nooB PhP login using MySQL

Ben

Hello, I'll bet this has been asked a million times but I can't seem to find
a thread that gives the clear example I need.

This PC has MySQL and IIS configured and running. The MySQL database is
"myDB" with a table "myUsers" with fields "Username" and "Password". I also
have the MySQL ODBC driver loaded with a DSN "dsnMySQL" setup.

First question is can someone direct me to a site or provide a sample code
for a login page that prompts for user/password then either displays a
message "Login Succeeded!" or "Login Failed!"

Second, how do I prevent users from bypassing the login? Session variable
right? Need instructions on how to implement that.

Lastly, what is the best, maybe I should word that differently, the most
commonly used method for login encryption? I would like the password text
physically in the DB to be encrypted text that is decrypted through the
login process.

Ok, that'll get me through step 1. Any help appreciated.

=B

Mar 29 '07 #1

shimmyshack

On 29 Mar, 23:06, "Ben" <nos...@thankyou.comwrote:

Hello, I'll bet this has been asked a million times but I can't seem to find
a thread that gives the clear example I need.

This PC has MySQL and IIS configured and running. The MySQL database is
"myDB" with a table "myUsers" with fields "Username" and "Password". I also
have the MySQL ODBC driver loaded with a DSN "dsnMySQL" setup.

First question is can someone direct me to a site or provide a sample code
for a login page that prompts for user/password then either displays a
message "Login Succeeded!" or "Login Failed!"

Second, how do I prevent users from bypassing the login? Session variable
right? Need instructions on how to implement that.

Lastly, what is the best, maybe I should word that differently, the most
commonly used method for login encryption? I would like the password text
physically in the DB to be encrypted text that is decrypted through the
login process.

I'll deal with this only because it is something that I can just copy
and paste from a few entries on this newsgroup in the last few days,
the rest I'll leave to google.
you can get javascript sha256 (sha2)so why not use that.

>
Ok, that'll get me through step 1. Any help appreciated.

=B

firstly changing/registering the password should only be done over
SSL, unless you can use one of the js asymmetric encryption
implementations that are doing the rounds. [hee hee]

so registration stage:
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha256(users_plaintext_password)
but anyway logging in:
login stage
1. create a random string and store in session on server,
2. send login form with username and password fields, and random
string as javascript var that will be sued later by function that
submits form.
3. when user enters password, set password field to
sha256( sha256(users_plaintext_password)+random string ), and post
form

auth stage
server computes sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )
remove the random string immediately from the session using
$_SESSION['random_string'] = '',

if $_POST['password'] ==
sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )

then OK, redirect to their destination which has a file at the top
requiring authentication

else they made an invalid attempt, redirect back to login script,
setting new random_string which is sent along with login form and also
stored in session.

Usually databases tend to use md5() or sha1() I think that has
commonly been because more secure hashes werent around in javascript
(and becasue the defacto mysql uses PASSWORD() which I think is a
euphemism for md5() ) but now that there are secure ways, and you dont
have to use PASSWORD() anyway, stick to something like sha2, there
have been noises about problems with md5 but as with all such noises,
if you wanted to be secure you would sheel out for an SSL cert, or
pick one up from cacert.org for nothing.

When your users have logged in, set a new session, with a new session
ID, and try not to simply use the presence of the session id with that
value as the determining factor as to whether they have logged in or
not, after all someone could grab the session id and replay it. The
difficulty here is that if you make it too "secure" using "process or
application flow" or a running-one-time-pad for each request the
presence of a man-in-the-middle could cause a denial of service to the
real user, whose authentication would be invalidation once the mim and
user both attempted to replay the same session. Anyway, my advice get
yourself a free cert from www.cacert.org (which is fine for
encryption) and go get assured and join the web of trust to get your
name on it (so it can be used as proof of ownership/id).

Mar 29 '07 #2

Ben

"shimmyshack" <ma********@gmail.comwrote in message
news:11**********************@l77g2000hsb.googlegr oups.com...

On 29 Mar, 23:06, "Ben" <nos...@thankyou.comwrote:

>Hello, I'll bet this has been asked a million times but I can't seem to
find
a thread that gives the clear example I need.

This PC has MySQL and IIS configured and running. The MySQL database is
"myDB" with a table "myUsers" with fields "Username" and "Password". I
also
have the MySQL ODBC driver loaded with a DSN "dsnMySQL" setup.

First question is can someone direct me to a site or provide a sample
code
for a login page that prompts for user/password then either displays a
message "Login Succeeded!" or "Login Failed!"

Second, how do I prevent users from bypassing the login? Session
variable
right? Need instructions on how to implement that.

Lastly, what is the best, maybe I should word that differently, the most
commonly used method for login encryption? I would like the password
text
physically in the DB to be encrypted text that is decrypted through the
login process.

