PHP - Add Php Password Encryption To Login Class

hi im testing out my site and basically when users register their passwords and encrypted for security obs however when i go to test the login with the exact same password as the one used to register the system detects it as invalid when its not, I've literally copy pasted the password so that i was sure it was the same therefore the issue is within the encryption does anyone have an idea how to overcome this I've tested changed names of variables but nothing seems to help I've even got an error reporting function but no error is detected

<?php
error_reporting(E_ALL);
include_once("conninfo2.php");

if(isset($_POST['username']) && trim($_POST['username']) != ""){
	$username = strip_tags($_POST['username']);
	$password = $_POST['password'];
	$hmac = hash_hmac('sha512', $password, file_get_contents('textfiles/key.txt'));
	$stmt1 = $db->prepare("SELECT usersid, password FROM login WHERE username=:username AND activated='1' LIMIT 1");
	$stmt1->bindValue(':username',$username,PDO::PARAM_STR);
	try{
		$stmt1->execute();
		$count = $stmt1->rowCount();
		if($count > 0){
			while($row = $stmt1->fetch(PDO::FETCH_ASSOC)){
				$uid = $row['usersid'];
				$hash = $row['password'];
			}
			if (crypt($hmac, $hash) === $hash) {
				$db->query("UPDATE login SET lastlog=now() WHERE usersid='$uid' LIMIT 1");
				$_SESSION['uid'] = $uid;
				$_SESSION['username'] = $username;
				$_SESSION['password'] = $hash;
				setcookie("usersid", $uid, strtotime( '+30 days' ), "/", "", "", TRUE);
				setcookie("username", $username, strtotime( '+30 days' ), "/", "", "", TRUE);
    				setcookie("password", $hash, strtotime( '+30 days' ), "/", "", "", TRUE); 
				 echo 'Valid password<br />'.$_SESSION['uid'].'<br />'.$_SESSION['username'].'<br />'.$_SESSION['password'].'
				<br />'.$_COOKIE['usersid']; 
				/*header("location: index.php");*/
				exit();
			} else {
				echo 'Invalid password Press back and try again<br />';
				exit();
			}
		}
		else{
			echo "A user with that email address does not exist here";
			$db = null;
			exit();
		}
	}
	catch(PDOException $e){
		echo $e->getMessage();
		$db = null;
		exit();
	}
}
?>				

I don't know if my password encrytion has been done correctly / is actually secure. I don't have anything valuable at the moment that people would care to hack, but in the future I want to be absolutely certain I am doing it right.   This is my process, I am storing it as Varchar(255), did a cost test and 9 was my result

$hash = password_hash($passsword, PASSWORD_BCRYPT, array("cost"=>9));

I was told I don't need a salt since it is included in the password_hash function   Also I noticed most of the hashes if not all start like this, why is that?

$2y$09$

Thanks for any help
Edited by moose-en-a-gant, 08 January 2015 - 01:51 PM.

Hello

Im making a secure php login system and ideally wanted to also md5 hash the username as well as the password. My reasons for doing this is to completey stop sql injections as i can combine the md5 hash with salt for the $_POST['username'].

Now my problem is i need to be able to de-hash (if this is a word) the username for admin purposes of the business. For password reset i will just send a new password.

Is there anyway that i can do this easily whilst keeping my username secure and stop sql injection for username?

I have a register page that MD5 Hash's the users password and a login which also does this. However, no matter what I try it always says incorrect password. Even when I remove the MD5.


Register Code:

Code: [Select]
<?php

error_reporting (E_ALL ^ E_NOTICE);

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Member System - Register</title>
</head>
<body>
<?php


if ( $_POST['registerbtn'] ){
$getuser = $_POST['user'];
$getemail = $_POST['email'];
$getpass = $_POST['pass'];
$getretypepass = $_POST['retypepass'];

if ($getuser){
if ($getemail){
if ($getpass){
if ($getretypepass){
if ( $getpass === $getretypepass ){
if ( (strlen($getemail) >= 7) && (strstr($getemail, "@")) && (strstr($getemail, ".")) ){
require("./connect.php");

