PHP - Moved: Looking For User Authentication Script
This topic has been moved to Miscellaneous.
http://www.phpfreaks.com/forums/index.php?topic=334044.0
Similar Tutorials
User Authentication Help By Using If Elseif And Else Statement And Redirect Page On 3 Different Urls
I have had a problem with people attacking my site and trying to gain access to users' accounts, so I beefed up security; however, now users are complaining they keep getting logged out. Here are the variables I use to validate the users, and I don't want to strip them down any more. Can anyone give me any ideas for changing them so it's still secure but not so strict as to keep logging the users out?
1. Username & password is encrypted into a cookie and verified on every page they visit.
2. Their IP address is recorded on login and is checked against their current IP, on every page they visit, via MySQL.
3. When the user logs in, a Unix time stamp (MySQL) is generated and updated on every page they visit, and if it has not been updated in the last 60 mins the user is logged out.
4. I also generate a random key which is stored in the DB and is passed on every page via GET.
5. If a user tries to login and fails, an email is sent to them, and if 3 unsuccessful attempts, user is locked out for 30 mins.

I'm new to this forum, and PHP in general. So, hello to everyone! I'm having a problem verifying whether or not my authentication script works. I'm not new to programming...just PHP. Here it is..

<?php
//check if user is already logged in
if(isset($_session['username'])) {
    //init database information
    $db_server = "";
    $db_user = "";
    $db_password = "";
    $db_name = "";

    //connect to the database
    $connection = mysql_connect($db_server, $db_user, $db_password);
    if(!$connection) {
        die('Failed to connect: ' . mysql_error());
    }
    mysql_select_db($db_name, $connection);

    //verify login information
    $username = $_POST['username'];
    $password = $_POST['password'];
    $query = mysql_query("SELECT * FROM users WHERE username='$username'");
    if($query) {
        $array = mysql_fetch_array($query);
        if($_POST['password'] = $array['password']) {
            $_session['username'] = $array['username'];
            $_session['email'] = $array['email'];
            $_session['user_level'] = $array['user_level'];
            $_session['ip'] = $array['ip'];
            $_session['date_registered'] = $array['date_registered'];
            echo $_session['username'];
        } else {
            echo 'Bad Login Information!';
        }
    } else {
        die('Failed to login: ' . mysql_error());
    }
}
?>
<form action="auth.php" method="post">
<input name="username" type="text" size="20" maxlength="16">
<input name="password" type="text" size="20" maxlength="20">
<input name="submit" type="submit" value="Submit">
</form>

Okay, at the moment, when a user logs into my website a token is created. The token is made from a random code, their name and their email. This token is then stored next to their name in the DB. If the user chooses to be remembered, the token is stored as a cookie, otherwise it's stored as a session var. Every time a page is loaded, a comparison is made between the DB token and the session/cookie token to authenticate. HOWEVER, this does not work if the user decides to login from different locations/IP addresses. How would I go about allowing this? Could I create a table and then store the IP address and the token for that IP address?

I currently have a User Authentication Script which, when the user successfully logs in, generates a cookie, which is their password encrypted using MD5, which is then verified on every page they visit against their password, which works great.
I am thinking of adding another level of security: when the user logs in, their current IP address is recorded, then on every page they visit, as well as their password being verified, their IP is compared against the IP they had when they logged in. I know that if the user changes their IP they will be logged out, that is fine, but are there any other problems which I have not foreseen? Is there any reason I should not do this? Thanks for the help

Below code is working fine but I need to redirect on 3 different pages and it's giving me an error. My table structure is as
User table
Email Password
admin@yahoo.com 123
tariq@yahoo.com 987
bilal@yahoo.com 456
If the user name is like admin@yahoo.com, the page should redirect to welcome.php.
If the user name is like info@aiousoft.com, the page should redirect to welcome2.php.
And if the user does not exist in the database, then give an error as ELSE "user doesnot exist".
thanks
signin.php
<html><head><title>Sign In</title></head><body>
<?php include 'header.php'; ?>
<?php include 'menu.php'; ?>
<center>
<form method="post" action="checklogin.php">
<h3>Please Signin</h3>
<table width="400" border="0">
<tr><td>Email</td> <td><input name="email" type="text" id="email"></td></tr>
<tr><td>Password</td> <td><input name="password" type="password" id="password"></td></tr>
</table>
<p><label> <input type="submit" email="submit" value="Submit"> </label><input email="reset" type="reset"> </p>
</form>
</center>
</body>
</html>