I'll deal with this only because it is something that I can just copy
and paste from a few entries on this newsgroup in the last few days,
the rest I'll leave to google.
you can get javascript sha256 (sha2)so why not use that.

>>
Ok, that'll get me through step 1. Any help appreciated.

=B

firstly changing/registering the password should only be done over
SSL, unless you can use one of the js asymmetric encryption
implementations that are doing the rounds. [hee hee]

so registration stage:
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha256(users_plaintext_password)
but anyway logging in:
login stage
1. create a random string and store in session on server,
2. send login form with username and password fields, and random
string as javascript var that will be sued later by function that
submits form.basi
3. when user enters password, set password field to
sha256( sha256(users_plaintext_password)+random string ), and post
form

auth stage
server computes sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )
remove the random string immediately from the session using
$_SESSION['random_string'] = '',

if $_POST['password'] ==
sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )

then OK, redirect to their destination which has a file at the top
requiring authentication

else they made an invalid attempt, redirect back to login script,
setting new random_string which is sent along with login form and also
stored in session.

Usually databases tend to use md5() or sha1() I think that has
commonly been because more secure hashes werent around in javascript
(and becasue the defacto mysql uses PASSWORD() which I think is a
euphemism for md5() ) but now that there are secure ways, and you dont
have to use PASSWORD() anyway, stick to something like sha2, there
have been noises about problems with md5 but as with all such noises,
if you wanted to be secure you would sheel out for an SSL cert, or
pick one up from cacert.org for nothing.

When your users have logged in, set a new session, with a new session
ID, and try not to simply use the presence of the session id with that
value as the determining factor as to whether they have logged in or
not, after all someone could grab the session id and replay it. The
difficulty here is that if you make it too "secure" using "process or
application flow" or a running-one-time-pad for each request the
presence of a man-in-the-middle could cause a denial of service to the
real user, whose authentication would be invalidation once the mim and
user both attempted to replay the same session. Anyway, my advice get
yourself a free cert from www.cacert.org (which is fine for
encryption) and go get assured and join the web of trust to get your
name on it (so it can be used as proof of ownership/id).

We have the cert. Thanks for your info it was helpful. I'm unfamiliar with
PHP/Java...a VFP programmer actually. Was hoping for something more
specific. Spent a lot of time at google before posting and found lots of
info but all pre-coded tools with no walk thru. I'm looking to understand
what is happening and not just implement someone else's stuff. Lean code
geared just for a secure login. I'll find it eventually. Thanks again for
the reply.

=B

Mar 30 '07 #3

Jerry Stuckle

Ben wrote:

"shimmyshack" <ma********@gmail.comwrote in message
news:11**********************@l77g2000hsb.googlegr oups.com...

>On 29 Mar, 23:06, "Ben" <nos...@thankyou.comwrote:

>>Hello, I'll bet this has been asked a million times but I can't seem to
find
a thread that gives the clear example I need.

This PC has MySQL and IIS configured and running. The MySQL database is
"myDB" with a table "myUsers" with fields "Username" and "Password". I
also
have the MySQL ODBC driver loaded with a DSN "dsnMySQL" setup.

First question is can someone direct me to a site or provide a sample
code
for a login page that prompts for user/password then either displays a
message "Login Succeeded!" or "Login Failed!"

Second, how do I prevent users from bypassing the login? Session
variable
right? Need instructions on how to implement that.

Lastly, what is the best, maybe I should word that differently, the most
commonly used method for login encryption? I would like the password
text
physically in the DB to be encrypted text that is decrypted through the
login process.

I'll deal with this only because it is something that I can just copy
and paste from a few entries on this newsgroup in the last few days,
the rest I'll leave to google.
you can get javascript sha256 (sha2)so why not use that.

>>Ok, that'll get me through step 1. Any help appreciated.

=B

firstly changing/registering the password should only be done over
SSL, unless you can use one of the js asymmetric encryption
implementations that are doing the rounds. [hee hee]

so registration stage:
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha256(users_plaintext_password)
but anyway logging in:
login stage
1. create a random string and store in session on server,
2. send login form with username and password fields, and random
string as javascript var that will be sued later by function that
submits form.basi
3. when user enters password, set password field to
sha256( sha256(users_plaintext_password)+random string ), and post
form

auth stage
server computes sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )
remove the random string immediately from the session using
$_SESSION['random_string'] = '',

if $_POST['password'] ==
sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )

then OK, redirect to their destination which has a file at the top
requiring authentication

else they made an invalid attempt, redirect back to login script,
setting new random_string which is sent along with login form and also
stored in session.

