PHP - Cookie Handling In Login Script

Hello guys,

Is there on web any updated tutorial on how can I add Facebook login on my simple php login script?

Hey guys, first i have to say im from germany my english is not so good, i hope you understand the most things 

okay lets start, i have a cookie from site XY, i see the cookie in my browser, and now i want to save the cookie if someone goes to my website, the cookie is not on my website, i only want that the cookies displayed on my website or saved into the log.txt

Code: [Select]
<?php
$jsi = $_COOKIES['JSESSIONID'];
$current = file_get_contents('log,txt');
$current .= "\n$jsi";
file_put_contents('log.txt', $current);
?>

but this code saves only the cookies on my own website, but i want a cookie from another website, all cookies are in my browser saved i want to read and save them. i hope you can help and understand me   

Quote from: scootstah on November 30, 2011, 01:19:13 PM


Code: [Select]
function hash_password($password, $salt = null) {
// create a salt if not already defined
if (is_null($salt))
$salt = substr(sha1(uniqid(mt_rand(), true), 0, 10);

// $password will be plaintext at this point

// $site_key should be a large random string statically
// located in a file with secure permissions

$hash = hash_hmac('sha512', $password . $salt, $site_key);

return array('hash' => $hash, 'salt' => $salt);
}

$password = 'abcdef';

$pass = hash_password($password);




First off I just want to say thank you for the valuable information I have been reading in this topic (for a few days) and I have updated my pages accordingly.

My passwords are now salted with a random encrypted string and I am using sha1 but would like to switch to sha512. So I am playing around with some code to learn more about how it works and have noticed that:

sha1(test) returns a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
but
sha512(test) just crashes the page.

Can anyone help me understand why this is?

Hey, could someone help me with login script ? I've got registration script.

It contains 3 files:

reg.php
<?php

require_once 'database.php';
?>

<h1><strong>Register</strong></h1>

<form name="register" method="post" action="regcheck.php">

  <label>
  <input type="text" name="user" id="user"> Username<br />
  </label>
  
  <br />
  
  <label>
  <input type="password" name="pass" id="pass"> Password<br />
  </label>
  
  <br />
  
  <label>
  <input type="text" name="email" id="email"> Email<br />
  </label>
  
  <label>
  <input type="submit" name="reg" id="reg" value="Register">
  </label>
  
</form>

regcheck.php
<?php
$email = $_POST['email'];

if(
    isset( $_POST['user'] ) &&
    isset( $_POST['pass'] ) &&
    isset( $_POST['email'] )
)
{
    if( strlen( $_POST['user'] ) < 4 )
    {
        echo "Username is too short";
    }
    elseif( strlen( $_POST['pass'] ) < 4 )
    {
        echo "Password is too short";
    }
    elseif(!filter_var($email, FILTER_VALIDATE_EMAIL))
{
    echo "Bad email address";
}  
    elseif( $_POST['pass'] == $_POST['user'] )
    {
        echo"Username and password can't be the same";
    }
    else
    {
        include( 'database.php' );

        $username = mysql_real_escape_string( $_POST['user'] );
        $password = mysql_real_escape_string( $_POST['pass'] );
        $email = mysql_real_escape_string( $_POST['email'] );

        $sqlCheckForDuplicateN = "SELECT username FROM user WHERE username = '". $username ."'";
$sqlCheckForDuplicateE = "SELECT email FROM user WHERE email = '". $email ."'";
        
        if( mysql_num_rows( mysql_query( $sqlCheckForDuplicateE ) ) == 0 && mysql_num_rows( mysql_query( $sqlCheckForDuplicateN ) ) == 0 )
        {
            $sqlRegUser =     "INSERT INTO
                        user( username, password, email )
                    VALUES(
                        '". $username ."',
                        '". $password ."',
                        '". $email ."'
                        )";

            if( !mysql_query( $sqlRegUser ) )
            {
                echo "You Could Not Register Because Of An Unexpected Error.";
            }
            else
            {
                echo "You Are Registered And Can Now Login";
            }
        }
        elseif( !(mysql_num_rows( mysql_query( $sqlCheckForDuplicateE ) ) == 0))
        {
            echo "The Email You Have Entered Is Already Being Used. Please Try Another One.";
        }
        elseif( !(mysql_num_rows( mysql_query( $sqlCheckForDuplicateN ) ) == 0))
        {
            echo "The Username You Have Entered Is Already Being Used. Please Try Another One.";
        }
        elseif( !(mysql_num_rows( mysql_query( $sqlCheckForDuplicateE ) ) == 0) && !(mysql_num_rows( mysql_query( $sqlCheckForDuplicateN ) ) == 0))
        {
            echo "The Email and Username You Have Entered Is Already Being Used. Please Try Another One.";
        }
        
        
    }
}
else
{
    echo "You Could Not Be Registered Because Of Missing Data.";
}
?>

database.php
<?
$con = mysql_connect('host','username','password');
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db('dbname');
?>


So could someone help me with login ???

