|
PHP - Login Page Without Sql That Saves Users And Password On File
Hi! I have read like crazy to find a tutorial on a login page without My_SQL. Anyway I am working on a easy login/logged out page with sessions. Here is the login page with tree users in an array.
The things that I need some hints to solve is, when clicking on login the error message don't show. Instead the script goes to the logged in page right away. And when you write the wrong password you get loged in anyway.
I am not sure how or if it's possible to write a varible to a file this way. But I tried and recived a parse error with the txt varible.
When searching for topics I get more confused with the My_SQL varibles. I am near a breaking point at cracking the first step on PHP, but need some advice.
<?php
$page_title = 'Logged in'; //Dynamic title
include('C:/wamp/www/PHP/includes/header.html');
?>
<?php
session_start();
//A array for the sites users with passwords
$users = array(
'Dexter'=>'meow1',
'Garfield'=>'meow2',
'Miro'=>'meow3'
);
//A handle to save the varible users to file on a new line from the last entry
$handle = fopen("newusers.txt, \n\r")
$txt = $users;
fclose($handle);
if(isset($_GET['logout'])) {
$_SESSION['username'] = '';
header('Location: ' . $_SERVER['PHP_SELF']);
}
if(isset($_POST['username'])) {
if($users[$_POST['username']] == $_POST['password']) {
$_SESSION['username'] = $_POST['username'];
}else {
echo "Something went wrong, Please try again";
}
}
?>
<?php
echo "<h3>Login</h3>";
echo "<br />";
?>
<!--A legend form to login-->
<fieldset><legend>Fill in your username and password</legend>
<form name="login" action="777log.php" method="post">
Username: <br />
<input type="text" name="username" value="" /><br />
Password: <br />
<input type="password" name="password" value="" /><br />
<br />
<input type="submit" name="submit" value="Login" />
</fieldset>
</form>
<?php //Footer include file
include('C:/wamp/www/PHP/includes/footer.html');
?>
The logged in page
<?php //Header
$page_title = 'Reading a file';
include('C:/wamp/www/PHP/includes/header.html');
?>
<?php
session_start();
//Use an array forthe sites users
$users = array(
'Dexter'=>'meow1',
'Garfield'=>'meow2',
'Miro'=>'meow3'
);
//
if(isset($_GET['logout'])) {
$_SESSION['username'] = '';
echo "You are now loged out";
//The user is loged out and returned to the login page
header('Location: ' . $_SERVER['PHP_SELF']);
}
if(isset($_POST['username'])) {
//Something goes wrong here when login without any boxes filled
if($users[$_POST['username']] == $_POST['password']) {
$_SESSION['username'] = $_POST['username'];
}else {
echo "Something went wrong, Please try again";
$redirect = "Location: 777.php";
}
}
?>
<?php if($_SESSION['username']): ?>
<p><h2>Welcome <?=$_SESSION['username']?></h2></p>
<p align="right"><a href="777.php">Logga ut</a></p><?php endif; ?>
<p>Today Ben&Jerrys Chunky Monkey is my favorite!</p>
<?php //Footer
include('C:/wamp/www/PHP/includes/footer.html');
?>
Similar TutorialsHi, I have a restricted area for my work's company. This is an area where registered users with their own user name and password can access to download technical documents etc. I am hearing some reports that users will have to login twice to get to the area - This happens in Chrome, IE 7/8 and some Firefox's. It has only happened to me once or twice. Does anyone know why this may be? Here is the HTML code from the login form on the index page: Code: [Select] <form name="login_form" method="post" action="log.php?action=login"> <p>Login:<br /> <input type="text" name="user" /> </p> <p>Password: <br /><input type="password" name="pwd" /> </p> <p class="submit"> <input type="submit" value="Submit" name="submit" class="submit" /> </p> </form> Here is the log.php File: (personal connection details edited) Code: [Select] <?php $hostname = "IP:3306"; $username = "user"; $password = "password"; $database = "db_name"; $link = MYSQL_CONNECT($hostname,$username,$password); mysql_select_db($database); ?> <?php session_name("MyWebsiteLogin"); session_start(); if($_GET['action'] == "login") { $conn = mysql_connect("IP:3306","user","password"); $db = mysql_select_db("db_name"); //Your database name goes in this field. $name = $_POST['user']; $ip=$_SERVER['REMOTE_ADDR']; $country = file_get_contents('http://api.hostip.info/country.php?ip='.$ip); $q_user = mysql_query("SELECT * FROM customer WHERE username='$name'"); ?> <?php $insert_query = ("INSERT INTO login(username, ip, country) VALUES ('$name','$ip','$country');"); mysql_query($insert_query) or die('Error, insert query failed'); ?