
Help me with Login System

Apostle
28 New Member
Hi all, after thinking for some time, I thought it would be a great opportunity to learn if I started from scratch and built my own register/login system. This is the thread where I will be posting the progress, and I hope you guys will help me.

The code below is what I have so far. Just put the two scripts in the same directory and that is it! I hope you will help me.
Thanks!
class.php
<?php
// PHP login system
// Note: the mysql_* functions used here are the old ext/mysql API (PHP 5 only;
// removed in PHP 7). Later replies in this thread cover the safer alternatives.
class LoginRegister {

    function __construct() {
    }

    // Print the login or the registration form, depending on $status
    function displogin($status) {
        // PHP_SELF is attacker-influenced; escape it before echoing it into HTML
        $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
        if ($status == "login") {
            // post login page
            $enc = base64_encode('login');
            $html = <<<LOGIN
<form action="$self?do=$enc" method="POST">
    <p>Username: <input type="text" name="username" /></p>
    <p>Password: <input type="password" name="password" /></p>
    <input type="submit" value="Login" />
</form>
LOGIN;
            echo $html;
        } // end if
        else if ($status == "register") {
            // post register page
            $enc = base64_encode('register');
            $html = <<<REGISTER
<form action="$self?do=$enc" method="POST">
    <p>Username: <input type="text" name="username" /></p>
    <p>Password: <input type="password" name="password" /></p>
    <input type="submit" value="Register" />
</form>
REGISTER;
            echo $html;
        } // end else if
    }

    // Look the user up; the query is built from its arguments, so they must already be escaped
    function auth($username, $password) {
        $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password' ";
        $res = mysql_query($sql) or die(mysql_error());
        if (mysql_num_rows($res) == 1) {
            echo "Successfully logged in as " . htmlspecialchars($username, ENT_QUOTES);
        } // end if
        else {
            echo "<p style='color:red; font-weight:bold;'>Username or password not correct.
            <br /> New? Register!</p>";
            $this->displogin('register');
        } // end else
    }

    // Reject empty fields, then dispatch to auth() or adduser()
    function checkempty($username, $password, $mode) {
        if (empty($username) or empty($password)) {
            echo "<p style='color:red; font-weight:bold;'>Empty Values are not allowed</p>";
            $this->displogin('login');
        } // end if
        else {
            // do checking; each case needs its break, otherwise execution
            // falls through from login into register and into default
            switch ($mode) {
                case 'login':
                    $this->auth($username, $password);
                    break;
                case 'register':
                    $this->adduser($username, $password);
                    break;
                default:
                    echo "<p style='color:red; font-weight:bold;'>Wrong Values are not allowed</p>";
                    $this->displogin('login');
            } // end switch
        } // end else
    }

    function login($uname, $passwd) {
        // username: strip any magic-quotes slashes, then escape the stripped value
        $username = stripslashes($uname);
        $username = mysql_real_escape_string($username);
        // password
        $password = stripslashes($passwd);
        $password = mysql_real_escape_string($password);
        // check for empty variables
        $this->checkempty($username, $password, 'login');
    }

    function register($uname, $passwd) {
        // username: strip any magic-quotes slashes, then escape the stripped value
        $username = stripslashes($uname);
        $username = mysql_real_escape_string($username);
        // password
        $password = stripslashes($passwd);
        $password = mysql_real_escape_string($password);
        // check for empty variables
        $this->checkempty($username, $password, 'register');
    }

    function adduser($username, $password) {
        $sql = "INSERT INTO users(username, password) VALUES('$username', '$password')";
        // run the INSERT first; only report success once it has actually succeeded
        mysql_query($sql) or die(mysql_error());
        echo "<p style='color:green; font-weight:bold;'>Thanks for registering. You can now login</p>";
        // redirect to login page
        $this->displogin('login');
    }

} // end class
?>
index.php
<?php
require "class.php";
$obj = new LoginRegister();
// Connect first: mysql_real_escape_string() in class.php needs an open connection
$conn = mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("admin", $conn) or die(mysql_error());

// Read the POSTed fields (empty strings if absent; checkempty() rejects those)
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if (isset($_GET['do'])) {
    if ($_GET['do'] == base64_encode('login')) {
        $obj->login($username, $password);
    } // end first inner if
    else if ($_GET['do'] == base64_encode('register')) {
        $obj->register($username, $password);
    }
    else {
        echo "<p style='color:red; font-weight:bold;'>Please Login</p>";
        $obj->displogin('login');
        // debug: show the expected and the received value of ?do= (escaped, it is user input)
        echo base64_encode('login') . '<br />';
        echo htmlspecialchars($_GET['do'], ENT_QUOTES);
    } // end inner else
} // end outer if
else {
    echo "<p style='color:green; font-weight:bold;'>Please Login</p>";
    $obj->displogin('login');
} // end else
?>
Oct 31 '09 #1
TheServant
1,168 Recognized Expert Top Contributor
Sure. Let us know if you have a question. This section of Bytes is really for people who need some help with something specific. As much as we'd like to read through your code and impart some wisdom and knowledge in layout, syntax and method, proofreading code is not really in the job description. If you get an error, or something is not working as it should, post the relevant code and all error messages and a full explanation, so we don't have to spend half our day looking through irrelevant code trying to find an unidentified problem.

If you're wanting to write a tutorial, write it in PHP insights.
Nov 1 '09 #2
Apostle
28 New Member
This is a newbie starting to write the script. So what I wanted is criticism and suggestions. I want to end up with a fully secure login system. That is my intention, and I believe it is in the job description ;)

Sorry for being vague, and you are welcome to help :)
Nov 6 '09 #3
Dormilich
8,658 Recognized Expert Moderator Expert
knowledge has its price… either money (if you hire someone) or effort (to learn it yourself).
Nov 6 '09 #4
TheServant
1,168 Recognized Expert Top Contributor
@Dormilich
True. Apostle, you need to try and improve your script and come to us when you're stuck on something. Type "PHP login script" or "login tutorial" into Google and you'll have plenty of places to get the basics. Always start with the basics.
Nov 6 '09 #5
dlite922
1,584 Recognized Expert Top Contributor
@Apostle
You need some major help!

What you had is not even a class. Here's what a real class looks like:


<?php
/**
 *  This class handles interactions for user access and registration
 * @date 11/06/2009
 * @author  Apostle
 * @file LoginRegister.class.php
 */

class LoginRegister
{

    /**
    * The DB object used to access the database
    * (assumed wrapper: query() returns an array of associative rows, or an empty array)
    */
    private $DB;


    /**
    * Constructor
    *
    */
    function __construct()
    {
        $this->DB = new DB();
    }

    /**
    * Authenticates a username and password and returns true or false depending on validity
    *
    * @access public
    * @param mixed $username
    * @param mixed $password
    * @return bool
    */
    public function authenticateUser($username, $password)
    {
        // initialize and clean variables
        $cleanUser = mysql_real_escape_string($username);
        $cleanPass = mysql_real_escape_string($password);

        // Run query and get results
        $sql = "SELECT COUNT(*) AS count FROM users WHERE username = '$cleanUser' AND password = '$cleanPass' ";
        $result = $this->DB->query($sql);

        // Parse result
        if(!empty($result)) // if not empty
        {
            if($result[0]['count'] == 1) { // make sure count is one and only one user with the same username and password.
                return true;
            }
        }

        return false;
    }


    /**
    * Registers a new user name and password and returns true if successful and false if not.
    *
    * @access public
    * @param mixed $username
    * @param mixed $password
    * @return bool
    */
    public function registerUser($username, $password)
    {
        // initialize and clean variables
        $cleanUser = mysql_real_escape_string($username);
        $cleanPass = mysql_real_escape_string($password);

        // first check if this user already exists
        // (pass the raw name: checkUserExist() escapes it itself, escaping twice would corrupt it)
        if($this->checkUserExist($username))
        {
            die("Error: A user by this name already exists. You should have already run this check before and told the user before calling registerUser()");
        }
        else
        {
            // user doesn't exist, add him:
            $sql = "INSERT INTO users(username, password) VALUES('$cleanUser', '$cleanPass')";
            $result = $this->DB->query($sql);
            if(empty($result))
            {
                    die("Something went wrong. Was not able to add user");
            }

            return true;
        }
    }


    /**
    * Checks if a user already exists, returns true if user already exists and false if no user exists with given username.
    *
    * @access public
    * @param mixed $username
    * @return bool
    */
    public function checkUserExist($username)
    {
        // initialize and clean variables
        $cleanUser = mysql_real_escape_string($username);

        // query
        $sql = "SELECT COUNT(*) AS count FROM users WHERE username = '$cleanUser'";
        $result = $this->DB->query($sql);

        // Parse result: a COUNT(*) query always returns one row, so the row's
        // existence says nothing; the count itself has to be checked
        if(!empty($result) && $result[0]['count'] > 0)
        {
            return true;
        }

        return false;
    }
}

All your other functions should be in a different file that uses this class. I'll leave that for you to learn.

* YOUR BIGGEST MISTAKE *

You did not validate the user input before inserting them in an SQL.

Imagine if I tried to log in to your site with any bogus user name and this for a password: hack' OR 1 = 1 LIMIT 1;

Thus your SQL would look like this when executed:
SELECT * FROM users WHERE username = 'hacker' AND password = 'hack' OR 1=1 LIMIT 1;' ";
Then your check, which says the number of results should be 1, returns true, because I'm sure you have at least one user name in your users table, and the number 1 is always equal to 1. This is called

SQL INJECTION

Google the **** out of it. Your software is always unsecured without it.

I've done more than enough. I hope you learn PHP before you write unsafe software like this. I really REALLY hope you go read up on tutorials and practice programming and proper software testing before deploying any code.

Good luck,

Dan
Nov 7 '09 #6
Apostle
28 New Member
Thanks Dan for the positive criticism.
I completely rewrote the whole thing and will post it here. For now it is Here.
I will post it here.

The reason I want to write from scratch is to learn new things as I go, and I know there are many experts who can drill into and expose my ignorance on something and definitely improve my skills.

So feel free to criticize me or advise me on anything (code, good coding habits et al.)

Thanks for your time guys :)
Nov 7 '09 #7
TheServant
1,168 Recognized Expert Top Contributor
Writing from scratch is the best for learning, and that is what you should do. However, when you start spending time developing, you can't re-write everything (and have a life) so you will need to learn how to use and modify already tried and tested code.

Again, we're here to help when you get stuck, and generally we don't read through screens of code, but if you post snippets for specific problems, we'll mention any issues with the surrounding code no probs ;)
Nov 7 '09 #8
Apostle
28 New Member
Any recommended code that I can build upon? As I said, I'm a beginner in these things, and security matters a lot in web apps :)
Nov 7 '09 #9
Dormilich
8,658 Recognized Expert Moderator Expert
currently the best measure against SQL Injection is using Prepared Statements (implemented in PHP’s MySQLi & PDO classes)
Nov 7 '09 #10
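Dan's reply (#6) shows what the interpolated query turns into, and Dormilich's reply (#10) names the fix. The script below is an added example, not code from the thread or from any of the posters: it runs the thread's query pattern and a prepared statement side by side against the same payload, and adds the other change a practitioner would insist on, storing only a password hash. Assumptions: PHP 7 or later with the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL so it runs offline); the tables, account names and passwords are constructed for the demo. The payload is Dan's with a comment marker appended, because the closing quote the original query adds after the password would otherwise be a syntax error.

```php
<?php
// Added example (not code from the thread). Assumes PHP 7+ with the pdo_sqlite
// extension; an in-memory SQLite database stands in for the thread's MySQL so the
// script runs offline. All usernames and passwords below are constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The thread's schema (plaintext password) and a hashed variant for the last two functions
$pdo->exec('CREATE TABLE users (username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');
$pdo->exec('CREATE TABLE accounts (username TEXT NOT NULL UNIQUE, password_hash TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse'), ('bob', 'battery staple')");

/** The thread's pattern: the SQL text is assembled from whatever the caller passes in. */
function authVulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    echo "  executed: $sql\n";
    $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1;   // the original's "exactly one row means logged in" test
}

/** Prepared statement: the SQL is parsed before any value is bound, so input cannot alter its structure. */
function authPrepared(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC)) === 1;
}

/** Registration that stores only a salted password_hash(), never the password itself. */
function registerHashed(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('INSERT INTO accounts (username, password_hash) VALUES (?, ?)');
    try {
        return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        return false;   // UNIQUE constraint violated: the username is already taken
    }
}

/** Login against the hashed table: look the account up by name, then verify the hash. */
function authHashed(PDO $pdo, string $username, string $password): bool
{
    // Verify against a dummy hash when the account does not exist, so an unknown
    // username costs the same time as a wrong password (no user enumeration by timing).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not a real password', PASSWORD_DEFAULT);
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM accounts WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok  = password_verify($password, $row ? $row['password_hash'] : $dummyHash);
    return $row !== false && $ok;
}

// Dan's payload with a comment marker appended: the original query puts a closing
// quote after the password, and "-- " turns that stray quote into a comment.
$bogusUser = 'nobody';
$payload   = "' OR 1=1 LIMIT 1 -- ";

echo "vulnerable query, injected password: ", authVulnerable($pdo, $bogusUser, $payload) ? "LOGGED IN\n" : "denied\n";
echo "prepared query, injected password:   ", authPrepared($pdo, $bogusUser, $payload) ? "LOGGED IN\n" : "denied\n";
echo "prepared query, real credentials:    ", authPrepared($pdo, 'alice', 'correct horse') ? "LOGGED IN\n" : "denied\n";

registerHashed($pdo, 'carol', 'hunter2');
echo "hashed, right password: ", authHashed($pdo, 'carol', 'hunter2') ? "LOGGED IN\n" : "denied\n";
echo "hashed, wrong password: ", authHashed($pdo, 'carol', 'hunter3') ? "LOGGED IN\n" : "denied\n";
echo "hashed, unknown user:   ", authHashed($pdo, $bogusUser, $payload) ? "LOGGED IN\n" : "denied\n";
```

Run it with `php inject_demo.php`. The concatenated query accepts the bogus user because the payload turns the WHERE clause into `... OR 1=1 LIMIT 1`, and the `LIMIT 1` is what keeps the result at exactly one row so the original "one row" check passes even with several users in the table; the prepared statement treats the same string as a literal password and finds nothing. With the hashed table the database never holds anything that can be replayed as a password, and the dummy-hash path keeps the failure cost identical whether the username exists or not.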
