PHP - Login Form - Username Encryption Help

Hi all,  I have been reading in almost everywhere that we should not use our own custom login and password validations ( like regex etc.) but instead use the filter_var and filter_input built in functions provided by PHP 5 and above. However even after searching for more than an hour for with different search strings, I have not found even a single example that shows how we may validate for a username/login and password in a login form. Can someone be kind enough to provide a strong secure validations for username and login. Additionally I would also like to clarify if the username and login fields in a Login form be manipulated in any manner to pose a security threat? I mean can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat? Thanks all.

Hi guys, <----- new to this forum and coding for that matter!

I have a question. I have been asking around and reading up about how to make a forum with my current tools (dreamweaver/mysql/mysqlyog) for my website, and 90% of the time the answer i get is "if your asking the question, dont bother..... use mybb or some other premade forum" Which is fine, i dont mind! But know i have an issue. To get access to my website you are requierd to login before you can do anything, after login your able to use the whole site. But now if i use one of these ready made forums such as mybb or whatever users are required to make ANOTHER registration and login aswell! and me no likes this!

So my question is, is there a way to make it so the forum runs off the same login used for my website?

TIA
Gromit

I want to limit the number of incorrect login attempts within a specified time period (e.g. 15 minutes). I'm wondering what I should tie those attempts to.

e.g. If too many attempts from one ip address for a specific username, lock them out for 15 minutes? Or too many attempts from any ip address for a specific username? Or too many attempts for an ip address matched loosely (i.e. 255.255.255.0 matching) with a specific username?

What's the best choice? Just too many attempts for a username? Or also use the ip address?

And should I store the attempts in the session, or the DB?

Hello all;
I have a client that has a members area.  He asked me to password protect it, which I did simply by assigning one static password.  Now he wants a full username/login system where the member can set their own password, which I have never done before.  I assume I'd just set up a Table with three fields, (one for name, one for password, one for the type of access they have) then check against it for access, but experience has taught me that whenever something seems simple, it's actually very complex. 

Do any of you know of any good premade templates for this kind of thing?  Ideally it'd be session-based (obviously).  I found one system he http://frozenade.wordpress.com/2007/11/24/how-to-create-login-page-in-php-and-mysql-with-session/  but it's several years old, and the misspellings in the comments tend to scare me away a bit. 

Thanks for any help you might be able to provide.

Alright, I've been assigned a project at work. I did not develop the application and the individual who did used CodeIgnited framework and mysql as the db.   Here's the problem, I'm not given much OT to do this and in our meeting the best way to proceed was to replicate the database for different parts of the organization. Basically we are a subsidiary and have been using an application that other groups within the organization want to use. Usually I would reconfigure the db schema and add org ids and in the user table add the appropriate organization to go to. However, they are not giving me enough time to do that.   So what I'm thinking is to just create a copy of the database we use (just the structure) and create a new database.   What I want to know is how to use mysql to check to see if a user exists in one database and if they don't then to go on to the next database. I understand this is a very sloppy way to do it, but it's the way we are moving forward.   I found the code to connect to the db in CodeIgnitor... how can I connect to a database, check to see if the user exists, then close that db connection and try the next database?  

    /**
     * Select the database
     *
     * @access    private called by the base class
     * @return    resource
     */
    function db_select()
    {
        return @mysql_select_db($this->database, $this->conn_id);
    }

  Thanks in advance.

Is there a way to get current logged in username and based on that redirect to a different page?

I’m using the following secure PHP login without MySql as a login system: https://sourceforge.net/projects/phploginbyvallastech/

Now I’m looking to redirect each logged in user to their personalized page.

But I can’t figure out how to A) fetch the current logged in user and B) redirect multiple users.

This code redirects to the latter address, but the username based redirect is not working:

<?php

session_start();

if ($_SESSION["username"]==User1){

header("location: user1content.php");

exit;

} else {

header("location: generalcontent.php");

exit;

}

{ ?>

<?php } ?>

So it’s clearly not fetching the logged in user. Though <?php echo $login->username; ?> fetches the username just fine.
I know there’s something missing, but what that might be… Have been trying different things without success.

