Connecting Tech Pros Worldwide Help | Site Map
bytes > topic > php > answers

Help me with Login System

Newbie
  
Join Date: Dec 2008
Posts: 28
#1: 3 Weeks Ago
Hi all, after thinking for sometimes, I thought it will be great opportunity to learn if I will start from scratch and build my own register/login system. Here is the thread that I will be posting the progress and I hope you guys will help me.

The code below is what I have so far. Just put two scripts in the same directory and that is! I hope you will help me
Thanks!
class.php
Expand|Select|Wrap|Line Numbers
  1. <?php
  2. //php login sytem
  3. class LoginRegister{
  4.  function __construct(){
  5. }
  6.  
  7. function displogin($status){
  8. if ($status == "login"){
  9.     // post login page
  10.     $enc = base64_encode('login');
  11.     $html = <<<LOGIN
  12.     <form action = $_SERVER[PHP_SELF]?do=$enc, method = POST>
  13.         <p>Username: <input type=text name = username /></p>
  14.         <p>Password: <input type=password name = password /></p>
  15.         <input type=submit value=Login />
  16.     </form>
  17. LOGIN;
  18.         echo $html;
  19. }//end if
  20.  
  21. else if ($status == "register"){
  22.     //post register page
  23.     $enc = base64_encode('register');
  24.     $html = <<<LOGIN
  25.     <form action = $_SERVER[PHP_SELF]?do=$enc, method = POST>
  26.         <p>Username: <input type=text name = username /></p>
  27.         <p>Password: <input type=password name = password /></p>
  28.         <input type=submit value=Register />
  29.     </form>
  30. LOGIN;
  31.         echo $html;
  32. }// end elese if
  33.  
  34.  
  35. }
  36.  
  37. function auth($username, $password){
  38.     $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password' ";
  39.     $res  = mysql_query($sql) or die(mysql_error());
  40.     if (mysql_num_rows($res)==1){
  41.     echo "sucessful logged in as ". $username;
  42.     }//end if
  43.     else{
  44.         echo "<p style = 'color:red; font-weight:bold;'>Username or password not correct.
  45.         <br /> New? Register!</p>";
  46.         $this->displogin('register');
  47.     }// end else
  48. }
  49.  
  50.  
  51. function checkempty($username, $password, $mode){
  52.     if (empty($username) or empty($password)){
  53.     echo "<p style = 'color:red; font-weight:bold;'>Empty Values are not allowed</p>";
  54.     $this->displogin('login');
  55.     }//end if
  56.     else{
  57.     //do checking
  58.     switch($mode){
  59.         case 'login':
  60.         $this->auth($username, $password);
  61.         case 'register':
  62.         $this->adduser($username, $password);
  63.         default:
  64.             echo "<p style = 'color:red; font-weight:bold;'>Wrong Values are not allowed</p>";
  65.             $this->displogin('login');
  66.         }//end switch
  67.     }//end else
  68. }
  69.  
  70. function login($uname, $passwd){
  71.     //username
  72.     $username = stripslashes($uname);
  73.     $username = mysql_real_escape_string($uname);
  74.     //passsword    
  75.     $password = stripslashes($passwd);
  76.     $password = mysql_real_escape_string($passwd);
  77.     //check for empty variables
  78.     $this->checkempty($username, $password, 'login');    
  79. }
  80.  
  81. function register($uname, $passwd){
  82.     //username
  83.     $username = stripslashes($uname);
  84.     $username = mysql_real_escape_string($uname);
  85.     //passsword    
  86.     $password = stripslashes($passwd);
  87.     $password = mysql_real_escape_string($passwd);
  88.     //check for empty variables
  89.     $this->checkempty($username, $password, 'register');    
  90. }
  91.  
  92. function adduser($username, $password){
  93.     $sql = "INSERT INTO users(username, password) VALUES('$username', '$password')";
  94.     //redirect to login page
  95.     echo "<p style = 'color:green; font-weight:bold;'>Thanks for registering. You can now login</p>";
  96.     $this->displogin('login');
  97.     mysql_query($sql) or die(mysql_error());
  98. }
  99.  
  100. }//end class
  101. ?>
  102.  
index.php
Expand|Select|Wrap|Line Numbers
  1. <?php
  2. require "class.php";
  3. $obj = new  LoginRegister();
  4. $conn = mysql_connect("localhost", "root", "") or die(mysql_error());
  5. mysql_select_db("admin", $conn)or die(mysql_error());
  6. if ((isset($_GET['do']))){
  7.     if (($_GET['do'])==(base64_encode('login'))){
  8.     $obj->login($_POST['username'], $_POST['password']);
  9.      }//end middle first if
  10.      else if(($_GET['do'])== (base64_encode('register'))){
  11.         $obj->register($_POST['username'], $_POST['password']);
  12.      }
  13.      else{
  14.          echo "<p style = 'color:red; font-weight:bold;'>Please Login</p>";
  15.         $obj->displogin('login');    
  16.         //debug
  17.         echo base64_encode('login').'<br />';
  18.         echo $_GET['do'];
  19.      }//end else middle
  20.  
  21. }//end last if 
  22. else{
  23.     echo "<p style = 'color:green; font-weight:bold;'>Please Login</p>";
  24.     $obj->displogin('login');    
  25. }//end else
  26. ?>
  27.  
best answer - posted by TheServant
Sure. Let us know if you have a question. This section of Bytes is really for people who need some help with something specific. As much as we'd like to read through your code and impart some wisdom and knowledge in layout, syntax and method, proof reading code is not really in the job description. If you get an error, or something is not working as it should, post relavent code and all error messages and a full explanation, so we don't have to spend half our day looking through irrelevant code trying to find an unidentified problem.

