Help with login system


tomasantunes

Hi, could you help me get this login page working?

I made a form which posts to login.php the "user" and "pass".


Then this is my code for login.php:

<?php include("mysql_connect.inc.php"); ?>

<?php
$user = $_POST['user'];
$pass = $_POST['pass'];

session_start();
$query = mysqli_query("SELECT * FROM users WHERE username='$user'");
$results = mysqli_query($con, $query) or die(mysqli_error($con));
$resultsarray = mysql_fetch_array($userresults);

if (isset($_POST['user']) && $_POST['user'] == $query && isset($_POST['pass']) && $_POST['pass'] == $query) {
$_SESSION['username'] = $_POST['user'];
echo "<p>Login success. You are logged in as: " . $_SESSION['username'] . "</p>Return to mainpage, click <a href='index.php'>here</a>!";
} else {
echo "<p>Wrong username or password.</p>";

}
mysqli_close($con);
?>


Thanks. So should I use md5 to make it safe? I've made some alterations but at the moment I get a blank page when I run it.


<?php include("mysql_connect.inc.php"); ?>

<?php
$user = $_POST['user'];
$pass = $_POST['pass'];



session_start();
$query = mysqli_query("SELECT username FROM users WHERE username='$user'");
$results = mysqli_query($con, $query) or die(mysqli_error($con));
$resultsarray = mysql_fetch_array($results);

if (isset($_POST['user']) && $_POST['user'] == $resultsarray && isset($_POST['pass']) && $_POST['pass'] == $resultsarray) {
$_SESSION['username'] = $_POST['user'];
echo "<p>Login success. You are logged in as: " . $_SESSION['username'] . "</p>Return to mainpage, click <a href='index.php'>here</a>!";
} else {
echo "<p>Wrong username or password.</p>";

}
mysqli_close($con);
?>

So should I use md5 to make it safe?

No, md5 is not safe for handling passwords.


If you are using PHP 5.5 or newer you should be hashing your passwords using PHP's password hash library (or for older versions of PHP use ircmaxwell's password_compat library).


To authenticate the user you need to run a query which returns the row where the user's username matches. You'd then pass the user's raw password and the password hash returned from the query into password_verify() to check if the user entered the correct password. Your code should look like

<?php

session_start();
include("mysql_connect.inc.php");

if(isset($_POST['user']) &&  isset($_POST['pass']))
{
    // use prepared statement to query the database to return the record that matches the username 
    $stmt = $con->prepare("SELECT password FROM users WHERE username = ?");
    $stmt->bind_param('s', $_POST['user']);
    $stmt->execute();
    $stmt->bind_result($password_hash); // get the hashed password from the query result

    $stmt->fetch();

    // verify the user entered the correct password
    if(password_verify($_POST['pass'], $password_hash))
    {
        $_SESSION['username'] = $_POST['user'];
        echo "<p>Login success. You are logged in as: " . $_SESSION['username'] . "</p>Return to mainpage, click <a href='index.php'>here</a>!";
    }
    else
    {
        echo "<p>Wrong username or password.</p>";
    }
}

Of course, in order for this to work you need to update your existing passwords stored in your database to be hashes returned from password_hash (make sure to use the algorithm shown in example #2).

Edited by Ch0cu3r

Ch0cu3r, when you hand out security-related code, please make sure that it's actually secure. You know that this exact code will be copied and pasted around for the next 10 years. The session part is completely messed up, and you've been doing this long enough to understand the importance of HTML-escaping.


tomasantunes, the main problem is that you're using some very, very bad information source. Whatever book or website or YouTube “tutorial” you got this from: Keep away from them in the future. They're teaching you garbage PHP from the 90s, and you're the one who will suffer the consequences.


First of all, you have no security whatsoever. You just drop the raw user input into the query strings, allowing anybody to manipulate the queries and fetch any data they want. Then you somehow thought it's a good idea to store the passwords as plaintext or hash them with MD5. Those two major vulnerabilities already allow an attacker to download all user passwords and see if they work on other websites as well (maybe they've been reused on Facebook, Gmail etc.).


So if you go on like that, you'll hurt yourself and, what's even worse, your users.


My first suggestion is that you don't manage user passwords until you have a solid understanding of security. It's too early for this right now. Simply make a website which is open to everybody, doesn't store private data and doesn't make any promises with regard to security. That's how I started, and I think it was a very good idea. It allowed me to screw up without putting other people at risk.


You definitely need a better information source, and you need to start thinking about security. I don't mean details like “What is the best way to hash a password?”. I'm talking about awareness. There's an excellent online book about security basics which explains the common risks and how to deal with them. Unfortunately, there's no central website for good information about PHP. The only way to separate the wheat from the chaff is to compare many different sources, be critical and think for yourself.


Personally, I follow some basic rules:

  • A lot of PHP “programmers” handing out advice are absolutely clueless, so question everything and think for yourself. Don't just adopt techniques you saw somewhere or copy code you found on the Internet.
  • Keep away from fishy “code for free” websites with no credibility whatsoever. Keep away from “w3schools” in particular.
  • Big professional communities like Stackoverflow are helpful, because there's a certain extent of peer review: If somebody talks bullshit, there's hopefully somebody else who points out the error. However, that doesn't always work, so you still need to be critical.
  • Check the date. PHP and web programming in general change, so a “tutorial” from 2004 probably doesn't cover the state of the art.
  • Check the reputation of the author (if possible). In the area of security, for example, Pádraic Brady and Anthony Ferrara actually know what they're talking about.

Close, but no cigar. This is one of the better attempts, but the author still screws up (session management, escaping etc.).


I stick to my previous recommendation: It's too early for this. Learn PHP, learn security. When you actually know what you're doing, you can either write your own code or choose good code from somebody else.

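To make the points above concrete, here is an added example of login.php (not code posted by anyone in this thread, and not the project's own code). It combines Ch0cu3r's prepared statement and password_verify() approach with the two things Jacques1 calls out: the session id is regenerated on successful login, and the username is HTML-escaped before it is echoed. It also covers the note about migrating stored passwords, by rehashing on login whenever password_needs_rehash() says the stored hash is out of date. Assumptions, all mine: mysql_connect.inc.php defines a mysqli connection in $con; the users table has columns id, username and password_hash (VARCHAR(255), wide enough for any PASSWORD_DEFAULT output); and the registerUser() helper is hypothetical, shown only so the hashing side is visible.

```php
<?php
// Added example for this thread; assumes $con (mysqli) comes from mysql_connect.inc.php
// and a users(id, username, password_hash) table. Form posts "user" and "pass".
declare(strict_types=1);

session_start();                  // before any output is sent
include "mysql_connect.inc.php";  // assumed to define $con

/**
 * Hypothetical registration helper: store a password_hash() result, never the
 * raw password. The salt and cost are embedded in the returned string.
 */
function registerUser(mysqli $con, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * Look up the user with a prepared statement (no string-built SQL) and check the
 * password with password_verify(). Returns the user's id, or null on any failure.
 */
function authenticate(mysqli $con, string $username, string $password): ?int
{
    $stmt = $con->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown user: still do one verify so the response time does not
        // differ from a wrong-password attempt (avoids username enumeration).
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return null;
    }

    if (!password_verify($password, $hash)) {
        return null;
    }

    // Migration path: if the stored hash uses an older algorithm or lower cost
    // than PASSWORD_DEFAULT, replace it now while the plaintext is available.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $con->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $id);
        $upd->execute();
        $upd->close();
    }

    return $id;
}

if (isset($_POST['user'], $_POST['pass'])
    && is_string($_POST['user']) && is_string($_POST['pass'])) {

    $userId = authenticate($con, $_POST['user'], $_POST['pass']);

    if ($userId !== null) {
        // New session id on privilege change: an id an attacker planted before
        // login (session fixation) is no longer valid afterwards.
        session_regenerate_id(true);
        $_SESSION['user_id']  = $userId;
        $_SESSION['username'] = $_POST['user'];

        // Escape user-controlled data before putting it into HTML.
        $safeName = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
        echo "<p>Login success. You are logged in as: {$safeName}</p>";
        echo "Return to mainpage, click <a href='index.php'>here</a>!";
    } else {
        // One message for both "no such user" and "wrong password".
        echo '<p>Wrong username or password.</p>';
    }
}

$con->close();
```

The dummy password_verify() on the unknown-user path costs one extra hash computation per failed lookup; that is deliberate, so that a wrong username and a wrong password take roughly the same time to answer. The rehash-on-login step means a table of old hashes gets upgraded gradually as users sign in, without a separate migration script.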

This is what I did when I started out having a login system with passwords: I stated to my users in an introduction paragraph that if you plan on registering, don't use a password that you use for other websites (especially banking). If possible, also use a different email address when registering on my website. I also give this advice to friends that I have on Facebook: use a password and email address that you don't use for other websites. If a person has a hard time remembering passwords, there are applications that manage your passwords for you, so you don't have to remember them. Just thought I would throw that out, but Jacques1 has very good advice and strong advice.

Edited by Miggy64

I'm just making some experiments. I'm not gonna release anything to the public at the moment.

I'm checking out the HybridAuth code, but I can't make it work.


I will study the PHP security online book as soon as I can. Does anyone know any good websites to study more PHP? Cheers