This topic has been moved to Miscellaneous.

http://www.phpfreaks.com/forums/index.php?topic=318572.0

hi

i need help an idea how can i separate members from admins
since i dont know how to create login form i used tutorial ( http://www.youtube.com/watch?v=4oSCuEtxRK8 )   (its session login form only that i made it work other tutorials wre too old or something)
how what i want to do is separate members and admins because admin need more rights to do
now i have idea but dont know will it work like that
what i want to do is create additional row in table named it flag and create 0 (inactive user) 1 (member) 2 (admin) will that work?
and how can i create different navigation bars for users and admins? do you recommend that i use different folders to create it or just script based on session and flag?

ISSUE.
A User enters information into a form.
If the 'username' is already taken, a 'message' in Red and with larger font-size will be returned, for example,
"The username $username already exists."
If the username is 'mattd' then the message should say, "The username mattd already exists."

Within my php application, I have included 'inline html'.
Here is part of the code:   ....
if (mysql_num_rows($query_run)==1) {
// it will never = more than one because only
//one user will or will not exist
?>

<html>
</body>
<h1><font color="#FF0066">The username <?php echo $username; ?>already exists.</h1>
</body>
</html>

<?php
}else{
//start the registration process
$query = "INSERT INTO `Names` VALUES
....   1. At one point I did get this: "The username mattd already exists."
2. But now I only get "The username already exists."
I am not retrieving the $username variable.
  This screenshot is found he
http://imgur.com/lIwLZ1G


thanks.

While we're on the subject, is there a way to ensure that the first letter of a name is captalized, and the rest lowercase?  Or is this best handled later on, when the name is being used and called from the DB.

PS: some of us comment are code as to WHAT we are doing because we're just not that good yet, and we need to explain it to ourselves.

how could we put this into a form?

Code: [Select]
$username = "@yahoo.com";
$password = "pass";


 
  // do login to facebook
  $curl = curl_init();
  curl_setopt($curl, CURLOPT_URL, "https://login.facebook.com/login.php?m&next=http://m.facebook.com/home.php");
  curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($curl, CURLOPT_POST, 1);
  curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
  curl_setopt($curl, CURLOPT_POSTFIELDS, "email=" . $username . "&pass=" . $password . "&login=Log In");
  curl_setopt($curl, CURLOPT_ENCODING, "");
  curl_setopt($curl, CURLOPT_COOKIEJAR, getcwd() . '/cookies_facebook.cookie');
  $curlData = curl_exec($curl);
  curl_close($curl);
 
  // do get post url
  $urlPost = substr($curlData, strpos($curlData, "action=\"/a/home") + 8);
  $urlPost = substr($urlPost, 0, strpos($urlPost, "\""));
  $urlPost = "http://m.facebook.com" . $urlPost;
 
  // do get some parameters for updating the status
  $fbDtsg = substr($curlData, strpos($curlData, "name=\"fb_dtsg\""));
  $fbDtsg = substr($fbDtsg, strpos($fbDtsg, "value=") + 7);
  $fbDtsg = substr($fbDtsg, 0, strpos($fbDtsg, "\""));
 
  $postFormId = substr($curlData, strpos($curlData, "name=\"post_form_id\""));
  $postFormId = substr($postFormId, strpos($postFormId, "value=") + 7);
  $postFormId = substr($postFormId, 0, strpos($postFormId, "\""));
 
  // do update facebook status
  $statusMessage = "Status updated :-)";
 
  $curl = curl_init();
  curl_setopt($curl, CURLOPT_URL, $urlPost);
  curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($curl, CURLOPT_POST, 1);
  curl_setopt($curl, CURLOPT_POSTFIELDS, "fb_dtsg=" . $fbDtsg . "&post_form_id=" . $postFormId . "&status=" . $statusMessage . "&update=Update Status");
  curl_setopt($curl, CURLOPT_ENCODING, "");
  curl_setopt($curl, CURLOPT_COOKIEFILE, getcwd() . '/cookies_facebook.cookie');
  curl_setopt($curl, CURLOPT_COOKIEJAR, getcwd() . '/cookies_facebook.cookie');
  $curlData = curl_exec($curl);
  curl_close($curl);
 
  echo "Your Facebook status already updated with '" . $statusMessage . "'";

I'm not sure why, but once I added a search form in my nav menu, it made my other forms on the website such as login and signup form take them to where the search button would take them. any ideas???

