|
PHP - Php Login System With Sessions
Hi
What is the best way of handling a login system with sessions, I have read that you should never hold the password in a session, so what should you hold in the session in order to access a users data? Similar TutorialsHi guys. What I want to create is really complicated. Well I have a login system that works with post on an external website. I have my own website, but they do not give me access to the database for security reasons, therefore I have to use their login system to verify my users. What their website does is that it has a post, with username and password. The POST website is lets say "https://www.example.com/login". If login is achieved (i.e. username and password are correct), it will redirect me to "https://www.example.com/login/success" else it will redirect me to "https://www.example.com/login/retry". So I want a PHP script that will do that post, and then according to the redirected website address it will return me TRUE for success, FALSE for not successful login. Any idea?? Thanks Checking to see if I am going in the right direction, any suggestions would be appreciated! I am setting up SESSIONs for login and setting a time limit on them. I have basically 2 scenarios that I need to code for. 1. Registerd user w/good billing has all access 2. Registerd user w/expired billing & Guest user can only go to certain pages and have limited access This is my login page, will validate the login info and either sends user to one page or another or gives error that the login is incorrect <?php // http://www.daniweb.com/forums/thread124500.html session_start(); // starting session if( isset($_POST['submitLogin'])) { include('library/login.php'); login(); mysql_select_db('test'); // username and pswd from login $userID=$_POST["userID"]; $pswd=$_POST["pswd"]; // to protect from MySQL injection $userID = stripslashes($userID); $pswd = stripslashes($pswd); $userID = mysql_real_escape_string($userID); $pswd = mysql_real_escape_string($pswd); $sql="SELECT * FROM user WHERE userID='$userID' and pswd='$pswd'"; $result=mysql_query($sql); while ($r=mysql_fetch_array($result)) { $exp_date=$r["exp_date"]; $todays_date=date("Y-m-d"); } // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $userID and $pswd, table row must be 1 row if($count == 1) { session_register("userID"); session_register("pswd"); $_SESSION['userID'] = $userID; // verifies billing if ($exp_date >= $todays_date) { // billing is up to date echo "<meta http-equiv='refresh' content='0;url=session2.php'>"; } else { // billing has expired echo "<meta http-equiv='refresh' content='0;url=expBilling.php'>"; } } else { // login form for when there us an incorrect user/password echo " <div id='incorrect'>Please verify the username or password.</div> <form method='post' action='' name='login' id='login'> <div id='loginForm'> <fieldset> <span class='textbox'> <label for='username'>Username: </label> <input type='text' name='userID' size='25' class='cells' value='$userID'> <br><label for='pswd'>Password: </label> <input type='password' name='pswd' size='25'class='cells' value='$pswd'> <br><label for='pswd'> </label>Remember Me: <input type='checkbox' name='Remember' value='21'> <br><label for='blank'> </label><a href='resetPswd.php'>Forget Your Password? </a> <br><label for='blank'> </label><input type='image' value='Login' src='img/button_login.gif' width='64' height='25' onmouseover=\"javascript:this.src='img/button_login2.gif';\" onmouseout=\"javascript:this.src='img/button_login.gif';\"> <input type='hidden' name='submitLogin' value='true'> </span> </fieldset> </div> </form> "; } } else { // log in form echo " <form method='post' action='' name='login' id='login'> <div id='loginForm'> <fieldset> <span class='textbox'> <label for='username'>Username: </label> <input type='text' name='userID' size='25' class='cells'> <br><label for='pswd'>Password: </label> <input type='password' name='pswd' size='25'class='cells'> <br><label for='pswd'> </label>Remember Me: <input type='checkbox' name='Remember' value='21'> <br><label for='blank'> </label><a href='resetPswd.php'>Forget Your Password?</a> <br><label for='blank'> </label><input type='image' value='Login' src='img/button_login.gif' width='65' height='25' onmouseover=\"javascript:this.src='img/button_login2.gif';\" onmouseout=\"javascript:this.src='img/button_login.gif';\"> <input type='hidden' name='submitLogin' value='true'> </span> </fieldset> </div> </form> "; } ?