Jump to content

PHP Login System

Thaikhan

By Thaikhan
in PHP Coding Help

 Share

Recommended Posts

Thaikhan Newbie

Thaikhan

Posted
Posted

Hello guys,


 


I'm trying to make a login system linked to a mySQL database and below is what I have so far. The problem I'm having is when I try to submit both a username and password, I think the database query is failing and it leads to a blank page. Any ideas?


 


Thanks you. Any help will be greatly appreciated.


 


Here's the page I'm talking about: http://aerithea.com/login/login.php




<?php

session_start();

?>


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html lang="en">

	<head>

		<meta http-equiv="content-type" content="text/html; charset=utf-8" />

		<title>Member System - Login</title>

	</head>

<body>


<?php


$form = "<form action='./login.php' method='post'>

<table>

<tr>

	<td>Username:</td>

	<td><input type='text' name='user' /></td>

</tr>


<tr>

	<td>Password:</td>

	<td><input type='password' name='password' /></td>

</tr>


<tr>

	<td></td>

	<td><input type='submit' name='loginbtn' value='Login' /></td>

</tr>

</table>

</form>";


	if ($_POST['loginbtn']) {

		$user = $_POST['user'];

		$password = $_POST['password'];


		if ($user) {

			if ($password) {


				require("connect.php");


				$password = md5(md5("q`wkIa4".$password."qwe;lnm"));

				//make sure login info correct

				$query = msql_query("SELECT * FROM users WHERE username='$user'");

				$numrows = mysql_num_rows($query);

				if ($numrows == 1) {

					$row = mysql_fetch_assoc($query);

					$dbid = $row['id'];

					$dbuser = $row['username'];

					$dbpass = $row['password'];

					$dbactive = $row['active'];


					if($password == $dbpass) {

						if($dbactive == 1) {


							//set session info

							$_SESSION['userid'] = $dbid;

							$_SESSION['username'] = $dbuser;


							echo "You have been logged in as <b>$dbuser</b>. <a href='./member.php'>Click here</a> to go to the member page.";


						}

						else

							echo "You must activate your account to login. $form";

					}

					else

						echo "You did not enter the correct password. $form";

				}

				else

					echo "The username you entered was not found. $form";


				mysql_close();


			}

			else

				echo "You must enter your password. $form";

		}

		else

			echo "You must enter your username. $form";


	}

	else

		echo $form;




?>


</body>

</html>

Link to comment
Share on other sites
sKunKbad Advanced Member

sKunKbad

Posted
Posted

Authentication is not for beginners. You will get hacked in 2 seconds. The code you have shown above demonstrates one of the easiest things to hack.

 

You need to read up on sql injection and proper password hashing before writing more code. You also need to read up on input validation and all of the common attack vectors.

 

The better alternative, unless you just want to learn more about PHP, is to use somebody else's authentication library.

Link to comment
Share on other sites
limitbreaker Newbie

limitbreaker

Posted
Posted

Authentication is not for beginners. You will get hacked in 2 seconds. The code you have shown above demonstrates one of the easiest things to hack.

 

You need to read up on sql injection and proper password hashing before writing more code. You also need to read up on input validation and all of the common attack vectors.

 

The better alternative, unless you just want to learn more about PHP, is to use somebody else's authentication library.

 

I've been a PHP programmer for a year, self taught, but would a combo of mysql_real_escape_string and pass() be sufficient?

Link to comment
Share on other sites
PaulRyan Member

PaulRyan

Posted
Posted

There is a few things I see wrong with the script at the minute.

 

1 - You haven't turned on error reporting, see here Error Reporting

2 - You are using MySQL, you should really be looking into MySQLi

3 - You are not validating the incoming form data before using it in your queries (previously mentioned by another user)

4 - You should be processing all PHP before any output to the browser, before this line

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

5 - You are using MD5() for hasing your passwords, you should look into the PHPass Library

 

This line here, you are using msql instead of mysql.

 

$query = msql_query("SELECT * FROM users WHERE username='$user'");

 

Look into using isset/empty for checking whether variables are set and if they are empty etc.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.