|
PHP - Help With Secure Login System
Hello:
I am using this tutorial to make a secure login system (if there is a "better" way, please let me know): http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/ I am having a problem with the login form - it keeps moving to the "a_Home.php" page (the one that is suppose to be password protected) without any login information being entered. This is the mmLogin.php page: Code: [Select] <?php include('../include/myConn.php'); include('include/myAdminCodeLib.php'); session_start(); $username = $_POST['username']; $password = $_POST['password']; $username = mysql_real_escape_string($username); $query = "SELECT password, salt FROM users WHERE username = '$username';"; $result = mysql_query($query); if(mysql_num_rows($result) < 1) { header('Location: mmLogin.php'); die(); } $userData = mysql_fetch_array($result, MYSQL_ASSOC); $hash = hash('sha256', $userData['salt'] . hash('sha256', $password) ); if($hash != $userData['password']) { header('Location: mmLogin.php'); die(); } else { validateUser(); header('Location: a_Home.php'); } ?> <html> <head></head> <body> <form name="login" action="mmLogin.php" method="post"> Username: <input type="text" name="username" /> Password: <input type="password" name="password" /> <input type="submit" value="Login" /> </form> </body> </html> This is the a_Home.php page: Code: [Select] <?php include('include/myAdminCodeLib.php'); include('include/myCheckLogin.php'); ?> <html> <head></head> <body> <a href="mmLogin.php">Log Off</a> </body> </html> This is the myCheckLogin.php page: Code: [Select] <?php session_start(); if(!isLoggedIn()) { header('Location: mmLogin.php'); die(); } ?> This is the myAdminCodeLib.php page: Code: [Select] <?php function validateUser() { session_regenerate_id (); $_SESSION['valid'] = 1; $_SESSION['userid'] = $userid; } function isLoggedIn() { if(isset($_SESSION['valid']) && $_SESSION['valid']) return true; return false; } function logout() { $_SESSION = array(); session_destroy(); } ?> Can anyone tell me why this is not working? And, am I calling the functions properly? Thanks. Similar TutorialsHey all, I'm in the process of developing a PHP login system for the website of a team I'm involved with. I have a MySQL database already set up to hold user data, but I lack the knowledge to create a respectably secure login system. I tend to be a tad obsessive when it comes to security, and seeing different systems being implemented on various tutorials that cover this topic makes me cynical of the integrity of any of them. So, my question is: how can I create a secure login system that isn't too complex in implementation? Are there any reliable tutorials for this? Would some sort of system that uses session variables be what I'm looking for? I don't require excessive security, but privelidges gained if this system is compromised would be no small matter. Thanks for any help. I tried Googling them and what not but all I could find was useless stuff that I couldn't get to work, so I thought I would give it a crack at making my own. I don't think its that secure though. Can someone have a geeza over it? I've pretty much made it up from bits and pieces I have seen and researched. Ignore the echoes they were just for testing. Well the code was working, now it just keeps redirecting me to index. So I dunno what I fucked. Heres all the code: Index.php Code: [Select] <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> <?php include 'functions.php'; Connect(); ?> <form method="post" action="login.php"> <input type="text" name="Username" /> <input type="password" name="Password" /> <input type="hidden" name="ip" value="<?php ipget(); ?>" /> <input type="submit" /> </form> </body> </html> Login.php <?php require_once 'standalone\HTMLPurifier.standalone.php'; include "functions.php"; Connect(); $purifier = new HTMLPurifier(); $result = mysql_query("SELECT Username, Password FROM login ") or die(mysql_error()); $sorted = mysql_fetch_array($result); $name = $purifier->purify(strtolower($_POST['Username'])); $pass = $purifier->purify(md5(strtolower($_POST['Password']))); $ip = md5($_POST['ip']); $stamp = date("Ymdhis"); if ( $name == $sorted['Username'] ){ Echo "Username Correct"; if ( $pass == $sorted['Password'] ) { echo "Password is correct"; session_start(); $_SESSION['ip'] = $ip; $_SESSION['Username'] = $name; $_SESSION['Password'] = $pass; setcookie('ip', $ip, time()+3600); setcookie('name', $name, time()+3600); $ipb = $_SERVER['REMOTE_ADDR']; $orderid = "$stamp-$ipb"; $orderid = str_replace(".", "", "$orderid"); $GUID = md5(orderid); setcookie('GUID', $GUID, time()+3600); mysql_query("UPDATE login SET GUID = $GUID WHERE Username = '$name'"); header("location: admin.php"); } else { echo "password is wrong"; } } else { Echo "wrong name"; } ?