PHP - Is This Secure Login Script?

Hello:

I am using this tutorial to make a secure login system (if there is a "better" way, please let me know):

http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/

I am having a problem with the login form - it keeps moving to the "a_Home.php" page (the one that is suppose to be password protected) without any login information being entered.

This is the mmLogin.php page:
Code: [Select]
<?php

include('../include/myConn.php');
include('include/myAdminCodeLib.php');

session_start();
$username = $_POST['username'];
$password = $_POST['password'];

$username = mysql_real_escape_string($username);
$query = "SELECT password, salt
        FROM users
        WHERE username = '$username';";
$result = mysql_query($query);
if(mysql_num_rows($result) < 1)
{
    header('Location: mmLogin.php');
    die();
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['password'])
{
    header('Location: mmLogin.php');
    die();
}
else
{
    validateUser();
    header('Location: a_Home.php');
}

?>

<html>

<head></head>

<body>
<form name="login" action="mmLogin.php" method="post">
    Username: <input type="text" name="username" />
    Password: <input type="password" name="password" />
    <input type="submit" value="Login" />
</form>
</body>

</html>


This is the a_Home.php page:
Code: [Select]
<?php

include('include/myAdminCodeLib.php');
include('include/myCheckLogin.php');

?>

<html>

<head></head>

<body>

<a href="mmLogin.php">Log Off</a>

</body>

</html>


This is the myCheckLogin.php page:
Code: [Select]
<?php
session_start();
if(!isLoggedIn())
{
    header('Location: mmLogin.php');
    die();
}
?>

This is the myAdminCodeLib.php page:
Code: [Select]
<?php

function validateUser()
{
    session_regenerate_id ();
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $userid;
}

function isLoggedIn()
{
    if(isset($_SESSION['valid']) && $_SESSION['valid'])
        return true;
    return false;
}

function logout()
{
    $_SESSION = array();
    session_destroy();
}

?>


Can anyone tell me why this is not working?

And, am I calling the functions properly?

Thanks.

Hey all,
    I'm in the process of developing a PHP login system for the website of a team I'm involved with. I have a MySQL database already set up to hold user data, but I lack the knowledge to create a respectably secure login system. I tend to be a tad obsessive when it comes to security, and seeing different systems being implemented on various tutorials that cover this topic makes me cynical of the integrity of any of them. So, my question is: how can I create a secure login system that isn't too complex in implementation? Are there any reliable tutorials for this? Would some sort of system that uses session variables be what I'm looking for? I don't require excessive security, but privelidges gained if this system is compromised would be no small matter.

Thanks for any help.

This topic has been moved to Miscellaneous.

http://www.phpfreaks.com/forums/index.php?topic=351535.0

I have a little php site that looks up data in my crm database quickly and easily on my iphone.
Right now it's wide open because I'm in and out of it all day and trying to input uid/pw into a secure login page is a pain in the rear. (we're not talking about sensitive data here and I'm the only user.)

So, I would like to design a screen with several large graphic buttons and be able to touch those buttons in a specific sequence that would functionally allow a secure login.

Similar in concept to the android screen lock. You touch a sequence of numbered buttons and voila, the screen unlocks. It does not open a text field for data entry into two separate fields.

So if my access code was 1,2,3,4 and the screen was divided into quarters with a large number on each one, I would touch the buttons in that order and it would open the main page.

How would this best be accomplished? Is there a php function to essentially build a variable through successive key presses? then with a final submit it would just check that against a "secret code" and allow access.

Thanks for any input.   

