Bytes | Software Development & Data Engineering Community

nooB PhP login using MySQL

Ben
Hello, I'll bet this has been asked a million times but I can't seem to find
a thread that gives the clear example I need.

This PC has MySQL and IIS configured and running. The MySQL database is
"myDB" with a table "myUsers" with fields "Username" and "Password". I also
have the MySQL ODBC driver loaded with a DSN "dsnMySQL" setup.

First question: can someone direct me to a site or provide sample code
for a login page that prompts for user/password, then displays either the
message "Login Succeeded!" or "Login Failed!"?

Second, how do I prevent users from bypassing the login? Session variable
right? Need instructions on how to implement that.

Lastly, what is the best, maybe I should word that differently, the most
commonly used method for login encryption? I would like the password text
physically in the DB to be encrypted text that is decrypted through the
login process.

Ok, that'll get me through step 1. Any help appreciated.

=B

Mar 29 '07 #1
On 29 Mar, 23:06, "Ben" <nos...@thankyou.com> wrote:
[snip]
>Lastly, what is the best, maybe I should word that differently, the most
>commonly used method for login encryption? I would like the password text
>physically in the DB to be encrypted text that is decrypted through the
>login process.

I'll deal with this only because it is something that I can just copy
and paste from a few entries on this newsgroup in the last few days;
the rest I'll leave to Google.
You can get JavaScript sha256 (SHA-2), so why not use that?

Firstly, changing/registering the password should only be done over
SSL, unless you can use one of the JS asymmetric encryption
implementations that are doing the rounds. [hee hee]

So, registration stage:
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha256(users_plaintext_password)
but anyway, logging in:
login stage
1. create a random string and store in session on server,
2. send login form with username and password fields, and random
string as JavaScript var that will be used later by function that
submits form.
3. when user enters password, set password field to
sha256( sha256(users_plaintext_password)+random string ), and post
form

auth stage
server computes sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )
remove the random string immediately from the session using
$_SESSION['random_string'] = '',

if $_POST['password'] ==
sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )

then OK, redirect to their destination which has a file at the top
requiring authentication

else they made an invalid attempt, redirect back to login script,
setting new random_string which is sent along with login form and also
stored in session.

Usually databases tend to use md5() or sha1(). I think that has
commonly been because more secure hashes weren't around in JavaScript
(and because the de facto MySQL uses PASSWORD(), which I think is a
euphemism for md5() ), but now that there are secure ways, and you don't
have to use PASSWORD() anyway, stick to something like SHA-2. There
have been noises about problems with md5, but as with all such noises,
if you wanted to be secure you would shell out for an SSL cert, or
pick one up from cacert.org for nothing.

When your users have logged in, set a new session, with a new session
ID, and try not to simply use the presence of the session ID with that
value as the determining factor as to whether they have logged in or
not; after all, someone could grab the session ID and replay it. The
difficulty here is that if you make it too "secure" using "process or
application flow" or a running one-time pad for each request, the
presence of a man-in-the-middle could cause a denial of service to the
real user, whose authentication would be invalidated once the MITM and
user both attempted to replay the same session. Anyway, my advice: get
yourself a free cert from www.cacert.org (which is fine for
encryption) and go get assured and join the web of trust to get your
name on it (so it can be used as proof of ownership/ID).

Mar 29 '07 #2
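The challenge/response exchange described in the post above, as an added example that is not part of the original post (PHP; run with `php file.php`). The server's `$_SESSION` is modelled as a plain array so it runs from the command line, and the function names are illustrative. It computes the expected value before clearing the challenge from the session, and uses `hash_equals()` rather than `==` so the comparison takes constant time. The last three lines show the caveat a reviewer would raise with this scheme: because the client hashes the stored hash together with the challenge, the stored hash is itself a password-equivalent, so anyone who can read the `Password` column can answer a challenge without ever knowing the password.

```php
<?php
// Added example, not code from the thread: the challenge/response login exchange
// shimmyshack describes, with the server's $_SESSION modelled as a plain array so
// this runs from the command line. Function and variable names are illustrative.
declare(strict_types=1);

function sha256_hex(string $data): string
{
    return hash('sha256', $data);
}

// Registration stage (over SSL): what gets stored in myUsers.Password.
function register_password(string $plaintext): string
{
    return sha256_hex($plaintext);
}

// Login stage, server side: mint a fresh random string and remember it in the session.
function issue_challenge(array &$session): string
{
    $session['random_string'] = bin2hex(random_bytes(16));
    return $session['random_string'];
}

// Login stage, client side: what the post's JavaScript would put in the password field.
function client_response(string $plaintext, string $challenge): string
{
    return sha256_hex(sha256_hex($plaintext) . $challenge);
}

// Auth stage, server side. The challenge is read and removed before comparing, so a
// second submission of the same response fails; hash_equals() replaces the post's ==.
function verify_response(array &$session, string $storedHash, string $response): bool
{
    $challenge = $session['random_string'] ?? '';
    unset($session['random_string']);
    if ($challenge === '') {
        return false;
    }
    $expected = sha256_hex($storedHash . $challenge);
    return hash_equals($expected, $response);
}

// Walk through one login with a constructed password.
$session    = [];                                  // stands in for $_SESSION
$storedHash = register_password('correct horse');

$challenge = issue_challenge($session);
$response  = client_response('correct horse', $challenge);
echo 'genuine response : ', verify_response($session, $storedHash, $response) ? "accepted\n" : "rejected\n";
echo 'same response again : ', verify_response($session, $storedHash, $response) ? "accepted\n" : "rejected\n";

// Caveat: the stored hash alone is enough to answer a challenge. Someone who can read
// myUsers.Password (a backup, a SQL injection) needs no plaintext password at all.
$challenge = issue_challenge($session);
$forged    = sha256_hex($storedHash . $challenge);
echo 'forged from stored hash : ', verify_response($session, $storedHash, $forged) ? "accepted\n" : "rejected\n";
```

The genuine response is accepted, the replay of the same response is rejected because the challenge was consumed, and the response forged from the stored hash alone is accepted. That last line is why this scheme needs the rest of the site (and the database) locked down at least as well as the login itself: it protects the password on the wire, not the password column.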
Ben

"shimmyshack" <ma********@gmail.com> wrote in message
news:11**********************@l77g2000hsb.googlegroups.com...
[snip]
We have the cert. Thanks for your info, it was helpful. I'm unfamiliar with
PHP/Java... a VFP programmer actually. Was hoping for something more
specific. Spent a lot of time at Google before posting and found lots of
info, but all pre-coded tools with no walk-through. I'm looking to understand
what is happening and not just implement someone else's stuff. Lean code
geared just for a secure login. I'll find it eventually. Thanks again for
the reply.

=B
Mar 30 '07 #3
Ben wrote:
[snip]

Ben,

Your problem here is that your question is really too broad for a
newsgroup. I can easily spend a full day in lecture/lab on these very
points for instance.

I suggest you look for some PHP and MySQL tutorials for a start. Get a
feel for the language - it is *quite different* from VFP.

Then come back here with specific questions and code you've tried. That
will help us help you.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 30 '07 #4
Ben
[snip]
>Then come back here with specific questions and code you've tried. That
>will help us help you.
Here's a specific question: Can you recommend a site that has a good tutorial
that includes the HTML form code as well as the PHP side and a live sample?
This is not about laziness, I assure you; I've spent 8 hours going through
five sites trying to glean this out.

Quite possibly the reason this question comes up so often is there are no
easy-to-find sites that guide you through a simple, start-to-finish, with
examples, PHP login form. Googling "PHP login" yields 503 million hits with no
help for a newbie anywhere in sight.

Create one and you'll cash in =) I would gladly pay at this point
considering the time wasted chucking through the internet.

Thanks in advance for any links

=B
Mar 30 '07 #5
Ben wrote:
[snip]
>Here's a specific question: Can you recommend a site that has a good tutorial
>that includes the HTML form code as well as the PHP side and a live sample?
Sorry, I don't have any specific site for just this end.

But before you get into doing a specific job, you really need an
overview of the language itself. PHP and most languages are much
different from VFP. If that's the extent of your programming
experience, you have a lot to learn.

Nothing against you or VFP - but it really is not the same as coding in
a language - be it PHP, Java or whatever.

And then you'll have to understand the client/server transactional
relationship between the browser and the server. That's even more
different.

You've got a little studying to do. I'd recommend starting at the
library (or bookstore) for a good PHP book, preferably with MySQL also.
It will be worth your time.

What you're asking is not hard for an experienced programmer - but very
difficult for someone who's trying to get their feet wet.

I wish I could be of more help. But what you're asking is not simple
for a beginner.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 30 '07 #6
Message-ID: <46**********************@roadrunner.com> from Ben contained
the following:
>First question is can someone direct me to a site or provide a sample code
>for a login page that prompts for user/password then either displays a
>message "Login Succeeded!" or "Login Failed!"
The process is to take the supplied username and password and do a
database query to see if there is a row containing that combination. Of
course, this presupposes that you ensured that the combination was
unique before storing in the database. If a row is found, the login is
successful.
>Second, how do I prevent users from bypassing the login? Session variable
>right? Need instructions on how to implement that.
On success a session variable is set. Each protected page needs code
which will check for the presence of the session variable. Additionally
or alternatively an expiring cookie may be set. Another way is to set a
timestamp in the db and check that has not expired each time.
>Lastly, what is the best, maybe I should word that differently, the most
>commonly used method for login encryption? I would like the password text
>physically in the DB to be encrypted text that is decrypted through the
>login process.
It's not usually decrypted; the hashes used are usually one way.
Ideally the username and password are sent via an encrypted connection.
The reason for encrypting the passwords in the database is simply so
that the DB admin does not know what they are. Passwords are encrypted
using a hash function before insertion into the DB. When the user tries
to log in, the hash function is used again and then the hashed version is
compared with the one in the DB.

As others have pointed out, even supplying sample code will require a
lot of hand-holding, and it may be a better idea to establish an off-list
relationship with someone here.
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Mar 30 '07 #7
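Geoff's three answers in one piece, as an added example that is not code from the thread: registration stores a hash, login looks the row up and sets a session variable, and every protected page checks that variable plus an expiry. It is written for a current PHP build (PDO, and `password_hash()`/`password_verify()`, which arrived in PHP 5.5 and supersede the md5/sha1/sha256 storage discussed earlier in the thread) and uses an in-memory SQLite table so it runs offline; the MySQL DSN in the comment is what you would swap in for Ben's setup. `$session` stands in for `$_SESSION`, and the user name, password and time limit are constructed for the walk-through.

```php
<?php
// Added example, not code from the thread: register / login / protected-page guard in
// current PHP. In-memory SQLite keeps it self-contained; for the MySQL server in the
// question the DSN would be e.g. 'mysql:host=127.0.0.1;dbname=myDB;charset=utf8mb4'
// plus a user and password. The table layout (myUsers, Username, Password) is Ben's.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE myUsers (Username TEXT PRIMARY KEY, Password TEXT NOT NULL)');
    return $db;
}

// Registration: store only a salted, slow hash. Username uniqueness is enforced by the
// primary key, so a duplicate registration throws instead of silently creating two rows.
function register_user(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO myUsers (Username, Password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the user up by name with a bound parameter, then verify the hash in PHP.
// $session stands in for $_SESSION after session_start().
function login(PDO $db, string $username, string $password, array &$session): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT Username, Password FROM myUsers WHERE Username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, against a dummy hash if the user is unknown, so the
    // response time does not reveal which usernames exist.
    $ok = password_verify($password, $row['Password'] ?? $dummyHash) && $row !== false;
    if (!$ok) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);      // fresh session ID on privilege change
    }
    $session['user']     = $row['Username'];
    $session['login_at'] = time();
    return true;
}

// Guard for every protected page: the session variable must be present and not expired.
// In a real page: session_start(); if (!require_login($_SESSION)) { header('Location: /login.php'); exit; }
function require_login(array $session, int $maxAge = 1800): bool
{
    if (empty($session['user']) || !isset($session['login_at'])) {
        return false;
    }
    return (time() - $session['login_at']) <= $maxAge;
}

// Constructed walk-through.
$db      = open_db();
$session = [];
register_user($db, 'ben', 'correct horse battery staple');

if (!login($db, 'ben', 'wrong password', $session)) {
    echo "Login Failed!\n";
}
if (login($db, 'ben', 'correct horse battery staple', $session)) {
    echo "Login Succeeded!\n";
}
echo require_login($session) ? "protected page: welcome {$session['user']}\n"
                             : "protected page: redirect to login\n";
```

Two details worth noticing: the hash is verified in PHP, never in the SQL `WHERE` clause, so the database holds no plaintext and the query never carries the password; and the session ID is regenerated on a successful login, which addresses the replay concern raised earlier in the thread (a session cookie captured before login does not survive it).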
On 30 Mar, 08:55, Geoff Berrow <blthe...@ckdog.co.uk> wrote:
[snip]
It is usually called "auth", as in implementing an auth login. Here's a
link from the Zend website; it uses PHP 5 techniques together with the
Zend Framework, which would make a good starting point if you like
Java, and will mean your code is likely to have fewer insecurities in
it.
http://devzone.zend.com/node/view/id/1665
PHP suffers from a bad rep in that, because it can be picked up and
copied and pasted by anyone (myself included), very bad and insecure
code often results. Using a framework helps, but as has been said, if
you make even one little mistake then your code is as wide open as if
you were a rookie. It is not really a 5 minute job, as you have to
ensure that there is end-to-end security, in both directions, which
doesn't just mean "use SSL", and that there are no SQL/XSS injection
flaws, encoding/charset flaws, and a whole load of other
vulnerabilities, not just in the logic, but in the database
implementation (as has been said), e.g. making sure you don't use the
same credentials table for one app as you do another unless you have
looked at the consequences thoroughly.
Once you have authenticated your user, your entire site must be
tighter than that, or people can still leverage the slightest hole to get
access to others' info... it's all fun; no one here wants to make you
think you can just be given a walk-through / code which will be
secure.

Mar 30 '07 #8
In article <u0********************************@4ax.com>,
bl******@ckdog.co.uk (Geoff Berrow) wrote:
>The process is to take the supplied username and password and do a
>database query to see if there is a row containing that combination. Of
>course, this presupposes that you ensured that the combination was
>unique before storing in the database. If a row is found the log in is
>successful.
*IMPORTANT*
Before doing this and putting it on a public site, google "SQL injection
attack" (with quotes) and make sure you understand the implications and
have guarded against them. If you do not do this an attacker can run
arbitrary SQL commands on your database.
--
To reply email rafe, at the address cix co uk
Mar 30 '07 #9
Message-ID: <me***********************@rafecupl.merula.co.uk> from Rafe
Culpin contained the following:
[snip]
>*IMPORTANT*
>Before doing this and putting it on a public site, google "SQL injection
>attack" (with quotes) and make sure you understand the implications and
>have guarded against them. If you do not do this an attacker can run
>arbitrary SQL commands on your database.
Quite, I only intended to give an overview. No user input should be
trusted. The use of mysql_real_escape_string is now second nature to me
and I forgot to mention it.
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Mar 30 '07 #10
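Rafe's warning made concrete, as an added example that is not from the thread: the row-lookup login Geoff describes, written once with the query text assembled from the submitted username and once with bound placeholders, then run against a constructed attacker input. It uses an in-memory SQLite table and stores sha256 hex in `Password` only because that is the scheme the thread discusses (use `password_hash()` for real storage); names and the payload are illustrative. One caveat on Geoff's follow-up: `mysql_real_escape_string()` belongs to the old `mysql_*` extension, which was removed in PHP 7, and escaping only protects values inside quoted string literals and only when the connection's charset is set correctly. Prepared statements with placeholders, as below, are the robust fix in both PDO and mysqli.

```php
<?php
// Added example, not code from the thread: the same login query built two ways and run
// against the same constructed attacker input. In-memory SQLite keeps it self-contained;
// the sha256 storage mirrors the thread's scheme only (use password_hash() for real use).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE myUsers (Username TEXT PRIMARY KEY, Password TEXT NOT NULL)');
$db->prepare('INSERT INTO myUsers (Username, Password) VALUES (?, ?)')
   ->execute(['admin', hash('sha256', 'S3cret!')]);

// Vulnerable: $u is pasted into the SQL text, so it can change the query's structure.
function login_vulnerable(PDO $db, string $u, string $p): ?string
{
    $h   = hash('sha256', $p);
    $sql = "SELECT Username FROM myUsers WHERE Username = '$u' AND Password = '$h'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['Username'];
}

// Hardened: the SQL text is fixed; $u and the hash travel to the driver as bound values
// and are matched literally, whatever characters they contain.
function login_prepared(PDO $db, string $u, string $p): ?string
{
    $stmt = $db->prepare('SELECT Username FROM myUsers WHERE Username = ? AND Password = ?');
    $stmt->execute([$u, hash('sha256', $p)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['Username'];
}

// Constructed attacker input: closes the string literal and comments out the rest of the
// WHERE clause, so the password is never checked. The vulnerable query text becomes
//   SELECT Username FROM myUsers WHERE Username = 'admin' -- ' AND Password = '...'
// (the trailing space after -- is what MySQL requires for a comment; SQLite accepts it too).
$payload = "admin' -- ";

printf("vulnerable query, no password : %s\n", login_vulnerable($db, $payload, 'whatever') ?? 'Login Failed!');
printf("prepared query,   no password : %s\n", login_prepared($db, $payload, 'whatever') ?? 'Login Failed!');
printf("prepared query,   real login  : %s\n", login_prepared($db, 'admin', 'S3cret!') ?? 'Login Failed!');
```

The vulnerable version logs the attacker in as admin with no password at all; the prepared version looks for a user literally named `admin' -- ` and finds none, while the genuine credentials still work. The same payload family (`' OR '1'='1`, `UNION SELECT ...`) applies to any query assembled with string concatenation, which is why the fix is structural rather than a filter on particular characters.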