> Functions.php <?php function connect(){ mysql_connect("localhost", "test", "password") or die(mysql_error()); mysql_select_db("db344475103") or die(mysql_error()); echo "Connected"; } function ipget(){ $ip = $_SERVER['REMOTE_ADDR']; echo $ip; } function check(){ session_start(); if (md5($_SERVER['REMOTE_ADDR']) == $_SESSION['ip']) { if (md5($_SERVER['REMOTE_ADDR']) == $_COOKIE['ip']) { if ($_SESSION['Username'] == $_COOKIE['name']) { if ($_COOKIE['GUID'] == mysql_query("SELECT GUID FROM login")) { } else { header("location: index.php"); session_destroy(); } } else { header("location: index.php"); session_destroy(); } } else { header("location: index.php"); session_destroy(); } } else { header("location: index.php"); session_destroy(); } } function clean(){ } ?> Admin.php Code: [Select] <?php include 'functions.php'; check(); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> Admin Area </body> </html> Yeah its a lot of code, probably most of it useless as well knowing me. Hi, Well i have been searching the internet and can't seem to find a good tutorial for making a secure php/mySQL login script, mainly one thats is quite secure from hackers. Does anyone know of a good tutorial? Lee Hello, I want to know if my login php is secure or if it's easily hacked by anyone. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // Define $myusername and $mypassword $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; // To protect MySQL injection (more detail about MySQL injection) $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $gmtUnixTime = time(); $tUnixTime = $gmtUnixTime + 3600; $sGMTMySqlString = gmdate("Y-m-d H:i:s", $tUnixTime); // Parse the String into a new UNIX Timestamp $tParsedTime = strtotime($sGMTMySqlString . " GMT"); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "login_success.php" session_register("myusername"); session_register("mypassword"); $sql = "UPDATE $tbl_name SET senast = '$sGMTMySqlString' WHERE username = '$myusername'"; mysql_query($sql) or die(mysql_error()); $_SESSION['user']="$myusername"; $_SESSION['senastlog']="$sGMTMySqlString"; header("location:index.php"); } else { header("location:failed.php"); } ob_end_flush(); ?> Hello,
i want to know if this code is ok or do i have sql-injection, session hijacking etc.
thank you very much for your help.
Rafal
<?php
INI_SET('SESSION.USE_ONLY_COOKIES', 1);
SESSION_START();
SESSION_CACHE_EXPIRE(10);
SESSION_REGENERATE_ID();
$uname = "mail@mail.com";
$upassword = "a4ca6e1f044a98a8a72e7b356a134319433f4d98adb3f463202246bddb883712459e66ea985f37cb2e7171165500c341be4effd1f6e4461246e3c61e5767741f";
if (isset($_POST["inp_name"]) && isset($_POST["inp_pwd"]))
{
if ($uname == $_POST["inp_name"] && $upassword == hash('sha512', $_POST["inp_pwd"]))
{
$_SESSION["e64X96ea"] = 1;
}
}
?>
<?php
if ($_SESSION["e64X96ea"] != 1)
{
header ( 'Location:login.php' );
exit;
}
?>
Edited by rafal, 16 November 2014 - 08:39 AM. Hi guys, It's my first post here, not looking to leech, I'm simply here to learn and develop my skills and any contributes will be greatly appreciated! Anyways I have made a simple login script, however I would like to make it more secure. However before that, can you please explain to me as to why it is not secure in the first place? A basic explanation so I can understand would be great. Then after that, could you please give help as to how I would make this login code more secure? Thank you very much Code: [Select] <?php $rowsfound=false; if (isset($_GET['frmStudentId'])) { // functions to make performQuery() work correctly require_once("dbfunctions.inc.php"); $query = "SELECT dbStudentId, dbStudentName " . " FROM student " . " WHERE dbStudentId = '".$_GET['frmStudentId']."'" . " AND dbPassword = '".