Code: [Select]
<?php
    // Maximum file size for upload
    $maxFileSize = 5242880;
    
    // If file is too large
    if(!empty($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxFileSize)
        echo "File too large";
    else
    {
        if(isset($_POST['submit']))
        {
            // List of acceptable file types
            $whitelist = array(
                "application/vnd.openxmlformats-officedocument.wordprocessingml.document",    // .docx
                "application/msword",                                                        // .doc, .rtf
                "text/plain",
                "image/jpeg",
                "image/gif",
                "image/png",
                "application/pdf",
                "application/octet-stream",                                                    // .rar
                "application/x-zip"                                                            // .zip
            );
            
            // Is uploaded file type in whitelist array
            if(!in_array($_FILES['file_upload']['type'], $whitelist))
                exit("Bad Filetype");
            
            // Don't allow php files
            if(preg_match("/\.php.*$/i", $_FILES['file_upload']['name']))
                exit("We do not allow uploading PHP files\n");
            
            // Move the file
            $uploaddir = '../uploads/';
            $uploadfile = $uploaddir . "[" . time(). "]." . basename($_FILES['file_upload']['name']);
            
            if (move_uploaded_file($_FILES['file_upload']['tmp_name'], $uploadfile))
                exit("File is valid, and was successfully uploaded.\n");
            else
                exit("File uploading failed.\n");
        }
    }
?>
<html>
    <head>
        <title>Upload Test</title>
    </head>
    <body>
        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="multipart/form-data" method="POST">
            <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $maxFileSize; ?>" />
            <input type="file" name="file_upload" />
            <input type="submit" name="submit" value="upload" />
            <br />
            <?php echo "(Max: " . number_format($maxFileSize/1048576,0) . " MB)" ?>
        </form>
    </body>
</html>

Hi All,
I am using HTTP Session2 pear module in my project.
My logout code is

HTTP_Session2::set('user_id','');
HTTP_Session2::set('user_type','');
HTTP_Session2::regenerateId(true);
HTTP_Session2::destroy();
pageRedirect("index.php?q=registration/login");
exit;


My Check Login Script is


if(trim(HTTP_Session2::get('user_id'))=='' || trim(HTTP_Session2::get('user_type'))=='') {
        HTTP_Session2::set('user_id','');
HTTP_Session2::set('user_type','');
HTTP_Session2::regenerateId(true);
HTTP_Session2::destroy();
pageRedirect("index.php?q=registration/login");
        exit;
}



problem here is whenever I click on back button after logout then I can see the user homepage, on which I have written "Check Login Script ".

Is there a good solution available ?

Hi guys, sorry for such a newbish question.  Any help would be greatly appreciated.

HTML FORM:
Code: [Select]
<form action="form.php" method="post" onsubmit="return validateForm()" name="form">
<b>First Name:*</b>
<input type="text" name="first_name" size="50" />
<b>Last Name:*</b>
<input type="text" name="last_name" size="50" />
<b>Phone:*</b>
<input type="text" name="phone" size="50" />
<b>Email:*</b>
<input type="text" name="email" size="50" />
<p><b>What is your favorite color?*</b></p>
<p align="left">
<select name="se">
<option value="W">White</option>
<option value="G">Green</option>
<option value="Y">Yellow</option>
</select>
<input type="submit" value="Submit"/>
</form>


FORM.PHP script
Code: [Select]
<?php
$se = $_POST['se'];
$seURL = '';
switch ($se) {
  case 'W':
    $seURL = "http://url1.com";
    break;
  case 'G':
    $seURL = "http://url2.com";
    break;
  case 'O':
    $seURL = "http://url3.com";
    break;
  default:
    $seURL = "";
}
if ($seURL != "") {
/* Redirect browser */
/* make sure nothing is output to the page before this statement */
header("Location: " . $seURL);
}

// get posted data into local variables
$EmailFrom = "noreply@domain.com";                           
$EmailTo = "email@domain.com";                       
$Subject = "Form";                                         
$first_name = Trim(stripslashes($_POST['first_name'])); 
$last_name = Trim(stripslashes($_POST['last_name'])); 
$phone = Trim(stripslashes($_POST['phone'])); 
$email = Trim(stripslashes($_POST['email'])); 

// validation
$validationOK=true;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
  exit;
}

// prepare email body text
$Body = "";
$Body .= "first_name: ";
$Body .= $first_name;
$Body .= "\n";
$Body .= "last_name: ";
$Body .= $last_name;
$Body .= "\n";
$Body .= "phone: ";
$Body .= $phone;
$Body .= "\n";
$Body .= "email: ";
$Body .= $email;
$Body .= "\n";
$Body .= "color: ";
$Body .= $se;
$Body .= "\n";

// send email 
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// send email to user
if ($se=="W")
$EmailFrom = "noreply@domain.com";
$to = $email;
$subject = "form email";
$body = "thank you for filling out our form";
if (mail($to, $subject, $body, "From: <$EmailFrom>")) {
  echo("<p>Message successfully sent!</p>");
} else {
  echo("<p>Message delivery failed...</p>");
}

?>
[code]


MOD EDIT: [nobbc][code] . . . [/code][/nobbc] tags added . . .

