PHP - Looking For A Basic Db-driven Username/login Template

Hello

Im making a secure php login system and ideally wanted to also md5 hash the username as well as the password. My reasons for doing this is to completey stop sql injections as i can combine the md5 hash with salt for the $_POST['username'].

Now my problem is i need to be able to de-hash (if this is a word) the username for admin purposes of the business. For password reset i will just send a new password.

Is there anyway that i can do this easily whilst keeping my username secure and stop sql injection for username?

Hi all,  I have been reading in almost everywhere that we should not use our own custom login and password validations ( like regex etc.) but instead use the filter_var and filter_input built in functions provided by PHP 5 and above. However even after searching for more than an hour for with different search strings, I have not found even a single example that shows how we may validate for a username/login and password in a login form. Can someone be kind enough to provide a strong secure validations for username and login. Additionally I would also like to clarify if the username and login fields in a Login form be manipulated in any manner to pose a security threat? I mean can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat? Thanks all.

Is there a way to get current logged in username and based on that redirect to a different page?

I’m using the following secure PHP login without MySql as a login system: https://sourceforge.net/projects/phploginbyvallastech/

Now I’m looking to redirect each logged in user to their personalized page.

But I can’t figure out how to A) fetch the current logged in user and B) redirect multiple users.

This code redirects to the latter address, but the username based redirect is not working:

<?php

session_start();

if ($_SESSION["username"]==User1){

header("location: user1content.php");

exit;

} else {

header("location: generalcontent.php");

exit;

}

{ ?>

<?php } ?>

So it’s clearly not fetching the logged in user. Though <?php echo $login->username; ?> fetches the username just fine.
I know there’s something missing, but what that might be… Have been trying different things without success.

Alright, I've been assigned a project at work. I did not develop the application and the individual who did used CodeIgnited framework and mysql as the db.   Here's the problem, I'm not given much OT to do this and in our meeting the best way to proceed was to replicate the database for different parts of the organization. Basically we are a subsidiary and have been using an application that other groups within the organization want to use. Usually I would reconfigure the db schema and add org ids and in the user table add the appropriate organization to go to. However, they are not giving me enough time to do that.   So what I'm thinking is to just create a copy of the database we use (just the structure) and create a new database.   What I want to know is how to use mysql to check to see if a user exists in one database and if they don't then to go on to the next database. I understand this is a very sloppy way to do it, but it's the way we are moving forward.   I found the code to connect to the db in CodeIgnitor... how can I connect to a database, check to see if the user exists, then close that db connection and try the next database?  

    /**
     * Select the database
     *
     * @access    private called by the base class
     * @return    resource
     */
    function db_select()
    {
        return @mysql_select_db($this->database, $this->conn_id);
    }

  Thanks in advance.

So basically my project is one where the user can log onto my website, and the page then checks if the ID and password are in my table in my microsoft access file.

If the username and password are the same, the user continues, if it isnt, then it stays on the same page and says something like "username and/or password are incorrect" or something along the lines of that.

the problem is right now im not sure how to make it say  "ERROR username and/or password is incorrect" if the username and password dont match. Can someone help me with this? and also make sure if the username and password are correct that it goes to the next page, entitled searchpage.php

here is the code Code: [Select]
<html>
<head>
<style type="text/css">



</style>
</head>
<body style="text-align:center">

<div id='title'>

</div>

<?php

print_r ($_POST) ;

if 

if (isset($_POST['Login'])) { 


if(isset($_POST['username'])){
$username= $_POST['username'] ;
}
if(isset($_POST['password'])){
$TABLE= $_POST['password'] ;
}



$username  = null ;
$password  = null ;
 
$connection = odbc_connect('Olympics', '', '');
 
 
 if (!$connection)
{exit("Conection Failed: " . $connection);}


$username = stripslashes($username);
$password = stripslashes($password);

$sql = "select * from users where users = '$username' and passwords = '$password'";

$rs=odbc_exec($connection,$sql); 



$count=odbc_num_rows($rs);
 
if ($count == 1) {
     $_SESSION['loggedIn'] = "true";
     header("Location: searchpage.php");
} else {
     $_SESSION['loggedIn'] = "false";
    header("Location: index.php"); 
echo "Login failed" ;
}
 