> If the billing is good then user will go here <?PHP session_start(); // session timing // set timeout period in seconds $inactive = 15; // check to see if $_SESSION['timeout'] is set if(isset($_SESSION['timeout']) ) { $session_life = time() - $_SESSION['timeout']; if($session_life > $inactive) { session_destroy(); } } $_SESSION['timeout'] = time(); // END session timing if(!session_is_registered(userID)){ header("location:login.php"); } ?> <html> <body> Login Successful </body> </html> If the billing has expired user goes here <?php session_start(); // session timing // set timeout period in seconds $inactive = 15; // check to see if $_SESSION['timeout'] is set if(isset($_SESSION['timeout']) ) { $session_life = time() - $_SESSION['timeout']; if($session_life > $inactive) { session_destroy(); } } $_SESSION['timeout'] = time(); // END session timing // if the user has been timed out or not logged in if(!session_is_registered(userID)){ header("location:form.php"); } // user is logged in and their billing is good else { echo "Warning! <b>"; echo $_SESSION['userID']; echo "</b> Your billing has expired "; } // end session ?> I also created this page to test what happens when a non-subscriber trys to go to a page without logging in, it also test the billing and blocks a user whose billing is expired. <?php session_start(); // session timing // set timeout period in seconds $inactive = 15; // check to see if $_SESSION['timeout'] is set if(isset($_SESSION['timeout']) ) { $session_life = time() - $_SESSION['timeout']; if($session_life > $inactive) { session_destroy(); } } $_SESSION['timeout'] = time(); // END session timing // if the user has been timed out or not logged in if(session_is_registered(userID)){ // verify billing if user comes in directly thru this page include('library/login.php'); login(); mysql_select_db('test'); $userID = $_SESSION['userID']; $sql="SELECT * FROM user WHERE userID='$userID'"; $result=mysql_query($sql); while ($r=mysql_fetch_array($result)) { $exp_date=$r["exp_date"]; $todays_date=date("Y-m-d"); } // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $userID and $pswd, table row must be 1 row if($count == 1) { // checks dates if ($exp_date >= $todays_date) { // billing is up to date echo "Welcome: "; echo $_SESSION['userID']; } else { // billing has expired echo "<meta http-equiv='refresh' content='0;url=expBilling.php'>"; } } // END verify billing } // user is logged in and their billing is good else { echo "Welcome: "; echo "Non-user can view this stuff."; echo "<br><a href='form.php'>Click here to register</a>"; } // end session ?> These are all test pages once I get the coding right I will incorporate it into the real pages. Hello. I am coding a remember me feature. Everything is working, except i am being logged in using cookies even when i want to use a session. To login using a cookie i must select the checkbox, for sessions i must leave it blank. Here is my code, if someone could spot a mistake i would be really grateful. Login page Code: [Select] <?php ob_start(); // starting session... session_start(); // requiring connection... require("functions.php"); // assigning variables... $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']); $submit = mysql_real_escape_string($_POST['submit']); $rememberme = $_POST['rememberme']; // querying database... $query = mysql_query("SELECT * FROM users WHERE username = '$username'"); $numrows = mysql_num_rows($query); if ($numrows != 0) { while ($row = mysql_fetch_assoc($query)) { $db_username = $row['username']; $db_password = $row['password']; } } // verifying login details... if ($submit) { if (!empty($username) && !empty($password)) { if ($username == $db_username && $password == $db_password) { if ($rememberme = "on") { setcookie("username", $username, time() + 7200); header('Location: tablets.php'); } else { $_SESSION['username'] = $db_username; $url = $_SESSION['origin'] ? $_SESSION['origin'] : "main.php"; unset($_SESSION['origin']); header('Location: ' . $url); exit; } } else { echo "Incorrect login details"; } } else { echo "You must type in username and password"; } } ob_end_flush(); ?