Site with login

Hello everyone,

I’m starting a new project, and for this I want to first build a very basic site with a login system. I’m most concerned about password handling: how do I do that safely?

Basically I will have a table called users, with the following data:

[LIST]
[*]user_id
[*]user_name
[*]user_pw
[*]user_firstname
[*]user_lastname
[/LIST]
Let’s say someone already registered, and he wants to log in. I don’t think just sending the password data back and forth from the server is very safe? Also I could just check someone’s password in the database, and I don’t want that. Can anyone help me out here? It would be much appreciated!

  • Maqrkk

ummm well you need to check someone’s password in the database, there’s no way around it. I fail to see what you think the possible security flaws in that are …

Fact of the matter is you NEED to store a password in the database. It should be encrypted.
You also NEED to reference the database for the username and password.

Your basic login script would be something like

pseudo code …


if ( !empty($_POST['submit']) )
{
   #all your database connection crap goes first

   #query your db with something like
   $username = $_POST['username'];
   $password = sha1($_POST['password']);
   $query = "SELECT COUNT(*) AS valid_user FROM table WHERE user_name = $username AND user_pw = $password";
   #if valid_user = 1 goto logged in page
   
   #if valid_user != 1 error reload login page
}

I think encryption is the word I was looking for indeed. How is that done then?

Let’s take as example the Register page, since it needs to be encrypted inside the database, right? Would the user type his password, how do I encrypt it and store it in the database?

[QUOTE=Maqrkk;2335674]I think encryption is the word I was looking for indeed. How is that done then?

Let’s take as example the Register page, since it needs to be encrypted inside the database, right? Would the user type his password, how do I encrypt it and store it in the database?[/QUOTE]

On the register page when you submit their password to the database submit it as


sha1($usersubmittedpassword);

Thanks! Is that completely safe? :wink:

Nothing is completely safe. You may want to escape any arguments that the user could submit by using mysql_real_escape_string() on your password and username variables.

A mod of simps code:


if ( !empty($_POST['submit']) )
{
   #all your database connection crap goes first

   #query your db with something like
   $username = mysql_real_escape_string($_POST['username']);
   $password = mysql_real_escape_string($_POST['password']);
   $query = "SELECT COUNT(*) AS valid_user FROM table WHERE user_name = '$username' AND user_pw = SHA1('$password')";
   #if valid_user = 1 goto logged in page
   
   #if valid_user != 1 error reload login page
}  


This will prevent them from submitting “’…’ OR 1=1” which will select all of your user’s names and passwords.

If you want to make the password recoverable, you can use the mysql AES_ENCRYPT function.
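
The register and login steps discussed above, as an added example that is not part of the thread: it uses PDO prepared statements instead of escaping, and `password_hash()`/`password_verify()` (a salted, deliberately slow hash) instead of a bare `sha1()`. The function names are hypothetical and an in-memory SQLite database stands in for the MySQL server; the `mysql_*` functions used in the thread were removed in PHP 7.0.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// an in-memory SQLite database stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    user_id        INTEGER PRIMARY KEY,
    user_name      TEXT UNIQUE NOT NULL,
    user_pw        TEXT NOT NULL,
    user_firstname TEXT,
    user_lastname  TEXT
)');

function register_user(PDO $pdo, string $name, string $password, string $first, string $last): void
{
    // password_hash() generates a random salt and stores it, together with
    // the algorithm and cost, inside the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (user_name, user_pw, user_firstname, user_lastname)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$name, $hash, $first, $last]);
}

// Returns the user_id on success, or null on any failure.
function check_login(PDO $pdo, string $name, string $password): ?int
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT user_id, user_pw FROM users WHERE user_name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['user_pw'])) {
        return null;
    }
    return (int) $row['user_id'];
}

// Constructed sample data.
register_user($pdo, 'alice', 'correct horse battery', 'Alice', 'Example');
var_dump(check_login($pdo, 'alice', 'correct horse battery')); // valid credentials
var_dump(check_login($pdo, 'alice', 'wrong password'));        // wrong password
var_dump(check_login($pdo, "' OR 1=1 -- ", 'anything'));       // treated as a literal user name
```

Because the stored value is a one-way hash, nobody reading the `users` table sees the original password, which is the concern raised in the first post.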

[quote=actionAction;2335707]Nothing is completely safe. You may want to escape any arguments that the user could submit by using mysql_real_escape_string() on your password and username variables.

A mod of simps code:


if ( !empty($_POST['submit']) )
{
   #all your database connection crap goes first

   #query your db with something like
   $username = mysql_real_escape_string($_POST['username']);
   $password = mysql_real_escape_string($_POST['password']);
   $query = "SELECT COUNT(*) AS valid_user FROM table WHERE user_name = '$username' AND user_pw = SHA1('$password')";
   #if valid_user = 1 goto logged in page
   
   #if valid_user != 1 error reload login page
}  


This will prevent them from submitting “‘…’ OR 1=1” which will select all of your user’s names and passwords.[/quote]

So mysql_real_escape_string is basically a protection for possible ‘hacks’ users can use to do things I would not want them to do? Thanks for the suggestion. I think I got most of it, thanks! I’ll give it a try :smiley:

And how safe is that compared to the other method?

Ok I tried the following:

	$username = mysql_real_escape_string($_POST['uname']);
	$password = sha1(mysql_real_escape_string($_POST['pword']));

Which gave me the following error:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user '***'@'***' (using password: ***) in D:\***\***.php on line 36

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in D:\***\***.php on line 36

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user '***'@'***' (using password: ***) in D:\***\***.php on line 37

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in D:\***\***.php on line 37

Did I do something wrong? This is in the register.php, after I type in values to be registered…

you need to connect to the db before this code is executed.

Usually I just use sprintf to do it right when I define the query string


//First you must connect to db, as noted above
$sql = sprintf("SELECT * FROM tablename WHERE foo='%s'",
                  mysql_real_escape_string($foo)
                  );

Thanks, connecting first does the trick, silly me.
Djheru, what does sprintf do? Your example wasn’t really clear to me, sorry!

sprintf allows you to place tokens in a target string which it will then replace with a given list of arguments

i.e. in Djheru’s example - the %s in the target string will be replaced by the value of mysql_real_escape_string($foo)

The percent then letter determines the treatment of the argument passed in - in this case %s means it gets treated as string.

It’s possible to pass as many arguments as you want - i.e.

sprintf("Some values %s, %s, %s", "one", "two", "three");

Would produce “Some values one, two, three”

Check out

http://uk2.php.net/sprintf

Always useful!

Oh right I get it, thanks! That’s basically a shortcut way then, right?

Ok, the register and log in functions are working partially. Register checks if all fields are filled, then puts it in the database, and login checks if the fields are checked, then if the user exists in the database, and if so checks if the password matches.

However, I’m kind of stuck at this point. How do I tell my index if someone is logged in or not?

Use the PHP SESSION variables to store information about the users session.

Create a session variable called “login_ID” and set it to 0 - when a user is logged in set it to their ID.

$_SESSION["login_ID"] = $some_database_id_value_for_the_user;

Then you can check this on subsequent pages - you might want to check the documentation on PHP sessions - you will need to start a session

http://uk.php.net/manual/en/function.session-start.php

Oh wow, just what I needed :slight_smile: Thanks again! :wink:

I’m trying to get this, but it’s pretty tough for a first-timer. How do I detect in the index if a user has a session running? Basically I want to display ‘Logout’ when someone is logged in, and ‘Login’ when someone is logged out. Once I get that right, the rest shouldn’t be too hard… But I can not get this to work with sessions… lots of new information… Can you show me a really basic example of how to get this done?

When you check to see if the username/password matches, set up an if/else conditional where if they don’t match, you display an error message, and if they do match, you set some $_SESSION variables, which have values that are “carried across” different pages. For example, you could set $_SESSION['logged_in'] = true and $_SESSION['username'] = $_POST['username'];

Then, when they navigate from the login page to a different page, the $_SESSION array keeps the values. You can also test the $_SESSION['logged_in'] variable to determine what content they see.

edit: In order to use sessions, you must call the PHP built in function session_start(); before any content is sent to the browser, including headers. I usually just place it at the top of the page, immediately after the opening php tag.
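
The session handling described above, as an added example that is not part of the thread: an index page that starts the session before any output and shows ‘Login’ or ‘Logout’ depending on the session state. The helper names, the `logout` form field and the `login.php` file name are hypothetical; `mark_logged_in()` is meant to be called by the login script after the password check succeeds.

```php
<?php
// Added example, not code from the thread. Helper names, the "logout"
// form field and login.php are hypothetical.
session_start(); // must run before any HTML is sent

// Call this from the login script once the password check has succeeded.
function mark_logged_in(int $userId, string $userName): void
{
    // Issue a fresh session ID on login so an ID known before
    // authentication cannot be reused afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['login_ID']  = $userId;
    $_SESSION['username']  = $userName;
}

function is_logged_in(): bool
{
    // !empty() also covers the case where the key was never set.
    return !empty($_SESSION['logged_in']);
}

function log_out(): void
{
    $_SESSION = [];
    session_destroy();
}

// Logout is a POST so that a plain link or image tag cannot trigger it.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['logout'])) {
    log_out();
}
?>
<html>
<head><title>Index</title></head>
<body>
<?php if (is_logged_in()): ?>
    <p>Welcome, <?php echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8'); ?>.</p>
    <form method="post"><button type="submit" name="logout" value="1">Logout</button></form>
<?php else: ?>
    <a href="login.php">Login</a>
<?php endif; ?>
</body>
</html>
```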

Well my index.php is basically a HTML file with some php code in the body. Does that mean I need an additional php area somewhere in the <head>, or even above that with just this: “session_start();”?
Also, I guess session_start initiates a session somehow, and if I do this after session_start();, does it count?

<?php
session_start();
// !empty() avoids an "undefined index" notice when nobody has logged in yet
if (!empty($_SESSION['logged_in']))
{
    $log = 1;
}
else
{
    $log = 0;
}
?>

Then could I render the rest of my site by checking $log?