Hi I need help with my login script it says invalid password even when its correct however if i take out the md5 encryption of the password and use the encrypted password saved on mysql table it works please help? here is the code im using thanks:

Code: [Select]
<?
// Use session variable on this page. This function must put on the top of page.
session_start();

////// Logout Section. Delete all session variable.
session_destroy();

$message="";

////// Login Section.
$Login=$_POST['submit'];
if($Login){ // If clicked on Login button.
$username=$_POST['username'];
$md5_password=md5($_POST['password']); // Encrypt password with md5() function.

// Connect database.
$host="localhost"; // Host name.
$db_user="removed"; // MySQL username.
$db_password="removed"; // MySQL password.
$database="removed"; // Database name.
mysql_connect($host,$db_user,$db_password);
mysql_select_db($database);

// Check matching of username and password.
$result=mysql_query("select * from signup where username='$username' and password='$md5_password'");
if(mysql_num_rows($result)!='0'){ // If match.
session_register("username"); // Craete session username.
header("location:main.php"); // Re-direct to main.php
exit;
}else{ // If not match.
$message="--- Incorrect Username or Password ---";
}

} // End Login authorize check.
?>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title></title>

</head>

<body>
    </tr>
   <? echo $message; ?>
      <form name="register" method="post" action="<? echo $PHP_SELF; ?>">
       <tr>
         <td height="586" colspan="8" align="center" valign="top"><p>&nbsp;</p>
      <table>
              <tr>
                <td height="45" colspan="2" class="class2 style34"><div align="center"><a href="file:///F|/signin.html">Sign In</a>:</div></td>
              </tr>
              <tr>
                <td colspan="2"><div align="right"></div></td>
              </tr>

              <tr>
                <td width="76" height="45"><div align="right"><span class="class2 style34">Username<span class="style39">..</span></span></div></td>
                <td width="256"><div align="center"><span class="class2 style34">
                    <input name="username" type="text" id="username" size="20" height="14" />
                </span></div></td>
              </tr>
              <tr>
                <td height="45"><div align="right"><span class="class2 style34">Password <span class="style39">..</span></span></div></td>
                <td><div align="center"><span class="class2 style34">
                    <input name="password" type="password" id="password" size="20" height="14" />
                </span></div></td>
              </tr>
              <tr>
                <td height="45" colspan="2"><div align="center"><span class="class2 style34">
                    <input name="submit" type="submit" id="submit" value="Sign In" />
                </span></div></td>
              </tr>
            </table></td>
       </tr>
      </form>
  </table>
</div>
</body>
</html>

MOD EDIT: Database credentials removed, [code] . . . [/code] tags added.

Hello everyone,
I have just finished coding a logion/register/logout script.  I am quite new to PHP (this was my first task to begin the learning process!).  The scripts now work fine and gets the job done.  It incorporates a database and has a number of checks in place.  I know that the code is probably pretty ugly however and not as efficient as it could be.  Could anyone suggest places where I could improve it or security issues with it?  I have tried to secure it against sql injection; it also ensures that no fields are blank and that the two passwords in registration are the same and I have also made username a unique field in database.  Thanks in advance for any help or guidance.

Here are the scripts: index.html, checklogin.php, register.php, menu.php, and logout.php


<html>
<body>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="input" action="checklogin.php" method="post">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="login" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
<center>Not a member? <a href="./register.php">Register!</a></center>
</body>
</html>



<?php
$host="localhost";
$usr="root";
$pwd="******";
$db="*****";
$tbl_name="members";

mysql_connect($host, $usr, $pwd) or die(mysql_error());
mysql_select_db($db) or die(mysql_error());

$initialusr = $_POST['username'];
$initialpwd = $_POST['password'];
$secondusr = stripslashes($initialusr);
$secondpwd = stripslashes($initialpwd);
$pswd = mysql_real_escape_string($secondpwd);
$myusr = mysql_real_escape_string($secondusr);
$mypswd= md5($pswd);

