[SOLVED] Login Form Basic Security

furiousweebee
Forum Commoner
Posts: 69
Joined: Sun Jul 11, 2004 7:38 am
Location: Brisbane, Australia

Post by furiousweebee »

I have a login page on my site but it virtually has no security (or so I'm told). Also it only contains a password field because I'm not sure how to require both a username and password, or how to mask the password as it's being typed. I tried to look through these forums before asking this because I'm sure it's very simple, but there were 83 pages of results so it would have taken me a while... anyway, here's the code I have:

Code: Select all

<?php
session_start();
if ($_POST['password'] == 'my_password'){
	$_SESSION['admin'] = md5('my_password');
	header("Location: index.php");
}
$login_form = '
	<form action="?" method="post">
		<table>
			<tr>	
				<td>Admin Password:</td>
				<td><input type="text" name="password" cols="70" size="65"></td>
			</tr>
			<tr>
				<td>&nbsp;</td>
				<td><input type="submit" value="Submit"></td>
			</tr>
		</table>
	</form>
';
?>
Would I add an input to my page's form called "username" and change the first line of my code to something like this?

Code: Select all

if ($_POST['password'] == 'my_password' && $_POST['username'] == 'admin'){
Any help on adding the username requirement and having the password hidden behind asterisks would be very greatly appreciated. Thank you (especially feyd for putting up with my stupid questions :lol:).
litebearer
Forum Contributor
Posts: 194
Joined: Sat Mar 27, 2004 5:54 am

Post by litebearer »

My personal preference is to use two separate pages


the html page

Code: Select all

<html>
<head>
<title> login.html</title>
</head>
<body>
<form action="login.php" method="post">
<table border=0>
  <tr>
    <td>enter your user name</td>
    <td><input type="text" name="username" size="20" maxlength="20" value=""></td>
  </tr>
  <tr>
    <td>enter your password</td>
    <td><input type="password" name="password" size="10" maxlength="10" value="default value"></td>
  </tr>
  <tr>
    <td colspan=2 align=center><input type="submit" value="submit"></td>
  </tr>
</table>
</form>
</body>
</html>
the php page

Code: Select all

<?PHP
session_start(); 
header("Cache-control: private"); // IE 6 Fix.
// the above code begins your sessions for your site. It is used for added security
// the code MUST be at the top of each page


// get the data from the form (empty string when a field was not submitted)

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// see if it is a valid username and password
// you can use a database of usernames and passwords (preferred method), or
// a flat file (2nd choice), or
// you can hard code them (last choice)

// for this little example we will hard code it

$gooduser = "samspade";
$goodpass = "maltese";

// strict comparison: both values must be strings with identical content
if ($username === $gooduser && $password === $goodpass) {

  // send them to a successful login page or whatever here
} else {
  ?>
  You have entered an invalid name and/or password<br>
  Please try again!<br>
  <a href="login.html">Continue</a>
  <?PHP
}
?>
Lite...


McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Re: Login Form Basic Security

Post by McGruff »

furiousweebee wrote: I tried to look through these forums before asking this because I'm sure it's very simple, but there were 83 pages of results so it would have taken me a while...
It also takes me a while to read your code, understand the problem and write up a solution. I'm at work right now taking a tea break. I'm very busy and don't have much time to progress my own coding projects never mind keep an eye on the forum, answer questions etc.

So, if you can't be bothered to read through search results I'm afraid I'm not very motivated to help.

You are of course welcome to post at any time but please make an effort to look for similar, previous posts first and then ask a question if you are still not sure what to do.
furiousweebee
Forum Commoner
Posts: 69
Joined: Sun Jul 11, 2004 7:38 am
Location: Brisbane, Australia

Post by furiousweebee »

I actually went through 10 or 12 of the 83 pages of results and read through the posts that looked relevant but as I said, I'm not a programmer so simply reading some other code which may or may not relate to my problem doesn't help me too much. I understand and appreciate the time it takes to read my question and code and then try to find a solution, so any help you can offer me is great. Sorry to step on your toes. :oops:
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

Didn't put down much effort into the following, but I just wanted to show some of the things you can play around with. Test, try and look up the things used in the manual for more examples and ideas.

Code: Select all

<?php
session_start();
// check if the form's inputs are either blank or not correctly filled
// (a wrong username OR a wrong password counts as a failed login; with "and"
// here, a correct username alone would have been accepted)
    if ( (((empty($_POST['username']) or empty($_POST['password'])) or ($_POST['username'] != 'foo' or $_POST['password'] != 'bar')))
                and
// check if the session already is granted
           (empty($_SESSION['loggedin']) or $_SESSION['loggedin'] != 1) ) {
// neither was, show the login form
        display_login_part();
    } else {
// either was, echo 'success' and (re)set the session
        echo 'success';
        $_SESSION['loggedin'] = 1;
        // header() or whatever...
    }
        
    function display_login_part() {
        echo '
            <form method="post">
             <input type="text" name="username" />
             <!-- this is what we use to "hide" what the user types: password -->
             <input type="password" name="password" />
             <input type="submit" />
            </form>';
    }
Good luck.
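
The login check discussed in this thread with the usual hardening applied, as an added example that is not part of any post: the password is verified against a `password_hash()` hash instead of a plaintext literal, both fields must match, and the session stores only a flag rather than `md5()` of the password. `ADMIN_USER`, `admin_hash()`, `credentials_ok()` and the sample password are hypothetical names and constructed values; `index.php` is the redirect target from the original question.

```php
<?php
// Added example, not code from the thread. ADMIN_USER and the password are
// constructed placeholders; keep real ones in a database or outside the web root.
const ADMIN_USER = 'admin';
// Built on first use so the example runs alone; normally hashed once and stored.
function admin_hash(): string
{
    static $hash = null;
    return $hash ??= password_hash('constructed-example-password', PASSWORD_DEFAULT);
}

function credentials_ok(array $post): bool
{
    $user = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    // Missing fields and array input (username[]=x) are rejected up front.
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return false;
    }
    // Evaluate both checks, then require both: one wrong field must fail.
    $user_ok = hash_equals(ADMIN_USER, $user);
    $pass_ok = password_verify($pass, admin_hash());
    return $user_ok && $pass_ok;
}

if (PHP_SAPI === 'cli') {
    // Offline run on constructed inputs: prints one bool per case.
    var_dump(credentials_ok(['username' => 'admin', 'password' => 'constructed-example-password']));
    var_dump(credentials_ok(['username' => 'admin', 'password' => 'wrong']));
    exit;
}
session_start();
$failed = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (credentials_ok($_POST)) {
        session_regenerate_id(true);   // fresh session ID once authenticated
        $_SESSION['loggedin'] = true;  // a flag only, never the password or a hash of it
        header('Location: index.php');
        exit;                          // header() does not stop the script by itself
    }
    $failed = true;
}
?>
<?php if ($failed): ?><p>Invalid username or password.</p><?php endif; ?>
<form method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
```

Protected pages would then start the session and check `$_SESSION['loggedin'] === true` before rendering anything.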
furiousweebee
Forum Commoner
Posts: 69
Joined: Sun Jul 11, 2004 7:38 am
Location: Brisbane, Australia

Post by furiousweebee »

Thanks guys, I'll try all this stuff out. :D
furiousweebee
Forum Commoner
Posts: 69
Joined: Sun Jul 11, 2004 7:38 am
Location: Brisbane, Australia

Post by furiousweebee »

It all went without a hitch, thank you very much for the help. :)