Jump to content

Recommended Posts

Hi Please comment on my attempt to create a PHP Login system. (Criticism is cool with me)

 

Assuming all mySQL queries has been sanitized

 

Registration

The user's Username and password gets stored in a "User" table.

Username is not encrypted but the password is encrypted.

 

Login

index.php

The index page holds the HTML Login form.

 

home.php

Gets the username and password variable from the form in index.php my use of $_POST

 

a mySQL query runs , (SELECT Username , Password  FROM users WHERE Username = '$Username' and Password = '$Password')

If a result was returned then start a session ,

get the session ID

encrypt the session id and store it into a variable

 

get the username from $_POST

encrypt the username and store it in variable.

 

then encrypt ($Username + $Password) and store this valie in a cookie lets call it UUID= encrypt ($Username + $Password,'Whate ever seed i want to use')

store the Username into a cookie.

 

this all happens in a function.

So on all other pages i would call authenticateme($Username,$Password) which will return

"5474575687568DSGSDFH76dFNGF>LJK" when true and when false it will return

"JFGNXOP{{O&^*%^zsfsd<<"

 

if (authenticateme($Username,$Password)=='5474575687568DSGSDFH76dFNGF>LJK')

{

//Authenticated Code here

}

else

{

//Not authenticated code here

}

 

Next time the user goes to index.php it will first check if the user has logged in or not by taking

the current encrypted session id & username from the cookie encrypt it all together.

 

Then match the result of the encrypted value to the saved cookie UUID, if they match it means its the same user.

 

then redirect to home.php else show the login  form

 

Safe or not save ?

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Link to comment
https://forums.phpfreaks.com/topic/262282-php-login/
Share on other sites

There was a tutorial that had some errors in it that I got working, it would still need some more checking, but it works.

 

create table sql

CREATE TABLE IF NOT EXISTS `dbusers` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(32) collate utf8_unicode_ci default NULL,
  `password` char(32) collate utf8_unicode_ci default NULL,
  `email` varchar(32) collate utf8_unicode_ci default NULL,
  PRIMARY KEY  (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

 

dbConfig.php

<?php
//use your database connection information
$host = "localhost";//usually localhost,change if need different
$db_username = "user";//change database user name
$db_password = "password";//change database password
$db_name = "database";//change database name

$db = mysql_pconnect($host, $db_username, $db_password);
if ( !$db )
        {
        echo "Error connecting to database.\n";
        }

mysql_select_db($db_name,$db);
?>

 

index.php

<?php
session_start();
include('nav.php');
echo "This is the index page";
?>

 

login.php

<?php
session_start();
include('dbConfig.php');

if(isset($_POST)){
$username = trim($_POST['username']); 
$password = trim($_POST['password']);
$md5pass = md5($password);

if (!empty($_POST["username"]) || !empty($_POST["password"])) {
  
$sql_query = mysql_query("SELECT * FROM dbUsers WHERE username='$username'"); 
$row = mysql_fetch_array($sql_query) or die(mysql_error());
$user_id = $row['id'];
$user_name = $row['username'];
$user_password = $row['password'];

if($username == $user_name && $md5pass == $user_password) {
// Login good, create session variables
$_SESSION["valid_id"] = $user_id;
$_SESSION["valid_user"] = $user_name;
$_SESSION["valid_time"] = time();
        
//change where to redirect after login
//header("Location: index.php");
header("Location: members.php");
} else {
$message = "Invalid Login.";
}
} else {
$message = "Insert user name or password.";
}
include('nav.php');
  
  echo "<form action='' method='POST'>";
  echo "Username: (32 Characters Max) <input name='username' size='32'><br />";
  echo "Password: (32 Characters Max) <input type='password' name='password' size='32'><br />";
  echo "<input type='submit' value='Login'>";
  echo "</form>";
  
echo $message;

}

?>

 

logout.php

<?php
session_start();
session_unset();

session_destroy();
// Logged out, return home.
header("Location: index.php");
?>

 

members.php

<?php
session_start();
if (!$_SESSION["valid_user"])
        {
        // User not logged in, redirect to login page
        header("Location: login.php");
        }
include('nav.php');

// Display Member information
echo "<p>User ID: " . $_SESSION["valid_id"];
echo "<p>Username: " . $_SESSION["valid_user"];
echo "<p>Logged in: " . date("m/d/Y", $_SESSION["valid_time"]);

// Display logout link
echo "<p><a href=\"logout.php\">Click here to logout!</a></p>";
?>

 

nav.php

<a href="index.php"> HOME </a> <a href="members.php"> Members </a> <a href="login.php"> Login </a> <a href="logout.php"> Logout </a> <a href="register.php"> Register </a>
<br />

 

register.php

<?php
        // dbConfig.php is a file that contains your
        // database connection information. This
        // tutorial assumes a connection is made from
        // this existing file.
        include ("dbConfig.php");


//Input vaildation and the dbase code
        if ( $_GET["op"] == "reg" )
  {
  $bInputFlag = false;
  foreach ( $_POST as $field )
        {
        if ($field == "")
    {
    $bInputFlag = false;
    }
        else
    {
    $bInputFlag = true;
    }
        }
  // If we had problems with the input, exit with error
  if ($bInputFlag == false)
        {
        die( "Problem with your registration info. "
    ."Please go back and try again.");
        }
$user = mysql_real_escape_string(trim($_POST['username']));
$pass = md5(mysql_real_escape_string(trim($_POST['password'])));
$mail = mysql_real_escape_string(trim($_POST['email']));

  // Fields are clear, add user to database
  //  Setup query

$r = mysql_query("INSERT INTO dbUsers 
(username, password, email) VALUES('$user', '$pass', '$mail' ) ") 
or die(mysql_error());  
  
  // Make sure query inserted user successfully
  if ( !$r )
        {
        die("Error: User not added to database.");
        }
  else
        {
        // Redirect to thank you page.
        header("Location: register.php?op=thanks");
        }
  } // end if


//The thank you page
        elseif ( $_GET["op"] == "thanks" )
  {
  echo "<h2>Thanks for registering!</h2>";
  echo "Redirecting you to log in<br />";
  echo "<meta http-equiv='refresh' content='5;url=login.php'>";
  }
  
//The web form for input ability
        else
  {
include('nav.php');
  
  echo "<form action='?op=reg' method='POST'>\n";
  echo "Username: <input name='username' MAXLENGTH='32'><br />\n";
  echo "Password: <input name='password' MAXLENGTH='32'<br />\n";
  echo "Email Address: <input name='email' MAXLENGTH='32'><br />\n";
  echo "<input type='submit'>\n";
  echo "</form>\n";
  }
        // EOF
?>

Link to comment
https://forums.phpfreaks.com/topic/262282-php-login/#findComment-1344164
Share on other sites

  • 4 weeks later...
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.