Newbie - Login Screen
I'm trying to create my first php app. I'm stuck on the login screen, hee hee.
Here lies the code:
<HTML>
<HEAD>
<TITLE>My Login Form</TITLE>
</HEAD>
<?
$do = $_POST['do'];
switch ($do) {
case "authenticate":
mysql_connect("localhost","ryan","ryan") or die ("Couldn't connect to database");
mysql_select_db("ryan") or die ("Unable to select database");
$sql="SELECT username FROM users WHERE username='$username' and passwd='$password'";
$result=mysql_query($sql) or die ("Couldn't get result");
$num=mysql_numrows($result);
if ($num==1) {
echo "<P>You are a valid user!<BR>";
echo "Your username is $username<BR>";
echo "Your password is $password</P>";
}
else if ($num==0) {
unset($do);
echo "<P>You are not authorised! Please try again.</P>";
include("login_form.inc");
}
break;
default:
include("login_form.inc");
}
?>
</BODY>
</HTML>
here lies the form.inc code:
<form action="index.php?do=authenticate" method="post">
<table border=0>
<tr>
<td><strong>Username:</strong></td>
<td><input type="text" name="username" size="10" maxlength="10"></td>
</tr>
<tr>
<td><strong>Password:</strong></td>
<td><input type="password" name="passwd" size="10" maxlength="10"></td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" value="Login">
</td>
</tr>
</table>
</form>
Can somebody pls help me. It's my first php code ever.
Ripley
MeltedPixel
Seems like you are working on a login script.
Here is one I have:
Code: Select all
<form action="login.php" method="post">
<input type="text" name="name" value="user name"><br>
<input type="password" name="password" value="password"><br>
<input type="submit" value="submit">
</form>
You want to name that page login.html, or whatever you want really.
Code: Select all
<?php
// Read the submitted fields from $_POST instead of relying on register_globals.
$name = isset($_POST['name']) ? $_POST['name'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
// Both values must match; with || either one alone would log the user in.
if ($name === "username" && $password === "password")
{
    print("You are logged in!");
}
else
{
    print("Wrong username or password.");
}
?>
Name that file login.php.
You can change the username/password by editing, well, the words "username" and "password".
I'm not positive if this is the most secure method to login, but it works =P
Lemme know if you need any help..
melted pixel, what ripley is trying to do is a bit more advanced than that. He is checking to see if the username and password exist in the database.
What you have done is fine for basic scripts for sites that contain non-sensitive information. If for some reason php was to stop compiling on the server and a request was made for that script, the code would be leaked to the user, i.e. printing the entire script in their browser; this would of course reveal the login/password you have set in your code.
Code: Select all
<?php
session_start(); // needed before $_SESSION can be read or written

$link = mysql_connect("localhost", "-", "-")
    or die("Could not connect");
mysql_select_db("-", $link) or die("Could not select database");

// Escape the value that actually goes into the query, and hash the
// submitted password the same way the stored one was hashed.
$username = mysql_real_escape_string($_POST['username'], $link);
$md = md5($_POST['password']);

// Single quotes inside the double-quoted string delimit the SQL literals.
$query = mysql_query("select username from users where username='$username' and password='$md' limit 1")
    or die("Could not run query");
if (mysql_num_rows($query) == 1) {
    $_SESSION['auth'] = true;
    $_SESSION['username'] = $_POST['username'];
    echo "You have logged in as " . htmlspecialchars($_POST['username']);
} else {
    $_SESSION['auth'] = false;
    $_SESSION['username'] = '';
    echo "Incorrect username or password";
}
?>
werlop wrote:
slightly off topic but watch .inc file, unless your server is specifically configured, the server will send the whole of the file to the browser if the file is referenced, this includes php code, which means passwords are vulnerable.
I agree, use whatever.inc.php instead of whatever.inc.
Or configure your server, if you have access of course, to treat .inc files as .php.
Just to add on to this last point, I prefer to make sure a variable is NOT set rather than set, e.g.
Code: Select all
<?php
if (!$username OR !$password){
    error("YOU DIDN'T COMPLETE THE FORM!");
} else {
    // 10, 20, 50, or more lines of code
}
?>
rather than...
Code: Select all
<?php
if ($username && $password){
    // 10, 20, 50, or more lines of code
} else {
    error("YOU DIDN'T COMPLETE THE FORM!");
}
?>
As a wise PHP guru once told me, it helps with debugging and keeping good source code structure. It's not a major difference but those two points were enough to change my ways.
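The database login check discussed in this thread, as an added example that is not any poster's code: the query uses placeholders instead of building SQL from form input, and the stored value is a `password_hash()` hash rather than plain text or bare `md5()`. Assumptions: PHP 5.5+ with `pdo_sqlite`, an in-memory SQLite database standing in for the thread's MySQL, and constructed names (`make_demo_db`, `authenticate`, `pw_hash`) and sample accounts.

```php
<?php
// Added example: constructed schema and accounts, not code from the thread.
// Assumes PHP 5.5+ with pdo_sqlite; SQLite in memory stands in for MySQL.

function make_demo_db()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    // Constructed sample accounts. Only a salted hash is stored.
    $accounts = array('ripley' => 'correct horse', "o'neil" => 'battery staple');
    foreach ($accounts as $user => $pw) {
        $insert->execute(array($user, password_hash($pw, PASSWORD_DEFAULT)));
    }
    return $pdo;
}

function authenticate(PDO $pdo, $username, $password)
{
    // Reject missing fields and non-string input.
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return false;
    }
    // Placeholders keep the submitted value out of the SQL text, so a
    // quote character in the name is data, not query syntax.
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $hash = $stmt->fetchColumn(); // false when no row matched
    return $hash !== false && password_verify($password, $hash);
}

$pdo = make_demo_db();
$attempts = array(
    array('ripley', 'correct horse'),   // correct credentials
    array("o'neil", 'battery staple'),  // correct, name contains a quote
    array('ripley', 'wrong password'),  // password does not match
    array('nobody', 'correct horse'),   // no such account
    array('ripley', ''),                // empty form field
);
foreach ($attempts as $a) {
    printf("%-8s %s\n", $a[0], authenticate($pdo, $a[0], $a[1]) ? 'accepted' : 'rejected');
}
```

In a web handler, call `session_regenerate_id(true)` before setting `$_SESSION['auth']` on success, and do not echo the submitted password back into the page.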