stevied Posted May 15, 2007 Share Posted May 15, 2007 Ok guys. A first time here on the site and a newbie... I am busy designing a site. Well it is pretty much finished. But I got some code from PHP builder (tim) for a secure login. This code has it all. Although it does not fully work. Unless I am doing something worng. Like i can log out with out even logging in. And i get a few errors. I know you guys work hard and this might be a lot of work for you but i would really appreciate it. And also please let me know how secure this code is., Cause my site is intended to have a few thousand users and i dont need it falling apart. thanks. okay to start I am told to edit these 3 and put them in a folder called include (user.php, database.php & pre.php) User.php is as follows <?php $hidden_hash_var='your_password_here'; $LOGGED_IN=false; //clear it out in case someone sets it in the URL or something unset($LOGGED_IN); /* create table user ( user_id int not null auto_increment primary key, user_name text, real_name text, email text, password text, remote_addr text, confirm_hash text, is_confirmed int not null default 0 ); */ function user_isloggedin() { global $user_name,$id_hash,$hidden_hash_var,$LOGGED_IN; //have we already run the hash checks? //If so, return the pre-set var if (isset($LOGGED_IN)) { return $LOGGED_IN; } if ($user_name && $id_hash) { $hash=md5($user_name.$hidden_hash_var); if ($hash == $id_hash) { $LOGGED_IN=true; return true; } else { $LOGGED_IN=false; return false; } } else { $LOGGED_IN=false; return false; } } function user_login($user_name,$password) { global $feedback; if (!$user_name || !$password) { $feedback .= ' ERROR - Missing user name or password '; return false; } else { $user_name=strtolower($user_name); $password=strtolower($password); $sql="SELECT * FROM user WHERE user_name='$user_name' AND password='". md5($password) ."'"; $result=db_query($sql); if (!$result || db_numrows($result) < 1){ $feedback .= ' ERROR - User not found or password incorrect '; return false; } else { if (db_result($result,0,'is_confirmed') == '1') { user_set_tokens($user_name); $feedback .= ' SUCCESS - You Are Now Logged In '; return true; } else { $feedback .= ' ERROR - You haven\'t Confirmed Your Account Yet '; return false; } } } } function user_logout() { setcookie('user_name','',(time()+2592000),'/','',0); setcookie('id_hash','',(time()+2592000),'/','',0); } function user_set_tokens($user_name_in) { global $hidden_hash_var,$user_name,$id_hash; if (!$user_name_in) { $feedback .= ' ERROR - User Name Missing When Setting Tokens '; return false; } $user_name=strtolower($user_name_in); $id_hash= md5($user_name.$hidden_hash_var); setcookie('user_name',$user_name,(time()+2592000),'/','',0); setcookie('id_hash',$id_hash,(time()+2592000),'/','',0); } function user_confirm($hash,$email) { /* Call this function on the user confirmation page, which they arrive at when the click the link in the account confirmation email */ global $feedback,$hidden_hash_var; //verify that they didn't tamper with the email address $new_hash=md5($email.$hidden_hash_var); if ($new_hash && ($new_hash==$hash)) { //find this record in the db $sql="SELECT * FROM user WHERE confirm_hash='$hash'"; $result=db_query($sql); if (!$result || db_numrows($result) < 1) { $feedback .= ' ERROR - Hash Not Found '; return false; } else { //confirm the email and set account to active $feedback .= ' User Account Updated - You Are Now Logged In '; user_set_tokens(db_result($result,0,'user_name')); $sql="UPDATE user SET email='$email',is_confirmed='1' WHERE confirm_hash='$hash'"; $result=db_query($sql); return true; } } else { $feedback .= ' HASH INVALID - UPDATE FAILED '; return false; } } function user_change_password ($new_password1,$new_password2,$change_user_name,$old_password) { global $feedback; //new passwords present and match? if ($new_password1 && ($new_password1==$new_password2)) { //is this password long enough? if (account_pwvalid($new_password1)) { //all vars are present? if ($change_user_name && $old_password) { //lower case everything $change_user_name=strtolower($change_user_name); $old_password=strtolower($old_password); $new_password1=strtolower($new_password1); $sql="SELECT * FROM user WHERE user_name='$change_user_name' AND password='". md5($old_password) ."'"; $result=db_query($sql); if (!