$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
$numrows = mysql_num_rows($query);
if ($numrows == 0){
$query = mysql_query("SELECT * FROM users WHERE email='$getemail'");
$numrows = mysql_num_rows($query);
if ($numrows == 0){


$password = md5(md5("kjfiufj".$password."Fj56fj"));
$date = date("F d, Y");
$code = md5(rand());

mysql_query("INSERT INTO users VALUES (
'', '$getuser', '$password', '$getemail', '0', '$code', '$date'
)");

$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
$numrows = mysql_num_rows($query);
if ($numrows == 1){

$site = "http://c3221281.web44.net/";
$webmaster = "Simon <admin@simon.com>";
$headers = "From: $webmaster";
$subject = "Activate Your Account";
$message = "Thanks for registering. Click the link below to activate your account.\n";
$message .= "$site/activate.php?user=$getuser&code=$code\n";
$message .= "You must activate your account to login.";

if ( mail($getemail, $subject, $message, $headers) ){
$errormsg = "You have been registered. You must activate your account from the activation link sent to <b>$getemail</b>.";
$getuser = "";
$getemail = "";
}
else
$errormsg = "An error has occueed. Your activation email was not sent.";

}
else
$errormsg = "An error has occured. Your account was not created.";

}
else
$errormsg = "There is already a user with that email.";
}
else
$errormsg = "There is already a user with that username.";

mysql_close();
}
else
$errormsg = "You must enter a valid email address to register.";
}
else
$errormsg = "Your passwords did not match.";
}
else
$errormsg = "You must retype your password to register.";
}
else
$errormsg = "You must enter your password to register.";
}
else
$errrosmg = "You must enter your email to register.";
}
else
$errormsg = "You must enter your username to register.";
}


$form = "<form action='./register.php' method='post'>
<table>
<tr>
<td></td>
<td><font color='red'>$errormsg</font></td>
</tr>
<tr>
<td>Username:</td>
<td><input type='text' name='user' value='$getuser' /></td>
</tr>
<tr>
<td>Email:</td>
<td><input type='text' name='email' value='$getemail' /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='pass' value='' /></td>
</tr>
<tr>
<td>Retype:</td>
<td><input type='password' name='retypepass' value='' /></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='registerbtn' value='Register' /></td>
</tr>
</table>
</form>";

echo $form;

?>
</body>
</html>





Login Code:

Code: [Select]

<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
$userid = $_SESSION['userid'];
$username = $_SESSION['username'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Member System - Login</title>
</head>
<body>
<?php

if ($username && $userid){
echo "You are already logged in as <b>$username</b>. <a href='./member.php'>Click here</a> to go to the member page.";
}
else{
$form = "<form action='./login.php' method='post'>
<table>
<tr>
<td>Username:</td>
<td><input type='text' name='user' /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='loginbtn' value='Login' /></td>
</tr>
<tr>
<td><a href='./register.php'>Register</a></td>
<td><a href='./forgotpass.php'>Forgot your password?</a></td>
</tr>
</table>
</form>";

if ($_POST['loginbtn']){
$user = $_POST['user'];
$password = $_POST['password'];

if ($user){
if ($password){
require("connect.php");

$password = md5(md5("kjfiufj".$password."Fj56fj"));


// make sure login info correct
$query = mysql_query("SELECT * FROM users WHERE username='$user'");
$numrows = mysql_num_rows($query);
if ($numrows == 1){
$row = mysql_fetch_assoc($query);
$dbid = $row['id'];
$dbuser = $row['username'];
$dbpass = $row['password'];
$dbactive = $row['active'];

if ($password == $dbpass){
if ($dbactive == 1){
// set session info
$_SESSION['userid'] = $dbid;
$_SESSION['username'] = $dbuser;

echo "You have been logged in as <b>$dbuser</b>. <a href='./member.php'>Click here</a> to go to the member page.";

}
else
echo "You must activate your account to login. $form";
}
else
echo "You did not enter the correct password. $form";
}
else
echo "The username you entered was not found. $form";

mysql_close();
}
else
echo "You must enter your password. $form";
}
else
echo "You must enter your username. $form";
}
else
echo $form;
}
?>
</body>
</html>





Many thanks for your time and help,

Hi all,  I have been reading in almost everywhere that we should not use our own custom login and password validations ( like regex etc.) but instead use the filter_var and filter_input built in functions provided by PHP 5 and above. However even after searching for more than an hour for with different search strings, I have not found even a single example that shows how we may validate for a username/login and password in a login form. Can someone be kind enough to provide a strong secure validations for username and login. Additionally I would also like to clarify if the username and login fields in a Login form be manipulated in any manner to pose a security threat? I mean can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat? Thanks all.

