Newbie - Login Screen

Posted: Fri Jul 18, 2003 10:09 am
by ripley
I'm trying to create my first php app. I'm stuck on the login screen, hee hee.

Here lies the code:

<HTML>
<HEAD>
<TITLE>My Login Form</TITLE>
</HEAD>
<?
$do = $_POST['do'];
switch ($do) {
case "authenticate":
mysql_connect("localhost","ryan","ryan") or die ("Couldn't connect to database");
mysql_select_db("ryan") or die ("Unable to select database");
$sql="SELECT username FROM users WHERE username='$username' and passwd='$password'";
$result=mysql_query($sql) or die ("Couldn't get result");
$num=mysql_numrows($result);
if ($num==1) {
echo "<P>You are a valid user!<BR>";
echo "Your username is $username<BR>";
echo "Your password is $password</P>";
}
else if ($num==0) {
unset($do);
echo "<P>You are not authorised! Please try again.</P>";
include("login_form.inc");
}
break;

default:
include("login_form.inc");
}
?>
</BODY>
</HTML>

here lies the form.inc code:


<form action="index.php?do=authenticate" method="post">
<table border=0>
<tr>
<td><strong>Username:</strong></td>
<td><input type="text" name="username" size="10" maxlength="10"></td>
</tr>
<tr>
<td><strong>Password:</strong></td>
<td><input type="password" name="passwd" size="10" maxlength="10"></td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" value="Login">
</td>
</tr>
</table>
</form>

Can somebody pls help me. It's my first php code ever.

Ripley

Posted: Fri Jul 18, 2003 11:08 am
by pootergeist
Even though your form method is post, the variable 'do' is _GET (due to being appended to the URL).

Personally I'd lose the switch as well and just go straight for

if($_GET['do'] == 'authenticate')
{
// do stuff
}

Posted: Fri Jul 18, 2003 11:46 am
by werlop
Slightly off topic, but watch .inc files: unless your server is specifically configured, the server will send the whole of the file to the browser if the file is referenced. This includes PHP code, which means passwords are vulnerable.

Posted: Wed Jul 23, 2003 1:16 am
by MeltedPixel
Seems like you are working on a login script.
Here is one I have:

<form action="login.php" method="post">
<input type="text" name="name" value="user name"><br>
<input type="password" name="password" value="password"><br>
<input type="submit" value="submit">
</form>
You want to name that page login.html, or whatever you want really.

<?php
if($name == "username" || $password == "password")
{
          print("You are logged in!");
}
else
{
         print("Wrong username or password.");
}
?>
Name that file login.php.
You can change the username/password by editing, well, the words "username" and "password".
I'm not positive if this is the most secure method to log in, but it works =P
Lemme know if you need any help.

Posted: Wed Jul 23, 2003 2:23 am
by m@ndio
Melted Pixel, what ripley is trying to do is a bit more advanced than that. He is checking to see if the username and password exist in the database.

What you have done is fine for basic scripts for sites that contain non-sensitive information. If for some reason PHP was to stop compiling on the server and a request was made for that script, the code would be leaked to the user, i.e. the entire script would be printed in their browser. This would of course reveal the login/password you have set in your code.

Posted: Wed Jul 23, 2003 2:37 am
by Drachlen

<?php
session_start(); // must run before $_SESSION is used

// Escape the username before it is placed in the query.
// The md5 hex digest contains only [0-9a-f], so it needs no escaping.
$username = addslashes($_POST['username']);
$md = md5($_POST['password']);

$link = mysql_connect("localhost", "-", "-")
        or die("Could not connect");
mysql_select_db("-", $link) or die("Could not select database");

// Single quotes delimit the SQL values inside the double-quoted PHP string.
$query = mysql_query("select username from users where username='$username' and password='$md' limit 1");

if (mysql_num_rows($query) == 1) {
   $_SESSION['auth'] = true;
   $_SESSION['username'] = $_POST['username'];
   // Escape the name for HTML before echoing it back.
   echo "You have logged in as " . htmlspecialchars($_POST['username']);
} else {
   $_SESSION['auth'] = false;
   $_SESSION['username'] = '';
   echo "Incorrect username or password";
}
?>
For this to work, the registered password will have to be md5. Once you submit your regular password, it is encrypted with md5, then it's checked if it matches the one in the database.
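
The database login discussed in this thread, rewritten with a parameterized query and password_hash()/password_verify(), as an added example that is not part of any post above. It swaps the mysql_* functions for PDO with an in-memory SQLite database so it runs stand-alone; the table and field names follow ripley's post, and the sample account is constructed.

```php
<?php
// Added example, not code from the thread. The users/username/passwd names follow
// ripley's post; the in-memory SQLite database and the sample account are constructed.

function authenticate(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text, so quotes in
    // $username cannot change the query (no addslashes needed).
    $stmt = $pdo->prepare('SELECT passwd FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no such user

    // password_verify() re-hashes with the salt and cost stored in $hash.
    return is_string($hash) && password_verify($password, $hash);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, passwd TEXT NOT NULL)');

// Registration side: store a salted, slow hash rather than the password or a bare md5.
$pdo->prepare('INSERT INTO users (username, passwd) VALUES (?, ?)')
    ->execute(['ripley', password_hash('sample-Passw0rd', PASSWORD_DEFAULT)]);

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    // Web request: read the fields from $_POST by the names used in the form
    // (username, passwd) instead of relying on register_globals.
    session_start();
    $user = (string)($_POST['username'] ?? '');
    $pass = (string)($_POST['passwd'] ?? '');
    if (authenticate($pdo, $user, $pass)) {
        session_regenerate_id(true);       // fresh session id after login
        $_SESSION['auth'] = true;
        $_SESSION['username'] = $user;
        // Escape on output; never echo the password back.
        echo '<p>Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</p>';
    } else {
        echo '<p>Incorrect username or password</p>';
    }
} else {
    // Command-line check with constructed inputs.
    var_dump(authenticate($pdo, 'ripley', 'sample-Passw0rd'));   // valid login
    var_dump(authenticate($pdo, "ripley' OR '1'='1", 'x'));      // treated as a literal name
    var_dump(authenticate($pdo, 'ripley', 'wrong'));             // wrong password
}
```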

Posted: Wed Jul 23, 2003 2:56 am
by m3mn0n
werlop wrote: Slightly off topic, but watch .inc files: unless your server is specifically configured, the server will send the whole of the file to the browser if the file is referenced. This includes PHP code, which means passwords are vulnerable.
I agree, use whatever.inc.php instead of whatever.inc.

Or configure your server, if you have access of course, to treat .inc files as .php. :)

Posted: Wed Jul 23, 2003 3:05 am
by qartis
MeltedPixel wrote: if($name == "username" || $password == "password")
You probably want "&&" instead of "||"; you want both the username AND password to match :)

Posted: Wed Jul 23, 2003 3:21 am
by m3mn0n
Just to add on to this last point, I prefer to make sure a variable is NOT set rather than set, e.g.:

<?php
if (!$username OR !$password){
  error("YOU DIDN'T COMPLETE THE FORM!");
} else {
  // 10, 20, 50, or more lines of code
}
?>
rather than...

<?php
if ($username && $password){
  // 10, 20, 50, or more lines of code
} else {
  error("YOU DIDN'T COMPLETE THE FORM!");
}
?>
As a wise PHP guru once told me, it helps with debugging and keeping good source code structure. It's not a major difference but those two points were enough to change my ways.