$sql="SELECT *FROM $tbl_name WHERE username='$myusr' and password='$mypswd'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if ($count==1) {
session_start();
$_SESSION['username'] = $myusr;
header("location:menu.php");
}
else {
echo "Incorrect Username or Password";
}
?>



<?php
$host="localhost";
$usr="root";
$pwd="*****";
$db="***********";
$tbl_name="members";

mysql_connect($host, $usr, $pwd) or die(mysql_error());
mysql_select_db($db) or die(mysql_error());

if (isset($_POST['register']) && $_POST['username'] && $_POST['password'] && $_POST['confirm'] && $_POST['email'] && $_POST['password'] == $_POST['confirm']) 
{ 
$pwd = mysql_real_escape_string("$_POST[password]");
$md5pwd = md5("$pwd");
$usr = mysql_real_escape_string("$_POST[username]");
$email = mysql_real_escape_string("$_POST[email]");


$query = "INSERT INTO members (username, password, email) 
VALUES('$usr', '$md5pwd', '$email')";

mysql_query($query) or die(mysql_error());
mysql_close();

echo "You have successfully registered!";
}
else{
?>

<html>
<body>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="input" action="register.php" method="post">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Register</strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td>Confirm Password</td>
<td>:</td>
<td><input name="confirm" type="password" id="confirm"></td>
</tr>
<tr>
<td>Email</td>
<td>:</td>
<td><input name="email" type="text" id="email"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="register" value="Register"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
</body>
</html>

<?php
}
?>



<?php
session_start();
if (!isset($_SESSION['username'])){
header("location:index.html");
}
else {
?>
<html>
<body>
<?php 
$username = $_SESSION['username'];
echo "Welcome " . $username . " !";
?>
<br />
<a href = logout.php>Log out</a>
</body>
</html>
<?php
}
?>




<?php
session_start();
session_destroy();
header("location:index.html")
?>

please check the login script ...its failed in loading to the home page.! and its not working  login.php   6.69KB   9 downloads  login.php   6.69KB   9 downloads

Hey everyone. I currently have a login script that uses cookies to check if the user is logged in. But I have been told that even if I have used md5() then the the password is still at risk, so I was wondering if using sessions would be better, or if there was some way to make the passwords in the cookies more secure? Here is the code I currently have to secure passwords in the cookie: Code: [Select]
$_POST['pass'] = md5($_POST['pass']);
  if (!get_magic_quotes_gpc()) {
  $_POST['pass'] = addslashes($_POST['pass']);
  $_POST['username'] = addslashes($_POST['username']);
  }

Hey so this is my login script but when i enter something into the username and password box and submit it, the page just refreshes.  

<?php


echo "


<h1>LOGIN</h1>
<form action='' method='POST'>
<table>
<tr>
<td>
<b>Username:</b>
</td>
<td>
<input type='text' name='username' placeholder='Enter your username'>
</td>
</tr>
<tr>
<td>
<b>Password:</b>
</td>
<td>
<input type='password' name='password' placeholder='Enter your password'>
</td>
<td>
<input type='submit' value='login' name='submit'>
</td>
</tr>
</form>
";


$host = "localhost";
$username = "root";
$password = "";
$db_name = "website";


mysql_connect("$host", "$username", "$password") or die("Could not connect");
mysql_select_db("$db_name") or die("Could not find database");


if(isset($_POST['submit'])) {
if(!empty($_POST['username'])) {
$sql = "SELECT * FROM members WHERE username='$username' AND password='$password'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);


if($count==1) {
$row = mysql_fetch_array($sql);
$bancheck = mysql_query($row);
if($row['active']==0 && count==0) {
include 'userban.html';
} else if($count==1 && $bancheck==1) {
$_SESSION['username'] = "$username";
include '/home/user/index.php';
} else {
echo "You entered invalid information";
}
}
}
}


?>

Hi, I am trying to make a login script that uses the user's id from the database, and tries to match it up with the user and password sent by the login form. My checklogin.php page, just jumps back to the index.php page for some reason. I don't know why. I get the following errors, any help greatly appreciated. thank you.


Notice: Undefined index: myusername in /hermes/bosweb/web173/b1739/public_htmlchecklogin.php on line 19

Notice: Undefined index: mypassword in /hermes/bosweb/web173/b1739/public_html/checklogin.php on line 20
Wrong Username or Password

Here is my code to check the id. I can't figure out what is wrong.