Hi.

I have made a login script, but I would wan't to encrypt the password.
I followed a tutorial and got this:
login.php
<?php
$password = "secret";

echo $password;
/* displays secret */

$password = sha1($password);

echo $password; 
/* displays e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 */
?>
<form action="validate.php" method="post">
  <label for="username">Username</label>
  <input type="text" name="username" id="username" />
  <br />
  <label for="password">Password</label>
  <input type="password" name="password" id="password" />
  <br />
  <input type="submit" name="submit" value="Submit" />
</form>
<?php
?>

validate.php

<?php
include "setup.php";

/* get the incoming ID and password hash */
$username=$_POST['username'];
$password=$_POST['password']; 
$password=md5($password); // Encrypted Password

/* establish a connection with the database */
$server = mysql_connect("$db_host", "$db_username","$db_password");
if (!$server) die(mysql_error());
mysql_select_db("$database");

  
/* SQL statement to query the database */
$query = "SELECT * FROM users WHERE Username = '$username' AND Password = '$password'";

/* query the database */
$result = mysql_query($query);

/* Allow access if a matching record was found, else deny access. */
if (mysql_fetch_row($result))
  echo "Access Granted: Welcome, $username!";
else
  echo "Access Denied: Invalid Credentials.";

mysql_close($server);  
?>

Its the line $password=md5($password); // Encrypted Password
that messes everything up.
If I delete it and login, everything is fine, if I add it it says Code: [Select]
Access Denied: Invalid Credentials
I need help with this one!
And if someone have time, give me some ideas how to make PHP scripts safer!

Regards
Worqy

Hi guys I have a script which i've been playing around with thanks to Spiderwell: http://www.phpfreaks.com/forums/index.php?action=profile;u=35078

I have sort of merged it with another 'member managment' script which is working great.

Now i can't seem to correctly create a login page to pass the hashed password using (sha1).

Now all i want to do is verify the username and the (hashed) password according to the database and allow the user in. The script i am using to check login works fine without a hashed password in the database. But ideally i'd like to use a hashed form of password.

Can somebody show me what change i need to make in this script below in order to pass a sha1 hashed password? I'm guessing it's a really small change from the examples i've seen online, but i just cant seem to get mine to work. :|

Your help would be much appreciated.

Login Page PHP:

Code: [Select]
<form name="login" method="post" action="check_login.php3">
<p><strong>Secured Area User Log-in</strong></p>
<p>Username: <input name="bioname" type="text" id="bioname"></p>
<p>Password: <input name="biopass" type="password" id="biopass"></p>
<p> </p>
<p><input type="submit" name="Submit" value="Login"></p>
</form>

Check Login Processor (which is the file i that needs the sha1 added somewhere i think)

Code: [Select]
<?php
require_once('config.php3');

// Connect to the server and select the database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db")or die("Unable to select database");


//
$loginusername = false;
$loginpassword = false;


$err = false; // default error message is empty

// The username and password sent from login.php
//the isset() basically means if its there get it, otherwise dont bother

if (isset($_POST['bioname'])) $loginusername=$_POST['bioname'];
if (isset($_POST['biopass']))$loginpassword=$_POST['biopass'];

// if either isnt filled in, tell the user, a very basic bit of validation

if (!$loginusername || !$loginpassword) $err = "please complete the form";
if (!$err) //if no error continue

{
//The following bit of coding protects from MySQL injection attacks

$loginusername = stripslashes($loginusername);
$loginpassword = stripslashes($loginpassword);
$loginusername = mysql_real_escape_string($loginusername);
$loginpassword = mysql_real_escape_string($loginpassword);

