Help me make a login/auth script(s)?

Mark

can someone help me? not do it for me, but tell me how to start off and stuff. know what i mean? 😃 i want it to use a database, i already have the registration form made, now i just need the script for logging in 🙂 i would be very greatful if someone could help me out 🆒

rIkLuNd

I'm not sure what to do with sessions, but I usually use cookies to make sure a user is logged in. First you should connect to MySQL and select the db. Then you have to check the data that the user have entered. This is how I do that:

$sql = "SELECT * FROM users WHERE username='$_POST[username]' AND password='$_POST[password]'";
$result = mysql_query($sql);

$nums = mysql_num_rows($result);

if($nums != 1)
{
   echo "You have entered an invalid username or password.";
}
else
{
   setcookie("User","$_POST[username]",time()+3600);
   # This cookie will expire in an hour.
   header("Location: index.php");
}

Then you could create a file that called 'verify.php', and include this in every page (not every include!):

# It's important that this code is put at the absolute top of the page!

if(isset($_COOKIE['User']))
{
   echo "Welcome, $_COOKIE[user]";
}
else
{
   header("Location: login.php");
}

Mark

okay thanx for the help, i'll see if i can get that to work, anyone else wanna help me out? 😃

suntra

BIG SECURITY HOLE !!!!

Never set a cookie with the username and/or the password. Someone who knows you do that could log in with somesone's username very easily !!! => SESSIONS ! <=

Mark

ok...so can u help me? lol

rIkLuNd

sorry about that security hole...

Well, you could make the cookie a session cookie, which means that it will vanish when the browser is restarted. Use the following code to set it:

<?php

// Change this:

setcookie("User","$_POST[username]",time()+3600);

// into this

setcookie("User","$_POST[username]",0);

suntra

That's not what a I mean.

If someone knows you can get authenticated only by sending a cookie containing a username, he can create a cookie on his computer and getting access to what he should not... I know you're gonna tell me it's hard to create a cookie with MSIE or Netscape or any other browser, but does he really need a browser ? Couldn't he simply use sockets ?! You should NEVER send a username or a password with cookies.

Kerry_Kobashi

There's various ways to do user authentication and would fill a book if we talked about it here.

Basic authentication without HTTP authenticated support boils down to the following:

a) securing the web pages by placing a small piece of PHP code at the top to determine if the user has been validated. This is basically a session variable that has been set. If set, give him access, if not, redirect to a unauthorized page

b) testing the username/password returned from a form against a database

c) encrypting/decrypting the password in the database for further security

d) log unauthorized accesses to a file

Download the code here and study it:
http://phpuserlogin.oxyscripts.com/