$result || db_numrows($result) < 1) { $feedback .= ' User not found or bad password '.db_error(); return false; } else { $sql="UPDATE user SET password='". md5($new_password1). "' ". "WHERE user_name='$change_user_name' AND password='". md5($old_password). "'"; $result=db_query($sql); if (!$result || db_affected_rows($result) < 1) { $feedback .= ' NOTHING Changed '.db_error(); return false; } else { $feedback .= ' Password Changed '; return true; } } } else { $feedback .= ' Must Provide User Name And Old Password '; return false; } } else { $feedback .= ' New Passwords Doesn\'t Meet Criteria '; return false; } } else { return false; $feedback .= ' New Passwords Must Match '; } } function user_lost_password ($email,$user_name) { global $feedback,$hidden_hash_var; if ($email && $user_name) { $user_name=strtolower($user_name); $sql="SELECT * FROM user WHERE user_name='$user_name' AND email='$email'"; $result=db_query($sql); if (!$result || db_numrows($result) < 1) { //no matching user found $feedback .= ' ERROR - Incorrect User Name Or Email Address '; return false; } else { //create a secure, new password $new_pass=strtolower(substr(md5(time().$user_name.$hidden_hash_var),1,14)); //update the database to include the new password $sql="UPDATE user SET password='". md5($new_pass) ."' WHERE user_name='$user_name'"; $result=db_query($sql); //send a simple email with the new password mail ($email,'Password Reset','Your Password '. 'has been reset to: '.$new_pass,'From: [email protected]'); $feedback .= ' Your new password has been emailed to you. '; return true; } } else { $feedback .= ' ERROR - User Name and Email Address Are Required '; return false; } } function user_change_email ($password1,$new_email,$user_name) { global $feedback,$hidden_hash_var; if (validate_email($new_email)) { $hash=md5($new_email.$hidden_hash_var); //change the confirm hash in the db but not the email - //send out a new confirm email with a new hash $user_name=strtolower($user_name); $password1=strtolower($password1); $sql="UPDATE user SET confirm_hash='$hash' WHERE user_name='$user_name' AND password='". md5($password1) ."'"; $result=db_query($sql); if (!$result || db_affected_rows($result) < 1) { $feedback .= ' ERROR - Incorrect User Name Or Password '; return false; } else { $feedback .= ' Confirmation Sent '; user_send_confirm_email($new_email,$hash); return true; } } else { $feedback .= ' New Email Address Appears Invalid '; return false; } } function user_send_confirm_email($email,$hash) { /* Used in the initial registration function as well as the change email address function */ $message = "Thank You For Registering at PHPBuilder.com". "\nSimply follow this link to confirm your registration: ". "\n\nhttp://www.phpbuilder.com/account/confirm.php?hash=$hash&email=". urlencode($email). "\n\nOnce you confirm, you can use the services on PHPBuilder."; mail ($email,'PHPBuilder Registration Confirmation',$message,'From: [email protected]'); } function user_register($user_name,$password1,$password2,$email,$real_name) { global $feedback,$hidden_hash_var; //all vars present and passwords match? if ($user_name && $password1 && $password1==$password2 && $email && validate_email($email)) { //password and name are valid? if (account_namevalid($user_name) && account_pwvalid($password1)) { $user_name=strtolower($user_name); $password1=strtolower($password1); //does the name exist in the database? $sql="SELECT * FROM user WHERE user_name='$user_name'"; $result=db_query($sql); if ($result && db_numrows($result) > 0) { $feedback .= ' ERROR - USER NAME EXISTS '; return false; } else { //create a new hash to insert into the db and the confirmation email $hash=md5($email.$hidden_hash_var); $sql="INSERT INTO user (user_name,real_name,password,email,remote_addr,confirm_hash,is_confirmed) ". "VALUES ('$user_name','$real_name','". md5($password1) ."','$email','$GLOBALS[REMOTE_ADDR]','$hash','0')"; $result=db_query($sql); if (!$result) { $feedback .