freaker87 Posted April 30, 2012

Hi all, I have made a PHP-based program. Now I want to add a login system. Is there any kind of simple, easy and free code available on any site which I can use? Thanks.

xyph Posted April 30, 2012

The article in my signature contains a tutorial of sorts to building your own. I'm not sure of any off the top of my head that you can just plug in to your existing script.

Zephni Posted April 30, 2012

I wrote this not long ago. It handles logging in and logging out, and is well commented. Also, if you don't use the usual mysql database, it's easy to change that here in the MyDb class returns. (Thanks to help from thorpe on this forum.) You can set the table and field names that your database uses using this class as well. Any questions, just ask.

<?php
/*
    File: user_login.class.php
    Purpose: Flexible user login class that handles logging in, checking a user is logged in, and logging out.

    NOTE: TO USE THIS CLASS YOU MUST ALREADY HAVE CONNECTED TO THE DATABASE AND CALLED session_start()

    Include this file at the top of each page you wish to protect
        include("inc/user_login.class.php"); //(This could be put at the top of a global include file)

    Use the following code to check the user is logged in:
        $user_login = new user_login(new MyDb); //(This could be put at the top of a global include file)
        $user_login->validate_user(); //(This should only be left on the pages you wish to check for user validation)

    You will want to use the public redirect_if_logged_in() function instead of validate_user() on the login page like this:
        $user_login->redirect_if_logged_in(); //(This will redirect a user from the current page to the specified landing page)
*/

/*
 * DB interface
 * Interface for database methods used with the user_login class
 */
interface DB
{
    public function query($sql);
    public function num_rows($sql);
}

/*
 * MyDb implements DB
 * Modify the returns here if your database differs from the usual mysql_ functions
 */
class MyDb implements DB
{
    public function query($sql) {
        return mysql_query($sql);
    }

    public function num_rows($sql) {
        return mysql_num_rows($sql);
    }
}

/*
 * user_login class
 * Main class for logging in users
 */
class user_login{
    private $db;
    private $auto_redirect = true;

    public function __construct($db){
        $this->db = $db;
    }

    // The variables below are defaults; you can change these with db_table_config()
    public $t_name = "admins";
    public $t_user = "username";
    public $t_pass = "password";
    public $t_lastlogin = "last_login"; // set $t_lastlogin = NULL if you do not have this field in your database

    // Change $login_page and $logged_in_page if your page names are different to these
    public $login_page = "login.php";
    public $logged_in_page = "logged_in.php";

    // $log_in_error_msg is returned on login failure, can be changed with set_error_msg($error_msg)
    public $log_in_error_msg = "The username or password you have entered is incorrect or does not exist";

    // Do not touch anything below unless you know what you're doing

    /*
     * logged_in_user()
     * Returns value of the current logged in username
     */
    public function logged_in_user(){
        return $_SESSION['user_username'];
    }

    /*
     * automatic_redirect()
     * Takes 1 bool parameter
     * Turn automatic redirect on or off. On by default
     */
    public function automatic_redirect($bool){
        $this->auto_redirect = $bool;
    }

    /*
     * db_table_config
     * Takes 4 string parameters
     * Sets the table name and the username, pass and lastlogin field names for the database. t_lastlogin is optional
     */
    public function db_table_config($t_name, $t_user, $t_pass, $t_lastlogin=NULL){
        $this->t_name = $t_name;
        $this->t_user = $t_user;
        $this->t_pass = $t_pass;
        $this->t_lastlogin = $t_lastlogin;
    }

    /*
     * set_pages
     * Takes 2 string parameters
     * Sets the login page, and on logged in page. If automatic_redirect(true) is used, the class will set the headers and redirect the user automatically
     */
    public function set_pages($login_page, $logged_in_page){
        $this->login_page = $login_page;
        $this->logged_in_page = $logged_in_page;
    }

    /*
     * set_error_msg
     * Takes 1 string parameter
     * Sets the error message on login failure
     */
    public function set_error_msg($error_msg){
        $this->log_in_error_msg = $error_msg;
    }

    /*
     * log_in()
     * Takes 2 parameters ($username, $password)
     * Attempts to log in with the provided credentials, on success, the username and password are saved in the session for future testing
     */
    public function log_in($username, $password){
        // stripslashes() removes the escaping that mysql_real_escape_string() has just added (see the replies further down this thread)
        $username = stripslashes(mysql_real_escape_string($username));
        $password = stripslashes(mysql_real_escape_string($password));

        $query_login = $this->db->query("SELECT * FROM ".$this->t_name." WHERE ".$this->t_user."='$username' AND ".$this->t_pass."='$password'");
        $login_accepted = $this->db->num_rows($query_login);

        if($login_accepted == 1){
            // Use the configured field name; a bare $t_lastlogin is undefined inside this method
            if($this->t_lastlogin != NULL){
                $query_update_last_login = $this->db->query("UPDATE ".$this->t_name." SET ".$this->t_lastlogin."='".time()."' WHERE ".$this->t_user."='$username'");
            }
            $_SESSION['user_username'] = $username;
            $_SESSION['user_password'] = $password;
            return true;
        }else{
            return false;
        }
    }

    /*
     * check_user()
     * Returns true if the current session credentials can be found in the database, otherwise returns false
     */
    public function check_user(){
        $query_login = $this->db->query("SELECT * FROM ".$this->t_name." WHERE ".$this->t_user."='".$_SESSION['user_username']."' AND ".$this->t_pass."='".$_SESSION['user_password']."'");
        $login_accepted = $this->db->num_rows($query_login);

        if($login_accepted == 1){
            return true;
        }else{
            return false;
        }
    }

    /*
     * validate_user()
     * Returns true if the current session credentials can be found in the database, otherwise logs user out and returns false
     * (with automatic redirect on, the script ends at the redirect instead of returning)
     */
    public function validate_user(){
        $login_accepted = $this->check_user();

        if($login_accepted == 1){
            return true;
        }else{
            $this->log_out();
            return false;
        }
    }

    /*
     * redirect_if_logged_in()
     * Redirects the user to the specified landing page if the user is logged in
     */
    public function redirect_if_logged_in(){
        if($this->auto_redirect == true){
            if($this->check_user()){
                header("Location: ".$this->logged_in_page);
                exit; // stop here so the rest of the page is not sent along with the redirect
            }
        }
    }

    /*
     * log_out()
     * Logs the user out by destroying the session and redirecting them to the specified login page
     */
    public function log_out(){
        $this->destroy_session();

        if($this->auto_redirect == true){
            header("Location: ".$this->login_page);
            exit; // stop here so the protected page is not sent along with the redirect
        }
    }

    /*
     * destroy_session()
     * Removes session and session cookie data
     */
    private function destroy_session(){
        session_unset();
        session_destroy();
        session_write_close();
        setcookie(session_name(),'',0,'/');
    }
}
?>

xyph Posted April 30, 2012

The log-in script above stores passwords in plain-text, so I strongly recommend against using it. Not meaning to bash the author - it's a great educational tool, but it's not ready for production use.

Zephni Posted April 30, 2012

He could shove his own hashing into it if he knows how. You are right though. But it may be easier to work on top of this rather than build one from scratch.

Would session_encode() be safe enough?

Zephni Posted April 30, 2012

Now he can create his own hash and just change the hash in the class below, "MyHasher". What do you think?

<?php
/*
    Author: Craig Dennis
    File: user_login.class.php
    Purpose: Flexible user login class that handles logging in, checking a user is logged in, and logging out.

    NOTE: TO USE THIS CLASS YOU MUST ALREADY HAVE CONNECTED TO THE DATABASE AND CALLED session_start()

    Include this file at the top of each page you wish to protect
        include("inc/user_login.class.php"); //(This could be put at the top of a global include file)

    Use the following code to check the user is logged in:
        $user_login = new user_login(new MyDb, new MyHasher); //(This could be put at the top of a global include file)
        $user_login->validate_user(); //(This should only be left on the pages you wish to check for user validation)

    You will want to use the public redirect_if_logged_in() function instead of validate_user() on the login page like this:
        $user_login->redirect_if_logged_in(); //(This will redirect a user from the current page to the specified landing page)
*/

/*
 * DB interface
 * Interface for database methods used with the user_login class
 */
interface DB
{
    public function query($sql);
    public function num_rows($sql);
}

/*
 * MyDb implements DB
 * Modify the returns here if your database differs from the usual mysql_ functions
 */
class MyDb implements DB
{
    public function query($sql) {
        return mysql_query($sql);
    }

    public function num_rows($sql) {
        return mysql_num_rows($sql);
    }
}

/*
 * MyHasher
 * Hashes passwords with a fixed salt; change hash_string() to use your own hash
 */
class MyHasher
{
    private $salt = "a6B2yj90sZ34";

    public function set_salt($salt){
        $this->salt = $salt;
    }

    public function hash_string($string){
        return sha1(md5($this->salt.$string));
    }

    public function check_hashed_string($user_input, $correct_pass){
        // Strict comparison, so two hash strings are never compared as numbers
        if($this->hash_string($user_input) === $correct_pass){
            return true;
        }else{
            return false;
        }
    }
}

/*
 * user_login class
 * Main class for logging in users
 */
class user_login{
    private $db;
    private $hasher;
    private $auto_redirect = true;

    public function __construct($db, $hasher){
        $this->db = $db;
        $this->hasher = $hasher;
    }

    // The variables below are defaults; you can change these with db_table_config()
    public $t_name = "admins";
    public $t_user = "username";
    public $t_pass = "password";
    public $t_lastlogin = "last_login"; // set $t_lastlogin = NULL if you do not have this field in your database

    // Change $login_page and $logged_in_page if your page names are different to these
    public $login_page = "login.php";
    public $logged_in_page = "logged_in.php";

    // $log_in_error_msg is returned on login failure, can be changed with set_error_msg($error_msg)
    public $log_in_error_msg = "The username or password you have entered is incorrect or does not exist";

    // Do not touch anything below unless you know what you're doing

    /*
     * logged_in_user()
     * Returns value of the current logged in username
     */
    public function logged_in_user(){
        return $_SESSION['user_username'];
    }

    /*
     * automatic_redirect()
     * Takes 1 bool parameter
     * Turn automatic redirect on or off. On by default
     */
    public function automatic_redirect($bool){
        $this->auto_redirect = $bool;
    }

    /*
     * db_table_config
     * Takes 4 string parameters
     * Sets the table name and the username, pass and lastlogin field names for the database. t_lastlogin is optional
     */
    public function db_table_config($t_name, $t_user, $t_pass, $t_lastlogin=NULL){
        $this->t_name = $t_name;
        $this->t_user = $t_user;
        $this->t_pass = $t_pass;
        $this->t_lastlogin = $t_lastlogin;
    }

    /*
     * set_pages
     * Takes 2 string parameters
     * Sets the login page, and on logged in page. If automatic_redirect(true) is used, the class will set the headers and redirect the user automatically
     */
    public function set_pages($login_page, $logged_in_page){
        $this->login_page = $login_page;
        $this->logged_in_page = $logged_in_page;
    }

    /*
     * set_error_msg
     * Takes 1 string parameter
     * Sets the error message on login failure
     */
    public function set_error_msg($error_msg){
        $this->log_in_error_msg = $error_msg;
    }

    /*
     * log_in()
     * Takes 2 parameters ($username, $password)
     * Attempts to log in with the provided credentials, on success, the username and hashed password are saved in the session for future testing
     */
    public function log_in($username, $password){
        // stripslashes() removes the escaping that mysql_real_escape_string() has just added (see the replies further down this thread)
        $username = stripslashes(mysql_real_escape_string($username));
        $password = stripslashes(mysql_real_escape_string($password));
        $password = $this->hasher->hash_string($password);

        $query_login = $this->db->query("SELECT * FROM ".$this->t_name." WHERE ".$this->t_user."='$username' AND ".$this->t_pass."='$password'");
        $login_accepted = $this->db->num_rows($query_login);

        if($login_accepted == 1){
            // Use the configured field name; a bare $t_lastlogin is undefined inside this method
            if($this->t_lastlogin != NULL){
                $query_update_last_login = $this->db->query("UPDATE ".$this->t_name." SET ".$this->t_lastlogin."='".time()."' WHERE ".$this->t_user."='$username'");
            }
            $_SESSION['user_username'] = $username;
            $_SESSION['user_password'] = $password;
            return true;
        }else{
            return false;
        }
    }

    /*
     * check_user()
     * Returns true if the current session credentials can be found in the database, otherwise returns false
     */
    public function check_user(){
        $query_login = $this->db->query("SELECT * FROM ".$this->t_name." WHERE ".$this->t_user."='".$_SESSION['user_username']."' AND ".$this->t_pass."='".$_SESSION['user_password']."'");
        $login_accepted = $this->db->num_rows($query_login);

        if($login_accepted == 1){
            return true;
        }else{
            return false;
        }
    }

    /*
     * validate_user()
     * Returns true if the current session credentials can be found in the database, otherwise logs user out and returns false
     * (with automatic redirect on, the script ends at the redirect instead of returning)
     */
    public function validate_user(){
        $login_accepted = $this->check_user();

        if($login_accepted == 1){
            return true;
        }else{
            $this->log_out();
            return false;
        }
    }

    /*
     * redirect_if_logged_in()
     * Redirects the user to the specified landing page if the user is logged in
     */
    public function redirect_if_logged_in(){
        if($this->auto_redirect == true){
            if($this->check_user()){
                header("Location: ".$this->logged_in_page);
                exit; // stop here so the rest of the page is not sent along with the redirect
            }
        }
    }

    /*
     * log_out()
     * Logs the user out by destroying the session and redirecting them to the specified login page
     */
    public function log_out(){
        $this->destroy_session();

        if($this->auto_redirect == true){
            header("Location: ".$this->login_page);
            exit; // stop here so the protected page is not sent along with the redirect
        }
    }

    /*
     * destroy_session()
     * Removes session and session cookie data
     */
    private function destroy_session(){
        session_unset();
        session_destroy();
        session_write_close();
        setcookie(session_name(),'',0,'/');
    }
}
?>

xyph Posted April 30, 2012

I'd still suggest he uses something like PHPass, which has been developed by security experts. Again, your code is very educational, but not ready for production. Check out the article in my signature.

PFMaBiSmAd Posted April 30, 2012

Also, the code that Zephni posted is undoing (stripslashes) the escaping that it adds to the username, so it is possible to satisfy the log in code without knowing the password (you just need to know, find, or guess any username that is in the table), and since the unescaped username is being stored in a session variable and re-used in other queries, all the queries using that value can be bypassed.

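Added example, not part of any post in this thread and not Zephni's code: a log_in() that addresses both points raised above, binding the username as a query parameter instead of escaping it and storing a salted slow hash with PHP's built-in password_hash()/password_verify(), used here in place of the PHPass library xyph suggests. Assumptions: PHP 5.5 or later with pdo_sqlite, a constructed in-memory database and sample account, a hypothetical helper escape_then_strip(), and addslashes() standing in for mysql_real_escape_string(), which PHP 7 removed.

```php
<?php
// Added example (not the thread author's code). Assumes PHP 5.5+ with pdo_sqlite;
// the in-memory database and the account below are constructed sample data.

// The flaw pointed out above: stripping slashes after escaping hands back the raw
// input. addslashes() stands in for the removed mysql_real_escape_string().
function escape_then_strip($raw) {
    return stripslashes(addslashes($raw));
}

// Hardened log_in(): the username is a bound parameter, the stored value is a
// salted slow hash, and only the username is kept in the session.
function log_in(PDO $db, $username, $password) {
    $stmt = $db->prepare('SELECT password FROM admins WHERE username = ?');
    $stmt->execute(array($username));
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost has changed
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE admins SET password = ? WHERE username = ?');
        $upd->execute(array(password_hash($password, PASSWORD_DEFAULT), $username));
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);              // new session id after login
        $_SESSION['user_username'] = $username;   // never store the password
    }
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admins (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO admins (username, password) VALUES (?, ?)');
$ins->execute(array('alice', password_hash('correct horse', PASSWORD_DEFAULT)));

$quoted = "o'brien";   // constructed input containing a quote character
var_dump(escape_then_strip($quoted) === $quoted);   // round trip of a quoted value
var_dump(log_in($db, 'alice', 'correct horse'));    // valid credentials
var_dump(log_in($db, 'alice', 'wrong'));            // wrong password
var_dump(log_in($db, $quoted, 'anything'));         // quoted username sent as a bound parameter
```
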
Zephni Posted April 30, 2012

Oops, that should just be mysql_real_escape_string();

thruska Posted May 3, 2012

> Hi all, I have made a PHP-based program. Now I want to add a login system. Is there any kind of simple, easy and free code available on any site which I can use? Thanks.

I just released this product: http://barebonescms.com/documentation/sso/ which might be a bit overkill for your needs, but it will definitely meet your requirement for a login system.

james_2012 Posted May 9, 2012

I have been using http://www.withinweb.com/phpsecurearea/ which may be of some interest.

Jim