Hello,
I am working with a SMTP class to send an email. It's all working perfectly fine, but when the email is received (sent from the online form), and I open my email and click reply, there are two email addresses. The correct one (which I entered when I sent the email), and my ftp username for the site??

I've got three files that could effect this, but I was unable to locate any problems:
mailer.php ( smtp send mail class)
mail.php ( submission data: title, subject, etc. )
contact_form.php ( form for submission )

I am only including the file which I think is applicable (mail.php), but let me know if you would also like to see the mailer.php class.

Current output:

reply-to   ftpusername@domainname.com,
correct_from_email@fromemail.com

mail.php:

<?php
  set_time_limit(120);
  
  function sendHTMLmail($from, $to, $subject, $message)
  {
      $message = wordwrap($message, 70);
      
      // To send HTML mail, the Content-type header must be set
      $headers = 'MIME-Version: 1.0' . "\r\n";
      $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
      
      // Additional headers
      $headers .= "From: $from\r\n";
      
      // Mail it
      mail($to, $subject, $message, $headers);
  }
  
  function sendHTMLmail2($fromid, $to, $subject, $message)
  {
      echo $fromid;
      echo $to;
      echo $subject;
      echo $message;
      include_once("mailer.php");
      $mail = new PHPMailer();
      $mail->IsMail();
      // SMTP servers
      $mail->Host = "localhost";
      $mail->From = $fromid;
      $mail->FromName = $fromid;
      $mail->IsHTML(true);
      $mail->AddAddress($to, $to);
      $mail->Subject = $subject;
      $mail->Body = $message;
      $mail->AltBody = "Please enable HTML to read this";
      $mail->Send();
      exit;
  }
  function isValidEmail($email)
  {
      return eregi("^[_.0-9a-z-]+@([0-9a-z][0-9a-z-]+.)+[a-z]{2,3}$", $email);
  }
  
  
  class smtp_mail
  {
      var $host;
      var $port = 25;
      var $user;
      var $pass;
      var $debug = false;
      var $conn;
      var $result_str;
      var $charset = "utf-8";
      var $in;
      var $from_r;
      //mail format 0=normal 1=html
      var $mailformat = 0;
      function smtp_mail($host, $port, $user, $pass, $debug = false)
      {
          $this->host = $host;
          $this->port = $port;
          $this->user = base64_encode($user);
          $this->pass = base64_encode($pass);
          $this->debug = $debug;
          $this->socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
          if ($this->socket) {
              $this->result_str = "Create socket:" . socket_strerror(socket_last_error());
              $this->debug_show($this->result_str);
          } else {
              exit("Initialize Faild,Check your internet seting,please");
          }
          $this->conn = socket_connect($this->socket, $this->host, $this->port);
          if ($this->conn) {
              $this->result_str = "Create SOCKET Connect:" . socket_strerror(socket_last_error());
              $this->debug_show($this->result_str);
          } else {
              exit("Initialize Faild,Check your internet seting,please");
          }
          $this->result_str = "Server answer:<font color=#cc0000>" . socket_read($this->socket, 1024) . "</font>";
          $this->debug_show($this->result_str);
      }
      
      function debug_show($str)
      {
          if ($this->debug) {
              echo $str . "<p>\r\n";
          }
      }
      
      function send($from, $to, $subject, $body)
      {
          if ($from == "" || $to == "") {
              exit("type mail address please");
          }
          if ($subject == "")
              $sebject = "none title";
          if ($body == "")
              $body = "none content";
          