//you could add other things like check for text only blah blah

$sql="SELECT * FROM $tbl WHERE bioname='$loginusername' and biopass='$loginpassword'";

$result=mysql_query($sql);
// Count how many results were pulled from the table
$count=mysql_num_rows($result);

// If the result equals 1, continue
if($count==1)
{
session_start();
$_SESSION['user'] = $loginusername; // store session data
//please see I have used a session variable that is generic not specific, otherwise you will have to make this page different for every user
//that would be a pain in the ass, you don't need to have user1 or user2, its the value stored that relevant, not what the variable name is
header("Location: {$loginusername}/index.php3");

}
else 
{
$err = "Wrong Username or Password";
}
}// end login if statement

if ($err) // show error message if there is one
{
echo $err;
echo "<br>Please go back in your browser and try again";
}
?>


The secure page:

Code: [Select]
<?php
session_start(); 

$mypath = $_SERVER["REQUEST_URI"];
//echo $mypath; // for debugging
//now we have the path lets see if the username is in that path, i.e. test2 is inside /something/test2/index.php 
//use the built in strpos() function, which returns position of the last occurance of the string you are looking for inside another string.
//http://php.net/manual/en/function.strrpos.php

if(strpos($mypath,"/".$_SESSION['user']."/"))//on testing it failed initially as username test is found in path /test2/ so i added the slashes to stop that. so /test/ doesnt get found in /test2/
{
echo "congratulations you are the right person in the right place";
}
else
{
 session_destroy(); //kill the session, naughty person trying to come here
 header("Location: ../login.php3");
 die();// stop page executing any further
}

?>

<html>
<body>


</body>
</html>

Thanks and i look forward to your replies.

Hello:

I wanted to see if I can make my password protected pages in my admin area, and the login form "more secure."
I was told I should use MD5 / SALTING / HASHING to do this.

I have tried some online tutorials, but am not understanding it, so I wanted to start from what I have and build upon it>

This is my database table storing the myAdmins data (when I initially insert it into the database):
Code: [Select]
CREATE TABLE `myAdmins` (
  `id` int(4) NOT NULL auto_increment,
  `myUserName` varchar(65) NOT NULL default '',
  `myPassword` varchar(65) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

INSERT INTO myAdmins VALUES("1","abc","123");

This is the login form I use:
Code: [Select]
<?php

include('../include/myConn.php');
include('include/myAdminNav.php');

session_start();
session_destroy();

$message="";

$Login=$_POST['Login'];
if($Login){
$myUserName=$_POST['myUserName'];
$myPassword=$_POST['myPassword'];

$result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$myPassword'");
if(mysql_num_rows($result)!='0'){
session_register("myUserName");
header("location:a_Home.php");
exit;
}else{
$message="<div class=\"myAdminLoginError\">Incorrect Username or Password</div>";
}

}
?>

<form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>">

<? echo $message; ?>

Username: <input name="myUserName" type="text" id="myUserName" size="40" />
Password: <input name="myPassword" type="password" id="myPassword" size="40" />

<input name="Login" type="submit" id="Login" value="Login" />

</form>



This is the code on top of each page I password protect:
Code: [Select]
<?
session_start();
if(!session_is_registered(myUserName)){
header("location:Login.php");
}
?>

Works well, but can it be "better"??

And, if I am allowing the admin to update his/her username or password, I do it this way:
Code: [Select]
<?php

include('../include/myConn.php');
include('include/myCheckLogin.php');

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
$myUserName = mysql_real_escape_string($_POST['myUserName']);
$myPassword = mysql_real_escape_string($_POST['myPassword']);

$sql = "

UPDATE myAdmins
   SET
      myUserName = '$myUserName',
      myPassword = '$myPassword'
  ";
mysql_query($sql) && mysql_affected_rows()

?>

<?php
}

$query=mysql_query("SELECT * FROM myAdmins") or die("Could not get data from db: ".mysql_error());

while($result=mysql_fetch_array($query))

{
  $myUserName=$result['myUserName'];
  $myPassword=$result['myPassword'];
}

?>


<form method="post" action="<?php echo $PHP_SELF;?>">
<input type="hidden" name="POSTBACK" value="EDIT">

Username: <input type="text" size="60" maxlength="60" name="myUserName" value="<?php echo $myUserName; ?>">
Password: <input type="password" size="60" maxlength="60" name="myPassword" value="<?php echo $myPassword; ?>">

<input type="submit" value="Submit" />
         
</form>


Should it be "better" .. ??

