login scripting

ravingcommie

I need to do a simple login script, I don't really mind how, either calling up from .htusers, .htgroups and .htaccess files, or more perferably, through a database, and maybe a register script where then I have to activate the user?

I have tried to have a good bash at this myself, so any help at all would be great

Thanks alot

ravingcommie :rolleyes:

TheIceman5

i will say the usual for a milionth time, www.hotscripts.com

ravingcommie

I was planning to build my own, not search a script site...

...I've already done that with the PHP Resource Index anyways

TheIceman5

yeah, go there look at how they have done their scripts nad copy and modify for yourself. thats how i learn stuff, works perfect.

binarylime

I'm up late working and I stopped by to get some help on a simple issue when I noticed your login script question.

I started using this website about a month ago BECAUSE of this very question...

So, if you don't mind... here is my spill.

I started out with a simple login script that verified a password against a mysql database and let them proceed to other pages buried in my site. I later learned that there a tricks to bypass this security, so I basically made a login script that retained a users login name and password (md5 encrypted) and each page they went to rechecked their information and state to ensure they were indeed logged in.

I'm no PHP expert, so I can't guarantee security -- I just know that nobody has broken anything of mine yet... you know, those foolish hacker types. So, here is my example.

#0. A few notes... I did set PHP to register_globals on. This basically means variables are stored as globals and can be used all over the place.... I think.

#1. Create a database in MySQL to retain user specific information. Basically, use this script (copy and paste into a file and name it test.dbschema) to create the appropriate database for this example :

drop database if exists test;

Checks if database named test exists. If it does, delete it.

create database test;

Create a new datbase called test

grant select, insert, update, delete, file on test.* to user@localhost identified by "password";

Grant access to user namned user with password as its password

use test;

Use the database you just created

drop table if exists users;

create users table

create table users (
user_id int(10) not null, auto_increment,
username varchar(70) not null,
password varchar(70) not null,
realname varchar(70) not null,
primary_key (user_id)
) TYPE = MyISAM;

Now, what you have done is created a database and your users table. The table holds an auto-incremented user id (ie 0,1,2,3,etc), username that is 70 characters long, password that is 70 characters long, and the users real name.

#2. Now, you want to add a user. We also WANT to encrypt their password using md5sum. MD5 is a one way encryption, meaning you can't decode it. I'll explain more later...

So, from your unix prompt, type :

echo dummy | md5sum

It should output the following :

f02e326f800ee26f04df7961adbf7c0a -

f02e326f800ee26f04df7961adbf7c0a is the encrypted password for dummy.

To add a dummy user, execute the following MySQL command :

insert into users values ('','dummy','f02e326f800ee26f04df7961adbf7c0a','Dummy User');

You have just added a user called dummy with password dummy that is encrypted.

#3. Build a webpage with a basic FORM so a user can enter the username and password. Call it index.html :

<html>
<form method="POST" action="validatelogin.php">
Username : <input type="text" name="username" size=20>
Password : <input type="password" name="password" size=20>
<input type="submit" name="submit" value="Submit Login">
</form>
</html>

The above creates a simple HTML page that grabs the users input for their username and password and stores them into the variables username and password.

These variables are sent to your next file called validatelogin.php

#4. Validatelogin.php. Create this file -- it looks like this :

<?php
session_start();

// First, encrypt the password sent from index.html
$password = md5($password);
// now, your password should look like what is stored in the database

// Next, open your database connection
$dbHost = "localhost";
$dbUser = "user";
$dbPass = "password";
$dbDatabase = "test";

   $db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");

    mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

// You now have a connection to the database.
// Now, you'll want to scan all of your users in the user table to see if this user exists and has this password

$result = mysql_query("select * from user", $db);
// this runs the select command and stores all the user information in the result array

// run a while loop and check for the valid user.
while ($r = mysql_fetch_array($result)) {
if ($r[1] == $username) {
if ($r[2] == $password) {
echo "we have a match";
$realname = $r[3];
session_register(username);
session_register(password);
session_register(realname);
// this registers the users variables to be used on later
// pages
// now, call your next page... let's call it page1.php
include ("page1.php");
exit;
} else {
echo "Loser - you aren't who you say you are";
}
}

#5. Now, the user has been validated and is to be sent to page1.php... Here is the code for this page. Again, this page's first job is to check session variables and re-check the users username/password. If the user is indeed who they say they are, page1.php tells them their name :