= ' ERROR - '.db_error(); return false; } else { //send the confirm email user_send_confirm_email($email,$hash); $feedback .= ' Successfully Registered. You Should Have a Confirmation Email Waiting '; return true; } } } else { $feedback .= ' Account Name or Password Invalid '; return false; } } else { $feedback .= ' ERROR - Must Fill In User Name, Matching Passwords, And Provide Valid Email Address '; return false; } } function user_getid() { global $G_USER_RESULT; //see if we have already fetched this user from the db, if not, fetch it if (!$G_USER_RESULT) { $G_USER_RESULT=db_query("SELECT * FROM user WHERE user_name='" . user_getname() . "'"); } if ($G_USER_RESULT && db_numrows($G_USER_RESULT) > 0) { return db_result($G_USER_RESULT,0,'user_id'); } else { return false; } } function user_getrealname() { global $G_USER_RESULT; //see if we have already fetched this user from the db, if not, fetch it if (!$G_USER_RESULT) { $G_USER_RESULT=db_query("SELECT * FROM user WHERE user_name='" . user_getname() . "'"); } if ($G_USER_RESULT && db_numrows($G_USER_RESULT) > 0) { return db_result($G_USER_RESULT,0,'real_name'); } else { return false; } } function user_getemail() { global $G_USER_RESULT; //see if we have already fetched this user from the db, if not, fetch it if (!$G_USER_RESULT) { $G_USER_RESULT=db_query("SELECT * FROM user WHERE user_name='" . user_getname() . "'"); } if ($G_USER_RESULT && db_numrows($G_USER_RESULT) > 0) { return db_result($G_USER_RESULT,0,'email'); } else { return false; } } function user_getname() { if (user_isloggedin()) { return $GLOBALS['user_name']; } else { //look up the user some day when we need it return ' ERROR - Not Logged In '; } } function account_pwvalid($pw) { global $feedback; if (strlen($pw) < 6) { $feedback .= " Password must be at least 6 characters. "; return false; } return true; } function account_namevalid($name) { global $feedback; // no spaces if (strrpos($name,' ') > 0) { $feedback .= " There cannot be any spaces in the login name. "; return false; } // must have at least one character if (strspn($name,"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") == 0) { $feedback .= "There must be at least one character."; return false; } // must contain all legal characters if (strspn($name,"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_") != strlen($name)) { $feedback .= " Illegal character in name. "; return false; } // min and max length if (strlen($name) < 5) { $feedback .= " Name is too short. It must be at least 5 characters. "; return false; } if (strlen($name) > 15) { $feedback .= "Name is too long. It must be less than 15 characters."; return false; } // illegal names if (eregi("^((root)|(bin)|(daemon)|(adm)|(lp)|(sync)|(shutdown)|(halt)|(mail)|(news)" . "|(uucp)|(operator)|(games)|(mysql)|(httpd)|(nobody)|(dummy)" . "|(www)|(cvs)|(shell)|(ftp)|(irc)|(debian)|(ns)|(download))$",$name)) { $feedback .= "Name is reserved."; return 0; } if (eregi("^(anoncvs_)",$name)) { $feedback .= "Name is reserved for CVS."; return false; } return true; } function validate_email ($address) { return (ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'. '@'. '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.' . '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$', $address)); } ?> then pre.php is as follows: <?php function site_header($title) { echo '<HEAD><TITLE>'.$title.'</TITLE></HEAD><BODY>'; } function site_footer() { } ?> then database.php is as follows: <?php // // SourceForge: Breaking Down the Barriers to Open Source Development // Copyright 1999-2000 © The SourceForge Crew // http://sourceforge.net // // $Id: database.php,v 1.6 2000/04/11 14:17:13 cvs Exp $ // // /etc/local.inc includes the machine specific database connect info $sys_dbhost='server'; $sys_dbuser='user'; $sys_dbpasswd='pass'; $sys_dbname='dbname'; function db_connect() { global $sys_dbhost,$sys_dbuser,$sys_dbpasswd; $conn = mysql_connect($sys_dbhost,$sys_dbuser,$sys_dbpasswd); if (!