I don't seem to understand how to "encrypt" all of this to make it "stronger" ..

Ideas? Improvements?

Hello everyone:

I wanted to see how I can make a simple login page (user name and password) that redirects to a page(s) if the login is correct. Also, I wanted to put protection on the page(s) that will send the user back to the login page if the credentials are nor correct.

I would imagine the username/password would be stored in a database table (Admins), and the correct login info would be stored in a session ..?

I am use to doing this with ASP, but never PHP. I want to make sure I understand how to do this properly and securely so I can use this as a model for other systems.

In ASP I would do a protected page like this:
a_login_check.asp
Code: [Select]
<%
if session("admin_user_name") = "" then
session.abandon
response.redirect "login.asp"
end if
%>

Protected-Page.asp
Code: [Select]
<!-- #include file="include/a_check_login.asp" -->
<html>
...
CONTENT

...
</html>

And of course there is the login page itself ...
(I thought it would be nice to add a "Forgot Password" link on the login page, but if that is too complicated I can do that later .. or is it easy ??)

Anyway, can someone point-out to me how to do this.

I would appreciate it!

Alright, I've been assigned a project at work. I did not develop the application and the individual who did used CodeIgnited framework and mysql as the db.   Here's the problem, I'm not given much OT to do this and in our meeting the best way to proceed was to replicate the database for different parts of the organization. Basically we are a subsidiary and have been using an application that other groups within the organization want to use. Usually I would reconfigure the db schema and add org ids and in the user table add the appropriate organization to go to. However, they are not giving me enough time to do that.   So what I'm thinking is to just create a copy of the database we use (just the structure) and create a new database.   What I want to know is how to use mysql to check to see if a user exists in one database and if they don't then to go on to the next database. I understand this is a very sloppy way to do it, but it's the way we are moving forward.   I found the code to connect to the db in CodeIgnitor... how can I connect to a database, check to see if the user exists, then close that db connection and try the next database?  

    /**
     * Select the database
     *
     * @access    private called by the base class
     * @return    resource
     */
    function db_select()
    {
        return @mysql_select_db($this->database, $this->conn_id);
    }

  Thanks in advance.

Hi! I have read like crazy to find a tutorial on a login page without My_SQL. Anyway I am working on a easy login/logged out page with sessions. Here is the login page with tree users in an array. The things that I need some hints to solve is, when clicking on login the error message don't show. Instead the script goes to the logged in page right away. And when you write the wrong password you get loged in anyway.   I am not sure how or if it's possible to write a varible to a file this way. But I tried and recived a parse error with the txt varible.   When searching for topics I get more confused with the My_SQL varibles. I am near a breaking point at cracking the first step on PHP, but need some advice.

<?php 
$page_title = 'Logged in'; //Dynamic title 
include('C:/wamp/www/PHP/includes/header.html');
?> 
<?php
session_start();
//A array for the sites users with passwords
$users = array(
                'Dexter'=>'meow1',
                'Garfield'=>'meow2',
		'Miro'=>'meow3'
                );

//A handle to save the varible users to file on a new line from the last entry				
$handle = fopen("newusers.txt, \n\r")
$txt = $users;
fclose($handle);


if(isset($_GET['logout'])) {
    $_SESSION['username'] = '';
    header('Location:  ' . $_SERVER['PHP_SELF']);
}

if(isset($_POST['username'])) {
    if($users[$_POST['username']] == $_POST['password']) { 
        $_SESSION['username'] = $_POST['username'];
    }else {
        echo "Something went wrong, Please try again";
    }
}
?>

<?php 
echo "<h3>Login</h3>";
echo "<br />";
?>
<!--A legend form to login-->
		<fieldset><legend>Fill in your username and password</legend>
        <form name="login" action="777log.php" method="post">
            Username: <br /> 
			<input type="text" name="username" value="" /><br />
            Password: <br /> 
			<input type="password" name="password" value="" /><br />
			<br />
            <input type="submit" name="submit" value="Login" />
	</fieldset>
	</form> 