<?php
session_start();

// Again, open your database connection
$dbHost = "localhost";
$dbUser = "user";
$dbPass = "password";
$dbDatabase = "test";

   $db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");

    mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

// You now have a connection to the database.
// Now, you'll want to scan all of your users in the user table to see if this user exists and has this password

$result = mysql_query("select * from user", $db);
// this runs the select command and stores all the user information in the result array

// run a while loop and check for the valid user.
while ($r = mysql_fetch_array($result)) {
if ($r[1] == $username) {
if ($r[2] == $password) {
echo "we have a match";
$realname = $r[3];
// this registers the users variables to be used on later
// pages
// Tell the user they are logged in.
echo "You are $realname <br>";
exit;
} else {
echo "Loser - you aren't who you say you are";
}
}

-- Well, its a lame tutorial, but it is 3 in the morning... I just thought my jibberish might help....

Feel free to respond and I'll see what I can help with.

-- Toodles.

ravingcommie

Thank you, thaks alot that really helped, but I do get a few problems with it...

on both the php scripts, validatelogin.php and php1.php i get the following lines:

Parse error: parse error, unexpected $ in testlogin\validatelogin.php on line 41

Parse error: parse error, unexpected $ in testlogin\php1.php on line 35

These are refering to the last lines in both the scripts, which dont contain anything. The script seems fine otherwise, I just dont understand why it isnt working.

Thanks alot

ravingcommie

Weedpacket

There are approximately fifteen million threads in these forums about how to write login scripts, and things that can go wrong with them. There are also a number of threads that cover the "Unexpected $" parse error on the last line of a script (which in both cases is because of a missing '}' - presumably at the end.) As binarylime warned, it's a lame tutorial written by someone who's up at three o'clock in the morning - you expect perfection?

There are a couple of other things about it that suggest opportunities for improvement. E.g., picking up from the $result= line...

$sql = "select realname from user where username='$username' and password='$password'";
$result = mysql_query($sql,$db);
if(mysql_num_rows($result)!=0)
{	// we have a match
	$_SESSION['realname'] = mysql_result($result,0,'realname');
	$_SESSION['password'] = $password;
	$_SESSION['username'] = $username;
	include ("page1.php");
	exit;
}
echo "Loser - you aren't who you say you are";

ravingcommie

i dont expect perfection at all lol, i generally code at tht time in the morning thou 😕

but thanks alot, ill hav a bash at that. i should make a proper attempt to learn php instead at plodding my way through code, armed with the php.net manual and dabbling...

thanks again

ravingcommie

mystrymaster

plodding your way through with the manual and a website is the best way to learn how to script php.

planetsim

Weedpacket you were one of its 15million and one

planetsim

binarylime your asking to be hacked with Register Globals on

Its suggested not just by PHP.net and hundreds of PHP Sites to have it turned of

Simple things like your

$page

can be

index.php?page=my/evilscript.php

Change a few things. And your in trouble.

ravingcommie

i've tried weebpackets' verison but get an error with(mysql_num_rows($result)!=0)

ill hack away and see what happens...

ravingcommie :rolleyes:

binarylime

Thanks to weedpacket and everyone else for the feedback. As I warned, I'm no security expert and the register_globals=on configuration is dangerous, I know, but I'm a beginner.

Another thing I would like to add that I did not cover is putting the mysql configuration into the actual .php files. Its a BIG no-no because if anyone gains access to your system, they could potentially read your .php files and find the root user and password to MySQL.

Essentially, my suggestion (which will probably be shot down) is to create a flat text file that contains information about how to connect to your database BUT change the permissions of the file so that it is only read/writeable by the PHP/APACHE user.

In all of your PHP files that have to access a MySQL database, throw the following lines of code in to parse your custom made database configuration file and then open a connection to your database.

#1. Your custom made database configuration file that will be parsed later for accessing your database. Call it db.config and change the permissions of the file so it is read/writeable only by the PHP/APACHE user :

hostname=localhost
database=test
username=user
password=password

#2. Now, use this snippet of code to open this file and parse it in each .PHP file you have that needs to access the database :

    // load database information from db.config
    $handle = fopen("db.config", "r");
            while (!feof ($handle)) {
                    $line = fgets($handle, 1024);
                    $config = explode("=", $line);
                    if ($config[0] == "hostname") {
                            $dbHost = trim($config[1]);
                    }
                    if ($config[0] == "database") {
                            $dbDatabase = trim($config[1]);
                    }
                    if ($config[0] == "username") {
                            $dbUser = trim($config[1]);
                    }
                    if ($config[0] == "password") {
                            $dbPass = trim($config[1]);
                    }
    }


    fclose ($handle);

    // Connect to the MySQL database
    $db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to datab

ase.");

    mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

As another side note, you could put the above lines of code inside its OWN php file, called dbconnection.php, and just use the include(dbconnection.php) within each .PHP file you have that may need database access. This will keep you from having to type the above lines of code inside each PHP file you have.