> <?php if(mysql_num_rows($q_user) == 1) { $query = mysql_query("SELECT * FROM customer WHERE username='$name'"); $data = mysql_fetch_array($query); if($_POST['pwd'] == $data['password']) { session_register("name"); header("Location: http://#/download/index.php?un=$name"); // This is the page that you want to open if the user successfully logs in to your website. exit; } else { header("Location: login.php?login=failed&cause=".urlencode('Wrong Password')); exit; } } else { header("Location: login.php?login=failed&cause=".urlencode('Invalid User')); exit; } } ?> Any help or ideas would be greatly appreciated. I am trying to make a login and direct for my clients. I have all the login stuff working but can't figure out how to redirect specific clients to their pages only. Any help anyone can offer would be great. Code: [Select] <?php //Start session session_start(); //Include database connection details require_once('config.php'); //Array to store validation errors $errmsg_arr = array(); //Validation error flag $errflag = false; //Connect to mysql server $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } //Select database $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } //Sanitize the POST values $login = clean($_POST['login']); $password = clean($_POST['password']); //Input Validations if($login == '') { $errmsg_arr[] = 'Login ID missing'; $errflag = true; } if($password == '') { $errmsg_arr[] = 'Password missing'; $errflag = true; } //If there are input validations, redirect back to the login form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: login-form.php"); exit(); } //Create query $qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'"; $result=mysql_query($qry); //Check whether the query was successful or not if($result) { if(mysql_num_rows($result) == 1) { //Login Successful session_regenerate_id(); $member = mysql_fetch_assoc($result); $_SESSION['SESS_MEMBER_ID'] = $member['member_id']; $_SESSION['SESS_FIRST_NAME'] = $member['firstname']; $_SESSION['SESS_LAST_NAME'] = $member['lastname']; session_write_close(); header("location: member-index.php"); exit(); }else { //Login failed header("location: login-failed.php"); exit(); } }else { die("Query failed"); } ?> Hi guys I have a script which i've been playing around with thanks to Spiderwell: http://www.phpfreaks.com/forums/index.php?action=profile;u=35078 I have sort of merged it with another 'member managment' script which is working great. Now i can't seem to correctly create a login page to pass the hashed password using (sha1). Now all i want to do is verify the username and the (hashed) password according to the database and allow the user in. The script i am using to check login works fine without a hashed password in the database. But ideally i'd like to use a hashed form of password. Can somebody show me what change i need to make in this script below in order to pass a sha1 hashed password? I'm guessing it's a really small change from the examples i've seen online, but i just cant seem to get mine to work. :| Your help would be much appreciated. Login Page PHP: Code: [Select] <form name="login" method="post" action="check_login.php3"> <p><strong>Secured Area User Log-in</strong></p> <p>Username: <input name="bioname" type="text" id="bioname"></p> <p>Password: <input name="biopass" type="password" id="biopass"></p> <p> </p> <p><input type="submit" name="Submit" value="Login"></p> </form> Check Login Processor (which is the file i that needs the sha1 added somewhere i think) Code: [Select] <?php require_once('config.php3'); // Connect to the server and select the database. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db")or die("Unable to select database"); // $loginusername = false; $loginpassword = false; $err = false; // default error message is empty // The username and password sent from login.php //the isset() basically means if its there get it, otherwise dont bother if (isset($_POST['bioname'])) $loginusername=$_POST['bioname']; if (isset($_POST['biopass']))$loginpassword=$_POST['biopass']; // if either isnt filled in, tell the user, a very basic bit of validation if (!$loginusername || !$loginpassword) $err = "please complete the form"; if (!