user login script



monkeymafia
Forum Commoner
Posts: 31
Joined: Mon Oct 08, 2007 3:08 pm

Post by monkeymafia »

Stryks wrote: Well ... in your case it appears to be.

I can't speak for everyone, but for myself, I tend to have an auto-increment primary key in the users table, and I use this primary key for internal reference to the user. I guess there is nothing stopping you doing it your way though.

I guess my point was that if you are saving the userid (or whatever you use internally to identify a user) to the session, then passing it in the URL is kind of redundant. You take the trouble of passing it as a $_GET variable, when it's already in $_SESSION.

(probably less important for the password - assuming you are planning on saving and checking a hash of the submitted value. You are, aren't you?)


Cheers.
Hi, I understand what you're saying. How would I go about doing this in terms of code? I'm a bit lost. Thanks for any help.
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Post by Stryks »

Well .. lets see.

If you wanted to adjust the user handling to reference them by an ID instead of login name, then you would just modify your database a little. In the user table, you'd just add a new column named, say, U_PK or something depending on the way you handle naming. I try to keep abbreviations capitalized and the rest lowercase. In this case, U_ID would mean User Primary Key.

Anyhow, the field would be an Int(11) auto incrementing primary key. You can set all that up in a few seconds in phpMyAdmin or the like.

Then you could use the database access code helpfully provided by califdon, with a simple change to the SQL, as below.

Code:

$sql="SELECT U_PK, memberid FROM members WHERE memberid='$memberid' AND password='$pwd' ";

Actually ... let's step back a step or two. When saving the user's password to the database, you should hash the password first. And to do it right, they say you should salt it. The following is from a book called Essential PHP Security by Chris Shiflett - a really enlightening book I would suggest you read.

Code:

$salt = "Something you choose";
$password_hash = md5($salt . md5($_POST['password']));

You do the exact same procedure on the password entered when login is attempted, and compare $password_hash to the value you stored in the database previously.

In order to store it, you will probably need to adjust your password column in the database. I think I use a varchar(64). If it's too short, you'll truncate the hash and it'll be next to useless to you.

Anyhow, when you save a user's record, you should see 64 alpha-numeric characters instead of a plaintext password.

Then, when you get to the success part of califdon's code, you'd just do something along the lines of the following:

Code:

$_SESSION['logged'] = true;
$_SESSION['username'] = $memberid; //(optional)
$_SESSION['user_id'] = $U_PK;

(You can access the variables $memberid and $U_PK because of the call to extract() in califdon's code. I wouldn't do it this way to be honest, but then again, I've never seen it done this way, so I can't give any reasoning behind my decision).

Then when you do a header redirect to "userpage.php", you start the page with session_start(); and then show user content based on $_SESSION['user_id'] instead of $_GET['userId'];

I'll leave you to absorb this, along with whatever others may wish to post, and you can work up some code. Post back if you need a hand after you have had a go and we'll see if we can move it a bit further along for you.

You do have a pretty big SQL injection issue going on, as pointed out by Mordred, but as long as you aren't using this in production, you should be alright to get the basics working, and then we'll help you lock it all down.

Hope this helped.
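Editor's note: the following is an added example, not code from the thread or from any of its posters. It shows the login lookup and session set-up Stryks describes, rewritten the way a current PHP application would do it: the memberid is bound as a prepared-statement parameter instead of being interpolated into the SQL (closing the injection issue Mordred raised), and PHP's built-in password_hash()/password_verify() replace the hand-rolled salted md5(). It assumes a PDO connection (placeholder DSN and credentials) and a members table with columns U_PK, memberid and an added password_hash column.

```php
<?php
// Added example (not from the thread). Assumed schema:
//   members(U_PK INT AUTO_INCREMENT PRIMARY KEY,
//           memberid VARCHAR(64) UNIQUE, password_hash VARCHAR(255))
// DSN and credentials below are placeholders.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Registration: store only a hash. bcrypt generates and embeds its own
// per-password salt, so no hand-chosen $salt is needed.
function registerUser(PDO $pdo, string $memberid, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO members (memberid, password_hash) VALUES (?, ?)');
    $stmt->execute([$memberid, $hash]);
    return (int) $pdo->lastInsertId(); // the new U_PK
}

// Login: user input is bound as a parameter, never spliced into the query.
// Returns the internal U_PK on success, null on failure.
function loginUser(PDO $pdo, string $memberid, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT U_PK, password_hash FROM members WHERE memberid = ?');
    $stmt->execute([$memberid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same response whether the user or the password was wrong
    }
    session_regenerate_id(true);          // fresh session id once privileges change
    $_SESSION['logged']   = true;
    $_SESSION['user_id']  = (int) $row['U_PK']; // internal key, as Stryks suggests
    $_SESSION['username'] = $memberid;          // optional, for display only
    return (int) $row['U_PK'];
}

// userpage.php calls session_start() and then reads this, instead of
// trusting a user id passed in the URL.
function currentUserId(): ?int
{
    return (!empty($_SESSION['logged']) && isset($_SESSION['user_id']))
        ? (int) $_SESSION['user_id'] : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = loginUser($pdo, $_POST['memberid'] ?? '', $_POST['password'] ?? '');
    if ($id !== null) { header('Location: userpage.php'); exit; }
    echo 'Login failed';
}
```

password_hash() output is up to 72 characters for bcrypt and longer for other algorithms, so the column should be VARCHAR(255) rather than the varchar(64) mentioned above.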
monkeymafia
Forum Commoner
Posts: 31
Joined: Mon Oct 08, 2007 3:08 pm

Post by monkeymafia »

Thanks Stryks. Very informative.

I'm definitely going to go down the route of your suggestion; it's exactly what I intend to achieve. I've run into problems with the login script,
but started a new thread on it as it's a new problem. Thanks again.