If you're wanting to write a tutorial, write it in PHP insights.
TheServant's Avatar
Expert
  
Join Date: Feb 2008
Location: Australia
Posts: 913
#2: 2 Weeks Ago

re: Help me with Login System

Sure. Let us know if you have a question. This section of Bytes is really for people who need some help with something specific. As much as we'd like to read through your code and impart some wisdom and knowledge in layout, syntax and method, proof reading code is not really in the job description. If you get an error, or something is not working as it should, post relavent code and all error messages and a full explanation, so we don't have to spend half our day looking through irrelevant code trying to find an unidentified problem.

If you're wanting to write a tutorial, write it in PHP insights.
Newbie
  
Join Date: Dec 2008
Posts: 28
#3: 2 Weeks Ago

re: Help me with Login System

this is newbie start writting the script. So IWhat I wanted is criticism and suggestion. I want to end up with full secure login system. That is my intention and I believe it is in Job descriptin ;)

Sorry for being vague and welcome for help :)
Dormilich's Avatar
Moderator
  
Join Date: Aug 2008
Location: Leipzig, Germany
Posts: 3,629
#4: 2 Weeks Ago

re: Help me with Login System

knowledge has its price… either money (if you hire someone) or effort (to learn it yourself).
TheServant's Avatar
Expert
  
Join Date: Feb 2008
Location: Australia
Posts: 913
#5: 2 Weeks Ago

re: Help me with Login System

Quote:

Originally Posted by Dormilich View Post

knowledge has its price… either money (if you hire someone) or effort (to learn it yourself).

True. Apostle, you need to try and improve you script and come to us when you're stuck on something. Type in PHP login script, or login tutorial in Google and you'll have plenty of places to get the basics. Always start with the basics.
dlite922's Avatar
Expert
  
Join Date: Dec 2007
Location: Moon, Dark Side
Posts: 1,094
#6: 2 Weeks Ago

re: Help me with Login System

Quote:

Originally Posted by Apostle View Post

this is newbie start writting the script. So IWhat I wanted is criticism and suggestion. I want to end up with full secure login system. That is my intention and I believe it is in Job descriptin ;)

Sorry for being vague and welcome for help :)

You need some major help!