$err) //if no error continue { //The following bit of coding protects from MySQL injection attacks $loginusername = stripslashes($loginusername); $loginpassword = stripslashes($loginpassword); $loginusername = mysql_real_escape_string($loginusername); $loginpassword = mysql_real_escape_string($loginpassword); //you could add other things like check for text only blah blah $sql="SELECT * FROM $tbl WHERE bioname='$loginusername' and biopass='$loginpassword'"; $result=mysql_query($sql); // Count how many results were pulled from the table $count=mysql_num_rows($result); // If the result equals 1, continue if($count==1) { session_start(); $_SESSION['user'] = $loginusername; // store session data //please see I have used a session variable that is generic not specific, otherwise you will have to make this page different for every user //that would be a pain in the ass, you don't need to have user1 or user2, its the value stored that relevant, not what the variable name is header("Location: {$loginusername}/index.php3"); } else { $err = "Wrong Username or Password"; } }// end login if statement if ($err) // show error message if there is one { echo $err; echo "<br>Please go back in your browser and try again"; } ?> The secure page: Code: [Select] <?php session_start(); $mypath = $_SERVER["REQUEST_URI"]; //echo $mypath; // for debugging //now we have the path lets see if the username is in that path, i.e. test2 is inside /something/test2/index.php //use the built in strpos() function, which returns position of the last occurance of the string you are looking for inside another string. //http://php.net/manual/en/function.strrpos.php if(strpos($mypath,"/".$_SESSION['user']."/"))//on testing it failed initially as username test is found in path /test2/ so i added the slashes to stop that. so /test/ doesnt get found in /test2/ { echo "congratulations you are the right person in the right place"; } else { session_destroy(); //kill the session, naughty person trying to come here header("Location: ../login.php3"); die();// stop page executing any further } ?> <html> <body> </body> </html> Thanks and i look forward to your replies. less than 6 characters. I think it's the way my code is ordered. I've tried switching the commands around, no luck. Help please. Code: [Select] <?php //begin register script $submit = $_POST['submit']; //form data $username= strip_tags ($_POST['username']); $email= strip_tags($_POST['email']); $pwd= strip_tags($_POST['pwd']); $confirmpwd= strip_tags($_POST['confirmpwd']); $date = date("Y-m-d"); if ($submit) { //check for required form data if($username&&$pwd&&$confirmpwd&&$email) { //check length of username if (strlen($username)>25||strlen($username)<6) { echo "<p class='warning'>username must be bewteen 6 and 25 characters</p>"; } else { //check password length if (strlen($pwd)>25||strlen($pwd)<6) { echo "<p class='warning'>password must be between 6 and 25 characters</p>"; } else { //register the user echo "<p class='success'>Thanks for signing up!</p>"; } } //check if passwords match if ($pwd==$confirmpwd) { } else { echo "<p class='warning'>your passwords do not match</p>"; } //encrypt password $pwd = md5($pwd); $confirmpwd = md5($confirmpwd); //open database $connect = mysql_connect("xxxxxxxx", "xxxxxxxx", "xxxxxxxx"); mysql_select_db("digital"); //select database //register the user $queryreg = mysql_query(" INSERT INTO users VALUES ('','$username', '$email', '$pwd') "); die("<p class='success'>Thank you for signing up you have been registered"); } else { echo "<p class='warning'>please fill in all fields</p>"; } } ?> I have a user registration page that requires the user to input a Username, Password, Confirm Password, Email. If the user passes all the validation requirements for the new account, I then need to have the username, password, email fields saved to a file called 'login.dat'
Here is my code that I have so far, it runs perfectly.
<?php
include 'helpfulfunctions.inc';
include 'productsdata.inc';
$user_login_file = 'login.dat';
//var_dump($_POST);
// product data for photo, name, and price.
$alluserinfo = load_users_info($user_login_file);
//validate users info
$errors = array();
if (array_key_exists('register_submit', $_POST)) {
//check to see if username is taken
$username_entered = $_POST['username'];
//check to see if username already exists
if (array_key_exists($username_entered, $alluserinfo)) {
$errors['username']['username_exists'] = "Username already exists.";
}
//validate username is 4-11 characters long using only a-z A-Z 0-9
if(preg_match("/^[0-9a-zA-z]{4,11}$/",$_POST['username']) ===0){
$errors['username']['invalid_username']= "Invalid username. Username must be 4-11 characters long and use only letters and numbers.";
}
//validate password "." means any character
//.* allows numbers 0-9 to be inserted anywhere
