check login details against database

jonahpup

I have this piece of code that I include into all my pages that I want protected by a username and password, and currently I have been using 1 username and 1 password for all users. I now however, want to have a database of users and their passwords, so each user can have a separate password, and I need the script to check the login details against the database before creating a cookie...

how do I do this??

here is my code

access.php

<?
// Import database connection
include("../connections/finale_adminusers"); // Holds database username, password, dbase name etc //

session_start();
$ADMIN_USER = "user";
$ADMIN_PASSWORD = "pass"; 

if(!$_SESSION['authenticated'])

if($_POST['loginbutton']) {
    $inputuser = $_POST['input_user'];
    $inputpassword = $_POST['input_password'];

    if(!strcmp($inputuser ,$ADMIN_USER) && !strcmp($inputpassword,$ADMIN_PASSWORD)) {
        $_SESSION['authenticated'] = 1;
        header("Location:".$_SERVER[PHP_SELF]);
    }
    else
        displayform(1);
}
else
    displayform(0);


function displayform($error) {
    echo "<html><head><title>Please login</title></head><body><style>body,td,input { font-family: verdana; font-size: 8pt; }</style>";
    if($error) echo "<p><b>Wrong credentials.</b></p>";
    echo "<form action=\"\" method=\"post\"><table width='400' border=0><tr><td width='100'>username:</td>";
    echo "<td><input type='text' name='input_user'></td></tr><tr><td>password:</td><td><input type='password' name='input_password'></td></tr>";
    echo "<tr><td colspan='2'><input type='Submit' value='Login&raquo;' name='loginbutton'></td></tr></table></form></body></html>";
    exit;
}
?>

sheephat

Create a register button, and link that to a page where your users can add themselves to the user database, although keep in mind that this is a very insecure method, and very "standard" looking. However its a start.

jonahpup

sorry... I might not have been very clear in what I was asking... I dont want users to be able to add themselves... I already have a database with user logins created... what I want to be able to do, is when a user enters their name and password, I want to check it against the database to make sure they exist... im just not sure how to do it!

sheephat

ok i havent done this in a while so i used google, and here is what iv come up with,

<?php 
// Connects to your Database 
mysql_connect("YOURDATABASELOCA.COM", "USERNAME", "PASSWORD") or die(mysql_error()); // DATABASE LOCATION, USERNAME, PASSWORD
mysql_select_db("DATABASE") or die(mysql_error());  // DATABASE NAME




//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

// makes sure they filled it in
if(!$_POST['username'] | !$_POST['pass']) {
die('You did not fill in a required field.');
}
// checks it against the database CHANGE TABLE TO MATCH THE NAME OF THE TABLE IN YOUR DATABASE.
$check = mysql_query("SELECT * FROM TABLE WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database.');
}
while($info = mysql_fetch_array( $check )) 
{
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);

//gives error if the password is wrong
if ($_POST['pass'] != $info['password']) {
die('Incorrect password, please try again.');
}
else 
{ 

//then redirect them to this page, make sure there is secuity to ensure this page cannot be accessed directly.
header("Location: nextlink.php"); 
} 
} 
} 
else 
{ 

// if they are not logged in 
?> 
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> 
<table border="0"> 
<tr><td colspan=2><h1>Login</h1></td></tr> 
<tr><td>Username:</td><td> 
<input type="text" name="username" maxlength="40"> 
</td></tr> 
<tr><td>Password:</td><td> 
<input type="password" name="pass" maxlength="50"> 
</td></tr> 
<tr><td colspan="2" align="right"> 
<input type="submit" name="submit" value="Login"> 
</td></tr> 
</table> 
</form> 
<?php 
} 

?>

sheephat

The script is a very standard script which i got off of http://php.about.com obviously i have edited it a little to match what i believe to be what you are after.

You will need to change, the database details and the table name, and the fields if nessasary,

bradgrafelman

sheephat wrote:
You will need to change, the database details and the table name, and the fields if nessasary,

...and fix the SQL injection vulnerability, and optimize the SELECT query, and work with unindented code, and use !isset($POST['key']) instead of !$POST['key'], and use the '||' operator instead of the '|' operator, and...

sheephat

Yes of corse there are problems, i simply copied and pasted, and remove all that was unnessasary, such as all the cookie parts. I left in quite a bit but its all still functional.

bpat1434

Jonahpup:
I'd suggest you pick up Chris Shifflet's PHP Security book. It's a quick read, and you'll learn plenty about securing your PHP code.