$_GET['frmPassword']."'"; $result = performQuery($query); if(count($result) > 0) { $rowsfound=true; // allow login } } // code continues by generating appropriate response ... Hello, I made an login script, it works but i want to be sure if its secure to use in everyday use, here is the script: <?php session_start(); require_once('include/config.inc.php'); require_once('include/functions.php'); function clean($str, $encode_ent = false) { $str = @trim($str); if ($encode_ent) { $str = htmlentities($str); } if (version_compare(phpversion(),'4.3.0') >= 0) { if (get_magic_quotes_gpc()) { $str = stripslashes($str); } if (@mysql_ping()) { $str = mysql_real_escape_string($str); } else { $str = addslashes($str); } } else { if (!get_magic_quotes_gpc()) { $str = addslashes($str); } } return $str; } if (isset($_POST['submit'])) { if ($_POST['code'] == $_SESSION['rand_code']) { //Sanitize the POST values $username = clean($_POST['username']); $password = clean($_POST['password']); $ip = clean($_SERVER['REMOTE_ADDR']); $query="SELECT * FROM user WHERE username='$username' AND password='".md5($_POST['password'])."'"; $result=mysql_query($query); //Check whether the query was successful or not if ($result) { if (mysql_num_rows($result) == 1) { //Login Successful session_regenerate_id(); $user = mysql_fetch_assoc($result); $_SESSION['SESS_MEMBER_ID'] = $user['username']; session_write_close(); $query_login_ok = "INSERT INTO logs (`username`, `password`, `result`, `ip`) VALUES ('$username', '$password', 'SUCCESS', '$ip');"; $result_query_login_ok = mysql_query($query_login_ok) or die('MYSQL ERROR'); header("location: pmt.php"); exit(); } else { //Login failed $query_login_fail = "INSERT INTO logs (`username`, `password`, `result`, `ip`) VALUES ('$username', '$password', 'FAILED', '$ip');"; $result_query_login_fail = mysql_query($query_login_fail) or die('MYSQL ERROR'); header("location: index.php"); exit(); } } else { die("ERROR"); } } } ?> <form id="login" name="login" method="post" action=""> <table width="300" border="0" align="center" cellpadding="2" cellspacing="0"> <tr> <td width="112"><b>Username</b></td> <td width="188"><input name="username" type="text" class="textfield" id="username" value="admin" /></td> </tr> <tr> <td><b>Password</b></td> <td><input name="password" type="password" class="textfield" id="password" value="qazwsx" /></td> </tr> <img src="include/captcha.php"/> <tr> <td><b>Code</b></td> <td><input type="text" name="code" /></td> </tr> <tr> <td> </td> <td><input type="submit" name="submit" value="Login" /></td> </tr> </table> </form> Hi guys. What I want to create is really complicated. Well I have a login system that works with post on an external website. I have my own website, but they do not give me access to the database for security reasons, therefore I have to use their login system to verify my users. What their website does is that it has a post, with username and password. The POST website is lets say "https://www.example.com/login". If login is achieved (i.e. username and password are correct), it will redirect me to "https://www.example.com/login/success" else it will redirect me to "https://www.example.com/login/retry". So I want a PHP script that will do that post, and then according to the redirected website address it will return me TRUE for success, FALSE for not successful login. Any idea?? Thanks This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=351535.0 I have a little php site that looks up data in my crm database quickly and easily on my iphone. Right now it's wide open because I'm in and out of it all day and trying to input uid/pw into a secure login page is a pain in the rear. (we're not talking about sensitive data here and I'm the only user.) So, I would like to design a screen with several large graphic buttons and be able to touch those buttons in a specific sequence that would functionally allow a secure login. Similar in concept to the android screen lock. You touch a sequence of numbered buttons and voila, the screen unlocks. It does not open a text field for data entry into two separate fields. So if my access code was 1,2,3,4 and the screen was divided into quarters with a large number on each one, I would touch the buttons in that order and it would open the main page. How would this best be accomplished? Is there a php function to essentially build a variable through successive key presses? then with a final submit it would just check that against a "secret code" and allow access. Thanks for any input. Hi could you help me get this login page working?
I made a form which posts to login.php the "user" and "pass".
