FatesCall Posted May 30, 2015 (edited)

Hi, I need help with scripting a PHP/HTML/CSS website login panel and I am very new to coding PHP and I tried using websites but I prefer talking to people who know what they are doing so I can ask very specific questions, there would be no pay involved but if you could help me out, it would be greatly appreciated. (:

ginerjm Posted May 30, 2015

When you say "new to coding PHP" that means it is time to sit down with a good book or online tutorial and start learning. You'll never learn to code if you don't do it. Nobody here is going to write code for you. But - the people here are very happy to help you correct your attempts. Have fun and good luck!

FatesCall Posted May 30, 2015 (edited)

> When you say "new to coding PHP" that means it is time to sit down with a good book or online tutorial and start learning. You'll never learn to code if you don't do it. Nobody here is going to write code for you. But - the people here are very happy to help you correct your attempts. Have fun and good luck!

I don't learn well from books or online, I like talking to real people.

QuickOldCar Posted May 30, 2015

> I don't learn well from books or online, I like talking to real people.

I'm not saying we are unfriendly talkative people here...but the way we do it here is to paste any relevant code and your problem. The answers should help you see the solution and many times the poster will explain why to do it a certain way. Not sure how you expect to learn without reading, is pretty hard to learn it otherwise. You can ask these specific questions in the forum.

FatesCall Posted May 30, 2015 (edited)

> I'm not saying we are unfriendly talkative people here...but the way we do it here is to paste any relevant code and your problem. The answers should help you see the solution and many times the poster will explain why to do it a certain way. Not sure how you expect to learn without reading, is pretty hard to learn it otherwise. You can ask these specific questions in the forum.

okay so this is my problem

```html
<div class="login">
  <input type="text" placeholder="username" name="user"><br>
  <input type="password" placeholder="password" name="password"><br>
  <input type="button" value="Login">
</div>
```

How would I take the Username and Password from that and verify them through a sql database, I just don't know how to pull the info when the user clicks the button

QuickOldCar Posted May 31, 2015

This is wrapped with form tags...correct? Default method is get in a form, if you use POST for the method would be this.

```php
// Start with empty values so the check below never reads an undefined variable.
$user = '';
$password = '';
if (isset($_POST['user']) && trim($_POST['user']) != '') {
    $user = trim($_POST['user']);
}
if (isset($_POST['password']) && trim($_POST['password']) != '') {
    $password = trim($_POST['password']);
}
if ($user && $password) {
    // registration: perform new user insert info with hashed password
    // login: verify that users password same as in database
}
```

As for encrypting passwords: password_hash() and password_verify()

For database functions should be using mysqli or pdo

jcbones Posted May 31, 2015

Well, first you would have to wrap it in a form, and specify the form action and method:

```html
<form method="post" action="page_to_submit_to">
  <div class="login">
    <input type="text" placeholder="username" name="user"><br>
    <input type="password" placeholder="password" name="password"><br>
    <input type="submit" value="Login">
  </div>
</form>
```

Which you would then get the values by:

```php
echo $_POST['user'];
echo $_POST['password'];
```

Since you wouldn't want to tell the user what they typed in, instead you would want to log them in. You would send the values to a database, and see if they match up.

```php
/* PDO connection required */
// Get the password from the database that is associated with the user (dependent on database design).
$sql = 'SELECT password FROM user WHERE username = :user LIMIT 1';
// Using PDO we can prepare the query.
$stmt = $pdo->prepare($sql);
// Then bind the username to the query.
$stmt->bindParam(':user', $_POST['user'], PDO::PARAM_STR);
// Then execute the query.
$stmt->execute();
// And get the results. No while() here, as there is only one row.
$result = $stmt->fetch(PDO::FETCH_ASSOC); // we tell PDO to return an associative array
// We now verify that the password matches the hashed password we stored in the database.
// We always hash passwords in the database for security reasons.
// We would have run the password through the password_hash() function before storing.
// fetch() returns false when no row matches, so check that before reading the column.
if ($result !== false && password_verify($_POST['password'], $result['password'])) { // if the passwords match
    /* Login successful: do stuff */
} else { // if the passwords do NOT match
    /* Login error: do stuff */
}
```

FatesCall Posted June 1, 2015 (edited)

> Well, first you would have to wrap it in a form, and specify the form action and method:
>
> ```html
> <form method="post" action="page_to_submit_to">
>   <div class="login">
>     <input type="text" placeholder="username" name="user"><br>
>     <input type="password" placeholder="password" name="password"><br>
>     <input type="submit" value="Login">
>   </div>
> </form>
> ```
>
> Which you would then get the values by:
>
> ```php
> echo $_POST['user'];
> echo $_POST['password'];
> ```
>
> Since you wouldn't want to tell the user what they typed in, instead you would want to log them in. You would send the values to a database, and see if they match up.
>
> ```php
> /* PDO connection required */
> // Get the password from the database that is associated with the user (dependent on database design).
> $sql = 'SELECT password FROM user WHERE username = :user LIMIT 1';
> // Using PDO we can prepare the query.
> $stmt = $pdo->prepare($sql);
> // Then bind the username to the query.
> $stmt->bindParam(':user', $_POST['user'], PDO::PARAM_STR);
> // Then execute the query.
> $stmt->execute();
> // And get the results. No while() here, as there is only one row.
> $result = $stmt->fetch(PDO::FETCH_ASSOC); // we tell PDO to return an associative array
> // We now verify that the password matches the hashed password we stored in the database.
> // We always hash passwords in the database for security reasons.
> // We would have run the password through the password_hash() function before storing.
> // fetch() returns false when no row matches, so check that before reading the column.
> if ($result !== false && password_verify($_POST['password'], $result['password'])) { // if the passwords match
>     /* Login successful: do stuff */
> } else { // if the passwords do NOT match
>     /* Login error: do stuff */
> }
> ```

Can you explain this statement a little bit more, like how I should set the SQL Table up. (Mostly the ":user LIMIT 1" part, I understand the rest)

```php
$sql = 'SELECT password FROM user WHERE username = :user LIMIT 1';
```

and a little on creating the Key for hashing?

Muddy_Funster Posted June 4, 2015

I strongly disagree with ever pulling passwords from database tables (Note: this is a personal opinion). I suggest that you would have a basic user table, containing:

| userID (Primary Key) | userName (Unique Index) | userPassword (Normal Index) | accountStatus (Normal Index) |

From this you would simply select userID from the table, not the password. So your SQL would look like:

```sql
SELECT userID FROM userTable WHERE userName = :user AND userPassword = :pwd AND accountStatus = "Active"
```

Use PDO->prepare to create the statement and then statement->bindParam to attach the form values to the query string :user and :pwd parameters. You can then grab the userID for use in persistence and you can throw out a "Login failed" message in the event the query returns 0 rows.

mac_gyver Posted June 4, 2015

the suggested password hashing method, using password_hash()/password_verify(), cannot be accomplished without retrieving the hashed password value from the database table.

Muddy_Funster Posted June 4, 2015

> the suggested password hashing method, using password_hash()/password_verify(), cannot be accomplished without retrieving the hashed password value from the database table.

True, but why would you want to do that in the first place? Let's be honest, it's of no real world benefit whatsoever. I hold that once a hash is stored in a table it should be left there, only used internally within the database for comparison and never returned as the result of a query. Again, it's a personal point of view, and I noted that already as I appreciate that a lot of people are quite happy throwing password strings all over the place. I also provided an alternative query statement and basic explanation of the process that would be more in line with how I would do it. However, as you correctly stated, I neglected to specifically point out that those functions would become redundant.

mac_gyver Posted June 4, 2015

you would do that so that you can have a separate random salt per user so that any brute-force password determination would have to be done separately for each password.

the hash produced by the password_hash() function contains information on the hashing algorithm used, the cost/iteration factor, the random salt string that was produced when the password was hashed, along with the hashed value. all these are needed to hash an incoming password to see if it compares to the original password.

jcbones Posted June 5, 2015

> Can you explain this statement a little bit more, like how I should set the SQL Table up. (Mostly the ":user LIMIT 1" part, I understand the rest)
>
> ```php
> $sql = 'SELECT password FROM user WHERE username = :user LIMIT 1';
> ```
>
> and a little on creating the Key for hashing?

:user = placeholder for the prepared statement, it is exchanged by the database (if PDO is started properly) when the statement is executed.

```php
// Then bind the username to the query.
// Send the 'user' index from post to the database on execute, so that the exchange of :user can happen.
$stmt->bindParam(':user', $_POST['user'], PDO::PARAM_STR);
```

LIMIT 1 = "only return 1 row from the database", this should be redundant, because you shouldn't have more than 1 user with the same username.

I'm not sure what you mean by key. The algorithm, the cost, or the salt? password_hash()

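The table setup asked about above, the `:user` placeholder, and the reason the stored hash has to be fetched before it can be checked, put together as an added example (not code from any poster in this thread). It assumes PHP 7.4+ with the pdo_sqlite extension and an in-memory SQLite database holding constructed accounts; the table and column names follow the query in the thread, and `register()` and `login()` are hypothetical helper names.

```php
<?php
// Added example: in-memory SQLite stands in for the real database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// UNIQUE on username is what makes LIMIT 1 redundant.
// 255 characters leaves room for whatever PASSWORD_DEFAULT produces in future.
$pdo->exec('CREATE TABLE user (
    id INTEGER PRIMARY KEY,
    username VARCHAR(64) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
)');

function register(PDO $pdo, string $user, string $plain): void
{
    // password_hash() draws a fresh random salt on every call; there is no key to create.
    $stmt = $pdo->prepare('INSERT INTO user (username, password) VALUES (:user, :hash)');
    $stmt->execute([':user' => $user, ':hash' => password_hash($plain, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $user, string $plain): bool
{
    // Hash of a throwaway value, verified when the user is unknown so that
    // both failure paths do a comparable amount of work.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT password FROM user WHERE username = :user LIMIT 1');
    $stmt->execute([':user' => $user]);          // value is sent separately from the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);       // false when no such user

    // The salt and cost are read back out of the stored string, so it must be fetched.
    $ok = password_verify($plain, $row === false ? $dummy : $row['password']);
    return $row !== false && $ok;
}

register($pdo, 'alice', 'correct horse');        // constructed sample accounts
register($pdo, 'bob', 'correct horse');          // same password as alice

$hashes = $pdo->query('SELECT password FROM user ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] === $hashes[1]);             // compares the two stored hashes
var_dump(password_get_info($hashes[0]));         // algorithm and cost parsed from the hash
var_dump(login($pdo, 'alice', 'correct horse')); // right password
var_dump(login($pdo, 'alice', 'wrong'));         // wrong password
var_dump(login($pdo, 'nobody', 'correct horse'));// unknown user, no warning raised
```

Because each stored hash carries its own salt, a `WHERE userPassword = :pwd` comparison inside the query has nothing stable to match against when the column was filled by password_hash().
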
Muddy_Funster Posted June 5, 2015

> you would do that so that you can have a separate random salt per user so that any brute-force password determination would have to be done separately for each password.
>
> the hash produced by the password_hash() function contains information on the hashing algorithm used, the cost/iteration factor, the random salt string that was produced when the password was hashed, along with the hashed value. all these are needed to hash an incoming password to see if it compares to the original password.

I can see this has the potential to hijack the thread, so I'll just agree to disagree on this.