One such secure thing he talks about is logins and authentication. He also speaks of session hijacking and cookie issues. If you have the $30 and the time, I suggest you pick it up.

When I developed a login system for a recent project, I created a simple library file (session.php) and put all the session authentication things in it. I had a bunch of functions, one of which was called isValidSession. That function would do three things: (1) check to see if the session "auth" key was within the last $maxAuth minutes (where $maxAuth was a set time limit in the config file), (2) Check the session ID against the one stored in the database for the user, and (3) Check the username and last touch time of the database and session. Each time a link was followed, I called isValidSession to check for validity, then touched the session (which would update the session and database with new times). WHen the logged out, I'd add a new key "logout" with a timestamp. Then in "isValidSession" I also checked to see if "logout" was in the session. If so, then I called the regenerateSession function to exit the current session destroying all info, restarting a new one, and sending them to the login page. Then, when they logged in (if successful) I touched the database and session updating the info.

It's confusing, but it's secure (for the most part). From what it sounds like, you'd need to find a way to grab their username and password and just run a simple query to see if they match. An example of that query is:

<?php
clean($_POST); // Put all $_POST vars into $clean['post']

$query = sprintf("SELECT username FROM users WHERE username='%s' AND password='%s'",
    mysql_real_escape_string($clean['post']['username']),
    mysql_real_escape_string($clean['post']['password'])
);
$result = mysql_query($query);
// ....

jonahpup

sheephat wrote:
The script is a very standard script which i got off of http://php.about.com obviously i have edited it a little to match what i believe to be what you are after.

You will need to change, the database details and the table name, and the fields if nessasary,

sheephat: how do I go about integrating your script with what I already have???

sheephat

With the power of dreamweavers user button here is what i have come up with.

I will explain from top to bottom, if you put it all together with your edit it should work for you.

I have taken your login form, and created a small database on my localmysqlserver whih contains a couple of made up users and thier passwords.

Line1:

<?php require_once('../../Connections/connMySQL.php'); ?>

As you should know is the file which contains my connection info, by the looks of your script you already link to your connection file. So change as required.

and the rest, read my comments and this should get you through.

<?php require_once('../../Connections/connMySQL.php'); ?>// Change to the location of your connection file.
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['input_user'])) {
  $loginUsername=$_POST['input_user'];
  $password=$_POST['input_password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "members.php"; // Change to where you want them to end up after they have logged in
  $MM_redirectLoginFailed = "wrong.php"; // Change to where you want them to go if they type the wrong creds. In this file i have included text like "Wrong, go back and try again" or something like that.
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_connMySQL, $connMySQL);

  //Change: FROM userlogins with your table name, mine is userlogins, change this to suit your database.

  $LoginRS__query=sprintf("SELECT username, password FROM userlogins WHERE username='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 

  $LoginRS = mysql_query($LoginRS__query, $connMySQL) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";

//declare two session variables and assign them
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;	      

if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
}
header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

<!-- You form-->
<html><head><title>Please login</title></head><body><style>body,td,input { font-family: verdana; font-size: 8pt; }</style>

<form action=<?php echo $loginFormAction; ?> method=POST>
  <table width='400' border=0><tr><td width='100'>username:</td>
<td><input type='text' name='input_user'></td></tr><tr><td>password:</td><td><input type='password' name='input_password'></td></tr>
<tr><td colspan='2'><input type='Submit' value='Login&raquo;' name='loginbutton'></td></tr></table></form></body></html>

I also reccomend a read of the previous said book, it may help you.

jmack159

for the login script i use, i do not keep the raw password in the db, instead i keep the md5() hash of the password. then i check the md5 of the user submitted pass against the one in the db, like so: (but much simplified)

if(md5($pass) == $db_pass){
     echo "logged in successfuly!"
}else{
     echo "You are not logged in!"
}

makes it a bit more secure

bpat1434

Raw passwords really shouldn't be kept in the database. If you ever have it compromised, you've just released those passwords and user-names. And if they don't change them from site to site (which 99% of people don't) then now that's edging on identity theft (well, virtual identity).