> Login form Code: [Select] <?php session_start(); require("connect.php"); if (isset($_SESSION['username']) || isset($_COOKIE['username'])) { header('Location: main.php'); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Login</title> <link rel="stylesheet" type="text/css" href="form.css" /> </head> <body> <form method="post" action="login.php"> <div class="box"> <h1>Login</h1> <label> <span>Username</span> <input type="text" class="input_text" name="username" id="name" /> </label> <label> <span>Password</span> <input type="password" class="input_text" name="password" id="password" /> </label> <input type="checkbox" name="rememberme" /> <label> <input type="submit" class="button" value="Login" name="submit" /> </label> </div> </form> </body> </html> I'm using a login form which allows me enter the pages as member only the only thing that I need to do is to include the file safe.php and the user has to login in order to see the content of this page. so far so good. if I use my subscription forms ( spread over 2 pages) the first page can be filled in properly however when I come to the second page (where I included the safe.php aswell I think I loose the session ID that I got after logging in the first time) I am redirected to the login page which I don't want. how can I avoid this? this is the content of safe.php Code: [Select] <?php // Pagina: safe.php: Includen if you want te securise your page just add it at the top of your page include("config.php"); if(isset($_SESSION['user_id'])) { // Inloggen correct, updaten laatst actief in db $sql = "UPDATE gebruikers SET lastactive=NOW() WHERE id='".$_SESSION['user_id']."'"; mysql_query($sql); }else{ if(isset($_COOKIE['user_id'])) { $sql = "SELECT wachtwoord,status FROM gebruikers WHERE id='".$_COOKIE['user_id']."'"; $query = mysql_query($sql); $rij = mysql_fetch_object($query); $dbpass = htmlspecialchars($rij->wachtwoord); $dbstatus = htmlspecialchars($rij->status); if($dbpass == $_COOKIE['user_password']) { $_SESSION['user_id'] = $_COOKIE['user_id']; $_SESSION['user_status'] = $dbstatus; }else{ setcookie("user_id", "", time() - 3600); setcookie("user_password", "", time() - 3600); echo "Cookies incorrect. Cookies verwijderd."; header("Location: inloggen.php"); } }else{ header("Location: inloggen.php"); } } ?> If you are a PHP expert, then I really your help. I have a question regarding PHP sessions and their security. So here is my story ... I created a login script (login.php) for my website. When a user goes to the login.php page, they see a login form that they must fill with their username and password to login to the members' area and view their profile, etc. On that login page, when the user enters their username and password and then clicks the "Login" button, my script filters the data, sends MySQL query and checks if the login is valid. If the login is NOT valid, then they get a "Login Failed" message. If the login is valid, I register their username and the password in sessions and redirect them to the members.php page. Here is some of my code for my login.php page after mysql confirms the login is valid <?php $query = mysql_query('SELECT * FROM `users` WHERE username='$user' AND password='$pass'"); $numRows = mysql_num_rows($query); if ( $numRows ) { // login is valid $_SESSION['username'] = $user; $_SESSION['pass'] = $pass; // redirect user to members area header('Location: /members.php'); } else { // login is invalid echo "Login failed"; } ?> My question is ... is this login script secured? I mean, I am not generating any session id or any cookie. I am just storing the username and the password in two session variables and those are the things that i will use to display the user's profile, etc. Can attackers attack this script? Is this secured or is there any other way I can make it stronger? I'm trying to build a login system and alot of the code is similar to what i used to make my news cms. basically all i wanna accomplish right now is to get the user input inserted into my database. I've already tested it out, and I get no errors, but like with the cms, the database isn't getting queryed. Here's the code: (process.php) Code: [Select] <?php $first_name=$_POST['first_name']; $last_name=$_POST['last_name']; $age=$_POST['age']; $city=$_POST['city']; $state=$_POST['state']; $country=$_POST['country']; $zip=$_POST['zip']; $birthdate=$_POST['birthdate']; $gender=$_POST['gender']; $sexuality=$_POST['sexuality']; $race=$_POST['race']; $religion=$_POST['religion']; $status=$_POST['status']; $about=$_POST['about']; $website=$_POST['website']; $user_name=$_POST['user_name']; $password=$_POST['password']; $email=$_POST['email']; mysql_connect("your hostname", "your database name", "your password") or die(mysql_error()); mysql_select_db("your database name") or die(mysql_error()); $sql = sprintf("INSERT INTO Users (first_name, last_name, age, city, state, country, zip, birthdate, gender, sexuality, race, religion, status, about, website, user_name, password, email) VALUES ('%s', '%s', '%s', '%s', '%s')", mysql_real_escape_string($first_name), mysql_real_escape_string($last_name), mysql_real_escape_string($age), mysql_real_escape_string($city), mysql_real_escape_string($state), mysql_real_escape_string($country), mysql_real_escape_string($zip), mysql_real_escape_string($birthdate), mysql_real_escape_string($gender), mysql_real_escape_string($sexuality), mysql_real_escape_string($race), mysql_real_escape_string($religion), mysql_real_escape_string($status), mysql_real_escape_string($about), mysql_real_escape_string($website), mysql_real_escape_string($user_name), mysql_real_escape_string($password), mysql_real_escape_string($email)); $result = mysql_query($sql); Print "Congratulations! You are now a registered member on yourwebsite.com!"; ?> (register/index.php) Code: [Select] <script language = "Javascript"> function Validate() { if (document.register.first_name.value == '') { alert('You have not specified your first name!'); return false; } if (document.register.last_name.value == '') { alert('You have not specified your last name!'); return false; } if (document.register.age.value == '') { alert('You have not specified your age!'); return false; } if (document.register.country.value == '') { alert('You have not entered a country!'); return false; } if (document.register.birthdate.value == '') { alert('You have not entered your date of birth!'); return false; } if (document.register.gender.value == '') { alert('You have not specified your gender!'); return false; } if (document.register.user_name.value == '') { alert('You have not entered a username!'); return false; } if (document.register.email.value == '') { alert('You have not entered an email!'); return false; } if (document.register.password.value == '') { alert('You have not entered a password!'); return false; } return true; } </script> <form name="register" method="post" action="http://www.djsmiley.net/register/process.php" onsubmit="return Validate();"> <table width="100%" border="0"> <tr> <td>First Name:</td> <td><label> <input type="text" name="first_name" id="first_name" /> </label></td> </tr> <tr> <td>Last Name:</td> <td><input type="text" name="last_name" id="last_name" /></td> </tr> <tr> <td>Age:</td> <td><input type="text" name="age" id="age" /></td> </tr> <tr> <td>City:</td> <td><input type="text" name="city" id="city" /></td> </tr> <tr> <td>State:</td> <td><input type="text" name="state" id="state" /></td> </tr> <tr> <td>Country:</td> <td><input type="text" name="country" id="country" /></td> </tr> <tr> <td>Zip:</td> <td><input type="text" name="zip" id="zip" /></td> </tr> <tr> <td>Birthdate:</td> <td><input type="text" name="birthdate" id="birthdate" /></td> </tr> <tr> <td>Gender:</td> <td><input type="text" name="gender" id="gender" /></td> </tr> <tr> <td>Sexuality:</td> <td><input type="text" name="sexuality" id="sexuality" /></td> </tr> <tr> <td>Race:</td> <td><input type="text" name="race" id="race" /></td> </tr> <tr> <td>Religion:</td> <td><input type="text" name="religion" id="religion" /></td> </tr> <tr> <td>Marital Status:</td> <td><input type="text" name="status" id="status" /></td> </tr> <tr> <td>About You:</td> <td><label> <textarea name="about" id="about" cols="45" rows="5"></textarea> </label></td> </tr> <tr> <td>Website:</td> <td><input type="text" name="website" id="website" /></td> </tr> <tr> <td width="13%">Username: </td> <td width="87%"><input type="text" name="user_name" id="user_name" /></td> </tr> <tr> <td>Email: </td> <td><input type="text" name="email" id="email" /></td> </tr> <tr> <td>Password: </td> <td><input type="password" name="password" id="password" /></td> </tr> <tr> <td> </td> <td><input name="Register Button" type="submit" class="Button1" id="Register Button" value="Register" /> <input name="Reset Button" type="reset" class="Button1" id="Reset Button" value="Clear" /></td> </tr> </table> <label></label> </form> ok i need directing to a tutorial, an easyish one that can help me do a secure login and registration system. Something that uses sessions and mysql. something with sql injection and other security. i need it very secure. hope you can help. I've abandoned my old script and switched to this one: http://www.evolt.org/node/60384 I got it working on my site just fine (djsmiley.net/members/register - you can test it out if u want). i just want to know how i can put all of the code into the pages i created using my template. It doesn't specify how this can be done in the tutorial, which is why im confused. I've tried everything but keep getting errors. Help? Hi, im getting alot of errors like so Deprecated: Function session_is_registered() is deprecated time to update some files, can you guys pls help im rubbish with PHP guess thats why I waited so long to update. here is the code I need to change checklogin.php // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "login_success.php" session_register("myusername"); session_register("mypassword"); header("location:index.php"); } index.php <? session_start(); /*if(!session_is_registered(myusername)){ header("location:main_login.php"); }*/ ?> index.php (display username stuff) <?php if(session_is_registered(myusername)){ ?> Welcome: <?= $_SESSION['myusername'] ?><?php } ?> index.php (edit content stuff) <?php $file = file_get_contents('content/menu_header_a.txt', 'r'); if(session_is_registered(myusername)){ ?><a href="javascript:open4()"><?php echo $file ?></a><?php } else { echo $file; }?> Many thanks for any and all your help with this one. if you could keep it simple please like ( replace this with this ) . thanks Hi All!
This is my first post here, so if there are some things I miss or something more I need to do please let me know.
I tried searching the forum for the answer first but could not find anything.
So here is the thing; I followed a tutorial I found about building a login system for my website. The tutorial worked perfectly, except I needed it to redirect to a user specific page instead of a static page on login. I made the necessary changes to the script, and now it redirects to the user specific page, but does not recognize that I am logged in so it will not show me the content.
In the interest of full disclosure, I am not very good at PHP and lack a fundamental understanding of it. I am enrolled in some Udemy courses to try to rectify that, but I needed the login system ASAP, so copy and paste programming was my only option. I know, I know. I am a terrible human being and should be thrown into the sun. I agree. I am in counseling to try to deal with it.
The tutorial I used can be found he http://www.wikihow.c...n-PHP-and-MySQL.
Here is the relevant code:
process_login.php:
<?php
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
$page = login($email, $password, $mysqli);
if ($page == true) {
// Login success
header('Location: '. $page);
exit();
} else {
// Login failed
header('Location: ../error.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
Hi could you help me get this login page working?
I made a form which posts to login.php the "user" and "pass".
Then this is my code for login.php: <?php include("mysql_connect.inc.php"); ?> <?php $user = $_POST['user']; $pass = $_POST['pass']; session_start(); $query = mysqli_query("SELECT * FROM users WHERE username='$user'"); $results = mysqli_query($con, $query) or die(mysqli_error($con)); $resultsarray = mysql_fetch_array($userresults); if (isset($_POST['user']) && $_POST['user'] == $query && isset($_POST['pass']) && $_POST['pass'] == $query) { $_SESSION['username'] = $_POST['user']; echo "<p>Login success. You are logged in as: " . $_SESSION['username'] . "</p>Return to mainpage, click <a href='index.php'>here</a>!"; } else { echo "<p>Wrong username or password.</p>"; } mysqli_close($con); ?> First of all hello as I am new to this forum. Ok so, I am have been trying for the past few days to create a login system in PHP for a website I am creating, and I am having serious problems. I have tryed so many tutorials and they all are not working, my conclusion is they are outdated or not fully understandable. So what I want to create - Registration Forgot password Login page Email activation Member page My hosting has the latest php and mysql as far as I know so could someone please give me an up to date simple tutorial on creating this. Lastly the program I am using is Dreamweaver CS5 Thankyou. Hi Everyone, Just a quick question before I take on this project. Basically the client has a secure server set up with folders for different clients. So they can store excel files, PDFs etc, What the client use to do was send the client an email with the http address of that clients particular folder to be able to login. What my job is to create a login system