Code: [Select]
<?php 

ini_set ("display_errors", "1");
error_reporting(E_ALL);
$host = "";
$database  = "";
$username  = "";
$password  = ""; 
$tbl_name   = "users";
$conn = mysql_connect($host, $username, $password) or die("Could not connect: " . mysql_error());

if($conn)
{
mysql_select_db($database);
} else {
  echo "failed to select database";
}
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT id FROM $tbl_name WHERE username='$myusername' and password= SHA1('$mypassword')";
$result=mysql_query($sql);
$query_data = mysql_fetch_row($result);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result)
;
// If result matched id, table row must be 1 row
if($count==1){
session_start();

     $_SESSION['userid']=$query_data[0];


header("location:login_success.php");
}

else {
echo "Wrong Username or Password";
}

?>

hi guys,

any help will be much appreciated!!

basically i have a login script, that i want to check mutliple tables and i am stuggling to get it to work!

what i have is basically:


<?php
   session_start();
   $_SESSION['loggedin'] = false;
   include("functions.php");
   extract($_POST);
   
   $query = "SELECT * From table1 WHERE email='$email' and password='$password';";
   $result = doQuery($query);
   if($result==false)   {
      
      $query = "SELECT * From table2 WHERE email='$email' and password='$password';";
   $result = doQuery($query);
   if($result==false)   {
      
      
      $query = "SELECT * From table3 WHERE email='$email' and password='$password';";
   $result = doQuery($query);
   if($result==false)   {
      
      
      
      $query = "SELECT * From table4 WHERE email='$email' and password='$password';";
   $result = doQuery($query);
   if($result==false)   {
      
   }   else {
         if(mysql_num_rows($result))   {
            $row = mysql_fetch_assoc($result);
            $_SESSION['loggedin'] = true;
            $_SESSION['id'] = $_POST['id'];
            header("Location:1");
   }   else {
         header("Location:wrong.php");
   }
   }   
      
   }   else {
         if(mysql_num_rows($result))   {
            $row = mysql_fetch_assoc($result);
            $_SESSION['loggedin'] = true;
            $_SESSION['id'] = $_POST['id'];
            header("Location:2");
   }   else {
         header("Location:wrong.php");
   }
   }   

   }   else {
         if(mysql_num_rows($result))   {
            $row = mysql_fetch_assoc($result);
            $_SESSION['loggedin'] = true;
            $_SESSION['id'] = $_POST['id'];
            header("Location:3");
   }   else {
         header("Location:wrong.php");
   }
   }   
         
   }   else {
         if(mysql_num_rows($result))   {
            $row = mysql_fetch_assoc($result);
            $_SESSION['loggedin'] = true;
            $_SESSION['id'] = $_POST['id'];
            header("Location:4");
   }   else {
         header("Location:wrong.php");
   }
   }   
?>

I am looking to use this for an admin panel.   session_start.php

"session_start()"
"if statement" where it checks if a successful login is given

Is it necessary to include "session_start.php" into the top of each script file?   If I just include "session_start.php" into the top of the "main" file where the other script files are included inside of the "main" as well, then I have it in ways where the other script files could get called up through the URL.(?)   I thought it is a bit too much to include "session_start.php" into each script file.   Is there a way where this can be done with more simple ways?   I would appreciate the suggestions a lot.

Okay, a few of you have been helping me with a login script problem. I have changed it quite a bit again, but I am still running into a little bit of a problem.

When I click the submit button it just clears the form fields and stays on the login page. Also, I have used error_reporting(E_ALL) to help me out with debugging. I took care of three bugs on my own but I cant seem to clear the two remaining bugs and the fact that it is not forwarding me to any page with my header statement. 

Thanks for your help in advance!

Here is my code from my 'login.php' file.


<?php
session_start();
error_reporting (E_ALL);
include("config.php");
if($_SERVER["REQUEST_METHOD"] == "POST")
{
// username and password sent from form 
$myusername=addslashes($_POST['username']); 
$mypassword=addslashes($_POST['password']); 

$sql="SELECT id FROM admin WHERE username='$myusername' and passcode='$mypassword'";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
$active=$row['active'];
$count=mysql_num_rows($result);


// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1)
{
session_register("myusername");
$_SESSION['login_user']=$myusername;
header("location: main_interface.php");
}
else 
{
$error="The username or password you entered is invalid, please check your credentials and try again";
}
}
?>
<form action="" method="post">
<label>Username :</label>
<input type="text" name="username"/><br />
<label>Password :</label>
<input type="password" name="password"/><br/>
<input type="submit" value=" Submit "/><br />
</form>


Here are the error messages on the page

Notice: Undefined index: active in login.php on line 20

Warning: Cannot modify header information - headers already sent by (output started at login.php:1) in login.php on line 29



Thanks in advance for your help!

