tomasantunes Posted August 10, 2014 Share Posted August 10, 2014 Hi could you help me get this login page working? I made a form which posts to login.php the "user" and "pass". Then this is my code for login.php:<?php include("mysql_connect.inc.php"); ?><?php$user = $_POST['user'];$pass = $_POST['pass'];session_start();$query = mysqli_query("SELECT * FROM users WHERE username='$user'");$results = mysqli_query($con, $query) or die(mysqli_error($con));$resultsarray = mysql_fetch_array($userresults);if (isset($_POST['user']) && $_POST['user'] == $query && isset($_POST['pass']) && $_POST['pass'] == $query) {$_SESSION['username'] = $_POST['user'];echo "<p>Login success. You are logged in as: " . $_SESSION['username'] . "</p>Return to mainpage, click <a href='index.php'>here</a>!";} else {echo "<p>Wrong username or password.</p>";}mysqli_close($con);?> Quote Link to comment https://forums.phpfreaks.com/topic/290380-help-with-login-system/ Share on other sites More sharing options...
Millertime1 Posted August 10, 2014 Share Posted August 10, 2014 (edited) First of all I wouldn't use that code in production since it is unsafe. The problem with your code is that it is comparing both POSTS to the sql query statement and not the column for one and also you are using fetch array wrong. Edited August 10, 2014 by Millertime1 Quote Link to comment https://forums.phpfreaks.com/topic/290380-help-with-login-system/#findComment-1487341 Share on other sites More sharing options...
tomasantunes Posted August 10, 2014 Author Share Posted August 10, 2014 Thanks. So should I use md5 to make it safe? I've made some alterations but at the moment I get a blank page when I run it. <?php include("mysql_connect.inc.php"); ?><?php$user = $_POST['user'];$pass = $_POST['pass'];session_start();$query = mysqli_query("SELECT username FROM users WHERE username='$user'");$results = mysqli_query($con, $query) or die(mysqli_error($con));$resultsarray = mysql_fetch_array($results);if (isset($_POST['user']) && $_POST['user'] == $resultsarray && isset($_POST['pass']) && $_POST['pass'] == $resultsarray) {$_SESSION['username'] = $_POST['user'];echo "<p>Login success. You are logged in as: " . $_SESSION['username'] . "</p>Return to mainpage, click <a href='index.php'>here</a>!";} else {echo "<p>Wrong username or password.</p>";}mysqli_close($con);?> Quote Link to comment https://forums.phpfreaks.com/topic/290380-help-with-login-system/#findComment-1487344 Share on other sites More sharing options...
Ch0cu3r Posted August 10, 2014 Share Posted August 10, 2014 (edited) So should I use md5 to make it safe? No, md5 is not safe for handling passwords. If you are using PHP5.5 or newer you should be hashing your passwords using PHP's password hash library (or for older versions of PHP use ircmaxwells password_compat library). To authenticate the user you need to run a query which returns the row where the users username matches. You'd then pass the users raw password and the password hash return from the query into password_verify() to check if the user entered the correct password. Your code should look like <?php session_start(); include("mysql_connect.inc.php"); if(isset($_POST['user']) && isset($_POST['pass'])) { // use prepared statement to query the database to return the record that matches the username $stmt = $con->prepare("SELECT password FROM users WHERE username = ?"); $stmt->bind_param('s', $_POST['user']); $stmt->execute(); $stmt->bind_result($password_hash); // get the hashed password from the query result $stmt->fetch(); // verify the user entered the correct password if(password_verify($_POST['pass'], $password_hash)) { $_SESSION['username'] = $_POST['user']; echo "<p>Login success. You are logged in as: " . $_SESSION['username'] . "</p>Return to mainpage, click <a href='index.php'>here</a>!"; } else { echo "<p>Wrong username or password.</p>"; } } Ofcourse in order for this to work you need to update your existing passwords stored in your database to be hashes returned from password_hash (make sure to use the algorithm shown in example #2) Edited August 10, 2014 by Ch0cu3r Quote Link to comment https://forums.phpfreaks.com/topic/290380-help-with-login-system/#findComment-1487349 Share on other sites More sharing options...
tomasantunes Posted August 10, 2014 Author Share Posted August 10, 2014 Thanks a lot! Meanwhile I have downloaded a login script, and restructured my website. It also uses hashing, so I guess it was a good solution. Anyway, it's good to see how the code works. The script I used was https://github.com/panique/php-login-minimal Quote Link to comment https://forums.phpfreaks.com/topic/290380-help-with-login-system/#findComment-1487358 Share on other sites More sharing options...
