Log In Page

richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

What methods would I use for a simple log-in page?

- I don't need database action for multiple users, just one username and password.
- I understand I may need to use a simple if statement for username/password, but are there any extra things I need for security?
- Would I use a session cookie or something to stop people from bypassing the login page?

Any help much appreciated.

Richo
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Couldn't you use HTTP authentication, or do you actually need to create the interface?
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

I need to create the interface. I know the HTML for the form, that's no problem, just username and password text inputs.

I just don't know the techniques involved with the security and the session action to stop people bypassing the login page.

Links to any useful tutorials would also be helpful. When I search I seem to always find ones that are based on databases, which I don't need.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Do you understand how HTML forms work and how a PHP Form Controller works?
(#10850)
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

Yes, I've done posts before and used the posted variable, also detecting if the form has been submitted.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Do you want to do it OOP or procedural?
(#10850)
wei
Forum Contributor
Posts: 140
Joined: Wed Jul 12, 2006 12:18 am

Post by wei »

If you are using Apache as the web server, a .htaccess file will be very suitable in this case.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

wei wrote: If you are using Apache as the web server, a .htaccess file will be very suitable in this case.
We've already gone over that...
The Ninja Space Goat wrote: Couldn't you use HTTP authentication, or do you actually need to create the interface?
richo wrote: I need to create the interface. I know the HTML for the form, that's no problem, just username and password text inputs.

I just don't know the techniques involved with the security and the session action to stop people bypassing the login page.

Links to any useful tutorials would also be helpful. When I search I seem to always find ones that are based on databases, which I don't need.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

The Ninja Space Goat wrote:
wei wrote: If you are using Apache as the web server, a .htaccess file will be very suitable in this case.
We've already gone over that...
The Ninja Space Goat wrote: Couldn't you use HTTP authentication, or do you actually need to create the interface?
richo wrote: I need to create the interface. I know the HTML for the form, that's no problem, just username and password text inputs.

I just don't know the techniques involved with the security and the session action to stop people bypassing the login page.

Links to any useful tutorials would also be helpful. When I search I seem to always find ones that are based on databases, which I don't need.
Technically, you can use HTTP Authentication WITH an HTML form...
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I posted the basics for a form controller here. We could expand that to do a login pretty easily with a few classes. If you see it step by step it will make sense.
(#10850)
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

We could expand that to do a login pretty easily with a few classes
Or with no classes at all...
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Weirdan wrote: Or with no classes at all...
Well at least some functions ;) otherwise you will end up with this which is fine for one form, but provides zero code reuse -- so you end up hand coding if statements for every form. I guess if you like that kind of thing...
(#10850)
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

I can't use OOP if that involves PHP 5 as my server is only compatible with 4.3 or something similar.

I just need a simple login/session methodology, I'm also interested in best practise security issues.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

richo wrote: I can't use OOP if that involves PHP 5 as my server is only compatible with 4.3 or something similar.

I just need a simple login/session methodology, I'm also interested in best practise security issues.
You can use OOP fine in PHP4. Here is the code from a previous post modified slightly for login:

logintemplate.php

Code:

<h1>Log-in</h1>
<p>Please enter your username and password and click Login.</p>
<span style="color:red"><?php echo implode('', $errors); ?></span>
<form action="myformpage.php" method="post">
<input type="hidden" name="submit" value="yes"/>     <!-- use hidden so Enter works in IE -->
<input type="text" name="username" value=""/>
<br/>
<input type="password" name="password" value=""/>     <!-- type="password" so the value is masked on screen -->
<br/>
<input type="submit" name="login" value="Login"/>
<br/>
</form>

So the PHP code would look something like this:

login.php

Code:

<?php
$errors = array();

// only do the login check if the form has been submitted
if (isset($_POST['submit'])) {

    // filter the values from the form to allow only letters and numbers (add any other characters you want to allow)
    $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);
    $password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password']);

    // check the values based on some rules and set errors if there are problems
    if ($username == '') {
        $errors[] = 'Please enter a username. ';
    }
    if ($password == '') {
        $errors[] = 'Please enter a password. ';
    }

    if (! $errors) {
        // check if username/password are valid here
        // this could also easily be a database lookup
        // === compares as strings; with == two numeric strings such as
        // '01234567' and '1234567' are compared as numbers and match
        if (($username === 'abcdefg') && ($password === '1234567')) {
            session_start();

            $_SESSION['User']['isvalid'] = 1;
            $_SESSION['User']['username'] = $username;

            // write and close the session before redirect
            session_write_close();

            // redirect to another page if all required fields are acceptable
            header('Location: http://www.mysite.com/mynextpage.php');

            exit();    // no more output

        } else {
            $errors[] = 'Invalid username and password. ';
        }
    }

}
// show the form on first load or if there are errors
include 'logintemplate.php';

I have not run this code so it probably has errors. See if you can get it to work. We still need to add Log-out functionality and the Access Control code that you would include in protected pages.
(#10850)
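
Added example, not part of the post above or of the original thread: the two pieces the post says are still missing, an access check to include in protected pages and a log-out, both built on the `$_SESSION['User']['isvalid']` flag that login.php sets. The function names `require_login()` and `logout()` and the file name access.php are assumptions.

```php
<?php
// access.php (hypothetical file name): include at the top of every protected
// page, before any output, e.g.
//   require 'access.php';
//   $user = require_login('http://www.mysite.com/login.php');

// Sends anyone without a valid login session back to the login form.
// Returns the logged-in username otherwise.
function require_login($loginUrl)
{
    if (session_id() === '') {
        session_start();
    }

    // login.php sets this flag only after the username/password matched
    $ok = isset($_SESSION['User']['isvalid'])
        && $_SESSION['User']['isvalid'] === 1;

    if (!$ok) {
        header('Location: ' . $loginUrl);
        exit();    // without exit() the protected page below would still be sent
    }

    return $_SESSION['User']['username'];
}

// Log-out: empty the session data, expire the session cookie in the browser,
// then destroy the session on the server.
function logout($loginUrl)
{
    if (session_id() === '') {
        session_start();
    }

    $_SESSION = array();

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure']);
    }

    session_destroy();

    header('Location: ' . $loginUrl);
    exit();
}
```

Calling `session_regenerate_id()` in login.php right after `session_start()`, before the `isvalid` flag is set, gives the logged-in session a fresh ID.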
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

That looks fantastic arborint, many thanks. I guess I need to look up OOP, I didn't realise that kind of stuff was.

All the code makes sense to me other than the:


Code:

preg_replace('/[^a-zA-Z0-9]/', '',

I can see what it's doing, just don't really understand what's going on in the syntax.


I'll try the page out and let you know if it works.

Thanks.