          $All = "From:$from;\r\n";
          $All .= "To:$to;\r\n";
          $All .= "Subject:$subject;\r\n";
          if ($this->mailformat == 1) {
              $All .= "Content-Type:text/html;\r\n";
          } else {
              $All .= "Content-Type:text/plain;\r\n";
          }
          $All .= "Charset:" . $this->charset . ";\r\n\r\n";
          $All .= " " . $body;
          
          $this->in = "EHLO HELO\r\n";
          $this->docommand();
          
          $this->in = "AUTH LOGIN\r\n";
          $this->docommand();
          
          $this->in = $this->user . "\r\n";
          $this->docommand();
          
          $this->in = $this->pass . "\r\n";
          $this->docommand();
          
          if (!eregi("235", $this->result_str)) {
              $this->result_str = "smtp auth faild";
              $this->debug_show($this->result_str);
              return 0;
          }
          
          $this->in = "MAIL FROM: $from\r\n";
          $this->docommand();
          
          $this->in = "RCPT TO: $to\r\n";
          $this->docommand();
          
          $this->in = "DATA\r\n";
          $this->docommand();
          
          $this->in = $All . "\r\n.\r\n";
          $this->docommand();
          
          
          if (!eregi("250", $this->result_str)) {
              $this->result_str = "Send mail faild!";
              $this->debug_show($this->result_str);
              return 0;
          }
          
          $this->in = "QUIT\r\n";
          $this->docommand();
          socket_close($this->socket);
          return 1;
      }
      
      function docommand()
      {
          socket_write($this->socket, $this->in, strlen($this->in));
          $this->debug_show("Client command:" . $this->in);
          $this->result_str = "server answer:<font color=#cc0000>" . socket_read($this->socket, 1024) . "</font>";
          $this->debug_show($this->result_str);
      }
  }
?>

Hi, I need to insert some code into my current form code which will check to see if a username exist and if so will display an echo message. If it does not exist will post the form (assuming everything else is filled in correctly). I have tried some code in a few places but it doesn't work correctly as I get the username message exist no matter what. I think I am inserting the code into the wrong area, so need assistance as to how to incorporate the username check code.

$sql="select * from Profile where username = '$username';
$result = mysql_query( $sql, $conn )
      or die( "ERR: SQL 1" );
if(mysql_num_rows($result)!=0)
{
process form
}
else
{
echo "That username already exist!";
}


the current code of the form


<?PHP
//session_start();
require_once "formvalidator.php";
$show_form=true;

if (!isset($_POST['Submit'])) {



$human_number1 = rand(1, 12);



$human_number2 = rand(1, 38);



$human_answer = $human_number1 + $human_number2;



$_SESSION['check_answer'] = $human_answer;
}

if(isset($_POST['Submit']))
{





if (!isset($_SESSION['check_answer'])) {
echo "<p>Error: Answer session not set</p>";
}


if($_POST['math'] != $_SESSION['check_answer']) {
echo "<p>You did not pass the human check.</p>";
exit();
}


   $validator = new FormValidator();
    $validator->addValidation("FirstName","req","Please fill in FirstName");







$validator->addValidation("LastName","req","Please fill in LastName");
$validator->addValidation("UserName","req","Please fill in UserName");
$validator->addValidation("Password","req","Please fill in a Password");
$validator->addValidation("Password2","req","Please re-enter your password");
$validator->addValidation("Password2","eqelmnt=Password","Your passwords do not match!");
$validator->addValidation("email","email","The input for Email should be a valid email value");
$validator->addValidation("email","req","Please fill in Email");
$validator->addValidation("Zip","req","Please fill in your Zip Code");
$validator->addValidation("Security","req","Please fill in your Security Question");
$validator->addValidation("Security2","req","Please fill in your Security Answer");
    if($validator->ValidateForm())
    {
        $con = mysql_connect("localhost","uname","pw") or die('Could not connect: ' . mysql_error());
        mysql_select_db("beatthis_beatthis") or die(mysql_error());
$FirstName=mysql_real_escape_string($_POST['FirstName']); //This value has to be the same as in the HTML form file
$LastName=mysql_real_escape_string($_POST['LastName']); //This value has to be the same as in the HTML form file
$UserName=mysql_real_escape_string($_POST['UserName']); //This value has to be the same as in the HTML form file
$Password= md5($_POST['Password']); //This value has to be the same as in the HTML form file
$Password2= md5($_POST['Password2']); //This value has to be the same as in the HTML form file
$email=mysql_real_escape_string($_POST['email']); //This value has to be the same as in the HTML form file
$Zip=mysql_real_escape_string($_POST['Zip']); //This value has to be the same as in the HTML form file
$Birthday=mysql_real_escape_string($_POST['Birthday']); //This value has to be the same as in the HTML form file
$Security=mysql_real_escape_string($_POST['Security']); //This value has to be the same as in the HTML form file
$Security2=mysql_real_escape_string($_POST['Security2']); //This value has to be the same as in the HTML form file