<?php //Footer include file 
include('C:/wamp/www/PHP/includes/footer.html');
?>

The logged in page

<?php //Header
$page_title = 'Reading a file'; 
include('C:/wamp/www/PHP/includes/header.html');
?> 

<?php 
	session_start();
	//Use an array forthe sites users  
$users = array(
                'Dexter'=>'meow1',
                'Garfield'=>'meow2',
		'Miro'=>'meow3'
                );
//
if(isset($_GET['logout'])) {
    $_SESSION['username'] = '';
	echo "You are now loged out";
	//The user is loged out and returned to the login page
    header('Location:  ' . $_SERVER['PHP_SELF']); 
}

if(isset($_POST['username'])) {
	//Something goes wrong here when login without any boxes filled
    if($users[$_POST['username']] == $_POST['password']) { 
        $_SESSION['username'] = $_POST['username'];
    }else {
        echo "Something went wrong, Please try again";
		$redirect = "Location: 777.php";
    }
}
?>
        <?php if($_SESSION['username']): ?>
            <p><h2>Welcome <?=$_SESSION['username']?></h2></p> 
			<p align="right"><a href="777.php">Logga ut</a></p><?php endif; ?>
			<p>Today Ben&Jerrys Chunky Monkey is my favorite!</p>	

<?php //Footer
include('C:/wamp/www/PHP/includes/footer.html');
?>

Hello Everyone,

I recent made a simple membership website. Every page I created works exactly how I envisioned it...
All members data from my registration form goes into my database along with their md5 Encrypted passwords with a time-stamp.
Subsequent pages have a start_session included.

I am very please with it except ONE THING. Logging in is now a problem... username is recognized but NOT the password.

Now the strange thing is that when I go into the database and copy the encrypted password and paste
it into the password field in my login page, I miraculously get into my website with NO problem.

" How do I get the registered members Encrypted Passwords to be recognized by the database when
the  registered members decide to logging in with the password that they create? "

Is there a easy fix for this?

I appreciate ALL your help...


thanks
mrjap1

Hello,

I'm doing something that looks like framework. It's my first serious "project". And now, I have a few questions: what basic functions are needed in MVC model class? Just tell me some functions, that could use, so I could try to code them. And the next question is... I'm going to create a login system for users. In my website there will be pages, that are visible for all visitors, and only for members. For example main website page should be visible for all visitors, but the page, where member can change his password, should be visible only for member. I know only one way to do this: allways and everywhere check if user is logged in. But isn't there smarter and simpler way?

I hope you understood what I need. Sorry for bad english

I have created this login class (In all honesty this is the most commented and well structured class I have ever written, I usualy just use random functions in a functions.php file, which works but this felt good when I finished it )

I just wanted some advice to how safe and whether the way I have done this is 'good practise', or if there is anything I should add to future proof it.

This is the class:
Code: [Select]
<?php
/* 
Author: Craig Dennis
File: user_session.class.php
Purpose: Flexible user login class that handles logging in, checking a user is logged in, and logging out.

NOTE TO USE THIS CLASS YOU MUST ALREADY HAVE ALREADY CONNECTED TO THE DATABASE

Include this file at the top of each page you wish to protect
 include("inc/user_session.class.php"); //(This could be put at the top of a global include file)
 
Use the following code to check the user is logged in:
 $user_session = new user_session; //(This could be put at the top of a global include file)
 $user_session->validate_user(); //(This should only be left on the pages you wish to check for user validation)
 
You will want to use the public redirect_if_logged_in() function instead of validate_user() on the login page like this:
 $user_session->redirect_if_logged_in(); //(This will redirect a user from the current page to the specified landing page)
*/
class user_session{
// Change these variables below if the table and fields in your database do not match
public $t_name = "admins";
public $t_user = "username";
public $t_pass = "password";
public $t_lastlogin = "last_login"; //set $t_lastlogin = NULL if you do not have this field in your database

//Change $login_page and $landing_page if your page names are different to this one
public $login_page = "login.php";
public $landing_page = "logged_in.php";