Hi all again,

This script was working perfectly but I have not got a clue what changed in it or how and can not seem to find the problem.

The connection works, email and password variables match the mysql databases so must be my Syntax.

appreciate if you can help.


<?php

include("../cxn.php");

$sql = "SELECT password FROM Members WHERE email='$_POST[email]'";
$result = mysqli_query($cxn,$sql)
or die ("Couldn't execute query1");

$num = mysqli_num_rows($result);
if ($num >0) // Login Name found 
{
$sql = "SELECT * FROM Members WHERE email='$_POST[email]' AND password=md5('$_POST[password]')";
$result2 = mysqli_query($cxn,$sql)
or die ("Couldn't execute query2");
$num2 = mysqli_num_rows($result2);
if ($num2 > 0) // password correct
{
session_start();
$_SESSION['auth']="yes";
$_SESSION['logname'] = $_POST['email'];
$logname = $_SESSION['logname'];
$today = date("Y-m-d h:i:s");
$sql = "INSERT INTO Login (email,loginTime)
VALUES ('$logname', '$today')";
$result = mysqli_query($cxn,$sql)
or die ("Can't execute insert query");
echo "you have logged in!";
header("Location: ../$_POST[page]");
}
else 
{
$message = "The email address, '$_POST[email]' is registered, but you have not entered the correct password! Please try again.<br>";
include("../login.html");
}
}

?>

Hello everyone,

I am brand new to php and am starting off my journey by trying to create a simple login/register script.  I have run into a bit of difficulty, however, and cannot seem to get this to work. I know that the register script is very basic (lacks strlen check, doesn't verify that both passwords are the same, etc.), but for the time being I simply want to have a functional script.  Then I can continue learning by adding more components.  Here are the login.php, checklogin.php, and register.php files (in this order).  I believe that the login/checklogin files work, but the register file just shows the form without actually writing to DB when it is submitted.  Thank you very much for your help.

Code: [Select]
<html>
<body>
<b> Member Login </b> <br />
<form name="input" action="checklogin.php" method="post">
Username : <input type="text" name="myusername" id="username"> <br />
Password : <input type="password" name="mypassword" id="password"> <br />
<input type="checkbox" name="remember" value="checkbox"> Remember me <br />
<input type="submit" value="Login">
Not a member? <a href="./register.php">Register!</a>
</form>
</body>
</html>

Code: [Select]
<?php
$host="localhost";
$usr="root";
$pwd="";
$db="MemberDB";
$tbl_name="members";

mysql_connect($host, $usr, $pwd) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");

$myusr = $_POST['myusername'];
$mypswd = md5($_POST['mypassword']);

$myusername = stripslashes(strip_tags($myusr));
$mypassword = stripslashes(strip_tags($mypswd));
$myusername = mysql_real_escape_string($myusr);
$mypassword = mysql_real_escape_string($mypswd);

$sql="SELECT *FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if ($count==1) {
session_register("myusername");
session_register("mypassword");
header("location:menu.php");
}
else {
echo "Incorrect Username or Password";
}
?>

Code: [Select]
<?php
$host="localhost";
$usr="root";
$pwd="";
$db="MemberDB";
$tbl_name="members";

mysql_connect($host, $usr, $pwd) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");

if (isset($_POST['register'])) 
{ 

$query = "INSERT INTO members ('username', 'password', 'email') 
VALUES('$_POST[username]', 'md5($_POST[password1])', '$_POST[email]')";

mysql_query($db,$query) or die();
mysql_close();

echo "You have successfully registered!";
}
else{
?>
<html>
<body>
<b> Register</b> <br />
<form name="register" action="./register.php" method="post">
Username : <input type="text" name="username" id="username"> <br />
Password : <input type="password" name="password" id="password1"> <br />
Confirm Password : <input type="password" name="password2" id="password2"> <br />
Email: <input type="text" name="email" id="email"> <br />
<input type="submit" value="register">
</form>
</body>
</html>
<?php
}
?>