Well, let the gauntlet of insults begin!

ravingcommie

you're churning out code constantly, and you're telling us you're just a beginnier 🙂 lol

binarylime

hehehe thanks. low self esteem issues.

actually, i've only been writing PHP for a few months - thats what I like about it - with a few examples, its easy to pick up and more powerful than I ever expected.

i throw in disclaimers with my code because from previous programming experience, i know there is always a better or more secure way to do something. with PHP, each day i find myself slapping my head because someone did what i did in like 5 lines (instead of my 50) 🙂

how did the login script turn out? did you ever get any of it to work?

alas, the night has come and i must return to my coding cave... best of luck!

ravingcommie

lol alright

sadly, the script hasn't worked yet, as theres errors, i will post them again here when I get round to testing it all again

thanks anyways

ravingcomme :rolleyes:

ravingcommie

Ok well my current code is, for validatelogin.php

<?php
session_start();
$password = md5($password);
$dbHost = "";
$dbUser = "";
$dbPass = "";
$dbDatabase = "";
$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database."); 

mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database."); 

// You now have a connection to the database. 
// Now, you'll want to scan all of your users in the user table to see if this user exists and has this password 

$result = mysql_query("select * from user", $db); 
// this runs the select command and stores all the user information in the result array 

// run a while loop and check for the valid user. 
while 

$r = mysql_fetch_array($result) { 
if ($r[1] == $username) { 
if ($r[2] == $password) 
{ 
echo "we have a match"; 
$realname = $r[3]; 
session_register(username); 
session_register(password); 
session_register(realname); 
// this registers the users variables to be used on later 
// pages 
// now, call your next page... let's call it page1.php 
include ("page1.php"); 
exit; 
} 
echo "Loser - you aren't who you say you are";
}}
?>

and that has a parse error:

Parse error: parse error, unexpected T_VARIABLE, expecting '('
which is on line 21, which is this line:

$r = mysql_fetch_array($result) {

In the page1.php file, my current code is:

<?php

session_start();

// Again, open your database connection
$dbHost = "";
$dbUser = "";
$dbPass = "";
$dbDatabase = "";

$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");

mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

// You now have a connection to the database.
// Now, you'll want to scan all of your users in the user table to see if this user exists and has this password

$result = mysql_query("select * from user", $db);
// this runs the select command and stores all the user information in the result array

// run a while loop and check for the valid user.
while ($r = mysql_fetch_array($result)) {
    if ($r[1] == $username) {
        if ($r[2] == $password) {
            echo "we have a match";
            $realname = $r[3];
            // this registers the users variables to be used on later
            // pages
            // Tell the user they are logged in.
            echo "You are $realname <br>";
            exit;
        } else {
            echo "Loser - you aren't who you say you are" ;
        }
    }
?>

and that bring in parse errors on line 37, which doesnt exist, unexpected '$' I'll try and find the fix for that.

I will move my mysql details from the scripts soon, I just need to fix them... so any ideas?

thanks alot

ravingcommie :p

laraby

Thanks for your log in script I'm going to try it out but first I have a specific issue that I need solved regarding log in scripts that I seem to be missing.

We need to have people log in and go to a specific page only for them and although I can vaguely imaging doing this by manually creating a site for each user, I think I'm missing something.

Is there a script available where a user creates a username and password and the code generates a directory we can drop a pdf into that they can access later?

All help about this issue would be greatly appreciated.

Cheers and happy new years.

🆒

yousaf931

Dear laraby,

Yes you can do it. There is a function in php

mkdir ( string pathname [, int mode])

mkdir : will make a dir for you
Parameters

string pathname : here you will tell the path where u want to make a dir

int mode : this the permission for other users Read, Write , Execute. ( see chmod() for more details)

Than use copy() to copy put the specific files to the user folder you just created.

Cheers,
yousaf FAYYAZ.