//?= positive lookahead: next text must be like this and follow these rules
// must be at least 6 characters, contain 0-9, a-z, A-Z
$pw_entered=$_POST['password'];
if(preg_match("/^.*(?=.{6,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/", $_POST["password"]) === 0){
$errors['password']['invalid_password']="Password must be at least 6 characters and must contain at least one lower case letter, one upper case letter and one digit.";
}
//validate that "confirm password" matches password above
$pw_repeat=$_POST['confirmpassword'];
if($pw_repeat != $pw_entered){
$errors['confirmpassword']['pw_no_match']="Passwords do not match. Try again.";
}
//validate email format
$email_entered=($_POST['email']);
if(!filter_var($email_entered, FILTER_VALIDATE_EMAIL)){
$errors['email']['invalid_email']="Not a valid email. Please try again.";
}
//no validation errors=>print invoice
if (empty($errors)) {
include 'invoice.inc';
exit;
}
}
//reprint if invalid entry. if no errors print invoice
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
<h3>Please register to continue.</h3>
<table>
<tr>
<td>
*Username:
</td>
<td>
<input type="text" name="username"/>
<?php
if (isset($errors['username'])) {
print implode('<br>', $errors['username']);
}
?>
</td>
</tr>
<tr>
<td>
*Password:
</td>
<td>
<input type="password" name="password"/>
<?php
if (isset($errors['password'])) {
print implode('<br>', $errors['password']);
}
?>
</td>
</tr>
<tr>
<td>
*Confirm Password:
</td>
<td>
<input type="password" name="confirmpassword"/>
<?php
if (isset($errors['confirmpassword'])) {
print implode('<br>', $errors['confirmpassword']);
}
?>
</td>
</tr>
<tr>
<td>
*Email:
</td>
<td>
<input type="text" name="email"/>
<?php
if (isset($errors['email'])) {
print implode('<br>', $errors['email']);
}
?>
</td>
</tr>
<tr>
<td>
* required info <br>
<input type="submit" value="Register" name="register_submit">
<?php
//print out hiddens with quantities
save_hidden_qty($_POST['quantity']);
?>
</form>
</td>
</tr>
</table>
In case it's needed, this is the 'helpfulfunctions.inc' file and the included functions:
<?php
if (!function_exists('load_users_info')) {
function load_users_info($users_data_file) {
$fp = fopen($users_data_file, 'r');
//read all lines of login.dat file and create user info arrays
while (!feof($fp)) {
$users_info_line = fgets($fp);
$user_info_parts = explode(',', $users_info_line);
$user_info_array = array('username' => $user_info_parts[0], 'password' => $user_info_parts[1], 'email' => $user_info_parts[2]);
$complete_user_info_array[$user_info_array['username']] = $user_info_array;
}
fclose($fp);
return $complete_user_info_array;
}
}
// function to display products
if (!function_exists('display_products')) {
function display_products($products_to_display, $quantities = array()) {
global $errors;
?>
<table border="1">
<tbody>
<tr>
<td style="text-align: center;"><b><big>Product</big></b></td>
<td style="text-align: center;"><b><big>Brand</big></b></td>
<td style="text-align: center;"><b><big>Price(each)</big></b></td>
<td style="text-align: center;"><b><big>Quantity Desired</big></b></td>
</tr>
<?php
// quantities are 0 unless already inputted, if quantities previously were inputted, return the values.
// input boxes
for ($i = 0; $i < count($products_to_display); $i++) {
if (empty($quantities)) {
$qty = isset($_POST['quantity'][$i]) ? $_POST['quantity'][$i] : 0;
$qty_str = "<input type=text size=3 maxlength=3 name='quantity[$i]' value='$qty'>";
if (isset($errors['quantity'][$i])) {
$qty_str .= "<span style='font-style:italic;font-size:8px;color:red;'>{$errors['quantity'][$i]}</span>";
}
} else {
$qty_str = $quantities[$i];
}
// loop to print out table of photo of board, name of the brand, price, and quantity selected
printf('
<tr>
<td><img alt="Small" id="lightboxImage"
style="width: 119px; height: 88px; bgcolor="#cccccc;"
src="http://imgur.com/%s"
height="300" width="300"></td>
<td style="text-align: center;">%s</td>
<td style="text-align: center;">$%.2f</td>
<td style="text-align: center;">' . $qty_str . '</td>
</tr>
', $products_to_display[$i]['item'], $products_to_display[$i]['board'], $products_to_display[$i]['price']);
}
?>
<tr><td colspan="4" style="text-align: right; border: none">
<input type="submit" value="Purchase"></td></tr>
</tbody>
</table>
<?php
}
}
if (!function_exists('save_hidden_qty')) {
function save_hidden_qty($the_quantities){
foreach ($the_quantities as $key=>$value){
print "<input type='hidden' name='quantity[$key]' value='$value'>\n";
}
}
}
?>
Can anyone help me out?
