Thread: PHP Login

  1. #1
    SitePoint Member
    Join Date
    Jul 2009
    Posts
    17

    PHP Login

    I'm trying to find the best way to control login. I'm not concerned with user registration. I currently do my login like this:

    When a user logs in, a "logged in" bit on the database changes to 1 and their IP address is recorded. When they log out, the bit is reset to 0 and the IP address is cleared. If they try to access a page without logging in, the page redirects to the login. If they try to access a page from another system, they are forced to log in.

    This keeps them only logged in at one machine and prevents someone from accessing pages even when the user is logged in.

    It seems like this is insecure and ripe for hacking. I know there is a better way to do login. I have been searching but I've found 1000 ways to do it.

    Any suggestions on a simple secure user login script? Any push in the right direction would be great!

    Thanks!

  2. #2
    From space with love silver trophy
    SpacePhoenix's Avatar
    Join Date
    May 2007
    Location
    Poole, UK
    Posts
    5,077
    Any login system that uses IP address will fail as some ISPs issue their users a new IP address for nearly every page request. You'd be better off using sessions and cookies.

  3. #3
    SitePoint Enthusiast rashedirshad's Avatar
    Join Date
    Sep 2009
    Location
    Rawalpindi, Pakistan
    Posts
    57

    If you want to do login using PHP, here is the way

    [login.php]

    PHP Code:
    <?php
    include("../includes/config.php");   // database connection settings
    $msg = '';
    if (count($_POST) > 0) {
        // Form values are used in the query exactly as submitted
        $user_id = $_POST['user_id'];
        $password = $_POST['password'];

        $sql = "select * from admins where user_id='$user_id' and password='$password'";

        $r = mysql_query($sql) or die(mysql_error());
        if ($q = mysql_fetch_array($r)) {
            // A matching row was found: mark the session as authenticated
            session_start();
            $_SESSION['auth'] = 1;
            header("Location:index.php");
            exit();
        } else {
            $msg = "User ID or password is incorrect.";
        }
    }
    ?>

    <form action="login.php" method="post" name="form1" id="form1">
            <table width="100%" border="0">
              <tr>
                <td width="33%"><strong>Login</strong></td>
                <td width="4%">&nbsp;</td>
                <td width="63%">&nbsp;</td>
              </tr>
              <tr>
                <td align="right">&nbsp;</td>
                <td align="center">&nbsp;</td>
                <td><?php if($msg!='')echo '<font color=red size=4><b>'.$msg.'</b></font>';?>&nbsp;</td>
              </tr>
              <tr>
                <td align="right"><strong>User ID</strong></td>
                <td align="center">*</td>
                <td><input type="text" name="user_id" value="" size='50' id="user_id"/>
                &nbsp;</td>
              </tr>
              <tr>
                <td align="right"><strong>Password</strong></td>
                <td>&nbsp;</td>
                <td><input type="password" name="password" value="" size='50' id="password"/></td>
              </tr>
              <tr>
                <td align="right">&nbsp;</td>
                <td>&nbsp;</td>
                <td><input type="submit" value="Login" style="font-size:24px"/>&nbsp;</td>
              </tr>
            </table>
            </form>
    To redirect the user to the login page if not logged in, use the following code:

    PHP Code:
    <?php
    session_start();
    // Send visitors without an authenticated session to the login page
    if (!isset($_SESSION['auth'])) {
        header("Location:login.php");
        exit();
    }
    ?>
    Hope this will help you.

    Thanks.

    Khan.

  4. #4
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Quote, originally posted by rashedirshad:
    If you want to do login using PHP, here is the way
    Slight correction - it is a way
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded"-Molona

  5. #5
    From space with love silver trophy
    SpacePhoenix's Avatar
    Join Date
    May 2007
    Location
    Poole, UK
    Posts
    5,077
    User submitted data needs to be validated and escaped, especially when it's for a login system

  6. #6
    SitePoint Member
    Join Date
    Jul 2009
    Posts
    17
    As arkinstall said, "it's a way", so would you guys agree that rashedirshad's is the best way for what I want to do?

    Basically, when I do a website I create forms for the client to update their sites using a database. They update the database and the site pulls the content from a database. I create their user names and passwords so I'm not worried about registration. I may in the future but it's not a concern right now.

    All I'm looking to do is allow a person to logon, update some info using some php forms, then log off.

  7. #7
    SitePoint Enthusiast rashedirshad's Avatar
    Join Date
    Sep 2009
    Location
    Rawalpindi, Pakistan
    Posts
    57
    Yes. You are right. Escaping is a must to avoid SQL injection. We can use mysql_escape_string($var) (old PHP versions) or mysql_real_escape_string($var) (new PHP versions).

    Also, use mysql_num_rows() instead of mysql_fetch_array(), but I have encountered a problem using mysql_num_rows().

    This is not the best way as a coder but it is the simplest way. You can always optimize the code. The best way is to use PHP Classes. You may have a class Login inheriting DB class.

    So the modified code for the above post is

    PHP Code:
    <?php
    include("../includes/config.php");   // database connection settings
    $msg = '';
    if (count($_POST) > 0) {
        // Escape the submitted values before placing them in the query
        $user_id = mysql_real_escape_string($_POST['user_id']);
        $password = mysql_real_escape_string($_POST['password']);

        $sql = "select * from admins where user_id='$user_id' and password='$password'";

        $r = mysql_query($sql) or die(mysql_error());
        if (mysql_num_rows($r)) {
            // At least one matching row: mark the session as authenticated
            session_start();
            $_SESSION['auth'] = 1;
            header("Location:index.php");
            exit();
        } else {
            $msg = "User ID or password is incorrect.";
        }
    }
    ?>
    Thanks.
    Khan
    _______________________
    http://www.peoplesourceinternational.com/

  8. #8
    SitePoint Member
    Join Date
    Jul 2009
    Posts
    17
    So for logging out I would do this: $_SESSION['auth']=0; ?
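
An added example, not part of any post in this thread: the login check from posts #3 and #7 and the logout asked about in post #8, written with a bound query parameter and a password hash instead of escaping and a plain-text password column. The `admins.password_hash` column, the `client1` account, the function names `attempt_login()` and `logout()`, and the in-memory SQLite database (standing in for MySQL) are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Table layout, account and function
// names are assumptions; in-memory SQLite (via PDO) stands in for MySQL.
declare(strict_types=1);

function attempt_login(PDO $db, string $userId, string $password): bool
{
    // Bound parameter: the input is sent as data and never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM admins WHERE user_id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();

    // Compare against a salted hash so the table never stores the password itself.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;                 // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);      // fresh session ID at login (session fixation defence)
    $_SESSION['auth'] = 1;
    return true;
}

function logout(): void
{
    $_SESSION = [];                   // clear the data instead of setting auth to 0
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();   // expire the browser's session cookie
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                // delete the server-side session record
}

session_start();                      // must run before any output is sent

// Constructed sample data: one account with a hashed password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admins (user_id TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO admins VALUES (?, ?)')
   ->execute(['client1', password_hash('correct horse', PASSWORD_DEFAULT)]);

$results = [
    'injection string as user ID' => attempt_login($db, "' OR '1'='1", 'x'),
    'wrong password'              => attempt_login($db, 'client1', 'wrong'),
    'correct password'            => attempt_login($db, 'client1', 'correct horse'),
];
logout();
$results['auth set after logout'] = isset($_SESSION['auth']);
var_dump($results);
```

In a login page, the form handler would call `attempt_login()` with the posted values and then redirect with `header()` as in the posts above.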

  9. #9
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Quote, originally posted by rashedirshad:
    The best way is to use PHP Classes. You may have a class Login inheriting DB class.
    Ummm, why would a "Login" object inherit from a "Database" object? They are two completely different ideas and tasks. Now the "Login" object could take a "Storage" object as a parameter, which may or may not be a database.

    Also why would using "PHP Classes" be the best way? Could I not do it without?

    @dcp3450, forget about using IP addresses or locking the user to a single computer. It doesn't help security in the slightest; it only makes the system more complex and a lot easier to fault.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  10. #10
    SitePoint Zealot seoindiauk's Avatar
    Join Date
    Aug 2009
    Location
    New Delhi, India
    Posts
    124
    I have a good idea about security systems, not PHP security.

