Login users

decpariem
Forum Newbie
Posts: 4
Joined: Sun Mar 14, 2010 8:03 am

Login users

Post by decpariem »

Hi! I am using PHP with Flash and MySQL.
I have a table users where the users of the site are stored.
A user might be either simple or admin.
I have this PHP code that works for the admin.
I figured out that I have to add a column to my database named role. I want to modify the code so that if role=0 then status=admin,
if role=1 then status=user. Can you do this? I use status because it's the only way for Flash to understand this.
<?php
include_once("settings.inc.php");
include_once("functions.inc.php");
$password = MD5($_GET['userPassword']); // md5()

$query = "SELECT * FROM user WHERE username = '" . $_GET['userName'] . "' AND password = '$password'";
$result = @mysql_query($query);
if($result){
    if(mysql_num_rows($result) == 1){
        echo "status=ok";
    }
    else{
        fail("The user name and password could not be validated.");
    }
}else{
    fail("There was an error getting information on the admin.", mysql_error());
}
?>
guosheng1987
Forum Newbie
Posts: 24
Joined: Thu Oct 15, 2009 3:03 am

Re: Login users

Post by guosheng1987 »

decpariem wrote: Hi! I am using PHP with Flash and MySQL.
I have a table users where the users of the site are stored.
A user might be either simple or admin.
I have this PHP code that works for the admin.
I figured out that I have to add a column to my database named role. I want to modify the code so that if role=0 then status=admin,
if role=1 then status=user. Can you do this? I use status because it's the only way for Flash to understand this.
You can add a column named role.
If role = 1 then it is admin.
decpariem
Forum Newbie
Posts: 4
Joined: Sun Mar 14, 2010 8:03 am

Re: Login users

Post by decpariem »

Yes, I know that, but I can't get it to work with the code.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Login users

Post by flying_circus »

  • Do not pass user credentials through the URL query string ($_GET). The only suitable method for passing credentials is an HTTP POST. Reference RFC 2616.
  • Verify that the data exists before you access it. You will throw a NOTICE if you don't.
  • MD5 is no longer cryptographically suitable for hashing passwords. Use at least sha256.
  • Validate your data. There is no reason to run a query if the username is blank, is there? The best solution is to use a regex to only allow appropriate characters.
  • Be specific in your query. Only return the rows you need to access. This will help with performance on large result sets.
  • Always escape data that you are going to put into a query!!! This helps prevent SQL injection.
  • Use a LIMIT clause whenever you can. When you are working with login credentials, there is no reason to expect more than 1 row. Limit the query to 1 row, so if you are susceptible to SQL injection, the damage is, hopefully, limited.
  • Never suppress errors. Handle them. There is a reason it is erroring. Find out why and fix it.
  • Do not output mysql_error() in a production environment. Don't output any errors other than your defined, generic error messages.


<?php
  # Includes (settings.inc.php is assumed to open the mysql connection that
  # mysql_real_escape_string() and mysql_query() use below)
    include_once("settings.inc.php");
    include_once("functions.inc.php");

  try {
    # Fetch POST Data
      $username = (isset($_POST['userName'])) ? $_POST['userName'] : '';
      $password = (isset($_POST['userPassword'])) ? hash('sha512', $_POST['userPassword']) : '';

    # Sanity Check - Validation goes here
      if(empty($username))
        throw new Exception('Incorrect Username or Password');

    # Build SQL Query
      $query = sprintf("SELECT `role` FROM `user` WHERE `username`='%s' AND `password`='%s' LIMIT 1;",
                       mysql_real_escape_string($username),
                       mysql_real_escape_string($password));

    # Fetch Resultset from the database
      $result = mysql_query($query);

    # Fetch User's Role from the Resultset
      if($result && mysql_num_rows($result) == 1) {
        $user = mysql_fetch_assoc($result);

        if($user['role'] == 0) {
          $role = 'Admin';
        } else {
          $role = 'User';
        }
      } else {
        throw new Exception('Incorrect Username or Password');
      }

    # Report the role back to Flash in the status=... form it expects
      echo "status=" . strtolower($role);
  } catch (Exception $e) {
    # Generic message only; never echo mysql_error() or the exception text to the client
    echo "status=fail";
  }
?>
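A hardened version of the login above, as an added example that is not code from the thread or from either poster. It assumes PHP 7.1 or later with PDO and the pdo_sqlite driver; the in-memory database, the table layout and the two accounts (alice as admin, bob as user, with the passwords shown) are constructed for the example so that it runs offline. Two choices go beyond the post's advice: a prepared statement with a bound parameter replaces escaping (the driver sends the value separately from the SQL text, so there is nothing to escape), and password_hash()/password_verify() (salted, stretched bcrypt) replace an unsalted SHA-2 digest, which is what current guidance for stored passwords calls for. The role mapping (0 = admin, 1 = user) and the status=... reply format are the thread's own.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with PDO and the
// pdo_sqlite driver; the in-memory SQLite database and the two accounts below are
// constructed so the script runs offline. For MySQL, change only the DSN and
// credentials in open_db().
declare(strict_types=1);

// Open the database and, for this example, seed it. role 0 = admin, 1 = user,
// the convention from the thread.
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Make the driver throw instead of returning false so failures cannot be
    // silently ignored (the @mysql_query() problem in the original code).
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        id       INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        role     INTEGER NOT NULL
    )');
    $ins = $db->prepare('INSERT INTO user (username, password, role) VALUES (:u, :p, :r)');
    // Constructed sample accounts. password_hash() salts and stretches (bcrypt),
    // which a bare md5()/sha256() of the password does not.
    $ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT), ':r' => 0]);
    $ins->execute([':u' => 'bob',   ':p' => password_hash('battery staple', PASSWORD_DEFAULT), ':r' => 1]);
    return $db;
}

// Returns 'admin' or 'user' on success, null on any failure. The caller gets
// one generic outcome: it never learns whether the username or the password
// was wrong, and never sees a database error message.
function login(PDO $db, string $username, string $password): ?string
{
    // Cheap validation before touching the database.
    if ($username === '' || $password === '' || strlen($username) > 64) {
        return null;
    }
    try {
        // Prepared statement: the username travels separately from the SQL
        // text, so an input such as  alice' OR '1'='1  is looked up literally
        // and simply does not exist. LIMIT 1 is belt and braces, not the defence.
        $stmt = $db->prepare('SELECT password, role FROM user WHERE username = :u LIMIT 1');
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('login query failed: ' . $e->getMessage()); // log it, do not echo it
        return null;
    }
    // Verify against a dummy hash when the user is unknown, so a missing
    // account does not answer noticeably faster than a wrong password.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    $hash = ($row === false) ? $dummy : $row['password'];
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    return ((int) $row['role'] === 0) ? 'admin' : 'user';
}

// Web entry point: credentials are accepted from a POST body only.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain; charset=utf-8');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        echo 'status=fail';
        exit;
    }
    $status = login(open_db(), (string) ($_POST['userName'] ?? ''), (string) ($_POST['userPassword'] ?? ''));
    echo ($status === null) ? 'status=fail' : 'status=' . $status;   // what the Flash side reads
} else {
    // Command-line self-check with the constructed accounts, including an
    // injection-shaped username and a wrong password.
    $db = open_db();
    foreach ([['alice', 'correct horse'], ['bob', 'battery staple'],
              ["alice' OR '1'='1", 'anything'], ['alice', 'wrong']] as [$u, $p]) {
        printf("%-20s -> %s\n", $u, login($db, $u, $p) ?? 'fail');
    }
}
```

Run it from the command line to see the four constructed cases; deployed under a web server it answers only POST requests and replies with exactly one of status=admin, status=user or status=fail, so the Flash client keeps the key=value format the original poster needs while the server never reveals which half of the credentials failed.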
decpariem
Forum Newbie
Posts: 4
Joined: Sun Mar 14, 2010 8:03 am

Re: Login users

Post by decpariem »

Thanks, your post is very useful. For the POST method, it seems that with Flash and UTF-8 it is not working.
That's why I can't use it. And I use UTF-8 because I have Greek text. I'll follow the other advice though.
Thank you.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Login users

Post by flying_circus »

decpariem wrote: It seems that with Flash and UTF-8 it is not working.
As long as both your form and Flash use the same character set, I can't see why it would make a difference.
decpariem
Forum Newbie
Posts: 4
Joined: Sun Mar 14, 2010 8:03 am

Re: Login users

Post by decpariem »

I've been dealing with the same question. I've tried everything else.
Worked only with POST.
Can't understand why! But now it's working.