that redirects each client to their particular area on the secure system. Is this going to be difficult, What I was thinking of doing was when the administator is setting up the client details there would be an extra field saying address: they paste the address of the folder on the server. Then it will redirect them to their folder. Is this the correct way to do this. Any help or advice would be great. Hey all. I was curious what is the best practice when creating a user login system? I've seen them done in the following 2 ways. First I've seen tutorials on logins where after the post data is verified against the database a username session is created and member pages are accessed if the user session is set. Second I've seen tutorials on logins where the username session is verified against the database on every single page. What is the best practice along these lines? Cheers! I tried Googling them and what not but all I could find was useless stuff that I couldn't get to work, so I thought I would give it a crack at making my own. I don't think its that secure though. Can someone have a geeza over it? I've pretty much made it up from bits and pieces I have seen and researched. Ignore the echoes they were just for testing. Well the code was working, now it just keeps redirecting me to index. So I dunno what I fucked. Heres all the code: Index.php Code: [Select] <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> <?php include 'functions.php'; Connect(); ?> <form method="post" action="login.php"> <input type="text" name="Username" /> <input type="password" name="Password" /> <input type="hidden" name="ip" value="<?php ipget(); ?>" /> <input type="submit" /> </form> </body> </html> Login.php <?php require_once 'standalone\HTMLPurifier.standalone.php'; include "functions.php"; Connect(); $purifier = new HTMLPurifier(); $result = mysql_query("SELECT Username, Password FROM login ") or die(mysql_error()); $sorted = mysql_fetch_array($result); $name = $purifier->purify(strtolower($_POST['Username'])); $pass = $purifier->purify(md5(strtolower($_POST['Password']))); $ip = md5($_POST['ip']); $stamp = date("Ymdhis"); if ( $name == $sorted['Username'] ){ Echo "Username Correct"; if ( $pass == $sorted['Password'] ) { echo "Password is correct"; session_start(); $_SESSION['ip'] = $ip; $_SESSION['Username'] = $name; $_SESSION['Password'] = $pass; setcookie('ip', $ip, time()+3600); setcookie('name', $name, time()+3600); $ipb = $_SERVER['REMOTE_ADDR']; $orderid = "$stamp-$ipb"; $orderid = str_replace(".", "", "$orderid"); $GUID = md5(orderid); setcookie('GUID', $GUID, time()+3600); mysql_query("UPDATE login SET GUID = $GUID WHERE Username = '$name'"); header("location: admin.php"); } else { echo "password is wrong"; } } else { Echo "wrong name"; } ?> Functions.php <?php function connect(){ mysql_connect("localhost", "test", "password") or die(mysql_error()); mysql_select_db("db344475103") or die(mysql_error()); echo "Connected"; } function ipget(){ $ip = $_SERVER['REMOTE_ADDR']; echo $ip; } function check(){ session_start(); if (md5($_SERVER['REMOTE_ADDR']) == $_SESSION['ip']) { if (md5($_SERVER['REMOTE_ADDR']) == $_COOKIE['ip']) { if ($_SESSION['Username'] == $_COOKIE['name']) { if ($_COOKIE['GUID'] == mysql_query("SELECT GUID FROM login")) { } else { header("location: index.php"); session_destroy(); } } else { header("location: index.php"); session_destroy(); } } else { header("location: index.php"); session_destroy(); } } else { header("location: index.php"); session_destroy(); } } function clean(){ } ?> Admin.php Code: [Select] <?php include 'functions.php'; check(); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> Admin Area </body> </html> Yeah its a lot of code, probably most of it useless as well knowing me. My main pages looks like this... <?php include "header.php"; CONTENT include "footer.php"; ?