Jump to content

Recommended Posts

Hello guys,


 


I'm trying to make a login system linked to a mySQL database and below is what I have so far. The problem I'm having is when I try to submit both a username and password, I think the database query is failing and it leads to a blank page. Any ideas?


 


Thanks you. Any help will be greatly appreciated.


 


Here's the page I'm talking about: http://aerithea.com/login/login.php



<?php
session_start();
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Member System - Login</title>
</head>
<body>

<?php

$form = "<form action='./login.php' method='post'>
<table>
<tr>
<td>Username:</td>
<td><input type='text' name='user' /></td>
</tr>

<tr>
<td>Password:</td>
<td><input type='password' name='password' /></td>
</tr>

<tr>
<td></td>
<td><input type='submit' name='loginbtn' value='Login' /></td>
</tr>
</table>
</form>";

if ($_POST['loginbtn']) {
$user = $_POST['user'];
$password = $_POST['password'];

if ($user) {
if ($password) {

require("connect.php");

$password = md5(md5("q`wkIa4".$password."qwe;lnm"));
//make sure login info correct
$query = msql_query("SELECT * FROM users WHERE username='$user'");
$numrows = mysql_num_rows($query);
if ($numrows == 1) {
$row = mysql_fetch_assoc($query);
$dbid = $row['id'];
$dbuser = $row['username'];
$dbpass = $row['password'];
$dbactive = $row['active'];

if($password == $dbpass) {
if($dbactive == 1) {

//set session info
$_SESSION['userid'] = $dbid;
$_SESSION['username'] = $dbuser;

echo "You have been logged in as <b>$dbuser</b>. <a href='./member.php'>Click here</a> to go to the member page.";

}
else
echo "You must activate your account to login. $form";
}
else
echo "You did not enter the correct password. $form";
}
else
echo "The username you entered was not found. $form";

mysql_close();

}
else
echo "You must enter your password. $form";
}
else
echo "You must enter your username. $form";

}
else
echo $form;



?>

</body>
</html>

Link to comment
https://forums.phpfreaks.com/topic/281105-php-login-system/
Share on other sites

Authentication is not for beginners. You will get hacked in 2 seconds. The code you have shown above demonstrates one of the easiest things to hack.

 

You need to read up on sql injection and proper password hashing before writing more code. You also need to read up on input validation and all of the common attack vectors.

 

The better alternative, unless you just want to learn more about PHP, is to use somebody else's authentication library.

Link to comment
https://forums.phpfreaks.com/topic/281105-php-login-system/#findComment-1444683
Share on other sites

Authentication is not for beginners. You will get hacked in 2 seconds. The code you have shown above demonstrates one of the easiest things to hack.

 

You need to read up on sql injection and proper password hashing before writing more code. You also need to read up on input validation and all of the common attack vectors.

 

The better alternative, unless you just want to learn more about PHP, is to use somebody else's authentication library.

 

I've been a PHP programmer for a year, self taught, but would a combo of mysql_real_escape_string and pass() be sufficient?

Link to comment
https://forums.phpfreaks.com/topic/281105-php-login-system/#findComment-1444697
Share on other sites

There is a few things I see wrong with the script at the minute.

 

1 - You haven't turned on error reporting, see here Error Reporting

2 - You are using MySQL, you should really be looking into MySQLi

3 - You are not validating the incoming form data before using it in your queries (previously mentioned by another user)

4 - You should be processing all PHP before any output to the browser, before this line

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

5 - You are using MD5() for hasing your passwords, you should look into the PHPass Library

 

This line here, you are using msql instead of mysql.

 

$query = msql_query("SELECT * FROM users WHERE username='$user'");

 

Look into using isset/empty for checking whether variables are set and if they are empty etc.

Link to comment
https://forums.phpfreaks.com/topic/281105-php-login-system/#findComment-1444734
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.