Member/Login scripts - argh


Mutley


Does anyone know of any secure scripts, that:

Register
Login/Logout
...and the ability for them to see pages when logged in.

I've seen so many and they are so insecure, I'm not good enough at sorting out cookies/sessions, which is the only thing stopping me doing my own. :(

If it's MD5 in the database, then just select it from the database and compare it against the one from the form, but use md5() on the one from the form.

[code=php:0]
<?php
// the username comes from the login form; escape it before it goes into the query
$username = mysql_real_escape_string($_POST['username']);

$real_password = mysql_result(mysql_query("SELECT `password` FROM `users` WHERE `username`='{$username}'"), 0);
$post_password = $_POST['password'];

// hash the submitted password the same way the stored one was hashed, then compare
if (md5($post_password) != $real_password) {
    echo "wrong password";
} else {
    echo "logged in";
}
[/code]

is that what you are asking?

That doesn't check the cookie though, only the database.

When someone logs in it creates a "username" and "password" cookie. At the moment I can make a fake cookie with someone's username in it and view their information. I don't want the password entered every time with a login form; it needs to use the password cookie.

Look at this, an example using cookies:
[code]
<?php
// assumes a mysql connection is already open (mysql_real_escape_string() needs one)
if (!empty($_COOKIE['user']) && !empty($_COOKIE['pass']))
{
  // escape for the query; htmlspecialchars() is for HTML output, not for SQL
  $user = mysql_real_escape_string($_COOKIE['user']);
  $pass = mysql_real_escape_string($_COOKIE['pass']);

  $check = mysql_query("SELECT * FROM users WHERE pass = '$pass' AND user = '$user'");

  // exactly one matching row means the cookie pair is valid
  if (mysql_num_rows($check) <> 1)
  {
    echo "No access granted with your current userdata";
    exit();
  }
  else
  {
    echo "Logged in as " . htmlspecialchars($user, ENT_QUOTES);
  }
}
else
{
  echo "You have to be logged in to visit this section";
  exit();
}
?>
[/code]

why are you using cookies? sessions are more secure? I have a script that works fine for me.

[b]Logging in:[/b]
[code]
$server   = "YOUR SERVER"; // server to connect to.
$database = "DATABASE";    // the name of the database.
$db_user  = "USERNAME";    // mysql username to access the database with.
$db_pass  = "PASSWORD";    // mysql password to access the database with.
$table    = "TABLE";       // the table that this script will set up and use.

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
    or die("Could not connect to mysql because " . mysql_error());

// select the database
mysql_select_db($database)
    or die("Could not select database because " . mysql_error());

// selects from the database using the password and username provided and pulls out id, verified and rank
$match = "select id,verified,rank from $table where username = '" . $_POST['username'] . "'
and password = '" . $_POST['password'] . "';";

// send query
$qry = mysql_query($match)
    or die("Could not match data because " . mysql_error());
$num_rows = mysql_num_rows($qry);

// turns id, verified and rank into variables
while ($idgrab = mysql_fetch_array($qry)) {
    $userid   = $idgrab['id'];
    $verified = $idgrab['verified'];
    $rank     = $idgrab['rank'];
}

// checks that a record was found for the username. If not, returns you to sign in with an error
if ($num_rows <= 0) {
    echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/signin.php?error=9>'; /* I have a separate script for printing errors, you may want to do this differently */
    exit;
} else {
    // checks whether this user's email is verified (you may want to edit this out)
    if ($verified != 1) {
        echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/signin.php?error=10>';
        exit; // stop here; the meta refresh happens in the browser, the script would otherwise carry on
    } else {
        // sets session variables
        session_start();
        $_SESSION['userid']   = $userid;
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['rank']     = $rank;

        // send them to the next page if everything is fine.
        echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/index.php>';
    }
}
[/code]


[b]Then to check whether someone's logged in:[/b]
[code]
// start session
session_start();

// check for presence of session variables
if (!isset($_SESSION['userid']) or $_SESSION['userid'] == '') {
    echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/signin.php?error=12>'; // ask you to sign in if you are not
    exit; // without this the rest of the protected page is still sent to the browser
}
[/code]

[quote author=psychohagis link=topic=121052.msg497564#msg497564 date=1168023521]
why are you using cookies? sessions are more secure?
[/quote]

Was that supposed to be a question or a statement? ...It really doesn't matter much if you do not validate user input to stop it injecting your query; yours is wide open!
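The two points raised so far, the session-based login script above and the criticism that it puts $_POST values straight into the SQL text, come together in the following added example. It is not code from the thread or from any poster: it assumes a table `users` with columns `id`, `username`, `password_hash` (a `password_hash()` digest stored at registration), `verified` and `rank`, and the PDO DSN and credentials are placeholders. Prepared statements keep the username out of the query text, `password_verify()` replaces the plain-text password comparison, and the protected-page check exits after redirecting.

```php
<?php
// Added example (not the thread's own code). Assumes a `users` table
// (id, username, password_hash, verified, rank); DSN and credentials are placeholders.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=DATABASE;charset=utf8mb4', 'USERNAME', 'PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// At registration, store password_hash($plain, PASSWORD_DEFAULT), never the
// plain text and not an unsalted md5; password_verify() below checks against it.

// Returns the user row (without the hash) on success, null on any failure.
function login(PDO $pdo, string $username, string $password): ?array
{
    // The placeholder keeps the username out of the SQL text, so quotes or
    // comment sequences in it cannot change what the query does.
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash, verified, rank FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;                        // unknown user or wrong password, same answer
    }
    if ((int) $row['verified'] !== 1) {
        return null;                        // e-mail not verified yet
    }
    unset($row['password_hash']);           // never carry the hash into the session
    return $row;
}

// Gate for protected pages: call this at the top of every page that needs a login.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['userid'])) {
        header('Location: /signin.php?error=12');
        exit;                               // stop here, or the page body is still sent
    }
}

// ---- sign-in handler ----
$user = login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($user === null) {
    header('Location: /signin.php?error=9');
    exit;
}

// New session id on login, so an id a visitor had before authenticating is not kept.
session_regenerate_id(true);
$_SESSION['userid']   = $user['id'];
$_SESSION['username'] = $user['username'];
$_SESSION['rank']     = $user['rank'];

header('Location: /index.php');
exit;
```

A `header('Location: ...')` followed by `exit` does the redirect server-side, which removes the window in which a `<meta http-equiv=refresh>` page keeps rendering content to a browser that ignores the refresh.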

[quote author=Mutley link=topic=121052.msg497868#msg497868 date=1168048065]
I like yours Alpine but if my cookie is encrypted, does it read it normally or do I need some PHP to decode it?
[/quote]

You don't decrypt the cookie value, you simply compare an encrypted value (like the cookie value) with another encrypted value (like the encrypted db value) to see if they match. If they match, the values before encryption are in most cases identical. This is if the encryption methods are the same on both values of course (md5() etc.).
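The hash-against-hash comparison Alpine describes is shown below in an added example that is not Alpine's code. One deliberate change from the thread's approach: the value in the cookie is a random token issued at login rather than a hash of the password, because whoever can read a cookie holding md5(password) can present it again without ever knowing the password, and the same value would unlock the account for as long as the password lasts. A token can be revoked and expires on its own. The example assumes a table `remember_tokens` (`selector`, `token_hash`, `user_id`, `expires`) and an open PDO connection in `$pdo`; the cookie name and lifetime are assumptions.

```php
<?php
// Added example (not Alpine's or the thread's code). Assumes a `remember_tokens`
// table (selector CHAR(24), token_hash CHAR(64), user_id INT, expires DATETIME)
// and an open PDO connection in $pdo. Cookie name and lifetime are assumptions.

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600;      // 30 days

// Call after a successful login. The browser receives the raw token; the
// database keeps only its hash, so a copy of the table does not yield usable cookies.
function issue_remember_cookie(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));  // public lookup key for the row
    $validator = bin2hex(random_bytes(32));  // the secret; stored only as a hash

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, token_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $selector,
        hash('sha256', $validator),
        $userId,
        date('Y-m-d H:i:s', time() + REMEMBER_TTL),
    ]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,      // only over HTTPS
        'httponly' => true,      // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Call on a later request with no active session. Hashes what the browser sent
// and compares hash with hash, never decrypting anything, exactly as described above.
function user_from_remember_cookie(PDO $pdo): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return null;                         // malformed or missing cookie
    }
    [$selector, $validator] = explode(':', $raw, 2);

    $stmt = $pdo->prepare(
        'SELECT token_hash, user_id FROM remember_tokens WHERE selector = ? AND expires > NOW()'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                         // unknown selector or expired token
    }

    // hash_equals() compares in constant time, so a mismatch does not leak how
    // many leading characters of the hash were right.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// On logout, delete the row for the presented selector and clear the cookie,
// which is something a password-hash cookie cannot offer.
function revoke_remember_cookie(PDO $pdo): void
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($raw, ':') === 1) {
        [$selector] = explode(':', $raw, 2);
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

The selector/validator split means the database lookup is by an indexed, non-secret column, and the secret part is only ever compared through `hash_equals()` after hashing; the same compare-hash-with-hash idea from the reply above, applied to a value that can be thrown away.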

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource on line 10

I've set it up all ok I'm sure, I get "No access granted with your current userdata" but the cookies are there?

[code]<?php

if(!empty($_COOKIE['id']) && !empty($_COOKIE['pass']))
{
  // open the database connection first; mysql_real_escape_string() needs it
  include('secure/sec_con.php');
  $id = mysql_real_escape_string($_COOKIE['id']);
  $pass = mysql_real_escape_string($_COOKIE['pass']);

  $check = mysql_query("SELECT * FROM users WHERE pass = '$pass' AND id = '$id'");

  if(mysql_num_rows($check) <> 1)
  {
    echo "No access granted with your current userdata";
    exit();
  }
  else
  {
    echo "Logged in as " . htmlspecialchars($id, ENT_QUOTES);
  }
}
else
{
  echo "You have to be logged in to visit this section";
  exit();
}

?>[/code]

Replace
[code]
$check = mysql_query("SELECT * FROM users WHERE pass = '$pass' AND id = '$id'");
[/code]

with
[code]
$check = mysql_query("SELECT * FROM users WHERE pass = '$pass' AND id = '$id'") or die(mysql_error());
[/code]

and see what the MySQL error is.