Usually databases tend to use md5() or sha1() I think that has
commonly been because more secure hashes werent around in javascript
(and becasue the defacto mysql uses PASSWORD() which I think is a
euphemism for md5() ) but now that there are secure ways, and you dont
have to use PASSWORD() anyway, stick to something like sha2, there
have been noises about problems with md5 but as with all such noises,
if you wanted to be secure you would sheel out for an SSL cert, or
pick one up from cacert.org for nothing.

When your users have logged in, set a new session, with a new session
ID, and try not to simply use the presence of the session id with that
value as the determining factor as to whether they have logged in or
not, after all someone could grab the session id and replay it. The
difficulty here is that if you make it too "secure" using "process or
application flow" or a running-one-time-pad for each request the
presence of a man-in-the-middle could cause a denial of service to the
real user, whose authentication would be invalidation once the mim and
user both attempted to replay the same session. Anyway, my advice get
yourself a free cert from www.cacert.org (which is fine for
encryption) and go get assured and join the web of trust to get your
name on it (so it can be used as proof of ownership/id).

We have the cert. Thanks for your info it was helpful. I'm unfamiliar with
PHP/Java...a VFP programmer actually. Was hoping for something more
specific. Spent a lot of time at google before posting and found lots of
info but all pre-coded tools with no walk thru. I'm looking to understand
what is happening and not just implement someone else's stuff. Lean code
geared just for a secure login. I'll find it eventually. Thanks again for
the reply.

=B

Ben,

Your problem here is that your question is really too broad for a
newsgroup. I can easily spend a full day in lecture/lab on these very
points for instance.

I suggest you look for some PHp and MySQL tutorials for a start. Get a
feel for the language - it is *quite different* than VFP.

Then come back here with specific questions and code you've tried. That
will help us help you.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Mar 30 '07 #4

Ben

[snip]

>
Ben,

Your problem here is that your question is really too broad for a
newsgroup. I can easily spend a full day in lecture/lab on these very
points for instance.

I suggest you look for some PHp and MySQL tutorials for a start. Get a
feel for the language - it is *quite different* than VFP.

Then come back here with specific questions and code you've tried. That
will help us help you.

Here's a specific question: Can you recomend a site that has a good tutorial
that includes the html form code as well as the Php side and a live sample?
This is not about lazyness I assure you I've spent 8 hours going through
five sites trying to glean this out.

Quite possibly the reason this question comes up so often is there are no
easy to find sites that guide you through a simple, start-to-finish with
examples php login form. Google PhP login yields 503 million hits with no
help for a newbie anywhere in site.

Create one and you'll cash in =) I would glady pay at this point
considering the time wasted chucking through the internet.

Thanks in advance for any links

=B

>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Mar 30 '07 #5

Jerry Stuckle

Ben wrote:

[snip]

>Ben,

Your problem here is that your question is really too broad for a
newsgroup. I can easily spend a full day in lecture/lab on these very
points for instance.

I suggest you look for some PHp and MySQL tutorials for a start. Get a
feel for the language - it is *quite different* than VFP.

Then come back here with specific questions and code you've tried. That
will help us help you.

Here's a specific question: Can you recomend a site that has a good tutorial
that includes the html form code as well as the Php side and a live sample?
This is not about lazyness I assure you I've spent 8 hours going through
five sites trying to glean this out.

Quite possibly the reason this question comes up so often is there are no
easy to find sites that guide you through a simple, start-to-finish with
examples php login form. Google PhP login yields 503 million hits with no
help for a newbie anywhere in site.

Create one and you'll cash in =) I would glady pay at this point
considering the time wasted chucking through the internet.

Thanks in advance for any links

=B

Sorry, I don't have any specific site for just this end.

But before you get into doing a specific job, you really need an
overview of the language itself. PHP and most languages are much
different from VFP. If that's the extent of your programming
experience, you have a lot to learn.

Nothing against you or VFP - but it really is not the same as coding in
a language - be it PHP, Java or whatever.

And then you'll have to understand the client/server transactional
relationship between the browser and the server. That's even more
different.

You've got a little studying to do. I'd recommend starting at the
library (or bookstore) for a good PHP book, preferably with MySQL also.
It will be worth your time.

What you're asking is not hard for an experienced programmer - but very
difficult for someone who's trying to get their feet wet.

I wish I could be of more help. But what you're asking is not simple
for a beginner.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Mar 30 '07 #6

Geoff Berrow

Message-ID: <46**********************@roadrunner.comfrom Ben contained
the following:

>First question is can someone direct me to a site or provide a sample code
for a login page that prompts for user/password then either displays a
message "Login Succeeded!" or "Login Failed!"

The process is to take the supplied username and password and do a
database query to see if there is a row containing that combination. Of
course, this presupposes that you ensured that the combination was
unique before storing in the database. If a row is found the log in is
successful.

>
Second, how do I prevent users from bypassing the login? Session variable
right? Need instructions on how to implement that.