I'm using this type of code below. how can my site may have access to my e-mail ? and how can I send e-mails containing passwords to users.?? please help. //code is like this// if($_POST['submit']=='Register') { // If the Register form has been submitted $err = array(); if(strlen($_POST['username'])<4 || strlen($_POST['username'])>32) { $err[]='Your username must be between 3 and 32 characters!'; } if(preg_match('/[^a-z0-9\-\_\.]+/i',$_POST['username'])) { $err[]='Your username contains invalid characters!'; } if(!checkEmail($_POST['email'])) { $err[]='Your email is not valid!'; } if(!count($err)) { // If there are no errors $pass = substr(md5($_SERVER['REMOTE_ADDR'].microtime().rand(1,100000)),0,6); // Generate a random password $_POST['email'] = mysql_real_escape_string($_POST['email']); $_POST['username'] = mysql_real_escape_string($_POST['username']); // Escape the input data mysql_query(" INSERT INTO tz_members(usr,pass,email,regIP,dt) VALUES( '".$_POST['username']."', '".md5($pass)."', '".$_POST['email']."', '".$_SERVER['REMOTE_ADDR']."', NOW() )"); if(mysql_affected_rows($link)==1) { send_mail( 'myemail@xx.net', $_POST['email'], 'sitename - Your New Password', 'Your password is: '.$pass); $_SESSION['msg']['reg-success']='We sent you an email with your new password!'; } else $err[]='This username is already taken!'; } if(count($err)) { $_SESSION['msg']['reg-err'] = implode('<br />',$err); } header("Location: demo.php"); exit; } //but while running it on local server it shows the message "failure" as I have mentioned in the index.php. please provite a template codeing to solve the problem// Can someone tell me why my php code isn't inserting users into the database. My database is made and table is made. I created a register form so my visitors can register but im getting a blank page. I has something to do with the following code
$statement = $connection->prepare('INSERT INTO users (username, email, password) VALUES (:usernamebox, :emailbox, :passwordbox)');
if ($result) {
Why is there the " : " before the usernamebox
Heres how my form looks like
<form action="register-clicked.php" method="POST"> Hi guys I am new to PHP and need som help. I have set up a site that allows a user to log in through a simple form where the data is then send to checklogin.php. Here the data is checked up against my sql database and if the login is correct the user is transfered to the "secret" members only site. All this works fine. My question is then, how do I get the members site to greet the member with "Hello 'username'"; of course where the username changes depending on the login. This is the part where the username and password is checked: <?php $host="mydbb10.surftown.dk"; // Host name $username="****"; // Mysql username $password="****"; // Mysql password $db_name="****"; // Database name $tbl_name="members"; // Table name // Connect to server and select databse. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // username and password sent from form $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; // To protect MySQL injection (more detail about MySQL injection) $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "korrekt.php" session_register("myusername"); session_register("mypassword"); echo "Tak fordi du loggede ind<br>Redirecter..."; header("location: ../forhandlerservice.php"); } else { echo "Forkert brugernavn eller password"; header("location: ../loginfejl.html"); } ?> and this is the first line of code on the members site: <? session_start(); if(!session_is_registered(myusername)){ header("location:login.html"); } ?> Sorry if I provided to much code, just want to make sure that I don't forget anything. Any help is appreciated. Thank you hi... I have a site that allows user to download some files. at present if i type http://www.abc.com/files/xyz.zip it allows all the users to access and download files. I want only the login users can access these files....... pls help how to do this. thanks in advance I have a register page that MD5 Hash's the users password and a login which also does this. However, no matter what I try it always says incorrect password. Even when I remove the MD5. Register Code: Code: [Select] <?php error_reporting (E_ALL ^ E_NOTICE); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Member System - Register</title> </head> <body> <?php if ( $_POST['registerbtn'] ){ $getuser = $_POST['user']; $getemail = $_POST['email']; $getpass = $_POST['pass']; $getretypepass = $_POST['retypepass']; if ($getuser){ if ($getemail){ if ($getpass){ if ($getretypepass){ if ( $getpass === $getretypepass ){ if ( (strlen($getemail) >= 7) && (strstr($getemail, "@")) && (strstr($getemail, ".")) ){ require("./connect.php"); $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); $numrows = mysql_num_rows($query); if ($numrows == 0){ $query = mysql_query("SELECT * FROM users WHERE email='$getemail'"); $numrows = mysql_num_rows($query); if ($numrows == 0){ $password = md5(md5("kjfiufj".$password."Fj56fj")); $date = date("F d, Y"); $code = md5(rand()); mysql_query("INSERT INTO users VALUES ( '', '$getuser', '$password', '$getemail', '0', '$code', '$date' )"); $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); $numrows = mysql_num_rows($query); if ($numrows == 1){ $site = "http://c3221281.web44.net/"; $webmaster = "Simon <admin@simon.com>"; $headers = "From: $webmaster"; $subject = "Activate Your Account"; $message = "Thanks for registering. Click the link below to activate your account.