Login script with user only pages

giga
Forum Newbie
Posts: 4
Joined: Thu Apr 21, 2011 4:38 am

Post by giga »

LOGIN.PHP:

Code: Select all

<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="root"; // Mysql password
$db_name="globalbattle"; // Database name
$tbl_name="usersystem"; // Table name

mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$username=$_POST['username'];
$password=$_POST['password'];

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
    session_register("username");
    session_register("password");
    header("location:main.php");
}
else {
    echo "Wrong Username or Password";
}
?>
I have registered username and password for main.php.

MAIN.PHP:

Code: Select all

<?php
session_start();
if(!session_is_registered("username")){
    echo "Welcome";
}
?>
Why does the message "Welcome" come up when I have not logged on?
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Login script with user only pages

Post by Apollo »

In login.php you didn't do session_start().

Furthermore, you should NEVER EVER store a password anywhere! You store a hash of the password + some random salt string (so you keep only an irreversible checksum), NOT the original password.

Finally, you ask why the message "Welcome" appears when you have not logged on: well that's exactly what main.php does :) (check the if)
giga
Forum Newbie
Posts: 4
Joined: Thu Apr 21, 2011 4:38 am

Re: Login script with user only pages

Post by giga »

Apollo wrote: In login.php you didn't do session_start().
Why would I need to put session_start in login.php?
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Login script with user only pages

Post by Apollo »

giga wrote: Why would i need to put session_start in login.php?
Because you're doing session_register("username").

Which is deprecated by the way, it's better to use $_SESSION['some_name'] = 'some_value';

(edit) oh, I just noticed in the manual that session_start is called implicitly if you didn't do so yourself. But, with the function being deprecated and all, I'd stick to $_SESSION nonetheless.
Pazuzu156
Forum Contributor
Posts: 241
Joined: Sat Nov 20, 2010 9:00 pm
Location: GA, USA

Re: Login script with user only pages

Post by Pazuzu156 »

First of all, this login is terrible. There is no security in the login. For your query you should use sprintf(). Also, as mentioned before, you need to md5 hash the password in both the login process and in the database it's stored in. Easy enough: $password = md5($password); Also, you need to begin the session in the login page and start the session based on the username: session_start(); to begin the session and $_SESSION['user'] = $username; so the session holds a value while the user is logged in. If you want an example of a login script I made with full explanations, follow this link: viewtopic.php?f=1&t=129897

Hope all this helps you.
- Kaleb Klein
------------------------------------
Web Developer | Software Developer
https://kalebklein.com
PGP Key: https://keybase.io/pazuzu156
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Login script with user only pages

Post by Apollo »

Pazuzu156 wrote: $password = md5($password);
Except...
1. Don't use md5, but a stronger hash (like sha512 or whirlpool).
2. Use salt, to avoid rainbow table attacks.
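
The advice in this thread combined into one runnable sketch, as an added example that is not part of any post: session_start() on every page, $_SESSION instead of session_register(), a salted password hash instead of the stored password, and a main.php check that is true only after a login. It swaps in PHP's password_hash()/password_verify(), which generate and store a per-user salt, for the sha512/whirlpool suggestion, and PDO with a constructed in-memory SQLite table for the mysql_* calls. The function names, the password_hash column and the sample account are assumptions; only the table name comes from giga's post.

```php
<?php
// Added example, not code from the thread. Table name follows giga's post;
// the in-memory SQLite database and the sample account are constructed.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE usersystem (
        username TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $username, string $password): void {
    // password_hash() picks a random salt per user and embeds it in the result,
    // so the table never holds the password itself.
    $stmt = $db->prepare('INSERT INTO usersystem (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function attempt_login(PDO $db, string $username, string $password): bool {
    // Bound parameter instead of building the SQL string from $_POST values.
    $stmt = $db->prepare('SELECT password_hash FROM usersystem WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;                 // unknown user or wrong password
    }
    session_regenerate_id(true);      // fresh session ID once authenticated
    $_SESSION['user'] = $username;    // keep the username only, never the password
    return true;
}

function is_logged_in(): bool {
    // The check main.php needs: true only after attempt_login() succeeded.
    return isset($_SESSION['user']);
}

session_start();                      // before any output, on every page
$db = open_db();
register_user($db, 'giga', 'correct horse battery staple');

$before = is_logged_in();
$bad    = attempt_login($db, 'giga', 'wrong password');
$good   = attempt_login($db, 'giga', 'correct horse battery staple');
var_dump($before, $bad, $good, is_logged_in());
```

In main.php the member-only content goes inside `if (is_logged_in()) { ... }`, without the negation that made "Welcome" appear for visitors who had not logged in.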