
login form help...

Posted: Sat Dec 04, 2010 8:43 am
by rajke88
Hi to all, I just started learning PHP, that means I'm a total newbie, and I have a hard time understanding it. I watched this tutorial here
http://www.youtube.com/watch?v=4oSCuEtxRK8 part one!
http://www.youtube.com/watch?v=y7ae_cZahPs part two!

and I'm stuck at part 2; part one works fine with me...
I didn't want to write the code as he did, can someone explain to me why this code doesn't work???? (THIS IS MY CODE, I MODIFIED THE TUTOR'S CODE FROM PART 2)


Code:

<?php
$username = $_POST['username'];
$password = $_POST['password'];


if ($username&&$password)//checks whether the values from index.php were passed into the variables on this page
{

$connect = mysql_connect("localhost","root","") or die("Logovanje na sistem nije uspesno");
mysql_select_db("vezba") or die ("Baza sa tim imenom nije pronadjena");//mysql_select_db is a built-in function, so it is not declared

$query = mysql_query("SELECT * FROM * user WHERE username='$username'");
$dbusername = $query['username'];
if ($username==$dbusername)
{
echo "Ur logged in";
}
else die ("Inncorect user or password!");

}

else  die ("Must fill in form");

?>
WHENEVER I PUT SOMETHING IN THE FIELDS I GET THE MESSAGE INCORRECT USER OR PASSWORD, even when I try to put a user and password that are there in the database!!! :( This is my code, can you help me out with how to put the
username from the database in the PHP VARIABLE and then try to match the PHP VARIABLES: if variable 1 == variable 2, echo you are logged in. Can someone explain to me how to achieve this? P.S. this dude in his tutorials uses the rows to find out if the user is in the database or not, and I personally didn't like that method. Thanks guys.

Re: login form help...

Posted: Sat Dec 04, 2010 1:49 pm
by curlybracket

Code:

$query = mysql_query("SELECT * FROM * user WHERE username='$username'");
$query = mysql_fetch_array($query); // you forgot about this
$dbusername = $query['username'];

Re: login form help...

Posted: Sat Dec 04, 2010 2:07 pm
by califdon
In addition to the important omission pointed out by curlybracket, there are several other things you probably will need to correct in your script.

In your query, you fail to specify a table name. Using just an * doesn't work, as far as I know.

When using an * for the field names (meaning, ALL fields in the table), there is no purpose in repeating the name of a field.

You are only checking for the username, don't you want to check for both username and password??

So your query should look more like this (using the name of your table, of course):

Code:

"SELECT * FROM MyUserTableName WHERE username='$username' AND password='$password'"
You also are missing a final bracket just before the ?> tag at the end.

Re: login form help...

Posted: Sat Dec 04, 2010 6:08 pm
by rajke88
Guys, thank you very much!!! It works now, I listened to both pieces of advice and it works like a charm! P.S. I didn't know about this command mysql_fetch_array, it proved very good. I am a very noob when it comes to PHP, and thank you guys very much for helping me out :) :D One question I have, since this method was from my head, I was wondering, is this a secure method for authenticating users? Or do I have to implement some other fragments in my code as well?

Re: login form help...

Posted: Sat Dec 04, 2010 7:00 pm
by curlybracket
After you add the password check to your SQL as califdon said, it will be quite a good method. One more thing you can easily change to improve security: use md5() to encrypt passwords in your database.

Re: login form help...

Posted: Sat Dec 04, 2010 7:46 pm
by califdon
One more very important security measure:

For ANY input you receive from a web page, especially logins, you should never just accept the value in the $_POST array as-is. That allows anyone to do what is called "SQL Injection" which means instead of entering their username, for example, they could enter ' OR '1 = 1' and when that is sent to the database, it will match every username, since "1" always equals "1". There is much more to it than that, look up sql injection on Google! There is a built-in PHP function that will defeat SQL injection, so always use it, like this:

Code:

<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
This adds backslash escape characters to certain characters, to defeat the exploit. Read about this in the manual: http://php.net/manual/en/function.mysql ... string.php, it's really important.

You can only use this function after you have connected to a MySQL server, so it must be at a later place in your script than the first call to mysql_connect().
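As an added illustration of califdon's point (example code, not from the thread): the same lookup built by splicing the input into the SQL text and built as a prepared statement, run against an in-memory SQLite table so it needs no MySQL server. mysql_real_escape_string() from the post does its job by escaping the quotes, but it belongs to the old mysql extension (removed in PHP 7), so the hardened version here uses a PDO prepared statement instead; the table and the inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (username TEXT, password TEXT)");
$db->exec("INSERT INTO user VALUES ('rajke', 'secret')");   // constructed row

// Constructed input of the kind califdon describes: not a username at all.
// The leading quote closes the string literal and the rest is read as SQL.
$username = "' OR '1'='1";
$password = "' OR '1'='1";

// 1) Vulnerable: the input becomes part of the SQL text. After interpolation
//    the WHERE clause reads  username='' OR '1'='1' AND password='' OR '1'='1'
//    and the OR '1'='1' branch is always true, so the row is returned even
//    though neither the username nor the password was known.
$sql = "SELECT * FROM user WHERE username='$username' AND password='$password'";
echo $sql, "\n";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "vulnerable query matched ", count($rows), " row(s)\n";

// 2) Hardened: a prepared statement sends the SQL and the values separately.
//    The database compares the input as data; it is never parsed as SQL, so
//    the same input matches nothing.
$stmt = $db->prepare("SELECT * FROM user WHERE username = ? AND password = ?");
$stmt->execute([$username, $password]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "prepared query matched ", count($rows), " row(s)\n";
```

Run it with the PHP CLI (the pdo_sqlite extension is bundled with most PHP builds); the first count is 1 and the second is 0.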

Re: login form help...

Posted: Sun Dec 05, 2010 4:12 am
by rajke88
You two are gods :) I used mysql_real_escape_string to change the parameters of the user or password if necessary (cuz that's how I understood that function works), and my login form works like a charm!!! + I implemented session_start(); in my every page and session_destroy() as a logout (and it is situated in my logout.php that isn't shown down) so I could prevent abuse of the login system I created ;P and I suppose it is much more secure with the ANTI SQL INJECTION FUNCTION AND Session functions in it. The only thing I can't figure out is how to use that md5 password encrypting method.

Here is my code just to show how I did it, and what I have changed.

Code:

<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];


if ($username&&$password)//checks whether the values from index.php were passed into the variables on this page
{

$connect = mysql_connect("localhost","root","") or die("Logovanje na sistem nije uspesno");
mysql_select_db("vezba") or die ("Baza sa tim imenom nije pronadjena");//mysql_select_db is a built-in function, so it is not declared

$query = mysql_query("SELECT * FROM user WHERE username='$username' AND password='$password'");
//if it finds the data in that table it has found a row; there must not be 0 rows, because that would mean it did not find the data requested of it
$query = mysql_fetch_array($query);
$dbusername = $query['username'];
mysql_real_escape_string($username);//protection against hacking (SQL injection)
mysql_real_escape_string($password);//protection against hacking (SQL injection)


if ($username==$dbusername)
{
echo "Ulogovani ste pod imenom $username <a href='member.php'>Klikni ovde</a>";
$_SESSION['username']=$username;

}
else die ("Inncorect user or password!");

}

else  die ("Must fill in form");

?>

Re: login form help...

Posted: Sun Dec 05, 2010 2:29 pm
by califdon
It sounds like you're making real progress. Let me try to address 2 issues:

1. mysql_real_escape_string():

You are still accepting the $_POST data without escaping it. Move your mysql_connect() statement up to the top, right under session_start(). THEN get the values for $username and $password, using the mysql_real_escape_string() function, so your variables will immediately be "cleaned". Like this:

Code:

<?php
session_start();

$connect = mysql_connect("localhost","root","") or die("Logovanje na sistem nije uspesno");
mysql_select_db("vezba") or die ("Baza sa tim imenom nije pronadjena");

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
Now you have connected to the database AND got your "cleaned" $username and $password variables, so you don't need to repeat that later in your script.

2. MD5 encryption:

The idea is to avoid storing a password in plain text, even in your own database, because it is always possible for someone to gain access to your database. By storing only an encrypted version, even if someone gets into your database, they won't be able to read the passwords. But if it's encrypted, how does the user know what to enter? Easy: the user doesn't need to know the encrypted version! The user just enters the password, which you put into a variable, then you encrypt the password and compare it with the stored encrypted version. So your script doesn't even KNOW what the real password is, it only compares the encrypted version of what the user entered to the encrypted version of the real password that's stored in the database! Even you, the webmaster and sysadmin for your database, can't determine what the real password is. You can only test what the user entered and determine if it's the same or not. Notice, however, that unless you are using a Secure server (https://)--which is expensive--whatever the user enters will be sent over the Internet in plain text! So all you're doing here is protecting your database so that passwords cannot be stolen from it. There's a good tutorial on this at: http://www.webcheatsheet.com/php/md5_en ... swords.php
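A worked version of the hash-and-compare flow califdon describes (added example, not from the thread): registration stores only a hash, and login hashes what the user typed and compares it with the stored value, so the script never holds the real password. It uses PHP's password_hash()/password_verify() (PHP 5.5 and later) in place of the md5() suggested earlier, and a PHP array stands in for the user table.

```php
<?php
// Added example, not from the thread. An array stands in for the user table;
// in the real script registerUser() would INSERT and checkLogin() would SELECT.
$users = [];

// Registration: hash the password once and store only the hash.
function registerUser(array &$users, string $username, string $password): void
{
    // md5($password), as suggested in the thread, is unsalted and fast: two
    // users with the same password get the same stored value, and a leaked
    // table can be brute-forced quickly. password_hash() adds a random salt
    // and uses a deliberately slow algorithm (bcrypt by default).
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: hash what the user typed the same way and compare with the stored
// hash. The plaintext password is never stored and never needs to be known.
function checkLogin(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    // password_verify() reads the salt and cost out of the stored hash and
    // compares in constant time.
    return password_verify($password, $users[$username]);
}

registerUser($users, 'rajke', 'correct horse battery');
registerUser($users, 'curly', 'correct horse battery');

// Same password, different stored hashes, because each got its own salt.
echo $users['rajke'], "\n", $users['curly'], "\n";

var_dump(checkLogin($users, 'rajke', 'correct horse battery'));  // right password
var_dump(checkLogin($users, 'rajke', 'wrong password'));         // wrong password
var_dump(checkLogin($users, 'nobody', 'correct horse battery')); // unknown user
```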

Re: login form help...

Posted: Sun Dec 05, 2010 5:00 pm
by rajke88
The whole day I was stuck with the if statements in my registration.php, and finally I figured out how the system works :) thanks for these lines man, I will implement them in my login.php, and I'll post my final result here, what I have done, in my next post.


I will try to implement that code of yours + implement md5 encryption, since I found some useful articles on the internet, and I will post my whole test system here in a zip file if someone wants to test it out, + I will translate it all to English :) so you know what the error message is all about. I'm starting to like PHP :) it doesn't seem to be too hard to learn, and gives the user security + space to be creative :)

califdon you really helped me a lot, I would probably have spent too many hours figuring out how to manage simple things in my code and you saved them for me, and you gave me the will to work, because every start is hard, especially when you are alone :) and I just want to say sorry for my bad English, I'm from Serbia in Europe, and English is not my native language, but I hope you understand me :P I can't wait to see your final judgment on my very first PHP test project :) cheers! and best regards from me!

Re: login form help...

Posted: Mon Dec 06, 2010 6:18 am
by rajke88
I cleaned up all the mess! and did everything you advised me to do :- )
Thanks once again, and this is the result of my work!!! Feel free to test it and to use it however you want :) I gave you credits in the readme.txt as well! :) :!: :mrgreen:
P.S. I translated it all to English so you can understand the comments I made while programming, as well as the error messages that you can encounter if you do something wrong.
I want to see your opinion of my work, thanks once again! :)

Re: login form help...

Posted: Mon Dec 06, 2010 3:31 pm
by califdon
That's very nice of you to credit curlybracket and me in your readme.txt file. Thank you.

The main thing I would tell you is that you need to do the same thing in your register.php script as you did in your login.php script. ANY time you are going to insert data into your database from data input by a user, you need to use mysql_real_escape_string() to defeat attempts to use SQL insertion strategy to damage your data.

You might want to think about adding other functionality to this registration/login process. One technique that is often used to have better control over users is this: Require users to provide their email address (then you will have some way to contact them later, if you need to), and instead of having them provide their own password, your script can generate a good password and send it to them in an email (as well as storing it in the database). This is an extra step for the user, but it gives better security, since nobody can login unless they have received the email, so you know you have a valid email address. Your script could even send another email to YOU every time someone new registers, so you could check on who is registering. It's up to you how secure you want your site to be.

If you are interested in doing something like that, you can read the PHP manual about using the built-in PHP function mail() (See http://email.about.com/od/emailprogrammingtips/qt/How_to_Send_Email_from_a_PHP_Script.htm). If you have an SMTP server running on the same host that runs the web server, it's very simple. If you don't have a local SMTP running, you will need to make some PHP.ini configuration changes, as described in the above reference.

Re: login form help...

Posted: Mon Dec 06, 2010 3:59 pm
by rajke88
If I told you that I had thought of the exact same thing today, you wouldn't believe me :P.. I agree totally with you!.. I was thinking about username or email instead and I came to the conclusion (email is harder for others to remember, and a username can be easily remembered + email can serve you as contact info, so email wins definitely). Do you have some messenger? or something like that so I can stay in touch with you, maybe ask you for some advice in programming? I'll PM you my MSN and if you have it you can add me, if you wish of course, I use MSN and Skype as well.

Thanks for this useful talk and for your advice!!

Re: login form help...

Posted: Mon Dec 06, 2010 5:32 pm
by califdon
I created a silly demo website several years ago that has a registration/login system that might give you some ideas. I will attach the 2 scripts that are involved, in a .zip file. You can visit the site at http://poatree.org and see the code attached here.

There are several slightly more advanced things I did, while trying to develop techniques to use on other, more useful, sites. I did implement sending a predetermined password to the registrant by email, and I incorporated a password generator based on a MySQL database table that consists of hundreds of short words (6 to 8 characters) and I use a random selection of 2 words with a random number between them, to make the password. It's easier to remember than just letters and numbers. Also, I validate the data input in the browser, using AJAX (Javascript that requests data from the server without refreshing the page), so you will see a lot of Javascript code in the first script.

I also use a CAPTCHA image that helps to insure that data is being input by a human, not a robot. This isn't 100% foolproof, but it greatly reduces the robot registrations. I'm no expert on CAPTCHA and just downloaded some scripts from the web. There are lots of free scripts available. The script I attached here won't work without the referenced CAPTCHA file.

The first script, poareg.txt (.php) is what is used when a user clicks on "Register" on the index page. The second script, newreg.txt (.php) is the action script that accepts data from poareg.php.

This should give you some ideas of what can be done for user registration and login.

[Edit: oops, the forum doesn't accept .txt files, I'll have to change it.]

Re: login form help...

Posted: Mon Dec 06, 2010 5:35 pm
by curlybracket
Your readme.txt is very nice, thank you.

Re: login form help...

Posted: Tue Dec 07, 2010 4:27 am
by rajke88
That is just great, I'm amazed by what you did califdon. Thanks for sharing that with the rest of the world here, I really appreciate that. I started to create my own web site in Dreamweaver and that will be a real exercise for me, where I will try to implement my PHP with a bunch of HTML code all around, and for me that is a challenge since I have never done that, I know that it is not hard but I suppose it will be fun to do. Also I will implement that email sender to the user on reg, I will write everything by myself from scratch, and if I have any problems I will post the problem here, or I will try to use your logic califdon from that file you shared with us. P.S. curlybracket no need to thank me :) you deserved it!


1 question: is it better to build a website using tables? div tags? or apdiv tags? (I very much liked the idea of apdiv tags, but in CSS you have to set them to relative and auto-centered so they can work properly) what's your opinion on all that?