\n"; $message .= "$site/activate.php?user=$getuser&code=$code\n"; $message .= "You must activate your account to login."; if ( mail($getemail, $subject, $message, $headers) ){ $errormsg = "You have been registered. You must activate your account from the activation link sent to <b>$getemail</b>."; $getuser = ""; $getemail = ""; } else $errormsg = "An error has occueed. Your activation email was not sent."; } else $errormsg = "An error has occured. Your account was not created."; } else $errormsg = "There is already a user with that email."; } else $errormsg = "There is already a user with that username."; mysql_close(); } else $errormsg = "You must enter a valid email address to register."; } else $errormsg = "Your passwords did not match."; } else $errormsg = "You must retype your password to register."; } else $errormsg = "You must enter your password to register."; } else $errrosmg = "You must enter your email to register."; } else $errormsg = "You must enter your username to register."; } $form = "<form action='./register.php' method='post'> <table> <tr> <td></td> <td><font color='red'>$errormsg</font></td> </tr> <tr> <td>Username:</td> <td><input type='text' name='user' value='$getuser' /></td> </tr> <tr> <td>Email:</td> <td><input type='text' name='email' value='$getemail' /></td> </tr> <tr> <td>Password:</td> <td><input type='password' name='pass' value='' /></td> </tr> <tr> <td>Retype:</td> <td><input type='password' name='retypepass' value='' /></td> </tr> <tr> <td></td> <td><input type='submit' name='registerbtn' value='Register' /></td> </tr> </table> </form>"; echo $form; ?> </body> </html> Login Code: Code: [Select] <?php error_reporting (E_ALL ^ E_NOTICE); session_start(); $userid = $_SESSION['userid']; $username = $_SESSION['username']; ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Member System - Login</title> </head> <body> <?php if ($username && $userid){ echo "You are already logged in as <b>$username</b>. <a href='./member.php'>Click here</a> to go to the member page."; } else{ $form = "<form action='./login.php' method='post'> <table> <tr> <td>Username:</td> <td><input type='text' name='user' /></td> </tr> <tr> <td>Password:</td> <td><input type='password' name='password' /></td> </tr> <tr> <td></td> <td><input type='submit' name='loginbtn' value='Login' /></td> </tr> <tr> <td><a href='./register.php'>Register</a></td> <td><a href='./forgotpass.php'>Forgot your password?</a></td> </tr> </table> </form>"; if ($_POST['loginbtn']){ $user = $_POST['user']; $password = $_POST['password']; if ($user){ if ($password){ require("connect.php"); $password = md5(md5("kjfiufj".$password."Fj56fj")); // make sure login info correct $query = mysql_query("SELECT * FROM users WHERE username='$user'"); $numrows = mysql_num_rows($query); if ($numrows == 1){ $row = mysql_fetch_assoc($query); $dbid = $row['id']; $dbuser = $row['username']; $dbpass = $row['password']; $dbactive = $row['active']; if ($password == $dbpass){ if ($dbactive == 1){ // set session info $_SESSION['userid'] = $dbid; $_SESSION['username'] = $dbuser; echo "You have been logged in as <b>$dbuser</b>. <a href='./member.php'>Click here</a> to go to the member page."; } else echo "You must activate your account to login. $form"; } else echo "You did not enter the correct password. $form"; } else echo "The username you entered was not found. $form"; mysql_close(); } else echo "You must enter your password. $form"; } else echo "You must enter your username. $form"; } else echo $form; } ?> </body> </html> Many thanks for your time and help, (Main Objective) I need this login class to encrypt the password before it sends it to the database for login verification. (Alternative Solution) Force a login with just the username and captcha no password.. This is the original working script.. <? session_start(); include "config.php"; global $c; include "data.php"; global $config; require('funciones.php'); if ($_POST['username']) { session_start(); if($_POST['code']!=$_SESSION['string']){ header("Location: login.php?error=1"); } //Comprobacion del envio del nombre de usuario y password $username=uc($_POST['username']); $password=uc($_POST['password']); if ($password==NULL) { header("Location: login.php?error=2"); }else{ $query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error()); if(mysql_num_rows($query) == 0) { header("Location: login.php?error=3"); } else { $data = mysql_fetch_array($query); if($data['password'] != $password) { header("Location: login.php?error=4"); }else{ $query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error()); $row = mysql_fetch_array($query); $nicke=$row['username']; $passe=$row['password']; //90 day cookie setcookie("usNick",$nicke,time()+7776000); setcookie("usPass",$passe,time()+7776000); $lastlogdate=time(); $lastip = getRealIP(); $querybt = "UPDATE tb_users SET lastlogdate='$lastlogdate', lastiplog='$lastip' WHERE username='$nicke'"; mysql_query($querybt) or die(mysql_error()); header("Location: members.php"); // echo "Has sido logueado correctamente ".$_SESSION['s_username']." y puedes acceder al index.php."; // echo "<script>location.href='index.php';</script>"; ?> <META HTTP-EQUIV="REFRESH" CONTENT="0;URL=members.php"> <? } } } } ?