$sql="INSERT INTO Profile (`FirstName`,`LastName`,`Username`,`Password`,`Password2`,`email`,`Zip`,`Birthday`,`Security`,`Security2`) VALUES ('$FirstName','$LastName','$UserName','$Password','$Password2','$email','$Zip','$Birthday','$Security','$Security2')"; 
//echo $sql;
if (!mysql_query($sql,$con)) {

 die('Error: ' . mysql_error());

} else{



mail('email@gmail.com','A profile has been submitted!',$FirstName.' has submitted their profile',$body);

echo "<h3>Your profile information has been submitted successfully.</h3>";
}

mysql_close($con);
        $show_form=false;
    }
    else
    {
        echo "<h3 class='ErrorTitle'>Validation Errors:</h3>";

        $error_hash = $validator->GetErrors();
        foreach($error_hash as $inpname => $inp_err)
        {
            echo "<p class='errors'>$inpname : $inp_err</p>\n";
        }        
    }
}

if(true == $show_form)
{
?>

Hi guys,

I'm currently in the process of creating a login form. I'm using PHP to check a simple text file called 'users.txt' for the username and password which has been entered in the form.

If the username and password are NOT in the 'users.txt' file, it will create them on a new line.
Like so:

Users.txt
Code: [Select]
ExampleUser,ExamplePass\n
Marc,password
Craig,password
John,password

Once I try to log into an account which is NOT there, it will create an account underneath. So if I try to log in with username as "Matthew" and password as "password" it will show like so:

Code: [Select]
ExampleUser,ExamplePass\n
Marc,password
Craig,password
John,password
Matthew,password

Hoping this makes sense so far, all of the above works.
However when I click back, to go back onto the login form, I try to log in with one of the usernames/passwords in the 'users.txt' file, and it will create the exact same user on a new line, so I have 2 of the same usernames/passwords.

What I want it to do it, if the username is in the 'users.txt' file, for it to display a message saying "Congratulations you're logged in".

Here is the code for the PHP login page.

P4 LoginScriptFile.php
Code: [Select]
<?php
//This checks for required fields from the form.
if ((!$_POST[username]) || (!$_POST[password]))
{
header("Location: P4 LoginForm.php");
exit;
}

//This reads values from the form.
$form_user = $_POST[username];
$form_password = $_POST[password];

$flag = FALSE;
$filename = "users.txt";
$fp = fopen( $filename, "r" ) or die ("Couldn't open $filename");
while ( ! feof( $fp ) ) {
$line = fgets( $fp);
$user = strtok($line, ","); //Username
$password = strtok(","); //Password
if (($form_user == $user) && ($form_password == $password)) 
{
$flag = TRUE;
}
}

if ($flag)
{
echo "<br>Congratulations, you're logged in";
}

else{
$filename = "users.txt";
$updateuser = $_POST ['username'];
$updatepass = $_POST ['password'];

$fp = fopen( $filename, "a" ) or die("Couldn't open $filename");
fwrite( $fp, "$updateuser,$updatepass\n") or die ("Couldn't write values to your file!");
fclose( $fp );
echo "<br>An account has been created for you!";
}
?>

I think what I need is to read the file once the new user has been created. Any help would be greatly appreciated.
Thanks in advance for any help.
gixxx