Then this is my code for login.php: <?php include("mysql_connect.inc.php"); ?> <?php $user = $_POST['user']; $pass = $_POST['pass']; session_start(); $query = mysqli_query("SELECT * FROM users WHERE username='$user'"); $results = mysqli_query($con, $query) or die(mysqli_error($con)); $resultsarray = mysql_fetch_array($userresults); if (isset($_POST['user']) && $_POST['user'] == $query && isset($_POST['pass']) && $_POST['pass'] == $query) { $_SESSION['username'] = $_POST['user']; echo "<p>Login success. You are logged in as: " . $_SESSION['username'] . "</p>Return to mainpage, click <a href='index.php'>here</a>!"; } else { echo "<p>Wrong username or password.</p>"; } mysqli_close($con); ?> I'm trying to build a login system and alot of the code is similar to what i used to make my news cms. basically all i wanna accomplish right now is to get the user input inserted into my database. I've already tested it out, and I get no errors, but like with the cms, the database isn't getting queryed. Here's the code: (process.php) Code: [Select] <?php $first_name=$_POST['first_name']; $last_name=$_POST['last_name']; $age=$_POST['age']; $city=$_POST['city']; $state=$_POST['state']; $country=$_POST['country']; $zip=$_POST['zip']; $birthdate=$_POST['birthdate']; $gender=$_POST['gender']; $sexuality=$_POST['sexuality']; $race=$_POST['race']; $religion=$_POST['religion']; $status=$_POST['status']; $about=$_POST['about']; $website=$_POST['website']; $user_name=$_POST['user_name']; $password=$_POST['password']; $email=$_POST['email']; mysql_connect("your hostname", "your database name", "your password") or die(mysql_error()); mysql_select_db("your database name") or die(mysql_error()); $sql = sprintf("INSERT INTO Users (first_name, last_name, age, city, state, country, zip, birthdate, gender, sexuality, race, religion, status, about, website, user_name, password, email) VALUES ('%s', '%s', '%s', '%s', '%s')", mysql_real_escape_string($first_name), mysql_real_escape_string($last_name), mysql_real_escape_string($age), mysql_real_escape_string($city), mysql_real_escape_string($state), mysql_real_escape_string($country), mysql_real_escape_string($zip), mysql_real_escape_string($birthdate), mysql_real_escape_string($gender), mysql_real_escape_string($sexuality), mysql_real_escape_string($race), mysql_real_escape_string($religion), mysql_real_escape_string($status), mysql_real_escape_string($about), mysql_real_escape_string($website), mysql_real_escape_string($user_name), mysql_real_escape_string($password), mysql_real_escape_string($email)); $result = mysql_query($sql); Print "Congratulations! You are now a registered member on yourwebsite.com!"; ?> (register/index.php) Code: [Select] <script language = "Javascript"> function Validate() { if (document.register.first_name.value == '') { alert('You have not specified your first name!'); return false; } if (document.register.last_name.value == '') { alert('You have not specified your last name!'); return false; } if (document.register.age.value == '') { alert('You have not specified your age!'); return false; } if (document.register.country.value == '') { alert('You have not entered a country!'); return false; } if (document.register.birthdate.value == '') { alert('You have not entered your date of birth!'); return false; } if (document.register.gender.value == '') { alert('You have not specified your gender!'); return false; } if (document.register.user_name.value == '') { alert('You have not entered a username!'); return false; } if (document.register.email.value == '') { alert('You have not entered an email!'); return false; } if (document.register.password.value == '') { alert('You have not entered a password!'); return false; } return true; } </script> <form name="register" method="post" action="http://www.djsmiley.net/register/process.php" onsubmit="return Validate();"> <table width="100%" border="0"> <tr> <td>First Name:</td> <td><label> <input type="text" name="first_name" id="first_name" /> </label></td> </tr> <tr> <td>Last Name:</td> <td><input type="text" name="last_name" id="last_name" /></td> </tr> <tr> <td>Age:</td> <td><input type="text" name="age" id="age" /></td> </tr> <tr> <td>City:</td> <td><input type="text" name="city" id="city" /></td> </tr> <tr> <td>State:</td> <td><input type="text" name="state" id="state" /></td> </tr> <tr> <td>Country:</td> <td><input type="text" name="country" id="country" /></td> </tr> <tr> <td>Zip:</td> <td><input type="text" name="zip" id="zip" /></td> </tr> <tr> <td>Birthdate:</td> <td><input type="text" name="birthdate" id="birthdate" /></td> </tr> <tr> <td>Gender:</td> <td><input type="text" name="gender" id="gender" /></td> </tr> <tr> <td>Sexuality:</td> <td><input type="text" name="sexuality" id="sexuality" /></td> </tr> <tr> <td>Race:</td> <td><input type="text" name="race" id="race" /></td> </tr> <tr> <td>Religion:</td> <td><input type="text" name="religion" id="religion" /></td> </tr> <tr> <td>Marital Status:</td> <td><input type="text" name="status" id="status" /></td> </tr> <tr> <td>About You:</td> <td><label> <textarea name="about" id="about" cols="45" rows="5"></textarea> </label></td> </tr> <tr> <td>Website:</td> <td><input type="text" name="website" id="website" /></td> </tr> <tr> <td width="13%">Username: </td> <td width="87%"><input type="text" name="user_name" id="user_name" /></td> </tr> <tr> <td>Email: </td> <td><input type="text" name="email" id="email" /></td> </tr> <tr> <td>Password: </td> <td><input type="password" name="password" id="password" /></td> </tr> <tr> <td> </td> <td><input name="Register Button" type="submit" class="Button1" id="Register Button" value="Register" /> <input name="Reset Button" type="reset" class="Button1" id="Reset Button" value="Clear" /></td> </tr> </table> <label></label> </form> Hi Everyone, Just a quick question before I take on this project. Basically the client has a secure server set up with folders for different clients. So they can store excel files, PDFs etc, What the client use to do was send the client an email with the http address of that clients particular folder to be able to login. What my job is to create a login system that redirects each client to their particular area on the secure system. Is this going to be difficult, What I was thinking of doing was when the administator is setting up the client details there would be an extra field saying address: they paste the address of the folder on the server. Then it will redirect them to their folder. Is this the correct way to do this. Any help or advice would be great. Hi All!