What you had is not even a class. Here's what real class looks like:


Expand|Select|Wrap|Line Numbers
  1.  
  2. <?php
  3. /**
  4. *  This class handles interactions for user access and registration
  6. * @date 11/06/2009
  7. * @author  Apostle 
  8. * @file LoginRegister.class.php    
  9. */
  10.  
  11. class LoginRegister
  12. {
  13.  
  14.     /**
  15.     * The DB object used to access the database
  16.     */
  17.     private $DB; 
  18.  
  19.  
  20.     /**
  21.     * Constuctor
  22.     * 
  23.     */
  24.     function __construct()
  25.     {
  26.         $this->DB = new DB(); 
  27.     }
  28.  
  29.     /**
  30.     * Authenticates a username and password and returns true or false depending on validity
  31.     * 
  32.     * @access public
  33.     * @param mixed $username
  34.     * @param mixed $password
  35.     * @return bool
  36.     */
  37.     public function authenticateUser($username, $password)
  38.     {
  39.         // initialize and clean variables
  40.         $cleanUser = mysql_real_escape_string($username); 
  41.         $cleanPass = mysql_real_escape_string($password); 
  42.  
  43.         // Run query and get results
  44.         $sql = "SELECT COUNT(*) AS count FROM users WHERE username = '$cleanUser' AND password = '$cleanPass' ";        
  45.         $result = $this->DB->query($sql); 
  46.  
  47.         // Parse result
  48.         if(!empty($result)) // if not empty
  49.         {
  50.             if($result[0]['count'] == 1) { // make sure count is one and only one user with the same username and passwword.
  51.                 return true; 
  52.             }
  53.         }
  54.  
  55.         return false;                 
  56.     } 
  57.  
  58.  
  59.     /**
  60.     * Registers a new user name and password and returns true of successful and false if not. 
  61.     * 
  62.     * @access public
  63.     * @param mixed $username
  64.     * @param mixed $password
  65.     * @return bool
  66.     */
  67.     public function registerUser($username, $password)
  68.     {
  69.         // initialize and clean variables
  70.         $cleanUser = mysql_real_escape_string($username); 
  71.         $cleanPass = mysql_real_escape_string($password); 
  72.  
  73.         // first check if this user already exists
  74.         if($this->checkUserExist($cleanUser))
  75.         {
  76.             die("Error: A user by this name already exists. You should have already run this check before and told the user before calling registerUser()");             
  77.             exit(0); // make sure you exit!
  78.         }
  79.         else
  80.         {
  81.             // user doesn't exist, add him:
  82.             $sql = "INSERT INTO users(username, password) VALUES('$cleanUser', '$cleanPass')";
  83.             $result = $this->DB->query($sql); 
  84.             if(empty($result)) 
  85.             {
  86.                     die("Something went wrong. Was not able to add user"); 
  87.             }
  88.  
  89.             return true;
  90.         }
  91.  
  92.         return false;
  93.     }
  94.  
  95.  
  96.     /**
  97.     * Checks if a user already exists, returns true if user already exists and false if no user exists with given username.
  98.     * 
  99.     * @access public
  100.     * @param mixed $username
  101.     * @return bool
  102.     */
  103.     public function checkUserExist($username)
  104.     {
  105.         // initialize and clean variables
  106.         $cleanUser = mysql_real_escape_string($username); 
  107.  
  108.         // query
  109.         $sql = "SELECT COUNT(*) AS count FROM users WHERE username = '$cleanUser'";
  110.         $result = $this->DB->query($sql); 
  111.  
  112.         // Parse result
  113.         if(!empty($result)) // if not empty
  114.         {
  115.             // we dont' care about the content, if there is a result this user exists
  116.             return true
  117.         }
  118.  
  119.         return false;     
  120.     }    
  121. }
  122.  
  123.  
  124.  

All your other functions should be in a different file that use this class. I'll leave that for you to learn.

* YOUR BIGGEST MISTAKE *

You did not validate the user input before inserting them in an SQL.