Typically people will use the md5() to hash the password. Although there are some instances where md5() just isn't enough. I personally like to use something like:

$password = md5($clean['post']['username'].md5($clean['post']['password']));

That way you're pretty much guaranteed that there is no way to generate the same password (since all usernames must be different). Depending upon what I'm doing, I'll either use a section of the username (first 5 letters) or split it up around the hashed password (bpat[hashed password]1434) or just append the hashed password. But you're looking for uniqueness and the ability to make it non-guessable by outsiders.

@:
In your code you have this:

if(!strcmp($inputuser ,$ADMIN_USER) && !strcmp($inputpassword,$ADMIN_PASSWORD)) {
            $_SESSION['authenticated'] = 1;
            header("Location:".$_SERVER[PHP_SELF]);
        }

You'd best be served to call another function (validateUser) and have that return true or false. True means you set the cookie, false means something went wrong.

The function would look something like:

<?php
function validateUser()
{
    include_once('../connections/finale_adminusers');

$conn = @mysql_connect($dbhost, $dbuser, $dbpass);
if(!is_resource($conn)) { return false; } // No connection to mySQL available
@mysql_select_db($database);

$query = sprintf("SELECT username FROM `users` WHERE username='%s' AND password='%s'",
     mysql_real_escape_string($_POST['username']),
     mysql_real_escape_string(md5($_POST['password'])) // The hashed password
);
$rslt = @mysql_query($query);
if(!is_resource($rslt)) { return false; } // No resource, no users match
if(mysql_num_rows($rslt) < 1) { return false; } // No rows, no users ;)
else
    return true; // Had some rows, must have users

return false; // Just to make sure we have a backup.
}

So your code would turn into:

<?
// Import database connection *** NOT HERE, We will later though!! ***
// include("../connections/finale_adminusers");

session_start();
//$ADMIN_USER = "user"; // We don't need these anymore do we ;)
//$ADMIN_PASSWORD = "pass";

if(!$_SESSION['authenticated'])

if($_POST['loginbutton']) {
    $inputuser = $_POST['input_user'];
    $inputpassword = $_POST['input_password'];

    if(validateUser()) {
        $_SESSION['authenticated'] = 1;
        header("Location:".$_SERVER[PHP_SELF]);
    }
    else
        displayform(1);
}
else
    displayform(0);


function displayform($error) {
    echo "<html><head><title>Please login</title></head><body><style>body,td,input { font-family: verdana; font-size: 8pt; }</style>";
    if($error) echo "<p><b>Wrong credentials.</b></p>";
    echo "<form action=\"\" method=\"post\"><table width='400' border=0><tr><td width='100'>username:</td>";
    echo "<td><input type='text' name='input_user'></td></tr><tr><td>password:</td><td><input type='password' name='input_password'></td></tr>";
    echo "<tr><td colspan='2'><input type='Submit' value='Login&raquo;' name='loginbutton'></td></tr></table></form></body></html>";
    exit;
}

function validateUser()
{
    include_once('../connections/finale_adminusers');

$conn = @mysql_connect($dbhost, $dbuser, $dbpass);
if(!is_resource($conn)) { return false; } // No connection to mySQL available
@mysql_select_db($database);

$query = sprintf("SELECT username FROM `users` WHERE username='%s' AND password='%s'",
     mysql_real_escape_string($_POST['username']),
     mysql_real_escape_string(md5($_POST['password'])) // The hashed password
);
$rslt = @mysql_query($query);
if(!is_resource($rslt)) { return false; } // No resource, no users match
if(mysql_num_rows($rslt) < 1) { return false; } // No rows, no users ;)
else
    return true; // Had some rows, must have users

return false; // Just to make sure we have a backup.
}

?>

Hope that helps. You'll need to tweak a few things though, like password matching for the query, table name in the query, and column names in the query.

jonahpup

hey bpat1434,
thanks for that... everything seems to be working ok, except that when I put in a username and password, it keeps coming back saying "Wrong Credentials"... I cant work out why...

I did notice tho, on lines 9 and 10, we have $inputuser = $_POST['input_user']; and also $inputpassword... but $inputuser and $inputpassword dont get used anywhere?? which im thinking they probably should... although I dont know where...