checklogin.php
<html><head><title>Check Login</title></head><body>
<?php
include 'header.php';
include 'menu.php';
$email=$_POST['email'];
$password=$_POST['password'];
@ $db = mysql_pconnect('localhost', 'root', '');
if (!$db) {
    echo 'Error: Could not connect to database. Please try again later.';
    exit;
}
mysql_select_db('car');
$q=mysql_query("select * from user where email='".$email."' and password='".$password."' ") or die(mysql_error());
$res=mysql_fetch_row($q);
if($res) {
    header('location:welcome.php');
} else {
    echo' Please signin again as your user name and password is not valid';
}
?>
</body>
</html>

Hey guys, I'm after a bit of information regarding user authentication please...
Now, I have previously saved a user's session ID in my database after they have logged in, so when leaving and coming back to the site I'm able to compare session IDs to get username etc... Is this still the way, or am I now a little old-fashioned?
A few more things... Do I save information such as username, access level as a session or cookie? And what is the best way to encrypt passwords, please?
thank you

I am having a bit of a problem with my log on script since I moved to a different host. Users are able to log in but most of their info isn't passed. The way I have it set up right now, if you're logged in the home page says "You are signed in as: 'user'". But all it's showing is "You are signed in as:". The only thing I can tell that is getting passed is their user rank. There are other areas where the email is not showing up either. Here is what I have.

This is on every page unless you're logged in

<form name="form1" method="post" action="checklogin.php">
<span class="rulesub">Username:</span><input name="myusername" type="text" id="myusername" />
<span class="rulesub">Password:</span><input name="mypassword" type="password" id="mypassword" />
<input type="submit" name="Submit" value="Login" />
<div align="center">Not a member? <a class="nav" href="new_user.php">Sign up.</a>
</form>

This is my check log in script

<?php
ob_start();
include"scripts/connect.php" ;
mysql_connect('localhost',$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$encrypted_password=md5($mypassword);
$sql="SELECT * FROM user WHERE username='$myusername' and password='$encrypted_password' and active=1";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
$row = mysql_fetch_assoc($result);
$rank = $row['rank'];
$loggedinusername = $row['username'];
$loggedinuseremail = $row['email'];
if($count==1){
    session_start();
    $_SESSION['login'] = "1";
    $_SESSION['rank'] = $rank;
    $_SESSION['loggedinusername'] = $loggedinusername;
    $_SESSION['loggedinuseremail'] = $loggedinuseremail;
    header ("Location:index.php");
}
else {
    $errorMessage = "Invalid Login";
    session_start();
    $_SESSION['login'] = '';
    header ("Location:login.php");
}
?>

This is what I have for the session part on every page

<?php
session_start();
$_SESSION['login'];
$_SESSION['rank'];
$_SESSION['loggedinusername'] = $loggedinusername;
$_SESSION['loggedinuseremail'] = $loggedinuseremail;
$rank=$_SESSION['rank'];
$loggedinusername=$_SESSION['loggedinusername'];
$loggedinuseremail=$_SESSION['loggedinuseremail'];
?>

And this is what I am using to show the user name.

<?php if($rank>=1){ ?>
<p class="rulesub"> You are signed in as: <?php echo $loggedinusername; ?> <br /><a class="nav" href="logout.php" title="Log out" target="_self">Log Out</a> </p>
<?php }?>

Thanks in advance

This topic has been moved to PHP Freelancing.
http://www.phpfreaks.com/forums/index.php?topic=330064.0

This topic has been moved to PHP Applications.
http://www.phpfreaks.com/forums/index.php?topic=349084.0

I am trying to make a database application. I encountered a problem: suppose multiple users try to access data, it may cause a problem. To clearly understand, please see the attachment. How can I resolve it?