> On the header will be my login script so on every page the script will be there so they can log in from anywhere on the site. Also, I want it all done on one page instead of being directed somewhere else. This is the code below. <?php session_start(); $message = ""; //error message needs to be blank $loginstatus = ""; //error message needs to be blank //if $_POST "username" and "password" exist, check for consistency. if (isset($_POST['username'])&&($_POST['password'])) { include 'connect.php'; //connect $username = mysql_real_escape_string($_POST['username']); //set variables from session $password = mysql_real_escape_string($_POST['password']); //set variables from session //remove slashes and HTML $username = stripslashes($username); $password = stripslashes($password); $username = strip_tags($username); $password = strip_tags($password); $password = md5($password); //md5 encryption $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"); //checking if row exists that has $username and $password together. $num = mysql_num_rows($query); //number of rows. if not equal to one login will fail. if($num==1) { $_SESSION['username'] = $username; //store session data $message = "$username, you are logged in!"; } else { $message = "<font color='red'>Wrong Username or Password. Please try again.</font>"; } } //if $_SESSION "username" and "password" exist, check for consistency. if (isset($_SESSION['username'])) { $username = $_SESSION['username']; $loginstatus = " <table cellspacing='0' cellpadding='0'> <tr> <td align='right'><b>$message</b> <a href='logout.php'>[logout]</a></td> </tr> </table> "; } else { $loginstatus = " <b>$message</b> <table cellspacing='0' cellpadding='0'> <form action='CURRENTPAGE.php' method='post'> <tr> <td><b>Username: </td> <td><input type='text' name='username' class='inputbox'></td> <td> <b>Password: </td> <td><input type='password' name='password' class='inputbox'></td> <td> <input type='submit' value='Log In' class='submitbutton'></td> </tr> </table> </form> "; } echo $loginstatus; ?> I have two questions... #1 How can I direct my page when entering the password to the current page the user is on? (look at CURRENTPAGE.php in the code for reference) #2 Security is obviously an issue at all times. How does my security look? What can I do to make this login script more secure? Thanks so much for all of those who help out. I'll be watching this forum all day everyday. This is my one page log in system. Using this on the header so guests can log in on ANY page. Let me know what you think needs improving for security. I'm also wondering if putting the include "disconnect.php"; where I have is correct. Thanks! Code: [Select] <?php session_start(); $message = ""; //error message needs to be blank $loginstatus = ""; //error message needs to be blank //if $_POST "username" and "password" exist, check for consistency. if (isset($_POST['username'])&&($_POST['password'])) { include 'connect.php'; //connect $username = mysql_real_escape_string($_POST['username']); //set variables from session $password = mysql_real_escape_string($_POST['password']); //set variables from session //remove slashes and HTML $username = stripslashes($username); $password = stripslashes($password); $username = strip_tags($username); $password = strip_tags($password); $password = md5($password); //md5 encryption $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"); //checking if row exists that has $username and $password together. $num = mysql_num_rows($query); //number of rows. if not equal to one login will fail. if($num==1) { $_SESSION['username'] = $username; //store session data $message = "$username, you are logged in!"; include "disconnect.php"; } else { $message = "<font color='red'>Wrong Username or Password. Please try again.</font>"; } } //if $_SESSION "username" and "password" exist, check for consistency. if (isset($_SESSION['username'])) { $username = $_SESSION['username']; $loginstatus = " <table cellspacing='0' cellpadding='0'> <tr> <td align='right'><b>$message</b> <a href='logout.php'>[logout]</a></td> </tr> </table> "; } else { $loginstatus = " <b>$message</b> <table cellspacing='0' cellpadding='0'> <form action='index.php' method='post'> <tr> <td><b>Username: </td> <td><input type='text' name='username' class='inputbox'></td> <td> <b>Password: </td> <td><input type='password' name='password' class='inputbox'></td> <td> <input type='submit' value='Log In' class='submitbutton'></td> </tr> </table> </form> "; } echo $loginstatus; ?> Hello everyone, I'd like to make a small object oriented login system. The problem is that I'm not very good at oop and i have only written these scripts the procedural way. So please, correct me if I'm wrong: class database - connect() class user - login() My problem is when i make a database connection in connect(), I can't use it in login(). class Database{ public function connect(){ $mysqli = new mysqli('localhost','root','','login'); } } class User{ public function login(){ // how do i use connect() from above and make a query to log the user in? } |
|||||||