<?php

session_start();

if(!$_SESSION['authenticated'])

if($_POST['loginbutton'])
	{
	$inputuser = $_POST['input_user'];
	$inputpassword = $_POST['input_password'];

	if(validateUser())
		{
		$_SESSION['authenticated'] = 1;
		header("Location:".$_SERVER['PHP_SELF']);
		}
	else
		displayform(1);
	}
else
	displayform(0);

function displayform($error)
	{
	echo "<html><head><title>Please login</title></head><body><style>body,td,input { font-family: verdana; font-size: 8pt; }</style>";
    if($error) echo "<p><b>Wrong credentials.</b></p>";
    echo "<form action=\"\" method=\"post\"><table width='400' border=0><tr><td width='100'>username:</td>";
    echo "<td><input type='text' name='input_user'></td></tr><tr><td>password:</td><td><input type='password' name='input_password'></td></tr>";
    echo "<tr><td colspan='2'><input type='Submit' value='Login&raquo;' name='loginbutton'></td></tr></table></form></body></html>";
    exit;
	}

function validateUser()
	{
	include_once("../connections/finale_bookingsdb.php");

if(!is_resource($con)) { return false; }
@mysql_select_db($dbname);

$query = sprintf("SELECT username FROM 'users' WHERE username='%s' AND password='%s'",
	mysql_real_escape_string($_POST['username']),
	mysql_real_escape_string(md5($_POST['password']))
);

$rslt = @mysql_query($query);

if(!is_resource($rslt)) { return false; }
if(mysql_num_rows($rslt) < 1) { return false; }
else
	return true;
return false;
}

?>

I have tried a username that I know has been encrypted using md5, so that shouldnt be the problem... and I have also taken out md5 from the mysql_real_escape_string, and tried it with a non encrypted password... and that doesnt work either... ??

bradgrafelman

Try replacing this:

        mysql_real_escape_string($_POST['username']), 
        mysql_real_escape_string(md5($_POST['password']))

with this:

        mysql_real_escape_string($inputuser), 
        mysql_real_escape_string(md5($inputpassword))

jonahpup

ok... so I have changed those 2 values... but its still coming back with "Wrong Credentials" ... I cant see any reason why it would be doing that...

laserlight

Actually, it would be better to pass the username and password as arguments to validateUser(), e.g.,

function validateUser($inputuser, $inputpassword)
    {
    include_once("../connections/finale_bookingsdb.php");

if(!is_resource($con)) { return false; }
@mysql_select_db($dbname);

$query = sprintf("SELECT username FROM 'users' WHERE username='%s' AND password='%s'",
    mysql_real_escape_string($inputuser),
    md5($inputpassword)
);

$rslt = @mysql_query($query);

if(!is_resource($rslt)) { return false; }
if(mysql_num_rows($rslt) < 1) { return false; }
else
    return true;
return false;
}

I have removed the mysql_real_escape_string() from the password line because md5() returns a value that does not need escaping. Of course, you would add a 'salt' before hashing so as to avoid the use of rainbow tables, perhaps by some of the creative ways suggested by bpat1434. To use the function, you would then write something like:

if(isset($_POST['loginbutton'], $_POST['input_user'], $_POST['input_password']))
    {
    if(validateUser($_POST['input_user'], $_POST['input_password']))
        {
        $_SESSION['authenticated'] = 1;
        header("Location:".$_SERVER['PHP_SELF']);
        }
    else
        displayform(1);
    }
else
    displayform(0);

Notice that I have checked that the incoming variables exist using isset before using them.

Incidentally, while we are on the topic of hashes, I think that one might as well use SHA-1 with [man]sha1/man or some other cryptographic hash function supported by [man]mhash/man or [man]hash/man, such as SHA-256. The tools available to crack MD5 hashed passwords (especially those without a salt) are too readily available.

bradgrafelman

If you still can't login, have it echo out the query it's running, and visually inspect it. If you look at the DB (e.g. in phpMyAdmin), can you see a row with the same username as in the query? If so, what does the password column look like compared to what's in the query?

Double check that the DB password field contains the MD5 hash of the password (update the column using phpMyAdmin to make sure - make sure you select MD5 in the "Function" drop down).

If the password column in the DB is a VARCHAR type, make sure it's got a length of at least 32 (if it's shorter than 32, then this is your problem - MD5 hashes are 32 characters in length).

EDIT: P.S. I concur with laserlight - moving to SHA-1 isn't a bad idea.