Newbie - Login Screen

ripley
Forum Newbie
Posts: 1
Joined: Fri Jul 18, 2003 10:09 am
Location: South Africa

Newbie - Login Screen

Post by ripley »

I'm trying to create my first php app. I'm stuck on the login screen, hee hee.

Here lies the code:

<HTML>
<HEAD>
<TITLE>My Login Form</TITLE>
</HEAD>
<?
$do = $_POST['do'];
switch ($do) {
case "authenticate":
mysql_connect("localhost","ryan","ryan") or die ("Couldn't connect to database");
mysql_select_db("ryan") or die ("Unable to select database");
$sql="SELECT username FROM users WHERE username='$username' and passwd='$password'";
$result=mysql_query($sql) or die ("Couldn't get result");
$num=mysql_numrows($result);
if ($num==1) {
echo "<P>You are a valid user!<BR>";
echo "Your username is $username<BR>";
echo "Your password is $password</P>";
}
else if ($num==0) {
unset($do);
echo "<P>You are not authorised! Please try again.</P>";
include("login_form.inc");
}
break;

default:
include("login_form.inc");
}
?>
</BODY>
</HTML>

Here lies the form.inc code:


<form action="index.php?do=authenticate" method="post">
<table border=0>
<tr>
<td><strong>Username:</strong></td>
<td><input type="text" name="username" size="10" maxlength="10"></td>
</tr>
<tr>
<td><strong>Password:</strong></td>
<td><input type="password" name="passwd" size="10" maxlength="10"></td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" value="Login">
</td>
</tr>
</table>
</form>

Can somebody pls help me. It's my first php code ever.

Ripley
pootergeist
Forum Contributor
Posts: 273
Joined: Thu Feb 27, 2003 7:22 am
Location: UK

Post by pootergeist »

Even though your form method is post, the variable 'do' is _GET (due to being appended to the URL).

Personally I'd lose the switch as well and just go straight for

if($_GET['do'] == 'authenticate')
{
// do stuff
}
werlop
Forum Commoner
Posts: 68
Joined: Sat Mar 22, 2003 2:50 am
Location: /dev/null

Post by werlop »

Slightly off topic, but watch the .inc file: unless your server is specifically configured, the server will send the whole of the file to the browser if the file is referenced. This includes PHP code, which means passwords are vulnerable.
MeltedPixel
Forum Newbie
Posts: 8
Joined: Sun Jun 29, 2003 12:22 am

Post by MeltedPixel »

Seems like you are working on a login script.
Here is one I have:

<form action="login.php" method="post">
<input type="text" name="name" value="user name"><br>
<input type="password" name="password" value="password"><br>
<input type="submit" value="submit">
</form>
You want to name that page login.html, or whatever you want really.

<?php
if($name == "username" || $password == "password")
{
    print("You are logged in!");
}
else
{
    print("Wrong username or password.");
}
?>
Name that file login.php.
You can change the username/password by editing, well, the words "username" and "password".
I'm not positive if this is the most secure method to login, but it works =P
Lemme know if you need any help..
m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

MeltedPixel, what ripley is trying to do is a bit more advanced than that. He is checking to see if the username and password exist in the database.

What you have done is fine for basic scripts for sites that contain non-sensitive information. If for some reason PHP was to stop compiling on the server and a request was made for that script, the code would be leaked to the user, i.e. printing the entire script in their browser; this would of course reveal the login/password you have set in your code.
Drachlen
Forum Contributor
Posts: 153
Joined: Fri Apr 25, 2003 1:16 am

Post by Drachlen »

<?php
session_start(); // must run before $_SESSION is read or written

// Escape the username that actually goes into the query, and hash the
// submitted password so it can be compared with the stored md5 value.
$username = addslashes($_POST['username']);
$md = md5($_POST['password']);

$link = mysql_connect("localhost", "-", "-")
        or die("Could not connect");
mysql_select_db("-", $link) or die("Could not select database");
// Single quotes inside the double-quoted string delimit the SQL values.
$query = mysql_query("select username from users where username='$username' and password='$md' limit 1")
        or die("Query failed");

if (mysql_num_rows($query) == 1) {
   $_SESSION['auth'] = true;
   $_SESSION['username'] = $_POST['username'];
   // Encode the name before echoing it back into the page.
   echo "You have logged in as " . htmlspecialchars($_POST['username']);
} else {
   $_SESSION['auth'] = false;
   $_SESSION['username'] = '';
   echo "Incorrect username or password";
}
?>
For this to work, the registered password will have to be md5. Once you submit your regular password, it is encrypted with md5, then it's checked if it matches the one in the database.
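
Added example, not part of any post in this thread: the same database login check written with a parameterised query and PHP's built-in `password_hash()` / `password_verify()` in place of string-built SQL and a bare md5. The table layout, column names and sample account are constructed for illustration, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
// Added example: schema, account and inputs below are constructed.
// Dummy hash used for unknown usernames so both paths do similar work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    // password_hash() salts each password and uses a deliberately slow algorithm.
    $stmt->execute(['ripley', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

function authenticate(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text, so quotes
    // in $username are compared as data and cannot alter the query.
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($password, DUMMY_HASH); // unknown user: still spend the time
        return false;
    }
    return password_verify($password, $hash);
}

$pdo = make_demo_db();
$attempts = [
    ['ripley', 'correct horse'],     // valid account
    ['ripley', 'wrong'],             // wrong password
    ["ripley' OR '1'='1", 'x'],      // quotes in the username stay plain data
    ['nobody', 'x'],                 // unknown user
];
foreach ($attempts as [$user, $pass]) {
    $ok = authenticate($pdo, $user, $pass);
    printf("%-20s => %s\n", $user, $ok ? 'accepted' : 'rejected');
}
```

Only the first attempt is accepted; the other three are rejected.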
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

werlop wrote: Slightly off topic, but watch the .inc file: unless your server is specifically configured, the server will send the whole of the file to the browser if the file is referenced. This includes PHP code, which means passwords are vulnerable.
I agree, use whatever.inc.php instead of whatever.inc.

Or configure your server, if you have access of course, to treat .inc files as .php. :)
qartis
Forum Contributor
Posts: 271
Joined: Sat Dec 14, 2002 4:43 pm
Location: BC, Canada

Post by qartis »

MeltedPixel wrote: if($name == "username" || $password == "password")
You probably want "&&" instead of "||"; you want both the username AND password to match :)
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Just to add on to this last point, I prefer to make sure a variable is NOT set rather than set, e.g.:

<?php
if (!$username OR !$password){
  error("YOU DIDN'T COMPLETE THE FORM!");
} else {
  // 10, 20, 50, or more lines of code
}
?>
rather than...

<?php
if ($username && $password){
  // 10, 20, 50, or more lines of code
} else {
  error("YOU DIDN'T COMPLETE THE FORM!");
}
?>
As a wise PHP guru once told me, it helps with debugging and keeping good source code structure. It's not a major difference but those two points were enough to change my ways.