This is my first post here, so if there are some things I miss or something more I need to do please let me know.
I tried searching the forum for the answer first but could not find anything.
So here is the thing; I followed a tutorial I found about building a login system for my website. The tutorial worked perfectly, except I needed it to redirect to a user specific page instead of a static page on login. I made the necessary changes to the script, and now it redirects to the user specific page, but does not recognize that I am logged in so it will not show me the content.
In the interest of full disclosure, I am not very good at PHP and lack a fundamental understanding of it. I am enrolled in some Udemy courses to try to rectify that, but I needed the login system ASAP, so copy and paste programming was my only option. I know, I know. I am a terrible human being and should be thrown into the sun. I agree. I am in counseling to try to deal with it.
The tutorial I used can be found he http://www.wikihow.c...n-PHP-and-MySQL.
Here is the relevant code:
process_login.php:
<?php
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
$page = login($email, $password, $mysqli);
if ($page == true) {
// Login success
header('Location: '. $page);
exit();
} else {
// Login failed
header('Location: ../error.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
I've abandoned my old script and switched to this one: http://www.evolt.org/node/60384 I got it working on my site just fine (djsmiley.net/members/register - you can test it out if u want). i just want to know how i can put all of the code into the pages i created using my template. It doesn't specify how this can be done in the tutorial, which is why im confused. I've tried everything but keep getting errors. Help? First of all hello as I am new to this forum. Ok so, I am have been trying for the past few days to create a login system in PHP for a website I am creating, and I am having serious problems. I have tryed so many tutorials and they all are not working, my conclusion is they are outdated or not fully understandable. So what I want to create - Registration Forgot password Login page Email activation Member page My hosting has the latest php and mysql as far as I know so could someone please give me an up to date simple tutorial on creating this. Lastly the program I am using is Dreamweaver CS5 Thankyou. ok i need directing to a tutorial, an easyish one that can help me do a secure login and registration system. Something that uses sessions and mysql. something with sql injection and other security. i need it very secure. hope you can help. Hi, im getting alot of errors like so Deprecated: Function session_is_registered() is deprecated time to update some files, can you guys pls help im rubbish with PHP guess thats why I waited so long to update. here is the code I need to change checklogin.php // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "login_success.php" session_register("myusername"); session_register("mypassword"); header("location:index.php"); } index.php <? session_start(); /*if(!session_is_registered(myusername)){ header("location:main_login.php"); }*/ ?> index.php (display username stuff) <?php if(session_is_registered(myusername)){ ?> Welcome: <?= $_SESSION['myusername'] ?><?php } ?> index.php (edit content stuff) <?php $file = file_get_contents('content/menu_header_a.txt', 'r'); if(session_is_registered(myusername)){ ?><a href="javascript:open4()"><?php echo $file ?></a><?php } else { echo $file; }?> Many thanks for any and all your help with this one. if you could keep it simple please like ( replace this with this ) . thanks Hello everyone, I'd like to make a small object oriented login system. The problem is that I'm not very good at oop and i have only written these scripts the procedural way. So please, correct me if I'm wrong: class database - connect() class user - login() My problem is when i make a database connection in connect(), I can't use it in login(). class Database{ public function connect(){ $mysqli = new mysqli('localhost','root','','login'); } } class User{ public function login(){ // how do i use connect() from above and make a query to log the user in? } |
|||||||