$conn) { echo mysql_error(); } return $conn; } function db_query($qstring,$print=0) { global $sys_dbname; return @mysql($sys_dbname,$qstring); } function db_numrows($qhandle) { // return only if qhandle exists, otherwise 0 if ($qhandle) { return @mysql_numrows($qhandle); } else { return 0; } } function db_result($qhandle,$row,$field) { return @mysql_result($qhandle,$row,$field); } function db_numfields($lhandle) { return @mysql_numfields($lhandle); } function db_fieldname($lhandle,$fnumber) { return @mysql_fieldname($lhandle,$fnumber); } function db_affected_rows($qhandle) { return @mysql_affected_rows(); } function db_fetch_array($qhandle) { return @mysql_fetch_array($qhandle); } function db_insertid($qhandle) { return @mysql_insert_id($qhandle); } function db_error() { return "\n\n<P><B>".@mysql_error()."</B><P>\n\n"; } //connect to the db //I usually call from pre.php db_connect(); ?> Then the login.php goes in the root folder I presume: <?php include($DOCUMENT_ROOT.'/include/database.php'); include($DOCUMENT_ROOT.'/include/pre.php'); include($DOCUMENT_ROOT.'/include/user.php'); if (user_isloggedin()) { user_logout(); $user_name=''; } if ($submit) { user_login($user_name,$password); } site_header('Login To PHPBuilder'); if ($feedback) { echo '<FONT COLOR="RED"><H2>'.$feedback.'</H2></FONT>'; } echo '<H3>Login To PHPBuilder</H3> <P> Enter your user name and password and we\'ll set a cookie so we know you\'re logged in. <P> <FORM ACTION="'. $PHP_SELF .'" METHOD="POST"> <B>User Name:</B><BR> <INPUT TYPE="TEXT" NAME="user_name" VALUE="" SIZE="10" MAXLENGTH="15"> <P> <B>Password:</B><BR> <INPUT TYPE="password" NAME="password" VALUE="" SIZE="10" MAXLENGTH="15"> <P> <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Login To PHPBuilder"> </FORM> <P> <A HREF="register.php">[ Register A New Account ]</A> <P> <A HREF="changepass.php">[ Change Your Password ]</A> <P> <A HREF="changeemail.php">[ Change Your Email Address ]</A>'; site_footer(); ?> and this is the confirm.php in the account folder under root: <?php include($DOCUMENT_ROOT.'/include/database.php'); include($DOCUMENT_ROOT.'/include/pre.php'); include($DOCUMENT_ROOT.'/include/user.php'); if ($hash && $email) { $worked=user_confirm($hash,$email); } else { $feedback = '<H1>ERROR - Missing Params</H1>'; } site_header('Account Confirmation'); if ($feedback) { echo '<FONT COLOR="RED"><H2>'.$feedback.'</H2></FONT>'; } if (!$worked){ echo '<P><H1>Having Trouble Confirming?</H1> <P>A change was just made to the system, try the <A HREF="changeemail.php">Change Your Email Address</A> page to receive a new confirmation email'; } echo '<H3>Your PHPBuilder Account</H3> <P> <A HREF="login.php">Login To PHPBuilder</A> <P> <A HREF="logout.php">Logout</A> <P> <A HREF="register.php">Register A New Account</A> <P> <A HREF="changepass.php">Change Your Password</A> <P> <A HREF="changeemail.php">Change Your Email Address</A>'; site_footer(); ?> okay i left the changeemail and changepass off cause i am sure this is plenty to go over??? to me its like im speaking to a drunk german speaking chinese. in other words... im lost Link to comment https://forums.phpfreaks.com/topic/51484-just-call-me-lost-confused-secure-php-login-script/ Share on other sites More sharing options...
Dragen Posted May 15, 2007 Share Posted May 15, 2007 please put your code in the tags Link to comment https://forums.phpfreaks.com/topic/51484-just-call-me-lost-confused-secure-php-login-script/#findComment-253531 Share on other sites More sharing options...
MadTechie Posted May 15, 2007 Share Posted May 15, 2007 1# read the rules 2# then post! Link to comment https://forums.phpfreaks.com/topic/51484-just-call-me-lost-confused-secure-php-login-script/#findComment-253556 Share on other sites More sharing options...
stevied Posted May 15, 2007 Author Share Posted May 15, 2007 ok not sure what you mean. my first time on this site...? Rules? how do i find that... anyways ill look around thanks Link to comment https://forums.phpfreaks.com/topic/51484-just-call-me-lost-confused-secure-php-login-script/#findComment-253642 Share on other sites More sharing options...
stevied Posted May 15, 2007 Author Share Posted May 15, 2007 ah my apologies ladies & gents. ill get it right next time ???. thanks Link to comment https://forums.phpfreaks.com/topic/51484-just-call-me-lost-confused-secure-php-login-script/#findComment-253645 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.