}

echo "<form action='index.php' method='post'> \n" ;
echo" Please enter your username and password if you wish. <br/> \n" ;
echo "Username: <input type='text' name='username' > \n " ;
echo "Password: <input type='password' name='password' > \n" ;
echo "<input type='submit' value='Login' name='Login'> <br/> \n" ;
echo "<input type='submit' value='You may also continue you as a guest.'> \n" ;
echo "</form>" ;



?>
</body>
</html>

This topic has been moved to Miscellaneous.

http://www.phpfreaks.com/forums/index.php?topic=318572.0

Hi there,
        I purchased an admin template, and I've been trying to implement my existing login php script into their template. Their template is AJAX based, but with some PHP mixed in, so let me know if you feel I should re-post it under the AJAX category.

        I've attached the template file "login_template.php", as well as a page with just my regular login script on it "login_standard.php", if anyone could assist me in making the two of them work together, and explain to me what you did (for my own future reference/education), it would be greatly appreciated!

Thanks in advance,

Eric

[attachment deleted by admin]

i have downloaded a basic php site from "http://www.basiclogin.com/"
when i deploy it i get a lot of errors...
can you help me out???

I have developed a code for a login and seems to work well (No syntax error according to https://phpcodechecker.com/ but when I enter a username and a password in the login form, I get an error HTTP 500. I think that everything is ok in the code but obviously there is something that I am not thinking about. The code (excluding db connection):

$id="''"; $username = $_POST['username']; $password = md5($_POST['password']); $func = "SELECT contrasena FROM users WHERE username='$username'";

$realpassask = $conn->query($func); $realpassaskres = $realpassask->fetch_assoc(); $realpass= $realpassaskres[contrasena];

$func2 = "SELECT bloqueado FROM users WHERE username='$username'"; $blockedask = $conn->query($func2); $blockedres = $blockedask->fetch_assoc(); $bloqueado = $blockedres[bloqueado];

//Login if(!empty($username)) { // Check the email with database
$userexists = $pdo->prepare("SELECT COUNT(username) FROM users WHERE username= '$username' LIMIT 1"); $userexists->bindParam(':username', $username); $userexists->execute(); // Get the result $userexistsres = $userexists->fetchColumn(); // Check if result is greater than 0 - user exist if( $userexistsres == 1) { if ($bloqueado == NO) { if ($password != $realpass) { die("contrasena incorrecta"); } Else{ $_SESSION['loguin']="OK"; $_SESSION['username']="$username"; header("Location: ./index.php"); } } Else{ die("Tu usuario ha sido bloqueado o todavía no ha sido aceptado por un administrador. } Else{ die("No hay ninguna cuenta con este nombre de usuario"); } } else { echo 'El campo usuario esta vacio'; } ?>

This topic has been moved to Third Party PHP Scripts.

http://www.phpfreaks.com/forums/index.php?topic=349834.0

Hi, I don't know why it outputs" You are now registered BUT the user name and password don't show up in the database! I want to encrypt the passwords so maybe that is problem, I don't know, please read scripts below.

here is register.php:
==============
Code: [Select]
<html>
<head></head>
<body>
<form method="post" action="" >
<p>Create a username
<input type="text" name="newUsername"/>
</p>
<p>Create a password
<input type="password" name= "newPassword" />
</p>
<p>
<input type="submit" value="Make account now" name="makeAccountSubmit" />
</p>
</form>

<?php

if(array_key_exists("makeAccountSubmit",$_POST) && !empty($_POST["newUsername"]) && !empty($_POST["newPassword"]) ) {

//IF username doesn't exist, then store new user login info to db dummydpevx
mysql_connect("localhost","root");
mysql_select_db("someDB");
$newUserName=$_POST["newUsername"];
$newPassword=crypt($_POST["newPassword"]);