Hello guys,

Is there on web any updated tutorial on how can I add Facebook login on my simple php login script?

Hello everyone,
I have just finished coding a logion/register/logout script.  I am quite new to PHP (this was my first task to begin the learning process!).  The scripts now work fine and gets the job done.  It incorporates a database and has a number of checks in place.  I know that the code is probably pretty ugly however and not as efficient as it could be.  Could anyone suggest places where I could improve it or security issues with it?  I have tried to secure it against sql injection; it also ensures that no fields are blank and that the two passwords in registration are the same and I have also made username a unique field in database.  Thanks in advance for any help or guidance.

Here are the scripts: index.html, checklogin.php, register.php, menu.php, and logout.php


<html>
<body>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="input" action="checklogin.php" method="post">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="login" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
<center>Not a member? <a href="./register.php">Register!</a></center>
</body>
</html>



<?php
$host="localhost";
$usr="root";
$pwd="******";
$db="*****";
$tbl_name="members";

mysql_connect($host, $usr, $pwd) or die(mysql_error());
mysql_select_db($db) or die(mysql_error());

$initialusr = $_POST['username'];
$initialpwd = $_POST['password'];
$secondusr = stripslashes($initialusr);
$secondpwd = stripslashes($initialpwd);
$pswd = mysql_real_escape_string($secondpwd);
$myusr = mysql_real_escape_string($secondusr);
$mypswd= md5($pswd);

$sql="SELECT *FROM $tbl_name WHERE username='$myusr' and password='$mypswd'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if ($count==1) {
session_start();
$_SESSION['username'] = $myusr;
header("location:menu.php");
}
else {
echo "Incorrect Username or Password";
}
?>



<?php
$host="localhost";
$usr="root";
$pwd="*****";
$db="***********";
$tbl_name="members";

mysql_connect($host, $usr, $pwd) or die(mysql_error());
mysql_select_db($db) or die(mysql_error());

if (isset($_POST['register']) && $_POST['username'] && $_POST['password'] && $_POST['confirm'] && $_POST['email'] && $_POST['password'] == $_POST['confirm']) 
{ 
$pwd = mysql_real_escape_string("$_POST[password]");
$md5pwd = md5("$pwd");
$usr = mysql_real_escape_string("$_POST[username]");
$email = mysql_real_escape_string("$_POST[email]");


$query = "INSERT INTO members (username, password, email) 
VALUES('$usr', '$md5pwd', '$email')";

mysql_query($query) or die(mysql_error());
mysql_close();

echo "You have successfully registered!";
}
else{
?>

<html>
<body>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="input" action="register.php" method="post">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Register</strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td>Confirm Password</td>
<td>:</td>
<td><input name="confirm" type="password" id="confirm"></td>
</tr>
<tr>
<td>Email</td>
<td>:</td>
<td><input name="email" type="text" id="email"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="register" value="Register"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
</body>
</html>

<?php
}
?>



<?php
session_start();
if (!isset($_SESSION['username'])){
header("location:index.html");
}
else {
?>
<html>
<body>
<?php 
$username = $_SESSION['username'];
echo "Welcome " . $username . " !";
?>
<br />
<a href = logout.php>Log out</a>
</body>
</html>
<?php
}
?>




<?php
session_start();
session_destroy();
header("location:index.html")
?>

Hi all again,

This script was working perfectly but I have not got a clue what changed in it or how and can not seem to find the problem.

The connection works, email and password variables match the mysql databases so must be my Syntax.

appreciate if you can help.