On success a session variable is set. Each protected page needs code
which will check for the presence of the session variable. Additionally
or alternatively an expiring cookie may be set. Another way is to set a
timestamp in the db and check that has not expired each time.

>
Lastly, what is the best, maybe I should word that differently, the most
commonly used method for login encryption? I would like the password text
physically in the DB to be encrypted text that is decrypted through the
login process.

It's not usually decrypted, the hashes uses are usually one way.
Ideally the username and password are sent via an encrypted connection.
The reason for encrypting the passwords in the database is simple so
that the db admin does not know what they are. Passwords are encrypted
using a hash function before insertion into the db. When the user tries
to log in the hash function is used again and then the hashed version is
compared with the one in the db.

As others have pointed out, even supplying sample code will require a
lot of hand holding and it may be a better idea to establish and off
list relationship with someone here.
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

Mar 30 '07 #7

shimmyshack

On 30 Mar, 08:55, Geoff Berrow <blthe...@ckdog.co.ukwrote:

Message-ID: <46**********************@roadrunner.comfrom Ben contained
the following:

First question is can someone direct me to a site or provide a sample code
for a login page that prompts for user/password then either displays a
message "Login Succeeded!" or "Login Failed!"

The process is to take the supplied username and password and do a
database query to see if there is a row containing that combination. Of
course, this presupposes that you ensured that the combination was
unique before storing in the database. If a row is found the log in is
successful.

Second, how do I prevent users from bypassing the login? Session variable
right? Need instructions on how to implement that.

On success a session variable is set. Each protected page needs code
which will check for the presence of the session variable. Additionally
or alternatively an expiring cookie may be set. Another way is to set a
timestamp in the db and check that has not expired each time.

Lastly, what is the best, maybe I should word that differently, the most
commonly used method for login encryption? I would like the password text
physically in the DB to be encrypted text that is decrypted through the
login process.

It's not usually decrypted, the hashes uses are usually one way.
Ideally the username and password are sent via an encrypted connection.
The reason for encrypting the passwords in the database is simple so
that the db admin does not know what they are. Passwords are encrypted
using a hash function before insertion into the db. When the user tries
to log in the hash function is used again and then the hashed version is
compared with the one in the db.

As others have pointed out, even supplying sample code will require a
lot of hand holding and it may be a better idea to establish and off
list relationship with someone here.
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDshttp://www.ckdog.co.uk/rfdmaker/

It is usually called "auth" as in implementing an auth login, here's a
link from the Zend website, it uses php5 techniwues together with the
Zend Framework, which would make a good starting point if you like
Java, and will mean you code will likely to have less insecurities in
it.
http://devzone.zend.com/node/view/id/1665
PHP suffers from a bad rep in that because it can be picked up and
copied and pasted by anyone (myself included) very bad and insecure
code often results. Using a framework helps, but as has been said, if
you make even one little mistake then your code is as wide open as if
you were a rookie, it is not really a 5 minute job as you have to
ensure that there is end to end security, in both directions, which
doesnt just mean "use SSL" and that there are no SQL/XSS injection
flaws, encoding/charset flaws, and a whole load of other
vulnerabilities, not just in the logic, but in the database
implementation (as has been said) eg. making sure you don't use the
same crendentials table for one app as you do another unless you have
looked at the consequences thoroughly.
Once you hace authenticated your user, your entire site must be
tighter than, or people can still leverage the slighest hole to get
access to other's info... it's all fun, no one here wants to make you
think you can just be given a walk through / code which will be
secure.

Mar 30 '07 #8

Rafe Culpin

In article <u0********************************@4ax.com>,
bl******@ckdog.co.uk (Geoff Berrow) wrote:

The process is to take the supplied username and password and do a
database query to see if there is a row containing that combination. Of
course, this presupposes that you ensured that the combination was
unique before storing in the database. If a row is found the log in is
successful.

*IMPORTANT*
Before doing this and putting it on a public site, google "SQL injection
attack" (with quotes) and make sure you understand the implications and
have guarded against them. If you do not do this an attacker can run
arbitrary SQL commands on your database.
--
To reply email rafe, at the address cix co uk

Mar 30 '07 #9

Geoff Berrow

Message-ID: <me***********************@rafecupl.merula.co.ukfr om Rafe
Culpin contained the following:

>The process is to take the supplied username and password and do a
database query to see if there is a row containing that combination. Of
course, this presupposes that you ensured that the combination was
unique before storing in the database. If a row is found the log in is
successful.

*IMPORTANT*
Before doing this and putting it on a public site, google "SQL injection
attack" (with quotes) and make sure you understand the implications and
have guarded against them. If you do not do this an attacker can run
arbitrary SQL commands on your database.

Quite, I only intended to give an overview. No user input should be
trusted. The use of mysql_real_escape_string is now second nature to me
and I forgot to mention it.
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

Mar 30 '07 #10