mikeleege Posted October 4, 2015

Hi guys, I am pretty new to PHP. I am building a login form where I need the user to login using username and password. The first time he logs in I need to acquire his IP address or MAC address to limit any future logins to the specific IP address or MAC address he initially logged in from. I used the below codes from online forums to do the normal login form but I don't know how to do the IP registration and check thing, can anyone please help?

index.php

    <?php
    include('login.php'); // Includes Login Script
    if(isset($_SESSION['login_user'])){
        header("location: profile.php");
    }
    ?>
    <!DOCTYPE html>
    <html>
    <head>
    <title>Login Form in PHP with Session</title>
    <link href="style.css" rel="stylesheet" type="text/css">
    </head>
    <body>
    <div id="main">
    <h1>PHP Login Session Example</h1>
    <div id="login">
    <h2>Login Form</h2>
    <form action="" method="post">
    <label>UserName :</label>
    <input id="name" name="username" placeholder="username" type="text">
    <label>Password :</label>
    <input id="password" name="password" placeholder="**********" type="password">
    <input name="submit" type="submit" value=" Login ">
    <span><?php echo $error; ?></span>
    </form>
    </div>
    </div>
    </body>
    </html>

Login.php

    <?php
    session_start(); // Starting Session
    $error=''; // Variable To Store Error Message
    if (isset($_POST['submit'])) {
        if (empty($_POST['username']) || empty($_POST['password'])) {
            $error = "Username or Password is invalid";
        }
        else
        {
            // Define $username and $password
            $username=$_POST['username'];
            $password=$_POST['password'];
            // Establishing Connection with Server by passing server_name, user_id and password as a parameter
            $connection = mysql_connect("localhost", "user", "pass");
            // To protect MySQL injection for Security purpose
            $username = stripslashes($username);
            $password = stripslashes($password);
            $username = mysql_real_escape_string($username);
            $password = mysql_real_escape_string($password);
            // Selecting Database
            $db = mysql_select_db("db", $connection);
            // SQL query to fetch information of registerd users and finds user match.
            $query = mysql_query("select * from login where password='$password' AND username='$username'", $connection);
            $rows = mysql_num_rows($query);
            if ($rows == 1) {
                $_SESSION['login_user']=$username; // Initializing Session
                header("location: profile.php"); // Redirecting To Other Page
            } else {
                $error = "Username or Password is invalid";
            }
            mysql_close($connection); // Closing Connection
        }
    }
    ?>

Logout.php

    <?php
    session_start();
    if(session_destroy()) // Destroying All Sessions
    {
        header("Location: index.php"); // Redirecting To Home Page
    }
    ?>

Profile.php

    <?php
    include('session.php');
    ?>
    <!DOCTYPE html>
    <html>
    <head>
    <title>Your Home Page</title>
    <link href="style.css" rel="stylesheet" type="text/css">
    </head>
    <body>
    <div id="profile">
    <b id="welcome">Welcome : <i><?php echo $login_session; ?></i></b>
    <b id="logout"><a href="logout.php">Log Out</a></b>
    </div>
    </body>
    </html>

Session.php

    <?php
    // Establishing Connection with Server by passing server_name, user_id and password as a parameter
    $connection = mysql_connect("localhost", "user", "pass");
    // Selecting Database
    $db = mysql_select_db("db", $connection);
    session_start(); // Starting Session
    // Storing Session
    $user_check=$_SESSION['login_user'];
    // SQL Query To Fetch Complete Information Of User
    $ses_sql=mysql_query("select username from login where username='$user_check'", $connection);
    $row = mysql_fetch_assoc($ses_sql);
    $login_session =$row['username'];
    if(!isset($login_session)){
        mysql_close($connection); // Closing Connection
        header('Location: index.php'); // Redirecting To Home Page
    }
    ?>
Jacques1 Posted October 4, 2015 (edited)

You have much bigger problems than people logging in too often. That code you've found is horribly outdated, poorly written and violates almost every security principle. Plaintext passwords? Connecting to the database as root? Really? It makes no sense to add advanced security features when this doesn't even pass the most basic security checks.

Implementing log-in limits is also much harder than it may seem. For example, there are proxy servers and VPNs where thousands of (legitimate) users share the same IP address. Does that mean they'll all be locked out just because one user pressed the log-in button too often? At the same time, actual attackers can easily switch to a different IP, because they typically have large botnets. So a naïve implementation will cause more harm than good.

I think you should take care of the basics first: Learn how to use a modern database interface, learn how to hash passwords and learn the basics of security. This will be much more useful than copy-pasting bad code you found somewhere on the Internet.

Edited October 4, 2015 by Jacques1
mikeleege (Author) Posted October 4, 2015

Well, thanks for your reply. This login interface isn't meant to be used in something critical, I understand the security issues, the page I am implementing will have no more than about 500 users who have no idea about programming but I want to make sure those users login from a single computer only. The website will have no useful information for anyone to invest 5 minutes to attempt hacking it.
Jacques1 Posted October 4, 2015

This isn't just about your toy website. Insecure applications can compromise the entire server, and I'm sure that is a problem. Sure, you can do whatever you like (as long as nobody holds you accountable for it). But it'll be hard to find a programmer who's willing to give up all his self-respect and help you with this. So if you want to go the wrong way, you're probably on your own.
Strider64 Posted October 4, 2015 (edited)

I will give my .02 cents about this. I don't think I would be very pleased if I were one of the 500 users using that website to find out that the password and other information that I entered wasn't secured at all. Sure they don't know anything about programming, but Hackers do. If there isn't any valuable information in the first place why have a login system? I have logged into a website from more than one computer (Heck I even logged onto the same computer more than once using different browsers), I really don't see what the big deal is. It's just like visiting the same web page on multiple computers in my book.

Edited October 4, 2015 by Strider64
mikeleege (Author) Posted October 4, 2015

Hmm, why are you guys all complaining about stuff that I am the one who should worry about! I just wanted to know some specific things yet no one wants to help and instead you are complaining about what I didn't ask for help for!

1. The users are not entering any passwords or giving any of their personal information to register before logging in, instead I am the one who will randomly generate passwords.
2. I am using this for a specific application where I just want to make sure 1 computer is used to access whatever page after the login page.
3. There is nothing valuable in that website but I want to make that because I just want to make that!

If someone can tell me how to do what I asked for I will be really thankful.
scootstah Posted October 4, 2015

> If someone can tell me how to do what I asked for I will be really thankful.

Sure. What you want to do is not possible, sorry. The system you're trying to build is fundamentally flawed and easily circumvented. Why are you adamant in security for this one particular, unnecessary thing when you have blatantly ignored security in many other areas?

> Hmm, why are you guys all complaining about stuff that I am the one who should worry about!

Because we are passionate about what we do and we see someone doing it horribly wrong. We also see someone making the web an unsafe place. Do you know how many big time sites have been compromised recently that have published huge recovered password lists, due to similar security problems? It's insane, ridiculous, and completely preventable.
seandisanti Posted October 6, 2015

> Hmm, why are you guys all complaining about stuff that I am the one who should worry about! I just wanted to know some specific things yet no one wants to help and instead you are complaining about what I didn't ask for help for!
> 1. The users are not entering any passwords or giving any of their personal information to register before logging in, instead I am the one who will randomly generate passwords.
> 2. I am using this for a specific application where I just want to make sure 1 computer is used to access whatever page after the login page.
> 3. There is nothing valuable in that website but I want to make that because I just want to make that!
> If someone can tell me how to do what I asked for I will be really thankful.

When someone tells you your house is on fire, don't tell them to mind their own business. Sorry I'm late to the party but I promise I'm trying to help and not just dogpile. You are getting good advice from people with the experience to answer the questions that you don't know to ask, and any case you make for ignoring good advice is a better case against giving you more. Protecting your users and others that may be sharing your server is far more important than whatever you hope to prevent by tying each user to a specific device.
mikeleege (Author) Posted October 7, 2015

I totally understand that the house is on fire, I am perfectly aware of all the problems, and that is exactly what I want to build. Why? Because of the nature of the application of the page it needs that!
benanamen Posted October 7, 2015

Speechless.
scootstah Posted October 7, 2015

> I totally understand that the house is on fire, I am perfectly aware of all the problems, and that is exactly what I want to build. Why? Because of the nature of the application of the page it needs that!

There is no way to tie a user to a specific device. There's no way to uniquely identify a device. The best you can do is use the user's IP address, but there's lots of problems with that. What if the user's IP changes frequently? What if the user regularly uses free hotspots? What if the user is part of a large network with other users that use your service, where they all have the same IP? What if the user uses a VPN or proxy service? So, you simply can't do what you want.
moosey_man1988 Posted February 7, 2016 (edited)

These guys are right, that is very out of date. I would suggest trying to use PDO rather than mysql_connect. For getting a user's IP address you can use $_SERVER['REMOTE_ADDR'], although I don't think this will stop someone who proxies?

    // $pdo_connection is assumed to be an already-created PDO instance
    if (isset($_POST['submit']) && $_POST['submit'] == ' Login ') {
        $usersIP = $_SERVER['REMOTE_ADDR'];
        // now we have the user's IP we want to log this in the database
        $timestamp = date('Y-m-d H:i:s');
        // column names go in backticks (or bare), not single quotes, or MySQL treats them as string literals
        $logUserQuery = "INSERT INTO loginIP (`ip`, `userName`, `TimeStamp`) VALUES (:userIP, :userName, :timestamp)";
        $UserResult = $pdo_connection->prepare($logUserQuery);
        // placeholder names must match the query exactly (case-sensitive)
        $UserResult->execute(array(
            ':userIP'    => $usersIP,
            ':userName'  => $_POST['username'],
            ':timestamp' => $timestamp
        ));
    } // end of if statement

Edited February 7, 2016 by moosey_man1988
therocker Posted February 7, 2016

> For example, there are proxy servers and VPNs where thousands of (legitimate) users share the same IP address.

You keep telling yourself that, but this forum does exactly the same thing you are trying to prevent. So that's actually really uber hypocritical for you saying that since you are in a group that allows you to moderate and approve things. I can't even make a new account using Tor on this forum and you sit there and say that "it's a bad idea to lock out (LEGITIMATE) users" when they share a proxy server. Before you start going on about "security" like you always do, you should make sure the forum you are using and are on doesn't do exactly what you are trying to say because that's already a big no no and no "legitimate" user should listen to that kind of garbage.
QuickOldCar Posted February 7, 2016

> You keep telling yourself that, but this forum does exactly the same thing you are trying to prevent. So that's actually really uber hypocritical for you saying that since you are in a group that allows you to moderate and approve things. I can't even make a new account using Tor on this forum and you sit there and say that "it's a bad idea to lock out (LEGITIMATE) users" when they share a proxy server. Before you start going on about "security" like you always do, you should make sure the forum you are using and are on doesn't do exactly what you are trying to say because that's already a big no no and no "legitimate" user should listen to that kind of garbage.

Jacques didn't write the forum software nor has the ability to rewrite it, maybe IPBoard will read this.

@mikeleege Do as Jacques suggested, not many developers want to make the net even more insecure. If you want to copy/paste code try this tutorial, it is a better direction for you to take.
https://daveismyname.com/login-and-registration-system-with-php-bp

scootstah already explained there is no way to tie a user to a specific device or uniquely identify a device. The best you can do is use IPs, and that is not reliable. That's why a developer makes a login system to distinguish that user. Limiting the ability to login more than once is not the right path to take, especially via IPs.

The session system you have is poorly done. You should check if a session for the user is set first; there is no need to constantly connect to a db and fetch this information if it is already set in the session.

If you want to secure a page you check if a certain page is only for that user; you can assign them as owner in a database to a specific page. Using page id's and auto-increment in the database is the best way. Can also do something like wildcard subdomains... bob.mydomain.com or user pages mydomain.com/user/bob that can only be viewed by the user named bob or admin, the only user besides admin that has the ability to make changes. You check the current user with the one stored in session.
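What Jacques1's advice (a modern database interface plus hashed passwords) and QuickOldCar's session point (check the session before touching the database) look like when applied to the OP's login.php and session.php, as an added example that is not from any poster in this thread. The table name `login`, its `id` and `password_hash` columns (filled beforehand with password_hash()), the DB account name and the file layout are assumptions.

```php
<?php
// ---- login.php (added example) ----
// Assumes table `login` (id INT, username VARCHAR, password_hash VARCHAR) where
// password_hash was stored via password_hash($plain, PASSWORD_DEFAULT), and a
// dedicated low-privilege DB account ('app_user' is a placeholder, not root).
session_start();

// Already logged in? Answer from the session; no database round trip needed.
if (isset($_SESSION['user_id'])) {
    header('Location: profile.php');
    exit;
}

$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    if ($username === '' || $password === '') {
        $error = 'Username or Password is invalid';
    } else {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=db;charset=utf8mb4',
            'app_user', 'app_password',            // placeholders
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
             PDO::ATTR_EMULATE_PREPARES => false]  // real server-side prepares
        );

        // Prepared statement: the username is sent as a parameter, never spliced
        // into the SQL text, so quoting tricks in the input cannot alter the query.
        $stmt = $pdo->prepare('SELECT id, password_hash FROM login WHERE username = :u');
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // password_verify() checks the submitted password against the stored hash;
        // the plaintext password is never stored and never part of a query.
        if ($row !== false && password_verify($password, $row['password_hash'])) {
            session_regenerate_id(true);           // new session id after login
            $_SESSION['user_id']  = (int) $row['id'];
            $_SESSION['username'] = $username;
            header('Location: profile.php');
            exit;
        }
        // Same message for unknown user and wrong password.
        $error = 'Username or Password is invalid';
    }
}

// ---- session.php (added example): the guard included by profile.php ----
// session_start();
// if (!isset($_SESSION['user_id'])) { header('Location: index.php'); exit; }
// $login_session = $_SESSION['username'];   // read from the session, no DB query
```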
therocker Posted February 7, 2016

> Jacques didn't write the forum software nor has the ability to rewrite it, maybe IPBoard will read this.

He doesn't need to nor remake it. Instead of preaching to the choir, why not go and bust down doors on 3rd party scripts/libraries like IPBoard on this subject? Why repeat yourself to people who are just beginning PHP? You're preaching to people who know nothing yet. It'll just go from one ear and out the other. And I'm pretty sure you can modify parts of IPBoard to allow proxy users. I mean if I was going to preach about something, I'd make sure everything I say isn't going to have a flaw. Since the forum we are using now blocks proxy users, the argument is flawed because you should be doing everything in your power to allow everyone in as you keep telling yourself that.
Jacques1 Posted February 9, 2016

So I hurt your feelings back on DevShed? And years later, you still aren't over it? Grow up, kid.
therocker Posted February 9, 2016

> So I hurt your feelings back on DevShed? And years later, you still aren't over it? Grow up, kid.

Who said anything about DevShed? Obviously your feelings still hurt, that's why you mentioned it when all I said was your argument is flawed because the forum you moderate blocks proxy servers which you so apparently and strongly have feelings for yet you do nothing in your moderating power to uphold your flawed argument. Obviously people in the "guru" group of this website/forum can moderate, move, and approve things. This also means approving proxy users which makes your argument flawed because you so strongly suggest that blocking IP Addresses is a bad idea yet you're using a forum that does exactly that. In fact, that actually makes your argument uber weak to the point where there are no more points to give out. You might want to make sure your argument isn't so flawed the next time you start an argument about security. All you talk about is security yet you do the opposite of what you always say. No one on DevShed nor on PHP Freaks wants to argue with you because they're so god damn scared, but I'm not because you're a troll who wants attention. And giving out horrible garbage advice makes it no different than if you were on DevShed. Heck, I'd like to see this come up in one of your topics again.

> ManiacDan -> disagrees : You don't seem to have lost a single bit of your grating personality in your blessed absence.

Wouldn't be surprised if this happened on this forum as well.
QuickOldCar Posted February 9, 2016

PM or email each other personal matters. I don't want to lock the topic in case someone possibly wants to help the OP.
Jacques1 Posted February 10, 2016

The topic is from October 2015, and the OP hasn't been online ever since (besides, he never seemed to be particularly interested in our advice). I suggest you do close this thread to prevent further abuse. Technical issues can be discussed in Questions, Comments & Suggestions.