<?php

include("../cxn.php");

$sql = "SELECT password FROM Members WHERE email='$_POST[email]'";
$result = mysqli_query($cxn,$sql)
or die ("Couldn't execute query1");

$num = mysqli_num_rows($result);
if ($num >0) // Login Name found 
{
$sql = "SELECT * FROM Members WHERE email='$_POST[email]' AND password=md5('$_POST[password]')";
$result2 = mysqli_query($cxn,$sql)
or die ("Couldn't execute query2");
$num2 = mysqli_num_rows($result2);
if ($num2 > 0) // password correct
{
session_start();
$_SESSION['auth']="yes";
$_SESSION['logname'] = $_POST['email'];
$logname = $_SESSION['logname'];
$today = date("Y-m-d h:i:s");
$sql = "INSERT INTO Login (email,loginTime)
VALUES ('$logname', '$today')";
$result = mysqli_query($cxn,$sql)
or die ("Can't execute insert query");
echo "you have logged in!";
header("Location: ../$_POST[page]");
}
else 
{
$message = "The email address, '$_POST[email]' is registered, but you have not entered the correct password! Please try again.<br>";
include("../login.html");
}
}

?>

Hi I need help with my login script it says invalid password even when its correct however if i take out the md5 encryption of the password and use the encrypted password saved on mysql table it works please help? here is the code im using thanks:

Code: [Select]
<?
// Use session variable on this page. This function must put on the top of page.
session_start();

////// Logout Section. Delete all session variable.
session_destroy();

$message="";

////// Login Section.
$Login=$_POST['submit'];
if($Login){ // If clicked on Login button.
$username=$_POST['username'];
$md5_password=md5($_POST['password']); // Encrypt password with md5() function.

// Connect database.
$host="localhost"; // Host name.
$db_user="removed"; // MySQL username.
$db_password="removed"; // MySQL password.
$database="removed"; // Database name.
mysql_connect($host,$db_user,$db_password);
mysql_select_db($database);

// Check matching of username and password.
$result=mysql_query("select * from signup where username='$username' and password='$md5_password'");
if(mysql_num_rows($result)!='0'){ // If match.
session_register("username"); // Craete session username.
header("location:main.php"); // Re-direct to main.php
exit;
}else{ // If not match.
$message="--- Incorrect Username or Password ---";
}

} // End Login authorize check.
?>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title></title>

</head>

<body>
    </tr>
   <? echo $message; ?>
      <form name="register" method="post" action="<? echo $PHP_SELF; ?>">
       <tr>
         <td height="586" colspan="8" align="center" valign="top"><p>&nbsp;</p>
      <table>
              <tr>
                <td height="45" colspan="2" class="class2 style34"><div align="center"><a href="file:///F|/signin.html">Sign In</a>:</div></td>
              </tr>
              <tr>
                <td colspan="2"><div align="right"></div></td>
              </tr>

              <tr>
                <td width="76" height="45"><div align="right"><span class="class2 style34">Username<span class="style39">..</span></span></div></td>
                <td width="256"><div align="center"><span class="class2 style34">
                    <input name="username" type="text" id="username" size="20" height="14" />
                </span></div></td>
              </tr>
              <tr>
                <td height="45"><div align="right"><span class="class2 style34">Password <span class="style39">..</span></span></div></td>
                <td><div align="center"><span class="class2 style34">
                    <input name="password" type="password" id="password" size="20" height="14" />
                </span></div></td>
              </tr>
              <tr>
                <td height="45" colspan="2"><div align="center"><span class="class2 style34">
                    <input name="submit" type="submit" id="submit" value="Sign In" />
                </span></div></td>
              </tr>
            </table></td>
       </tr>
      </form>
  </table>
</div>
</body>
</html>

MOD EDIT: Database credentials removed, [code] . . . [/code] tags added.

Hey ppl

I have a login script that I found in a PHP MySQL book. And yesterday I realized that it is easy to hack this script as it use session variables and it can use cookies.

DOes anyone have login script for me that is secure and easy to implement?

It would really help!