$usernameQuery=mysql_query("SELECT userName FROM users WHERE userName='$newUserName'");
if(mysql_num_rows($usernameQuery)==0) {
$makeNewAccountQuery=mysql_query("INSERT INTO users userName,userPassword VALUES('$newUserName','$newPassword')");
print "You are now registered, <a href='login.php'>proceed to login</a>";
}
if(mysql_num_rows($usernameQuery)==1)
print "Username taken. Please make another one. <br />";
}

here is login.php:
============
Code: [Select]
<html>
<head></head>
<body>
<form method="post" action="">
<label>Username:</label>
<input type="text" name="username" />
<br />
<label>Password:</label>
<input type="password" name="password" />
<p>
<input type="submit" value="Login" name="Login" />
<input type="reset" value="Reset" name="Reset" />
</p>

</form>
<?php
if(array_key_exists("Login",$_POST) && !empty($_POST["username"]) && !empty($_POST["password"])) {
$attemptedUsername=$_POST["username"];
$attemptedPassword=$_POST["password"];

mysql_connect("localhost","root");
mysql_select_db("someDB");

$getLoginInfoQuery=mysql_query("SELECT userName,userPassword FROM users WHERE userName=$attemptedUsername AND userPassword=$attemptedPassword");
$getLoginInfo=mysql_fetch_assoc($getLoginInfoQuery);
$getUsername=$getLoginInfo["userName"];
$getPassword=crypt($getLoginInfo["userPassword"]);

if(crypt($attemptedPassword,$getPassword)==$getPassword) {
session_start();//NB: Start session BEFORE doing any session stuff!
$_SESSION["isAuthenticated"]="userAuthenticated";
header("Location: xmlShredderIndex.php");
exit;
}
else
print "Please register!";
}

Also, if any has time, please see my other post, it is straightforward instructions to see if you get same error as me, thanks.
http://www.phpfreaks.com/forums/index.php?topic=347639.msg1640652#msg1640652

Any help much appreciated!

Basically, I'm still trying to wrap my head around OOP. What I'm trying to do here is a simple OOP user login script.  But when I submit the form, all that happens is that the text fields reset them selves and nothing that I feel should be happening, happens.

ie: I submit login data, and either it displays an error or reirects to index page. Neither happen, the form merely resets.  Where am I going wrong?

Code: [Select]
<form name="loginform" id="loginform" action="<?php $_SERVER['PHP_SELF']; ?>" method="post">
<p>
<label>Username<br>
  <input name="user" id="user_login" class="input" size="20" tabindex="10" type="text" />
</label>
</p>
<p>
<label>Password<br>
<input name="pass" id="user_pass" class="input" value="" size="20" tabindex="20" type="password"></label>
</p>
<p class="forgetmenot"><label><input name="rememberme" id="rememberme" value="forever" tabindex="90" type="checkbox"> Remember Me</label></p>
<p class="submit">
<input name="login" id="submit" class="button-primary" value="Log In" tabindex="100" type="submit">
<input name="redirect_to" value="/users.php" type="hidden">
</p>
</form>

Code: [Select]
<?php
if(isset($_POST['login']))
{
$username = $_POST['user'];
$password = $_POST['pass'];

include("./classes/class.users.php");
USERS::login($username, $password);

}
?>

Code: [Select]
<?php
// Yes, my DATABAASE::DoIT(1) // (0) is working as intended (from a different include file)
class USERS
{
var $user;
var $pass;
var $email;

//////////////////////////////////////////////////////////////////////////////////////////////
function login($user, $pass) {

include("/var/www/config.php");
DATABASE::DoIt('1');

$hashword = sha1($CONFIG['salt1']."$pass".$CONFIG['salt2']);
$sql      = "SElECT * FROM users WHERE username='$user' AND hashword='$hashword'";
$result   = mysql_query($sql);
$count    = mysql_num_rows($result);

if($count==1) {
while ($row = mysql_fetch_assoc($result)) {
define('USERS_AUTHENTICATED', true);
$_SESSION['USERS_username'] = $row['username'];
$_SESSION['USERS_userid'] = $row['userid'];
DATABASE::DoIt('0');
header("Location: index.php");
}

} else {

$_SESSION['loginError'] = true;
DATABASE::DoIt('0');
return $_SESSION['loginError'];
}

DATABASE::DoIt('0');
}
}
?>

I have created a login page, but i want the users to be directed to another page only if the login details are correct. How would i do this?any help is appreciate. Coding for the PHP is below: thank you.