> <div class="heading">Login</div><br /> <? if($_GET['error'] == 1) { print "<b>Error</b> - Wrong Captcha Code<br /><br/>"; } if($_GET['error'] == 2) { print "<b>Error</b> - Please supply a password<br /><br/>"; } if($_GET['error'] == 3) { print "<b>Error</b> - Invalid Username<br><br>"; } if($_GET['error'] == 4) { print "<b>Error</b> - Invalid Password<br /><br />"; } ?> <form action="login.php" method="post"> <table> <tr> <td class="midtext">Username:</td> <td> <input type="text" name="username" size="25" class="form" autocomplete="off"></td> </tr> <tr> <td class="midtext">Password:</td> <td> <input type="password" name="password" size="25" class="form" autocomplete="off"></td> </tr> <tr> <td class="midtext" valign="top">Security Code:</td> <td class="midtext"> <img src="image.php" onclick="this.src='image.php?newtime=' + (new Date()).getTime();">(Click to reload)<br /> <input type="text" name="code" size="17" maxlength="17" autocomplete="off" class="form"></td> </tr> <tr> <td></td> <td align="right"> <input type="submit" value="Login" name="loginsubmit" class="form"></td> </tr> </table> </form> Let me know if you need any files... Hi. I have made a login script, but I would wan't to encrypt the password. I followed a tutorial and got this: login.php <?php $password = "secret"; echo $password; /* displays secret */ $password = sha1($password); echo $password; /* displays e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 */ ?> <form action="validate.php" method="post"> <label for="username">Username</label> <input type="text" name="username" id="username" /> <br /> <label for="password">Password</label> <input type="password" name="password" id="password" /> <br /> <input type="submit" name="submit" value="Submit" /> </form> <?php ?> validate.php <?php include "setup.php"; /* get the incoming ID and password hash */ $username=$_POST['username']; $password=$_POST['password']; $password=md5($password); // Encrypted Password /* establish a connection with the database */ $server = mysql_connect("$db_host", "$db_username","$db_password"); if (!$server) die(mysql_error()); mysql_select_db("$database"); /* SQL statement to query the database */ $query = "SELECT * FROM users WHERE Username = '$username' AND Password = '$password'"; /* query the database */ $result = mysql_query($query); /* Allow access if a matching record was found, else deny access. */ if (mysql_fetch_row($result)) echo "Access Granted: Welcome, $username!"; else echo "Access Denied: Invalid Credentials."; mysql_close($server); ?> Its the line $password=md5($password); // Encrypted Password that messes everything up. If I delete it and login, everything is fine, if I add it it says Code: [Select] Access Denied: Invalid Credentials I need help with this one! And if someone have time, give me some ideas how to make PHP scripts safer! Regards Worqy Hi all,
I have been reading in almost everywhere that we should not use our own custom login and password validations ( like regex etc.) but instead use the filter_var and filter_input built in functions provided by PHP 5 and above. However even after searching for more than an hour for with different search strings, I have not found even a single example that shows how we may validate for a username/login and password in a login form. Can someone be kind enough to provide a strong secure validations for username and login.
Additionally I would also like to clarify if the username and login fields in a Login form be manipulated in any manner to pose a security threat? I mean can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat?
Thanks all.
I have dynamic images that have the "Like" button, it's basically like a wishlist. The way I want it to work is that when a user is not logged in, the 'Like' button will navigate them to a login popup (which I already made). Hello: I wanted to see if I can make my password protected pages in my admin area, and the login form "more secure." I was told I should use MD5 / SALTING / HASHING to do this. I have tried some online tutorials, but am not understanding it, so I wanted to start from what I have and build upon it> This is my database table storing the myAdmins data (when I initially insert it into the database): Code: [Select] CREATE TABLE `myAdmins` ( `id` int(4) NOT NULL auto_increment, `myUserName` varchar(65) NOT NULL default '', `myPassword` varchar(65) NOT NULL default '', PRIMARY KEY (`id`) ) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8; INSERT INTO myAdmins VALUES("1","abc","123"); This is the login form I use: Code: [Select] <?php include('../include/myConn.php'); include('include/myAdminNav.php'); session_start(); session_destroy(); $message=""; $Login=$_POST['Login']; if($Login){ $myUserName=$_POST['myUserName']; $myPassword=$_POST['myPassword']; $result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$myPassword'"); if(mysql_num_rows($result)!='0'){ session_register("myUserName"); header("location:a_Home.php"); exit; }else{ $message="<div class=\"myAdminLoginError\">Incorrect Username or Password</div>"; } } ?> <form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>"> <? echo $message; ?> Username: <input name="myUserName" type="text" id="myUserName" size="40" /> Password: <input name="myPassword" type="password" id="myPassword" size="40" /> <input name="Login" type="submit" id="Login" value="Login" /> </form> This is the code on top of each page I password protect: Code: [Select] <? session_start(); if(!session_is_registered(myUserName)){ header("location:Login.php"); } ?