User Login Question

Phillips126
Forum Newbie
Posts: 9
Joined: Thu Feb 18, 2010 2:21 pm

User Login Question

Post by Phillips126 »

Hey all,

I have a question I hope someone can answer for me.

I am building a website that allows users to log in.

On the Index.php page, I have a form that asks for Username / Password.

When the Submit button is clicked, it checks the database to ensure the username / password are correct.

Is there a way to send the page to a members.php page (that lists member statistics, profiles, etc...) if the Username / Password are correct?

The only way I know of "sending users to another page" using PHP is the header(Location: ...) which I don't think will work in this case.

Thanks in advance,

Phillips126
pbs
Forum Contributor
Posts: 230
Joined: Fri Nov 07, 2008 5:31 am
Location: Nashik, India

Re: User Login Question

Post by pbs »

If you are using AJAX to check login information, then you can use window.location = 'members.php'; in javascript for successful login.
Phillips126
Forum Newbie
Posts: 9
Joined: Thu Feb 18, 2010 2:21 pm

Re: User Login Question

Post by Phillips126 »

Thanks for the quick response.

Right now the website is strictly PHP/HTML...

Here is how I am checking the login:

Code:

$log_data = mysql_query("SELECT * FROM members WHERE username='$username' and password='$password'");
$log_check = mysql_num_rows($log_data);
 
if ($log_check != 1) { .......
I thought of using the JavaScript method of "redirecting" pages, however, I am concerned for those who may have JavaScript disabled.

Any workarounds?

Thanks,

Phillips126
pbs
Forum Contributor
Posts: 230
Joined: Fri Nov 07, 2008 5:31 am
Location: Nashik, India

Re: User Login Question

Post by pbs »

According to your code header("Location: ....") should work.
Phillips126
Forum Newbie
Posts: 9
Joined: Thu Feb 18, 2010 2:21 pm

Re: User Login Question

Post by Phillips126 »

Okay, I switched it up a little bit, but now I am left with another issue....

I am using an IF ELSE statement which basically says:
If user is NOT logged in, display the login form, if user IS logged in successfully, display member page.

Here is my code:

Code:

$username = $_POST['Username'];
$password = md5($_POST['Password']);
 
$log_data = mysql_query("SELECT * FROM members WHERE username='$username' and password='$password'");
$log_check = mysql_num_rows($log_data);
 
if ($log_check != 1) { 
 
$member_display = "<div id=\"member_login\">
         <h2>Please Login Below:</h2>
         <form action=\"<?php echo $_SERVER['PHP_SELF']; ?>\" method=\"post\">
                 <label class=\"register_label\">Username:</label><input class=\"register_field\" name=\"Username\" type=\"text\" /><br /><br />
                              <label class=\"register_label\">Password:</label><input class=\"register_field\" name=\"Password\" type=\"password\" /><br /><br />
                              <label class=\"register_label\">Login:</label><input name=\"\" type=\"submit\" value=\"Submit\" />
                 </form>
         </div>";
                   
$member_display_reg = "<div id=\"register2\">
                                 <a href=\"register.php\">Need To Register? Click Here!</a>
                    </div>";
 
} else {
 
$_SESSION['username'] = "$username";
 
$member_display = "<div id=\"member_left\">
                   <div id=\"member_profile_img\"></div>
                   </div>
        
                   <div id=\"member_right\">
                   <h1>Welcome $username" . "!</h1>
                   </div>";
        
$member_display_reg = "";
 
}

Code:

<div id="body_content_container">
      <div id="register">
        
        <?php echo $member_display ?>
        
      </div>
      
      <?php echo $member_display_reg ?>
      
    </div>
  </div>
Problem is that my form uses the action: "<?php echo $_SERVER['PHP_SELF']; ?>" which is giving me errors.

I am not really sure how to call this form any other way since I'm pretty new at PHP as is....

Any help would be great,

Thanks in advance.

Phillips126
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: User Login Question

Post by flying_circus »

Phillips126 wrote:

Code:

 
$member_display = "<div id=\"member_login\">
         <h2>Please Login Below:</h2>
         <form action=\"{$_SERVER['PHP_SELF']}\" method=\"post\">
                 <label class=\"register_label\">Username:</label><input class=\"register_field\" name=\"Username\" type=\"text\" /><br /><br />
                              <label class=\"register_label\">Password:</label><input class=\"register_field\" name=\"Password\" type=\"password\" /><br /><br />
                              <label class=\"register_label\">Login:</label><input name=\"\" type=\"submit\" value=\"Submit\" />
                 </form>
         </div>";
You don't need to wrap $_SERVER['PHP_SELF'] in <?php ?> tags when you are already nested inside of <?php ?> tags.

Phillips126 wrote:

Code:

$username = $_POST['Username'];
$password = md5($_POST['Password']);
 
$log_data = mysql_query("SELECT * FROM members WHERE username='$username' and password='$password'");
$log_check = mysql_num_rows($log_data);
Now for the REAL concerns...
  • md5 is no longer cryptographically suitable for passwords. Never use it for hashing passwords. You can use sha1, but it is speculated that it will soon suffer the fate of md5. I recommend using no less than sha256. Read the PHP manual on the hash() function, and choose a strong algorithm.
  • Your code is vulnerable to SQL injection. You MUST escape all data before sending it to the database. Read the PHP manual on mysql_real_escape_string.
  • If it's available, you should use the mysqli extension, rather than the mysql extension. They both do the same thing, but mysqli offers some benefits. Mysqlnd would be best, but it will probably take time before it's available on most web hosts.
  • You should check existence of foreign data before happily using it, otherwise you may throw notices. Plus, it's just good practice.
  • You should use the SQL LIMIT clause when you only expect a certain amount of results. For example, you should only expect 1 user to be returned by your login script, then use LIMIT 1.
  • You should also get in the habit of terminating your queries with a semicolon. MySQL doesn't support multiple queries per request, but other databases do.
  • A MySQL query will return false if there was an error. Check to make sure your query did not fail, before using it.
  • You should probably validate your data before using it as well. What is the point of running a query, if the username is blank. Does your system allow a blank username? How about a username of "ò"?

Code:

$username = (isset($_POST['Username'])) ? $_POST['Username'] : "";
$password = (isset($_POST['Password'])) ? hash('sha512', $_POST['Password']) : "";
 
# Validate data here
if (empty($username)) {
  # Username is blank.  Kill the script and present the user with an error message.
  die("Username is required.");
}
 
# Both values are escaped before being placed into the query string.
$log_data = mysql_query(sprintf("SELECT * FROM `members` WHERE `username`='%s' and `password`='%s' LIMIT 1;",
                                mysql_real_escape_string($username),
                                mysql_real_escape_string($password)));
                                
if ($log_data) {
  $log_check = mysql_num_rows($log_data);
} else {
  // Query Failed.  Handle the error.
  $log_check = 0;
}
Last edited by flying_circus on Fri Feb 19, 2010 1:17 pm, edited 1 time in total.
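
A login handler along the lines discussed in this thread, as an added example that is not part of any poster's code: it goes a step beyond the advice above by using mysqli prepared statements in place of manual escaping and PHP's password_hash()/password_verify() in place of a bare hash() digest, then redirects with header(). The connection values, and the assumption that the `password` column of `members` stores password_hash() output, are illustrative.

```php
<?php
// Added example (not from the thread). Assumes `members`.`password` stores
// password_hash() output; connection values below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
session_start();

// Returns true only when the user exists and the password matches.
function check_login(mysqli $db, string $username, string $password): bool
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT `password` FROM `members` WHERE `username` = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = ($stmt->fetch() === true);
    $stmt->close();
    return $found && password_verify($password, $stored_hash);
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Check that the fields exist and are strings before using them.
    $username = is_string($_POST['Username'] ?? null) ? trim($_POST['Username']) : '';
    $password = is_string($_POST['Password'] ?? null) ? $_POST['Password'] : '';

    if ($username === '' || $password === '') {
        $error = 'Username and password are required.';
    } else {
        $db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
        if (check_login($db, $username, $password)) {
            session_regenerate_id(true);      // fresh session ID after login
            $_SESSION['username'] = $username;
            header('Location: members.php');  // must be sent before any output
            exit;
        }
        $error = 'Invalid username or password.';
    }
}
?>
<?php if ($error !== ''): ?>
  <p><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
  <label>Username: <input name="Username" type="text" /></label>
  <label>Password: <input name="Password" type="password" /></label>
  <input type="submit" value="Submit" />
</form>
```

The registration page would store `password_hash($password, PASSWORD_DEFAULT)` in the same column, and members.php would check `$_SESSION['username']` before showing anything.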
Phillips126
Forum Newbie
Posts: 9
Joined: Thu Feb 18, 2010 2:21 pm

Re: User Login Question

Post by Phillips126 »

flying_circus,

I want to greatly thank you for your help.

This is a learning experience for me (so far I LOVE it!).

I understand that PHP has quite a few vulnerabilities, and I was quite worried about that as I really don't know how to combat them.
Thank you for posting some methods in solving those vulnerabilities!

I will continue using this Thread if I have any other questions / concerns regarding this project of mine.

Phillips126