Thanks

Hello everyone,

I am brand new to php and am starting off my journey by trying to create a simple login/register script.  I have run into a bit of difficulty, however, and cannot seem to get this to work. I know that the register script is very basic (lacks strlen check, doesn't verify that both passwords are the same, etc.), but for the time being I simply want to have a functional script.  Then I can continue learning by adding more components.  Here are the login.php, checklogin.php, and register.php files (in this order).  I believe that the login/checklogin files work, but the register file just shows the form without actually writing to DB when it is submitted.  Thank you very much for your help.

Code: [Select]
<html>
<body>
<b> Member Login </b> <br />
<form name="input" action="checklogin.php" method="post">
Username : <input type="text" name="myusername" id="username"> <br />
Password : <input type="password" name="mypassword" id="password"> <br />
<input type="checkbox" name="remember" value="checkbox"> Remember me <br />
<input type="submit" value="Login">
Not a member? <a href="./register.php">Register!</a>
</form>
</body>
</html>

Code: [Select]
<?php
$host="localhost";
$usr="root";
$pwd="";
$db="MemberDB";
$tbl_name="members";

mysql_connect($host, $usr, $pwd) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");

$myusr = $_POST['myusername'];
$mypswd = md5($_POST['mypassword']);

$myusername = stripslashes(strip_tags($myusr));
$mypassword = stripslashes(strip_tags($mypswd));
$myusername = mysql_real_escape_string($myusr);
$mypassword = mysql_real_escape_string($mypswd);

$sql="SELECT *FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if ($count==1) {
session_register("myusername");
session_register("mypassword");
header("location:menu.php");
}
else {
echo "Incorrect Username or Password";
}
?>

Code: [Select]
<?php
$host="localhost";
$usr="root";
$pwd="";
$db="MemberDB";
$tbl_name="members";

mysql_connect($host, $usr, $pwd) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");

if (isset($_POST['register'])) 
{ 

$query = "INSERT INTO members ('username', 'password', 'email') 
VALUES('$_POST[username]', 'md5($_POST[password1])', '$_POST[email]')";

mysql_query($db,$query) or die();
mysql_close();

echo "You have successfully registered!";
}
else{
?>
<html>
<body>
<b> Register</b> <br />
<form name="register" action="./register.php" method="post">
Username : <input type="text" name="username" id="username"> <br />
Password : <input type="password" name="password" id="password1"> <br />
Confirm Password : <input type="password" name="password2" id="password2"> <br />
Email: <input type="text" name="email" id="email"> <br />
<input type="submit" value="register">
</form>
</body>
</html>
<?php
}
?>

I have a login script that isn't rejecting non-users. For whatever reason, it's passing them on to the welcome page where an actual user sees user specific information. I'm newer to php, but can't for the life of me understand why the script doesn't seem to ever utilize the 'else' portion of the 'if' statement. So in short it works as expected for actual users, but non-users are not getting rejected. Below is my code. Any help is appreciated.

Code: [Select]
$sqla = "SELECT count(*) FROM authorize WHERE username='$_POST[username]' and password='$_POST[password]'";
$result = mysql_query($sqla) or die ("Error: ". mysql_error(). " with query ". $query);
$count = mysql_num_rows($result);

if($count==1) {
//start session for user

session_start();

//get company id and user first and last name
$query = mysql_query("SELECT comp_id FROM authorize WHERE username='$_POST[username]'") or die ("Error: ". mysql_error(). " with query ". $query);
$query2 = mysql_query("SELECT firstname, lastname FROM authorize WHERE username='$_POST[username]'") or die ("Error: ". mysql_error(). " with query ". $query);


$resultb = mysql_fetch_assoc($query);
$resultc = mysql_fetch_array($query2);


$_SESSION['coid'] = $resultb['comp_id'];
$_SESSION['firstn'] = $resultc['firstname'];
$_SESSION['lastn'] = $resultc['lastname'];


//get company name
$query3 = mysql_query("SELECT comp_name FROM companies WHERE comp_id='$resultb[comp_id]'") or die ("Error: ". mysql_error(). " with query ". $query);
$resultd = mysql_fetch_assoc($query3);

$_SESSION['conm'] = $resultd['comp_name'];

header("location: overview.php");

} Else {

echo "That user does not exist.";
header("location: login.html");
}