Imagine if I tried to login to your used any bogus user name this for a password: hack' OR 1 = 1 LIMIT 1;

Thus your SQL would look like this when executed:
Expand|Select|Wrap|Line Numbers
  1.  
  2. SELECT * FROM users WHERE username = 'hacker' AND password = 'hack' OR 1=1 LIMIT 1;' ";
  3.  
  4.  
Then your check, which says the number of results should be 1 return true because i'm sure you have at least one user name in your users table where the number 1 is always equal to 1. This is called

SQL INJECTION

Google the **** out of it. You're software is always unsecured without it.

I've done more than enough. I hope you learn PHP before you write unsafe software like this. I really REALLY hope you go read up on tutorials and practice programming and proper software testing before deploying any code.

Good luck,




Dan
Newbie
  
Join Date: Dec 2008
Posts: 28
#7: 2 Weeks Ago

re: Help me with Login System

Thanks Dan for Postive criticism.
I completely rewrote the whole thing and will post it here. For now I it is Here
I will post it here.

The reason I want to write from the scratch is to learn new thing as I go, and I know there are many experts that can drill and expose my ignorance on something and definitely improve my skills.

So feel free to criticize me or advice me on anything (code, good coding habits et al)

Thanks for your time guys :)
TheServant's Avatar
Expert
  
Join Date: Feb 2008
Location: Australia
Posts: 913
#8: 2 Weeks Ago

re: Help me with Login System

Writing from scratch is the best for learning, and that is what you should do. However, when you start spending time developing, you can't re-write everything (and have a life) so you will need to learn how to use and modify already tried and tested code.

Again, we're here to help when you get stuck, and generally we don't read through screens of code, but if you post snippets for specific problems, we'll mention any issues with the surrounding code no probs ;)
Newbie
  
Join Date: Dec 2008
Posts: 28
#9: 2 Weeks Ago

re: Help me with Login System

Any recommended code that I can build upon? As per say, I'm beginner in these things and security matters alot in web apps :)
Dormilich's Avatar
Moderator
  
Join Date: Aug 2008
Location: Leipzig, Germany
Posts: 3,629
#10: 2 Weeks Ago

re: Help me with Login System

currently the best measure against SQL Injection is using Prepared Statements (implemented in PHP’s MySQLi & PDO classes)
Newbie
  
Join Date: Dec 2008
Posts: 28
#11: 2 Weeks Ago

re: Help me with Login System

I have learned a little on MYSQLi, I will check for PDO!
If you don't mind you can provide me a link. For now, I going to google
Dormilich's Avatar
Moderator
  
Join Date: Aug 2008
Location: Leipzig, Germany
Posts: 3,629
#12: 1 Week Ago

re: Help me with Login System

MySQLi
PDO
_________________
Newbie
  
Join Date: Dec 2008
Posts: 28
#13: 1 Week Ago

re: Help me with Login System

Thanks I'm going to check
dlite922's Avatar
Expert
  
Join Date: Dec 2007
Location: Moon, Dark Side
Posts: 1,094
#14: 1 Week Ago

re: Help me with Login System

Learn OOP too while you're at it. Practice makes perfect. In the beginning working with already made code and reverse engineering it, modifying it, and especially improving and testing is the ultimate learning experience. That is how I learned PHP.

The reason I recommend OOP is I no longer see PHP as a scripting language and I use it for large applications.

In my opinion if someone wants to script, go learn Perl, PHP's sister. She's much much better at little scripts that make your life easier.

An advanced login script to me is an entry to a small to medium application. PHP/MySQL is a good choice for this.



Dan
Reply

« previous question | next question »

Similar PHP bytes

/bytes/development

/bytes/it

/bytes/about

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over 226,223 network members.

dev questions:
algorithms | asp | asp.net | c/c++ | coldfusion | c# | flash | html/css | java | javascript |
mobile dev | .net | perl | php | python | ruby | software dev | vb.net | visual basic | xml
it questions:
access | apache | careers | db2 | iis | macosx | mysql | networking | oracle | postgresql | sql server | unix | windows

About Bytes | Copyright 1995-2009 BYTES. All rights Reserved