//Change $log_in_error_msg if you wish to change the general error message when the user is unable to log in
public $log_in_error_msg = "The username or password you have entered is incorrect or does not exist";

//Do not touch anything below unless you know what your doing

/*
 * logged_in_user()
 * Returns value of the current logged in username
 */
public function logged_in_user(){
return $_SESSION['user_username'];
}

/*
 * log_in()
 * Takes 2 parameters ($username, $password)
 * Attempts to log in with the provided credentials, on success, the username and password are saved in the session for future testing
 */
public function log_in($username, $password){
$username = stripslashes(mysql_real_escape_string($username));
$password = stripslashes(mysql_real_escape_string($password));

$query_login = mysql_query("SELECT * FROM ".$this->t_name."
  WHERE ".$this->t_user."='$username' AND ".$this->t_pass."='$password'");;

$login_accepted = mysql_num_rows($query_login);

if($login_accepted == 1){
if($t_lastlogin != NULL){
$query_update_last_login = mysql_query("UPDATE ".$this->t_name." SET ".$this->t_lastlogin."='".time()."'
WHERE ".$this->t_user."='$username'");
}
$_SESSION['user_username'] = $username;
$_SESSION['user_password'] = $password;
return true;
}else{
return false;
}
}

/*
 * check_user()
 * Returns true if the current session credentials can be found in the database, otherwise returns false
 */
public function check_user(){
$query_login = mysql_query("SELECT * FROM ".$this->t_name."
  WHERE ".$this->t_user."='".$_SESSION['user_username']."' 
AND ".$this->t_pass."='".$_SESSION['user_password']."'");

$login_accepted = mysql_num_rows($query_login);

if($login_accepted == 1){
return true;
}else{
return false;
}
}

/*
 * validate_user()
 * Returns true if the current session credentials can be found in the database, otherwise logs user out and returns false
 */
public function validate_user(){
$login_accepted = $this->check_user();

if($login_accepted == 1){
return true;
}else{
$this->log_out();
return false;
}
}

/*
 * redirect_if_logged_in()
 * Redirects the user to the specified landing page if the user is logged in
 */
public function redirect_if_logged_in(){
if($this->check_user()){
header("Location: ".$this->landing_page);
}
}

/*
 * log_out()
 * Logs the user out by setting the session credentials to an empty string and redirecting them to the specified login page
 */
public function log_out(){
$_SESSION['user_username'] = "";
$_SESSION['user_password'] = "";
header("Location: ".$this->login_page);
}
}
?>

Any comments or advice are appreciated.

I have developed a code for a login and seems to work well (No syntax error according to https://phpcodechecker.com/ but when I enter a username and a password in the login form, I get an error HTTP 500. I think that everything is ok in the code but obviously there is something that I am not thinking about. The code (excluding db connection):

$id="''"; $username = $_POST['username']; $password = md5($_POST['password']); $func = "SELECT contrasena FROM users WHERE username='$username'";

$realpassask = $conn->query($func); $realpassaskres = $realpassask->fetch_assoc(); $realpass= $realpassaskres[contrasena];

$func2 = "SELECT bloqueado FROM users WHERE username='$username'"; $blockedask = $conn->query($func2); $blockedres = $blockedask->fetch_assoc(); $bloqueado = $blockedres[bloqueado];

//Login if(!empty($username)) { // Check the email with database
$userexists = $pdo->prepare("SELECT COUNT(username) FROM users WHERE username= '$username' LIMIT 1"); $userexists->bindParam(':username', $username); $userexists->execute(); // Get the result $userexistsres = $userexists->fetchColumn(); // Check if result is greater than 0 - user exist if( $userexistsres == 1) { if ($bloqueado == NO) { if ($password != $realpass) { die("contrasena incorrecta"); } Else{ $_SESSION['loguin']="OK"; $_SESSION['username']="$username"; header("Location: ./index.php"); } } Else{ die("Tu usuario ha sido bloqueado o todavía no ha sido aceptado por un administrador. } Else{ die("No hay ninguna cuenta con este nombre de usuario"); } } else { echo 'El campo usuario esta vacio'; } ?>