  1. #1  SitePoint Evangelist (Join Date Sep 2006, Posts 428)

    PHP MySql Login Script

    Hello all, I've been in web development for some time now but have just gotten my first client which requires a secure login portion of the site. I've been doing some google searching the last couple of days and the results are overwhelming....

    I was wondering if some of you could give opinions or suggestions as to which way to proceed.

    There will only be a few users (5-20). There will be no public registration. Users will be added by the 'admin' in the control panel (which will be login protected). So the first user will need to be manually entered into the database.

    The script will need to send an email to the newly added members with their login info. The site will be using phpMailer (thanks to the advice here at Sitepoint! )

    The script will also need a 'forgot password or username' capability for users to request their passwords.

    So I guess what I'm looking for is something that's not overly complicated or 'heavy' but that will be somewhat secure. I'm not looking for fort knox but it does need to be relatively safe.

    Here's one of the many that caught my eye. This uses the md5() function to encrypt the password and sets a session variable on correct login.
    http://www.phpsimple.net/tutorials/login_logout/

    Although the session var seems like it would be ok, would there be any benefit of setting a cookie also? Kinda like a double security...? Then I could have a function that could be placed on pages with secure data that would check the session var and the cookie. If they were both ok everything would proceed. If not the user would of course be sent to the login page.

    I'll be using php5 for the build.

    I'm open to any suggestions or advice that you may be able to give. I'm also open to any links or tuts that you think may be valuable for this.

    Thanks in advance for any assistance or guidance.

  2. #2  Web Professional (Join Date Oct 2008, Location London, Posts 862)

    Look for another script. This one is poorly written (style-wise) and very unsafe (no input sanitisation).

  3. #3  SitePoint Evangelist (Join Date Sep 2006, Posts 428)

    I was just using that script as an example. I plan on writing the script myself I just need something to model it after.

    But thanks for letting me know that one is junk.

    I guess my main problem is that I don't even know what to look for in a good login script. So maybe I should be asking... "What does a good login script need?" instead of what I'm asking....?

  4. #4  SitePoint Evangelist (Join Date Sep 2006, Posts 428)

    By no input sanitisation... I assume you mean no stripslashes or mysql_real_escape_string? I would definitely include that in the final script.

  5. #5  Web Professional (Join Date Oct 2008, Location London, Posts 862)

    Yes, I meant escaping the variables before inserting into MySQL query.

    You need to decide for yourself what you need in the authentication script--it depends on the project you're working on. Start planning out, think of what you might need, develop a user database schema and then start programming.

    Two pieces of information you will need:

    * unique id (e-mail or username)
    * password (hash)

    Simple process:

    1. Is session variable set? Go to 5.
    2. Login form.
    3. Compare username and password hash with database.
    4. Row found? Set a session variable with username. Not found? Go to 1.
    5. Logged in.
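    Post #5's five-step process written out as an added example (this is not code from the thread): it assumes a users table with id, username and password_hash columns, rows created by the admin with password_hash(), and the PDO connection details shown. Because the query is a prepared statement, the escaping discussed in #2 and #4 is not needed for the lookup.

```php
<?php
// Added example, not code from the thread: post #5's five-step flow with a
// PDO prepared statement and password_hash()/password_verify() for the stored hash.
// Assumed: table users(id INT, username VARCHAR, password_hash VARCHAR), where
// the admin creates rows with password_hash($plain, PASSWORD_DEFAULT).
session_start();

function db(): PDO {
    // Assumed DSN and credentials; replace with the real ones.
    $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'app', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Steps 3 and 4: fetch by username only and verify the hash in PHP. Returns
// the user id on success, null otherwise.
function attemptLogin(PDO $pdo, string $username, string $password): ?int {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so an unknown
    // name and a wrong password take about the same time.
    $hash = $row ? $row['password_hash'] : password_hash('no-such-user', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return null;
    }
    return (int) $row['id'];
}

if (isset($_SESSION['user_id'])) {                  // step 1: session variable set?
    echo 'Logged in as user #' . (int) $_SESSION['user_id'];   // step 5
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {         // step 3: form submitted
    $id = attemptLogin(db(), $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($id !== null) {
        session_regenerate_id(true);                 // fresh session id on login
        $_SESSION['user_id'] = $id;                  // step 4: row found
        header('Location: ' . $_SERVER['REQUEST_URI']);
        exit;
    }
    echo 'Invalid username or password.';            // same message for both failures
}
// Step 2 (and step 4 "not found" looping back to it): the login form.
?>
<form method="post"><input name="username"> <input name="password" type="password">
<button>Log in</button></form>
```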

  6. #6  SitePoint Evangelist (Join Date Sep 2006, Posts 428)

    Quote from #5:
    1. Is session variable set? Go to 5.
    2. Login form.
    3. Compare username and password hash with database.
    4. Row found? Set a session variable with username. Not found? Go to 1.
    5. Logged in.

    Alright, I think that sets me on my way.

    Would there be any benefit to set a cookie as well a session? And check both? Or would that even be beneficial?

  7. #7  SitePoint Addict, Latox (Join Date Dec 2008, Location Australia, Posts 389)

    This is how I code most of my login scripts:

    User posts their username and password from a form:

    PHP Code:
    $username = clean($_POST['username']);   // clean() is the poster's own escaping helper (not shown in the post)
    $password = md5($_POST['password']);     // the poster's scheme stores md5() of the password
    The script then checks that the password entered matches the username entered; if not, output an error:

    PHP Code:
    $query = mysql_query("SELECT password FROM usertable WHERE user='$username'") or die(mysql_error());
    $data = mysql_fetch_array($query);
    if ($data['password'] != $password) {
        // the password was not the user's password!
        echo "Bad Password!";
    } else {
        // the password was right!
        $getinfo = mysql_query("SELECT id,password FROM usertable WHERE user='".$username."'") or die(mysql_error());
        $user = mysql_fetch_array($getinfo);
        // the else branch continues in the snippets below
    This will get the user's ID and password from the table.

    You then get their user id, password, ip and the time, and combine them into a secure MD5 hash. This works securely because if somebody found out the MD5 hash and cracked it, they'd get a scrambled result, the time, an id, the password and the ip combined, so if someone did manage to crack the hash, it'd be useless.

    You then create the login hash, which will be used globally throughout your site:

    PHP Code:
    $IP = $_SERVER['REMOTE_ADDR']; // user's IP
    $IPlong = ip2long($IP);        // user's IP as an integer (doesn't return a value for 255.255.255.255 - helps security)
    // now we create the hash
    $log_hash = md5($user['id'] . time() . $user['password'] . $IPlong);
    mysql_query("UPDATE usertable SET log_hash='".$log_hash."', lastIP='".$IPlong."', lastactive='".time()."' WHERE id='".$user['id']."'") or die(mysql_error());
    You can then continue to create the user's cookie (user's id, and the login hash we just created):

    PHP Code:
    setcookie("id", $user['id'], time() + (60*60*24*5), "/", "");          // five-day cookie, site-wide path
    setcookie("loginhash", $log_hash, time() + (60*60*24*5), "/", "");
    You can then proceed by adding a query to your pages to make sure the logged in user is in fact the user that just logged in, by using a simple query:

    PHP Code:
    // both cookie values go through clean() before being placed in the query
    $logged = mysql_query("SELECT * FROM usertable WHERE log_hash='".clean($_COOKIE['loginhash'])."' AND id='".clean($_COOKIE['id'])."' LIMIT 1");
    Hope some of this helped, have a fun journey on creating your client system.

    That will be $50, my paypal is sergey@google.com (joking).

    Good luck

    --
    I also just read that you want it to send an e-mail to the newly registered user, you could do that with a few lines of code within the register page, if you need help with this just drop me a PM.
    :-)
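    The id-plus-login-hash cookie from post #7, as an added example that is not the poster's code: the hash is issued as a random token, only its SHA-256 is stored in the log_hash column, and each page compares it in constant time and checks the five-day lifetime server-side. It assumes the usertable columns named in the post, that lastIP holds the address as a string, an existing PDO connection $pdo, and PHP 7.3 or later for the setcookie() options array.

```php
<?php
// Added example (not the poster's code): post #7's "id + loginhash" cookie,
// issued as a random token and checked on every page with a prepared statement.
// Assumed: usertable(id, log_hash, lastIP VARCHAR, lastactive INT), a PDO $pdo,
// and PHP 7.3+ for the setcookie() options array.
const COOKIE_TTL = 60 * 60 * 24 * 5;   // five days, as in the post

// Called right after the password check succeeds.
function issueLoginCookie(PDO $pdo, int $userId): void {
    $token = bin2hex(random_bytes(32));   // unguessable and unrelated to the password
    $stmt = $pdo->prepare('UPDATE usertable SET log_hash = ?, lastIP = ?, lastactive = ? WHERE id = ?');
    // Store only a hash of the token, so reading the table does not yield usable cookies.
    $stmt->execute([hash('sha256', $token), $_SERVER['REMOTE_ADDR'], time(), $userId]);
    $opts = ['expires' => time() + COOKIE_TTL, 'path' => '/', 'secure' => true,
             'httponly' => true, 'samesite' => 'Lax'];
    setcookie('id', (string) $userId, $opts);
    setcookie('loginhash', $token, $opts);
}

// Called at the top of every protected page; returns the user id or null.
function userFromCookie(PDO $pdo, array $cookie, string $remoteAddr): ?int {
    if (!isset($cookie['id'], $cookie['loginhash']) || !ctype_digit($cookie['id'])
        || !ctype_xdigit($cookie['loginhash'])) {
        return null;   // missing or malformed cookie: never reaches the query
    }
    $stmt = $pdo->prepare('SELECT log_hash, lastIP, lastactive FROM usertable WHERE id = ? LIMIT 1');
    $stmt->execute([(int) $cookie['id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['log_hash'] === null) {
        return null;   // unknown id, or the user has logged out (log_hash cleared)
    }
    // Constant-time comparison of the stored hash with the hash of the presented token.
    if (!hash_equals($row['log_hash'], hash('sha256', $cookie['loginhash']))) {
        return null;
    }
    // Enforce the lifetime server-side too, so an old cookie is not honoured forever.
    if ((int) $row['lastactive'] + COOKIE_TTL < time()) {
        return null;
    }
    // IP binding as in the post; relax this if users sit behind changing addresses.
    if ($row['lastIP'] !== $remoteAddr) {
        return null;
    }
    return (int) $cookie['id'];
}
```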

  8. #8  SitePoint Evangelist (Join Date Sep 2006, Posts 428)

    That's so freakin awesome! Thanks for the code sergey! I like integrating the ip in!