I can't find out what's the problem here, would appreciate some input on how to think when building my "if".
The problem is that I don't seem to catch if an email exists, nor if user exists, and neither can I create a new user :/.
Appreciate your help a lot!
<?php
// Start the session in case of errors to display within the page of user creation
session_start();
$err_msg = array();
$errflag = false;

// Check if the submit button was pressed
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_POST['submit'] === 'Skapa') {
    // Crypt password
    $options = ['cost' => 10];
    $username = strip_tags($_POST['uname']);
    $password = strip_tags(password_hash($_POST['pword'], PASSWORD_DEFAULT, $options));
    $email = strip_tags($_POST['uname'], '@');

    // Check so all the fields are filled
    if ($_POST['uname'] == '' || $_POST['pword'] == '' || $_POST['pwordcheck'] == '') {
        $err_msg[] = 'Please enter all fields<br>';
        $errflag = true;
    }

    // See if passwords and confirm matches
    if ($_POST['pword'] !== $_POST['pwordcheck']) {
        $err_msg[] = 'Passwords doesn\'t match!<br>';
        $errflag = true;
    }

    // Check password length, atleast 8 characters
    if (strlen($_POST['pword']) < 7) {
        $err_msg[] = 'Password must be atleast 8 characters long';
        $errflag = true;
    }

    // Check if email exists
    include_once('../includes/db.inc.php');
    $db = new PDO(DB_INFO, DB_USER, DB_PASS);
    $sql = "SELECT COUNT(*) AS count FROM movies WHERE email = :emailadress";
    $stmt = $db->prepare($sql);
    $stmt->bindParam(':emailadress', $email);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row > 0) {
        $err_msg[] = 'Email already taken!';
        $errflag = true;
        $db = NULL;
    }

    // Check if user exists
    include_once('../includes/db.inc.php');
    $db = new PDO(DB_INFO, DB_USER, DB_PASS);
    $sql = "SELECT uname FROM users WHERE uname = :username";
    $stmt = $db->prepare($sql);
    $stmt->bindParam(':username', $username);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row > 0) {
        $err_msg[] = 'User already exists';
        $errflag = true;
        $db = NULL;
    }

    if ($errflag = false) {
        // Everything passed, create the user!
        include_once('../includes/db.inc.php');
        $db = new PDO(DB_INFO, DB_USER, DB_PASS);
        $sql = "INSERT INTO users (uname, pword, email) VALUES (:username, :password, :emailadress)";
        $stmt = $db->prepare($sql);
        $stmt->bindParam(':username', $username);
        $stmt->bindParam(':password', $password);
        $stmt->bindParam(':emailadress');
        $stmt->execute();
        $_SESSION['uname'] = $username;
        header('Location: ../template/header.php');
        exit;
    }

    // If any error, send the user back and display messages
    if ($errflag == true) {
        $_SESSION['err_msg'] = $err_msg;
        session_write_close();
        header('Location: ../user/create.php');
        exit;
    }
} else {
    $_SESSION['err_msg'] = $err_msg;
    session_write_close();
    header('Location: ../user/create.php');
    exit;
}
?>

So say I have a script, it calls for a text file in the script. Instead of putting the name of the text file, is there a way I can run the script then type the name of the file in the CLI?

This topic has been moved to Third Party PHP Scripts.
http://www.phpfreaks.com/forums/index.php?topic=357163.0

This topic has been moved to MySQL Help.
http://www.phpfreaks.com/forums/index.php?topic=313049.0

I would like to create a script to check whether a user has made a payment to access a members only area of my site, much like a check-login script that checks if the user has logged in. I need it to do a similar check, only it's not looking to see if the user is logged in but if they have ever paid, and if not, send them to the payments page before the access is granted... What section(s), if any, do I need to modify from this check-login script to change it to check for their payments?

<?php
ob_start();
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php");
}
else {
    echo "Wrong Username or Password";
}

ob_end_flush();
?>

Please, is there anyone who can help me with a working login script (code) for different user levels (e.g. admin and user)?

This topic has been moved to Third Party PHP Scripts.
http://www.phpfreaks.com/forums/index.php?topic=349834.0

This topic has been moved to Application Design.
http://www.phpfreaks.com/forums/index.php?topic=347193.0

This topic has been moved to Other.
http://www.phpfreaks.com/forums/index.php?topic=318815.0