Code: [Select]

<?php

$username = $_POST["username"];
$password = $_POST["password"];
//This if statement asks if the $username variable is set. If it is it executes the php script. Otherwise it echoes the login form.
if(isset($username)){

if (!($username == " " && $password == " "))

{

$connect = mysql_connect("","","") or die("Couldn't connect!");
mysql_select_db("") or die("Couldn't find db");

$query = mysql_query("SELECT * FROM users WHERE username='$username'");

$row = mysql_fetch_array($query);

$numrows = mysql_num_rows($query);

   $dbusername = $row['username']; 
   $dbpassword = $row['password'];
}
else {
echo ('<div id="username">
   <form action="" method="post"/>
<font color="red"> Please enter a username and password </font>
      <table><tr><td>
      <img src="imgs/Log In/username.png" alt=""/>
      </td><td>
      <input type="text" size="30" name="username" style="background-color:transparent;" />
      </td></tr></table>

      <table><tr><td>
      <img src="imgs/Log In/password.png" alt=""/>
      </td><td>
      <input type="password" name="password" size="30" />
      </td></tr></table>

      <form id="submitb" action="">
      <input type="submit" value="Log in" />
      </form>

      <p class="register">Not yet a member? <a href="Form.html">Register Here</a>, its Free!</p>
</div>');
}
//check to see if they match
if ($username == $dbusername && $password == $dbpassword) {
echo "You Are Now Logged In, Welcome To AdobeTuts!";
}
else
   echo ('<div id="username">
   <form action="" method="post"/>
<div id="new">
<font color="red"> Wrong Username Or Password, Please Try Again </font> </div> 
      <table><tr><td>
      <img src="imgs/Log In/username.png" alt=""/>
      </td><td>
      <input type="text" size="30" name="username" style="background-color:transparent;" />
      </td></tr></table>

      <table><tr><td>
      <img src="imgs/Log In/password.png" alt=""/>
      </td><td>
      <input type="password" name="password" size="30" />
      </td></tr></table>

      <form id="submitb" action="">
      <input type="submit" value="Log in" />
      </form>

      <p class="register">Not yet a member? <a href="Form.html">Register Here</a>, its Free!</p>
</div>');

}

//This next bit echoes the login form unless the $username variable is set.
else {
echo ('<div id="username">
   <form action="" method="post"/>
    
      <table><tr><td>
      <img src="imgs/Log In/username.png" alt=""/>
      </td><td>
      <input type="text" size="30" name="username" style="background-color:transparent;" />
      </td></tr></table>
      
      <table><tr><td>
      <img src="imgs/Log In/password.png" alt=""/>
      </td><td>
      <input type="password" name="password" size="30" />
      </td></tr></table>
      
      <form id="submitb" action="">
      <input type="submit" value="Log in" />
      </form>
      
      <p class="register">Not yet a member? <a href="imgs/Homepage tuts/Form.php">Register Here</a>, its Free!</p>
</div>');
}

?>

ISSUE.
A User enters information into a form.
If the 'username' is already taken, a 'message' in Red and with larger font-size will be returned, for example,
"The username $username already exists."
If the username is 'mattd' then the message should say, "The username mattd already exists."

Within my php application, I have included 'inline html'.
Here is part of the code:   ....
if (mysql_num_rows($query_run)==1) {
// it will never = more than one because only
//one user will or will not exist
?>

<html>
</body>
<h1><font color="#FF0066">The username <?php echo $username; ?>already exists.</h1>
</body>
</html>

<?php
}else{
//start the registration process
$query = "INSERT INTO `Names` VALUES
....   1. At one point I did get this: "The username mattd already exists."
2. But now I only get "The username already exists."
I am not retrieving the $username variable.
  This screenshot is found he
http://imgur.com/lIwLZ1G


thanks.

While we're on the subject, is there a way to ensure that the first letter of a name is captalized, and the rest lowercase?  Or is this best handled later on, when the name is being used and called from the DB.

PS: some of us comment are code as to WHAT we are doing because we're just not that good yet, and we need to explain it to ourselves.