> Works well, but can it be "better"?? And, if I am allowing the admin to update his/her username or password, I do it this way: Code: [Select] <?php include('../include/myConn.php'); include('include/myCheckLogin.php'); if ($_SERVER['REQUEST_METHOD'] == 'POST') { $myUserName = mysql_real_escape_string($_POST['myUserName']); $myPassword = mysql_real_escape_string($_POST['myPassword']); $sql = " UPDATE myAdmins SET myUserName = '$myUserName', myPassword = '$myPassword' "; mysql_query($sql) && mysql_affected_rows() ?> <?php } $query=mysql_query("SELECT * FROM myAdmins") or die("Could not get data from db: ".mysql_error()); while($result=mysql_fetch_array($query)) { $myUserName=$result['myUserName']; $myPassword=$result['myPassword']; } ?> <form method="post" action="<?php echo $PHP_SELF;?>"> <input type="hidden" name="POSTBACK" value="EDIT"> Username: <input type="text" size="60" maxlength="60" name="myUserName" value="<?php echo $myUserName; ?>"> Password: <input type="password" size="60" maxlength="60" name="myPassword" value="<?php echo $myPassword; ?>"> <input type="submit" value="Submit" /> </form> Should it be "better" .. ?? I don't seem to understand how to "encrypt" all of this to make it "stronger" .. Ideas? Improvements? Alright, I've been assigned a project at work. I did not develop the application and the individual who did used CodeIgnited framework and mysql as the db.
Here's the problem, I'm not given much OT to do this and in our meeting the best way to proceed was to replicate the database for different parts of the organization. Basically we are a subsidiary and have been using an application that other groups within the organization want to use. Usually I would reconfigure the db schema and add org ids and in the user table add the appropriate organization to go to. However, they are not giving me enough time to do that.
So what I'm thinking is to just create a copy of the database we use (just the structure) and create a new database.
What I want to know is how to use mysql to check to see if a user exists in one database and if they don't then to go on to the next database. I understand this is a very sloppy way to do it, but it's the way we are moving forward.
I found the code to connect to the db in CodeIgnitor... how can I connect to a database, check to see if the user exists, then close that db connection and try the next database?
/**
* Select the database
*
* @access private called by the base class
* @return resource
*/
function db_select()
{
return @mysql_select_db($this->database, $this->conn_id);
}
Thanks in advance.
Hello everyone: I wanted to see how I can make a simple login page (user name and password) that redirects to a page(s) if the login is correct. Also, I wanted to put protection on the page(s) that will send the user back to the login page if the credentials are nor correct. I would imagine the username/password would be stored in a database table (Admins), and the correct login info would be stored in a session ..? I am use to doing this with ASP, but never PHP. I want to make sure I understand how to do this properly and securely so I can use this as a model for other systems. In ASP I would do a protected page like this: a_login_check.asp Code: [Select] <% if session("admin_user_name") = "" then session.abandon response.redirect "login.asp" end if %> Protected-Page.asp Code: [Select] <!-- #include file="include/a_check_login.asp" --> <html> ... CONTENT ... </html> And of course there is the login page itself ... (I thought it would be nice to add a "Forgot Password" link on the login page, but if that is too complicated I can do that later .. or is it easy ??) Anyway, can someone point-out to me how to do this. I would appreciate it! Hello Everyone, I recent made a simple membership website. Every page I created works exactly how I envisioned it... All members data from my registration form goes into my database along with their md5 Encrypted passwords with a time-stamp. Subsequent pages have a start_session included. I am very please with it except ONE THING. Logging in is now a problem... username is recognized but NOT the password. Now the strange thing is that when I go into the database and copy the encrypted password and paste it into the password field in my login page, I miraculously get into my website with NO problem. " How do I get the registered members Encrypted Passwords to be recognized by the database when the registered members decide to logging in with the password that they create? " Is there a easy fix for this? I appreciate ALL your help... thanks mrjap1 hi i need help an idea how can i separate members from admins since i dont know how to create login form i used tutorial ( http://www.youtube.com/watch?v=4oSCuEtxRK8 ) (its session login form only that i made it work other tutorials wre too old or something) how what i want to do is separate members and admins because admin need more rights to do now i have idea but dont know will it work like that what i want to do is create additional row in table named it flag and create 0 (inactive user) 1 (member) 2 (admin) will that work? and how can i create different navigation bars for users and admins? do you recommend that i use different folders to create it or just script based on session and flag? |
|||||||