
User authentication / login help


HartMan

Recommended Posts

Hello all, first post here.

I'm fairly new to PHP and am still trying to really get a hold of what I'm doing. Right now I'm just trying to build a simple login function for my site and am completely stuck.

Here is what I have so far.

In function authuser I'm trying to create a query, return the result, compare it with what was posted on index.php and, if it matches the database, I would like the login function to start the session.

I hope that makes sense.

And if there is a better way to do this or something I'm missing, please let me know.

index.php

if($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'];
    $password = md5($_POST['password']);

    if(empty($username) || empty($password)){
        $data['status'] = 'Please fill out both inputs';
    } else {
        // login
        authuser($username,$password);
    }
}

functions.php

function login($username,$password)
{
    session_start();
}

function authuser($username,$password)
{
    $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
    $results = mysql_query($sql);
    $rows = mysql_num_rows($results);

    if($rows==1)
    {
        session_register("admin");
    } else {
        echo "Wrong Username or Password";
    }
}

Edited by HartMan

This is my preference for forms. I don't check the method. I want to check that the login form has been submitted.

Also, be sure to escape your data from bad people ;)

 

if( isset($_POST['your_form_submit_button_value']) ){
    $password = mysql_real_escape_string($_POST['password']);
    $username = mysql_real_escape_string($_POST['username']);
    ....
    // the rest of your code

Hi worldcom,

I have recently been working on a login script for my applications. I have created a login / account application using phpass for password hashing to help keep it secure. It's by no means watertight or completed, but you might find it useful.

I have started to move this application to GitHub, but haven't had time to create the instructions yet, so apologies for that. But everything should be there that you need.

 

Have a look as it might be useful for you.

 

https://github.com/andrewbiggart/phppass

 

Andrew


@worldcom: You shouldn't rely on the submit button name to be sent along with the form. Some browsers don't send the submit button along with the form, so you could miss out on some form submissions.

Checking the request method is probably the most reliable, but don't quote me on that.



I'll have a good look.

Just an FYI, I was just pointing out to the OP that you should be checking any input.

Also, I'm not sure we shouldn't be relying on $_SERVER['REQUEST_METHOD']; you should know the method you expect, either $_GET or $_POST.

@Jazzman: I believe they are browsers that run on operating systems other than PC, such as Mac, Linux, Unix, etc.

 

@Worldcom: I myself use a hidden input for forms, it works great if you have multiple forms on a page as some of my applications do.


2 weeks later...

Sorry it took so long to respond.

I've changed my code a bit, but now when I pass the username and password I get back this error:

"Trying to get property of non-object in C:\wamp\www\whatscookincatering\lib\functions.php on line 23"

Here is what my code looks like now.

index.php

<?php  

require '../blog.php';
$data = array();

session_start();

# check required fields
if( empty( $_POST['username'] ) || empty( $_POST['password'] ) ){
    $data['msg'] = 'Please fill out both fields to log in.';
}else{
    $DB = new mysqli( 'localhost', $config['dbusername'], $config['dbpassword'], $config['database'] );

    # check if login is correct:
    $success = check_login( $_POST['username'],$_POST['password'],$DB );

    # assign appropriate message:
    $data['msg'] = $success?
        'Thank you for logging in':     // success
        'Wrong username or password.';  // failure

}

view('../admin/login', $data);
?>

 

functions.php

<?php  
function view($path, $data = null)
{
    if ( $data ){
        extract($data);
    }

    $path = 'views/' . $path . '.tmpl.php';

    include "../views/layout.php";
}

function check_login( $username,$password,mysqli $DB )
{
    $query = $DB->prepare( "SELECT 1 FROM users WHERE username=? AND password=?" );
    $password = md5( $password );

    # bind the submitted username/password to the statement
    $query->bind_param( 'ss',$username,$password );

    # query the DB and check number of rows returned to determine success
    $result = $query->execute();
    return ($result->num_rows === 1)?
        true:  
        false;  
}
?>

 

This is line 23:

"return ($result->num_rows === 1)?"

Edited by HartMan

Timothy: I recommend reading the posts before you reply, as the author is clearly using MySQLi already.

Sanjib Sinha: Unfortunately, your reply is just as helpful as Timothy's.

While I do applaud your willingness to help and educate others, please take the time to properly read and understand the thread, so that you can actually offer accurate and relevant help on the topic at hand, and not just waste time or (even worse) be part of the problem.

Thank you.

HartMan: If you look at the PHP manual for mysqli_statement::execute() you should notice something quite important. Especially if you look at its return type.

Edited by Christian F.
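Added example, not code from HartMan or from any of the replies: a version of index.php and check_login() that follows the hints given in this thread. It picks up Christian F.'s point that mysqli_stmt::execute() returns only true or false (so the row count must come from the statement after store_result()), worldcom's point about never putting raw input into the SQL text, and the submit-button discussion (the form is identified by request method plus a hidden input rather than by the button). It also replaces md5() with password_hash()/password_verify(), the same idea as the phpass library Andrew linked. Assumptions: PHP 7 or later, a $config array from blog.php as in the original index.php, a users table with username and password_hash columns, and a login form carrying a hidden <input name="form" value="login">; all of these names are illustrative.

```php
<?php
declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false,
// so a failed prepare() cannot be mistaken for "no rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

require '../blog.php';   // assumed to define $config, as in the original index.php
session_start();

// Precomputed once per request; used to keep the timing of "unknown user" close to
// the timing of "wrong password". In production, precompute at deploy time instead.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

/** Store a new user with a salted, slow hash instead of md5(). */
function create_user(mysqli $db, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);   // algorithm + salt chosen by PHP
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

/**
 * Fetch the stored hash by username only and compare it in PHP.
 * Binding the parameter means the username never becomes part of the SQL string.
 */
function check_login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);

    // execute() returns bool, not a result object; the rows live on the statement.
    $stmt->execute();
    $stmt->store_result();            // required before num_rows has a meaningful value

    if ($stmt->num_rows !== 1) {
        $stmt->close();
        password_verify($password, DUMMY_HASH);   // burn the same time as a real check
        return false;
    }

    $stmt->bind_result($storedHash);
    $stmt->fetch();
    $stmt->close();

    return password_verify($password, $storedHash);
}

/** Handle one request; returns the message to show, or '' if no login was attempted. */
function handle_login(mysqli $db): string
{
    // Identify the form by method plus a hidden field, not by the submit button,
    // which some browsers do not send.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || ($_POST['form'] ?? '') !== 'login') {
        return '';
    }

    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');
    if ($username === '' || $password === '') {
        return 'Please fill out both fields to log in.';
    }

    if (!check_login($db, $username, $password)) {
        return 'Wrong username or password.';   // same message for both failure causes
    }

    // Successful login: issue a fresh session id so an id handed out before
    // authentication cannot be replayed, then mark the session as logged in.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return 'Thank you for logging in';
}

$db = new mysqli('localhost', $config['dbusername'], $config['dbpassword'], $config['database']);
$db->set_charset('utf8mb4');

$data = ['msg' => handle_login($db)];
// view('../admin/login', $data);   // render as in the original index.php
```

Two things to check when adapting this: the password_hash column must be wide enough for the hash (255 characters is the usual choice, since PASSWORD_DEFAULT may change algorithm), and the error text returned for an unknown user and for a wrong password must stay identical, otherwise the login page becomes a username oracle regardless of the timing work above.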
