Confusion for a newbie
Posted: Sat Jan 06, 2007 8:52 pm
by badgers
Hello, I searched this forum and I found these:
viewtopic.php?t=61184
viewtopic.php?t=61571
viewtopic.php?t=60805
I am sorry to say this so bluntly,
I am trying to learn how to write a secure login page and then carry that logged-in user through the members-only parts of the website.
Can someone give me a link to an example from start to finish?
looking at the above posts I have a hard time telling what is good practice and what is frowned upon.
I am not looking for verifying the registration, yet.
I wanted to learn what the proper way is to deal with offering a login and password and then checking it.
Thanks; if anyone has a link or some good tips, I would appreciate it.
I learn best from examples of how to do something, demonstrating what not to do doesn't help me learn things as well.
thank you for your time and have a good day.
Posted: Sat Jan 06, 2007 10:16 pm
by Christopher
Unfortunately you are asking about one of the more complex problems in web site development. There are a number of prerequisites, both in code (such as a form controller) and in knowledge about the PHP and HTTP specifics. There is no all-in-one solution, and large parts of your solution will be specific to your framework. If you break it down and go step by step here, we can certainly go through many of the issues.
Posted: Sat Jan 06, 2007 10:52 pm
by badgers
Are there any links for a good place to start?
I was looking at the first link and it is clear that it isn't something I should use as a reference.
Let's start with this:
I have a username and a password in the database.
I used md5('password') to put it in the database.
Is that the way to store password hashes?
thanks
Posted: Sat Jan 06, 2007 10:54 pm
by badgers
Looking at this site:
http://www.devshed.com/c/a/PHP/Creating ... in-Script/
Is that something to start with?
It seemed a little old, and I am using a site with PHP5.
thanks
I guess I don't understand how to put these together in an overall page, but I also don't know what PEAR is.
Is that the best way to handle authentication, with PEAR?
Posted: Sat Jan 06, 2007 11:04 pm
by feyd
You can choose other hashing algorithms for various reasons, but the concept is the same. MD5 has come under a lot of fire recently because its strength has been significantly weakened. SHA1 isn't too far behind, but is considered a bit more secure than MD5. Both are available natively and in many databases as well.
Another we like around here is SHA256. It's only available natively in newer versions of PHP, however there is a version available that works as far back as (likely) the early 4's written in PHP. It was written by yours truly. You can find it in Code Snippets.
Posted: Sun Jan 07, 2007 9:47 am
by badgers
thanks, I use dreamhost for my hosting. I will see what they support.
I think my problem is that there are different levels of security. I am looking for a framework of how to approach it. I think I will learn some of the finer details later.
It is hard to learn from fragmented examples and examples that show you how not to do something.
Do you have any links to a baseline approach?
thanks
Posted: Sun Jan 07, 2007 9:49 am
by badgers
Is PEAR the standard way to do logins?
I have read some tutorials on the net and they all seem to use PEAR.
thanks
Posted: Sun Jan 07, 2007 9:52 am
by feyd
PEAR is simply a framework. It's fairly accessible, quite modular and has been around for a long time, so there are plenty of people that use components from it. Whether it is the standard way or not, I can't say. I certainly don't use it, but I shouldn't be people's metric either.

Posted: Sun Jan 07, 2007 10:20 am
by badgers
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
thanks for everything.
I am starting with this(it is from this board)
Code: Select all
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="Content-Style-Type" content="text/css">
<title>Example HTML to call login php script</title>
</head>
<body bgcolor="#E5E5E5" text="#000000" link="#006699" vlink="#006699">
<form action="login.php" method="post" target="_top">
<table width="100%" cellpadding="4" cellspacing="1" border="0" class="forumline" align="center">
<tr>
<th height="25" class="thHead" nowrap="nowrap">Please enter your username and password to log in.</th>
</tr>
<tr>
<td class="row1"><table border="0" cellpadding="3" cellspacing="1" width="100%">
<tr>
<td colspan="2" align="center"> </td>
</tr>
<tr>
<td width="45%" align="right"><span class="gen">Username:</span></td>
<td>
<input type="text" class="post" name="username" size="25" maxlength="40" value="" />
</td>
</tr>
<tr>
<td align="right"><span class="gen">Password:</span></td>
<td>
<input type="password" class="post" name="password" size="25" maxlength="32" />
</td>
</tr>
<tr align="center">
<td colspan="2"><span class="gen">Log me on automatically each visit: <input type="checkbox" name="autologin" /></span></td>
</tr>
<tr align="center">
<td colspan="2"><input type="hidden" name="redirect" value="" /><input type="submit" name="login" class="mainoption" value="Click Here For Login" /></td>
</tr>
</table></td>
</tr>
</table>
</form>
</body>
</html>
I want to use this as the input page.
I removed this board's stuff to get this down to the simplest terms: a login and an option to autologin in the future.
Thanks for your help so far. I am assuming that with this I can now start working on the login.php script, which I assume gets called when I click the button.
Posted: Sun Jan 07, 2007 11:48 am
by timvw
I wouldn't say it's the simplest, since all you need is the form definition, the input fields and the submit button.
Code: Select all
<form action="login.php" method="post" target="_top">
<input type="text" class="post" name="username" size="25" maxlength="40" value="" />
<input type="password" class="post" name="password" size="25" maxlength="32" />
<input type="checkbox" name="autologin" />
<input type="hidden" name="redirect" value="" />
<input type="submit" name="login" class="mainoption" value="Click Here For Login" />
</form>
If the user clicks on the submit button, her browser will POST (value of the method attribute in the form tag) the values of the input fields to login.php (value of action attribute in the form tag).
Posted: Sun Jan 07, 2007 1:27 pm
by badgers
Thanks, everyone, for your help so far.
I appreciate you fixing my post for the HTML tags.
Have a good day.
I am using the more reduced HTML form for posting the data.
UPDATE: I am using the simplified form as login.html, and here is what I have as login.php.
Can you make comments on how it looks?
The password is an md5 hash in the database; that's how it looks in phpMyAdmin anyway.
But here is the problem: it always outputs the same thing given the right or wrong password.
Code: Select all
<?php
if (!isset($_SESSION)) { session_start(); }

// Quote a variable to make it safe for use in a MySQL query (taken from the MySQL site)
function quote_smart($value)
{
    // Undo magic quotes first, otherwise the value would be escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Connect to the database.
$host        = "localhost"; // Host name.
$db_user     = "mysql";     // MySQL username.
$db_password = "pass";      // MySQL password.
$database    = "users";     // Database name.
$link = mysql_connect($host, $db_user, $db_password);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
//echo 'Connected successfully ';
// should there be some sort of error checking here? (mysql_select_db() returns false on failure)
if (!mysql_select_db($database)) {
    die('Could not select database: ' . mysql_error());
}

// Make a safe query
$query = sprintf("SELECT COUNT('username') FROM member WHERE username=%s AND password=md5(%s)",
    quote_smart($_POST['username']),
    quote_smart($_POST['password']));
echo $query;
$result = mysql_query($query);
if (!$result) {
    die('the mysql query failed: ' . mysql_error());
}
// $result is only a result resource; the COUNT value has not been read from it yet,
// which is why this line prints the same thing for a right or a wrong password.
echo " mysql query completed successfully '$result' ";
// I would assume to have gotten this far I now have the correct user name and password
//from the mysql site it seemed like this was good practice.
mysql_close($link);
?>
Here is the output in the web browser; I added a return for clarity.
SELECT COUNT('username') FROM member WHERE username='webuser' AND password=md5('webpass')
mysql query completed successfully 'Resource id #3'
UPDATE2
What am I screwing up in the SQL syntax?
thanks
I changed the SQL section and eliminated the echo statements, and now I can get it to work with the following:
Code: Select all
// Make a safe query (this replaces the query section of the script above;
// $link and quote_smart() are defined there)
$query = sprintf("SELECT * FROM member WHERE username=%s AND password=md5(%s)",
    quote_smart($_POST['username']),
    quote_smart($_POST['password']));
$result = mysql_query($query);
if (!$result) {
    die('the mysql query failed: ' . mysql_error());
}
if (mysql_num_rows($result) == 0) { // No match.
    echo "--- Incorrect Username or Password ---";
    die;
}
// I would assume to have gotten this far I now have the correct user name and password
// Create session username. session_register("username") would register a global
// $username that this script never sets, so write the value into $_SESSION directly.
$_SESSION['username'] = $_POST['username'];
//from the mysql site it seemed like this was good practice.
mysql_close($link);
header("Location: lgwk.html"); // simple html page to know it worked
exit;
?>
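A login.php that does what the thread is working toward (reads the query result, stores the user in the session and compares the password in PHP so the hash algorithm feyd mentions can be chosen in one place), as an added example that is not code from the thread. It assumes PHP 5.5 or later with PDO, that the member table's password column holds a password_hash() result rather than an md5, and the host, user and password values are placeholders.

```php
<?php
// Added example (not from the thread): a login.php for the form above. It reads the
// query result (the first script never did), stores the user in $_SESSION (what
// session_register("username") was meant to do) and compares the password in PHP.
// Assumptions: PHP 5.5+ with PDO; the "member" table's password column holds a
// password_hash() result, not md5; host/user/password below are placeholders.
session_start();

// Read a posted field as a string, treating a missing field or an array as empty.
function posted($name) { return isset($_POST[$name]) && is_string($_POST[$name]) ? $_POST[$name] : ''; }
$username = posted('username');
$password = posted('password');

$pdo = new PDO('mysql:host=localhost;dbname=users;charset=utf8mb4', 'mysql', 'pass',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

// Look up the stored hash by username only. The "?" placeholder keeps the posted value
// out of the SQL text, so no quote_smart() escaping is needed, and verifying in PHP
// means the hash algorithm is chosen in one place (password_hash salts it for you).
function stored_hash(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('SELECT password FROM member WHERE username = ? LIMIT 1');
    $stmt->execute(array($username));
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

$hash = stored_hash($pdo, $username);
if ($hash === null || !password_verify($password, $hash)) {
    // Same message whether the username or the password was wrong.
    http_response_code(401);
    echo '--- Incorrect Username or Password ---';
    exit;
}

// Logged in: issue a new session id so an id handed out before login cannot be reused,
// then remember who this is for the members-only pages.
session_regenerate_id(true);
$_SESSION['username'] = $username;

// Only honour the hidden "redirect" field for a local path, never an off-site URL.
$redirect = posted('redirect');
if ($redirect === '' || $redirect[0] !== '/' || substr($redirect, 0, 2) === '//') {
    $redirect = '/lgwk.html';
}
header('Location: ' . $redirect);
exit;
```

A members-only page then calls session_start() and sends the visitor back to login.html when $_SESSION['username'] is empty, before it outputs anything.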