Jacques1 Posted August 10, 2014 Share Posted August 10, 2014 Ch0cu3r, when you hand out security-related code, please make sure that it's actually secure. You know that this exact code will be copied and pasted around for the next 10 years. The session part is completely messed up, and you've been doing this long enough to understand the importance of HTML-escaping. tomasantunes, the main problem is that you're using some very, very bad information source. Whatever book or website or YouTube “tutorial” you got this from: Keep away from them in the future. They're teaching you garbage PHP from the 90s, and you're the one who will suffer the consequences. First of all, you have no security whatsoever. You just drop the raw user input into the query strings, allowing anybody to manipulate the queries and fetch any data they want. Then you somehow thought it's a good idea to store the passwords as plaintext or hash them with MD5. Those two major vulnerabilities already allow an attacker to download all user passwords and see if they work on other websites as well (maybe they've been reused on Facebook, Gmail etc.). So if you go on like that, you'll hurt yourself and, what's even worse, your users. My first suggestion is that you don't manage user passwords until you have a solid understanding of security. It's too early for this right now. Simply make a website which is open to everybody, doesn't store private data and doesn't make any promises with regard to security. That's how I started, and I think it was a very good idea. It allowed me to screw up without putting other people at risk. You definitely need a better information source, and you need to start thinking about security. I don't mean details like “What is the best way to hash a password?”. I'm talking about awareness. There's an excellent online book about security basics which explains the common risks and how to deal with them. Unfortunately, there's no central website for good information about PHP. The only way to separate the wheat from the chaff is to compare many different sources, be critical and think for yourself. Personally, I follow some basic rules: A lot of PHP “programmers” handing out advice are absolutely clueless, so question everything and think for yourself. Don't just adopt techniques you saw somewhere or copy code you found on the Internet. Keep away from fishy “code for free” websites with no credibility whatsoever. Keep away from “w3schools” in particular. Big professional communities like Stackoverflow are helpful, because there's a certain extend of peer review: If somebody talks bullshit, there's hopefully somebody else who points out the error. However, that doesn't always work, so you still need to be critical. Check the date. PHP and web programming in general change, so a “tutorial” from 2004 probably doesn't cover the state of the art. Check the reputation of the author (if possible). In the area of security, for example, Pádraic Brady and Anthony Ferrara actually know what they're talking about. The script I used was https://github.com/panique/php-login-minimal Close, but no cigar. This is one of the better attempts, but the author still screws up (session management, escaping etc.). I stick to my previous recommendation: It's too early for this. Learn PHP, learn security. When you actually know what you're doing, you can either write your own code or choose good code from somebody else. 1 Quote Link to comment https://forums.phpfreaks.com/topic/290380-help-with-login-system/#findComment-1487362 Share on other sites More sharing options...
Miggy64 Posted August 11, 2014 Share Posted August 11, 2014 (edited) This is what I do when I started out having a login system with passwords, I stated to the my users in an introduction paragraph that if you plan on registering don't use a password that you use for other websites (especially banking). If possible also use a different email address when registering on my website. I also give this advice to friends that I have on Facebook, to use a password and email address that you don't use for other websites. If a person has a hard time remembering passwords there are applications that manages your passwords for you, so you don't have to remember them. Just thought I would throw that out, but Jacques1 has very good advice and strong advice. Edited August 11, 2014 by Miggy64 Quote Link to comment https://forums.phpfreaks.com/topic/290380-help-with-login-system/#findComment-1487369 Share on other sites More sharing options...
tomasantunes Posted August 11, 2014 Author Share Posted August 11, 2014 I'm just making some experiments. I'm not gonna release anything to the public at the moment. I'm checking out the HybridAuth code, but I can't make it work. I will study the php security online book as soon as I can. Does anyone know any good websites to study more php? Cheers Quote Link to comment https://forums.phpfreaks.com/topic/290380-help-with-login-system/#findComment-1487481 Share on other sites More sharing options...
gristoi Posted August 14, 2014 Share Posted August 14, 2014 (edited) have a look at codeacademy, and of course php.net Edited August 14, 2014 by gristoi Quote Link to comment https://forums.phpfreaks.com/topic/290380-help-with-login-system/#findComment-1487759 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.