function validate_user(){
		$login_accepted = $this->check_user();

		if($login_accepted == 1){
			return true;
		}else{
			$this->log_out();
			return false;	
		}
	}

	/*
	 * redirect_if_logged_in()
	 * Redirects the user to the specified landing page if the user is logged in
	 */
	public function redirect_if_logged_in(){
		if($this->auto_redirect == true){
			if($this->check_user()){
				header("Location: ".$this->logged_in_page);	
			}
		}
	}

	/*
	 * log_out()
	 * Logs the user out by destroying the session and, if automatic redirect is on, redirecting them to the specified login page
	 */
	public function log_out(){
		$this->destroy_session();
		if($this->auto_redirect == true){
			header("Location: ".$this->login_page);
		}
	}

	/*
	 * destroy_session()
	 * Removes session and session cookie data
	 */
	private function destroy_session(){
		session_unset();
		session_destroy();
		session_write_close();
		setcookie(session_name(),'',0,'/');	
	}
}
?>


The log-in script above stores passwords in plain-text, so I strongly recommend against using it.

 

Not meaning to bash the author - it's a great educational tool, but it's not ready for production use.


Now he can create his own hash and just change the hash in the class below "MyHasher". What do you think?

 

<?php
/* 
	Author: Craig Dennis
	File: user_login.class.php
	Purpose: Flexible user login class that handles logging in, checking a user is logged in, and logging out.

	NOTE: TO USE THIS CLASS YOU MUST ALREADY HAVE CONNECTED TO THE DATABASE AND CALLED session_start()

	Include this file at the top of each page you wish to protect
	 include("inc/user_login.class.php"); //(This could be put at the top of a global include file)

	Use the following code to check the user is logged in:
	 $user_login = new user_login(new MyDb, new MyHasher);	//(This could be put at the top of a global include file)
	 $user_login->validate_user();		//(This should only be left on the pages you wish to check for user validation)

	You will want to use the public redirect_if_logged_in() function instead of validate_user() on the login page like this:
	 $user_login->redirect_if_logged_in(); //(This will redirect a user from the current page to the specified landing page)
*/

/*
 * DB interface
 * Interface for database methods used with the user_login class
 */
interface DB {
	public function query($sql);
	public function num_rows($sql);
}

/*
 * MyDb implements DB
 * Modify the returns here if your database differs from the usual mysql_ functions
 */
class MyDb implements DB {
	public function query($sql) {
		return mysql_query($sql);
	}

	public function num_rows($sql) {
		return mysql_num_rows($sql);
	}
}

class MyHasher {
	private $salt = "a6B2yj90sZ34";

	public function set_salt($salt){
		$this->salt = $salt;
	}

	public function	hash_string($string){
		return sha1(md5($this->salt.$string));
	}

	public function check_hashed_string($user_input, $correct_pass){
		// Strict comparison: == would compare numeric-looking hex strings as numbers
		return $this->hash_string($user_input) === $correct_pass;
	}
}

/*
 * user_login class
 * Main class for logging in users
 */
class user_login{
	private $db;
	private $hasher;
	private $auto_redirect = true;

	public function __construct($db, $hasher){
		$this->db = $db;
		$this->hasher = $hasher;
	}

	// The variables below are default you can change these with the db_table_config
	public $t_name = "admins";
	public $t_user = "username";
	public $t_pass = "password";
	public $t_lastlogin = "last_login"; //set $t_lastlogin = NULL if you do not have this field in your database

	// Change $login_page and $logged_in_page if your page names are different to this one
	public $login_page = "login.php";
	public $logged_in_page = "logged_in.php";

	// $log_in_error_msg is returned on login failure, can be changed with set_error_msg($error_msg)
	public $log_in_error_msg = "The username or password you have entered is incorrect or does not exist";

	// Do not touch anything below unless you know what you're doing

	/*
	 * logged_in_user()
	 * Returns value of the current logged in username
	 */
	public function logged_in_user(){
		return $_SESSION['user_username'];
	}

	/*
	 * automatic_redirect()
	 * Takes 1 bool parameter
	 * Turn automatic redirect on or off. On by default
	 */
	public function automatic_redirect($bool){
		$this->auto_redirect = $bool;
	}

	/*
	 * db_table_config()
	 * Takes 4 string parameters
	 * Sets the table name and the username, pass and lastlogin field names for the database. t_lastlogin is optional
	 */
	public function db_table_config($t_name, $t_user, $t_pass, $t_lastlogin=NULL){
		$this->t_name = $t_name;
		$this->t_user = $t_user;
		$this->t_pass = $t_pass;
		$this->t_lastlogin = $t_lastlogin;
	}

	/*
	 * set_pages()
	 * Takes 2 string parameters
	 * Sets the login page and the logged in page. If automatic_redirect(true) is used, the class will set the headers and redirect the user automatically
	 */
	public function set_pages($login_page, $logged_in_page){
		$this->login_page = $login_page;
		$this->logged_in_page = $logged_in_page;
	}

	/*
	 * set_error_msg()
	 * Takes 1 string parameter
	 * Sets the error message on login failure
	 */
	public function set_error_msg($error_msg){
		$this->log_in_error_msg = $error_msg;
	}

	/*
	 * log_in()
	 * Takes 2 parameters ($username, $password)
	 * Attempts to log in with the provided credentials, on success, the username and password are saved in the session for future testing
	 */
	public function log_in($username, $password){
		$username = stripslashes(mysql_real_escape_string($username));
		$password = stripslashes(mysql_real_escape_string($password));

		$password = $this->hasher->hash_string($password);
		$query_login = $this->db->query("SELECT * FROM ".$this->t_name."
								 		WHERE ".$this->t_user."='$username' AND ".$this->t_pass."='$password'");

		$login_accepted = $this->db->num_rows($query_login);

		if($login_accepted == 1){
			if($this->t_lastlogin != NULL){
				$query_update_last_login = $this->db->query("UPDATE ".$this->t_name." SET ".$this->t_lastlogin."='".time()."'
															WHERE ".$this->t_user."='$username'");	
			}
			$_SESSION['user_username'] = $username;
			$_SESSION['user_password'] = $password;
			return true;
		}else{
			return false;	
		}
	}

	/*
	 * check_user()
	 * Returns true if the current session credentials can be found in the database, otherwise returns false
	 */
	public function check_user(){
		$query_login = $this->db->query("SELECT * FROM ".$this->t_name."
								 		WHERE ".$this->t_user."='".$_SESSION['user_username']."' 
										AND ".$this->t_pass."='".$_SESSION['user_password']."'");

		$login_accepted = $this->db->num_rows($query_login);

		if($login_accepted == 1){
			return true;
		}else{
			return false;	
		}
	}

	/*
	 * validate_user()
	 * Returns true if the current session credentials can be found in the database, otherwise logs user out and returns false
	 */
	public function validate_user(){
		$login_accepted = $this->check_user();

		if($login_accepted == 1){
			return true;
		}else{
			$this->log_out();
			return false;	
		}
	}

	/*
	 * redirect_if_logged_in()
	 * Redirects the user to the specified landing page if the user is logged in
	 */
	public function redirect_if_logged_in(){
		if($this->auto_redirect == true){
			if($this->check_user()){
				header("Location: ".$this->logged_in_page);	
			}
		}
	}

	/*
	 * log_out()
	 * Logs the user out by destroying the session and, if automatic redirect is on, redirecting them to the specified login page
	 */
	public function log_out(){
		$this->destroy_session();
		if($this->auto_redirect == true){
			header("Location: ".$this->login_page);
		}
	}

	/*
	 * destroy_session()
	 * Removes session and session cookie data
	 */
	private function destroy_session(){
		session_unset();
		session_destroy();
		session_write_close();
		setcookie(session_name(),'',0,'/');	
	}
}
?>


I'd still suggest he uses something like PHPass, which has been developed by security experts.

 

Again, your code is very educational, but not ready for production. Check out the article in my signature.

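To show concretely why the fixed-salt sha1(md5()) scheme in MyHasher is weaker than PHP's built-in password_hash()/password_verify() (PHP 5.5+), here is an added example that is not code from the thread. SafeHasher and legacy_hash are names chosen here, the password value is constructed, and the salt is the default from the MyHasher class above.

```php
<?php
// Added example, not from the thread: contrasts the fixed-salt sha1(md5())
// scheme of MyHasher with password_hash()/password_verify() (PHP 5.5+).

// Same construction as MyHasher::hash_string(): one site-wide salt and
// two fast digests, so every account with the same password shares a digest.
function legacy_hash($salt, $password) {
    return sha1(md5($salt . $password));
}

// Replacement with the same two-method shape as MyHasher. Each hash embeds
// its own random salt and a cost factor, and verification is done by
// password_verify() rather than by comparing hashes in an SQL WHERE clause,
// so a login lookup must fetch the stored hash by username first.
class SafeHasher {
    private $cost;

    public function __construct($cost = 12) {
        $this->cost = $cost;
    }

    public function hash_string($password) {
        return password_hash($password, PASSWORD_DEFAULT, array('cost' => $this->cost));
    }

    public function check_hashed_string($user_input, $stored_hash) {
        return password_verify($user_input, $stored_hash);
    }
}

// Constructed sample values (the salt is MyHasher's default).
$salt = "a6B2yj90sZ34";
$pw   = "correct horse";

// Two accounts with the same password: the legacy digests are identical,
// so cracking one row exposes both.
$same_legacy = (legacy_hash($salt, $pw) === legacy_hash($salt, $pw));

// With per-hash salts the stored values differ, yet both still verify.
$hasher = new SafeHasher(10);
$h1 = $hasher->hash_string($pw);
$h2 = $hasher->hash_string($pw);
$same_safe   = ($h1 === $h2);
$both_verify = $hasher->check_hashed_string($pw, $h1) && $hasher->check_hashed_string($pw, $h2);
$wrong_fails = !$hasher->check_hashed_string("wrong password", $h1);

var_dump($same_legacy, $same_safe, $both_verify, $wrong_fails);
```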

Also, the code that Zephni posted is undoing (stripslashes) the escaping that it adds to the username, so it is possible to satisfy the login code without knowing the password (you just need to know, find, or guess any username that is in the table), and since the unescaped username is being stored in a session variable and re-used in other queries, all the queries using that value can be bypassed.

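A login lookup that removes the escape-then-stripslashes problem described above by binding the username as a query parameter, and that keeps the password out of the session. This is an added example, not code from the thread: PdoLogin and escape_then_strip are names chosen here, the admins table and its one credential are a constructed in-memory fixture, and it assumes the pdo_sqlite extension and that the including page has already called session_start().

```php
<?php
// Added example, not from the thread. Assumes pdo_sqlite is available and
// that session_start() has already been called by the including page.

// What the reply above describes: escaping followed by stripslashes()
// hands the raw input to the query. addslashes() stands in for
// mysql_real_escape_string(), which needs a live MySQL connection.
function escape_then_strip($input) {
    return stripslashes(addslashes($input));
}

class PdoLogin {
    private $pdo;

    public function __construct(PDO $pdo) {
        $this->pdo = $pdo;
    }

    // Looks the row up by username with a bound parameter, then checks the
    // password in PHP against the stored hash. Nothing typed by the user
    // is interpolated into the SQL text.
    public function log_in($username, $password) {
        $stmt = $this->pdo->prepare("SELECT username, password FROM admins WHERE username = :u");
        $stmt->execute(array(':u' => $username));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || !password_verify($password, $row['password'])) {
            return false;
        }
        // Only the identity goes into the session; later pages re-check the
        // user by name, never by re-sending the password.
        $_SESSION['user_username'] = $row['username'];
        return true;
    }
}

// Constructed fixture: one hashed credential in an in-memory table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE admins (username TEXT, password TEXT)");
$ins = $pdo->prepare("INSERT INTO admins VALUES (:u, :p)");
$ins->execute(array(':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)));

$login = new PdoLogin($pdo);
$undone       = (escape_then_strip("O'Brien") === "O'Brien"); // the escaping round-trips to the raw input
$good_login   = $login->log_in('alice', 'correct horse');
$bad_password = $login->log_in('alice', 'wrong');
$quoted_name  = $login->log_in("O'Brien", 'anything');       // quote is data to the driver, no SQL error
var_dump($undone, $good_login, $bad_password, $quoted_name);
```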