Need a non-functional PHP login box


ragejg
04-12-07, 08:38 AM
Hi guys. A site I'm building is using a Unix hosting package, and if I want a login box, it needs to be PHP.

I know nothing of PHP at this point, as I develop in MS Expression Web, which supports the ASP.NET flavors but not PHP.

I'm willing to learn some PHP, but in the meantime, I need to place a non-functional login box (this is for looks only, until around July or so) on www.financeforce.com.

So could someone help me with a code snippet?

Thanks.

superklye
04-13-07, 09:30 AM
Check out www.pixel2life.com

I can guarantee you that you'll find at least one tutorial walking you through how to do it. :)

Q
04-13-07, 09:37 PM
Check out www.pixel2life.com

I can guarantee you that you'll find at least one tutorial walking you through how to do it. :)

One hell of a site you posted there.

superklye
04-14-07, 02:04 PM
It's one of my favorites :D

t3hl33td4rg0n
04-16-07, 03:10 AM
Hmm, I ripped some code from some Dreamweaver scripts I have somewhere, it's not too complicated....

Damn, I forgot my server is offline while I'm out of town.

If you're using PHP, I'm assuming you have a database to connect to? If so, what kind? I will write it assuming you're using MySQL.

I'm a little rusty, I could use a primer... I will post something soon, but I can only use a local debugger, so if it has problems

t3hl33td4rg0n
04-16-07, 03:42 AM
Well, I don't know if this will work since I don't have my server, but here you go :)

This will assume you have a MySQL table for users and passwords are stored with MD5 checksums.

<?php
// This goes in the login (main) page. Tailor the variables as needed
// (the mysql_* functions used here were removed in PHP 7; mysqli or PDO replace them)

$dbserv = 'localhost';
$dbuser = 'dbuser';
$dbpass = '***********';
$dbname = 'mydb';    // the database that holds the users table
$utbl   = 'users';

$LoginSuccess = './admin.php';

// Assume Table of type: UID | USER | PASS [MD5] | LASTLOGIN

session_start();

mysql_connect($dbserv, $dbuser, $dbpass) or die(mysql_error());
mysql_select_db($dbname) or die(mysql_error());

$Auth = null;   // null = no login attempt yet, false = the attempt failed

if (!empty($_POST['username'])) {
    // String values are quoted with single quotes; backticks only quote table/column names.
    // The submitted username is placed straight into the query here, without escaping.
    $s = "SELECT * FROM `".$utbl."` WHERE `user` = '".$_POST['username']."' AND `pass` = '".md5($_POST['password'])."'";
    $q = mysql_query($s) or die(mysql_error());
    if (mysql_num_rows($q) > 0) {
        $_SESSION['Auth'] = true;   // session_register() is deprecated; write to $_SESSION directly
        header('Location: '.$LoginSuccess);
        exit;
    } else {
        $Auth = false;              // fall through and show the form again with an error message
    }
}
?>

<html>
<!-- THIS IS THE LOGIN PAGE -->
<head>

</head>
<body>
<?php if ($Auth === false) { echo '<b>Username or password did not match, please try again...</b>'; } ?>
<!-- The field names must match the $_POST keys read above (lowercase "username" and "password") -->
<form method="post" action="">
    Username: <input type="text" name="username"><br>
    Password: <input type="password" name="password"><br>
    <input type="submit" value="Login">
</form>
</body>
</html>


-----------------------------------------------------------------------------------------------


<?php
// This goes in any page that is restricted to only logged in users

session_start();

// Compare, don't assign: "= true" would always pass the check
if (!empty($_SESSION['Auth'])) { ?>
<html>
<head>

</head>
<body>

</body>
</html>
<?php } else {
    echo "This page is restricted. Please login properly.";
}
?>

evilghost
05-03-07, 01:51 PM
I know this is an older thread but I wanted to comment on t3hl33td4rg0n's excellent example. All is fine, however, it is strongly recommended that you use the mysql_escape_string(); function to properly sanitize user-input to avoid SQL injection.

In his example, the below code:


$s = "SELECT * FROM `".$utbl."` WHERE `user` = '".$_POST['username']."' AND `pass` = '".md5($_POST['password'])."'";

Should become:

$s = "SELECT * FROM `".$utbl."` WHERE `user` = '".mysql_escape_string($_POST['username'])."' AND `pass` = '".md5($_POST['password'])."'";

This will prevent SQL injection; otherwise, SQL injection could occur.

superklye
05-03-07, 09:23 PM
showoff.

t3hl33td4rg0n
05-17-07, 04:27 PM
What about $_POST['password']?

Honestly, I've never used mysql_escape_string(), perhaps I should.

But it's funny, that's the first script I've written in over a year and I haven't written a single line since.

evilghost
05-17-07, 04:32 PM
What about $_POST['password']?

Honestly, I've never used mysql_escape_string(), perhaps I should.

But it's funny, that's the first script I've written in over a year and I haven't written a single line since.

No need to escape it because it's being md5'd:

md5($_POST['password'])

If it were not first being MD5'd then I would mysql_escape_string() it.

t3hl33td4rg0n
05-18-07, 02:48 AM
Kuul, thanks!

atriq
05-23-07, 12:27 PM
I know this is an older thread but I wanted to comment on t3hl33td4rg0n's excellent example. All is fine, however, it is strongly recommended that you use the mysql_escape_string(); function to properly sanitize user-input to avoid SQL injection.

Beat me to it; I actually got a bit of a nervous feeling in my stomach seeing an unsanitized, anonymously set variable going directly to a database.

*shudders*

ViN86
05-23-07, 02:02 PM
I know this is an older thread but I wanted to comment on t3hl33td4rg0n's excellent example. All is fine, however, it is strongly recommended that you use the mysql_escape_string(); function to properly sanitize user-input to avoid SQL injection.

In his example, the below code:


$s = "SELECT * FROM `".$utbl."` WHERE `user` = '".$_POST['username']."' AND `pass` = '".md5($_POST['password'])."'";

Should become:

$s = "SELECT * FROM `".$utbl."` WHERE `user` = '".mysql_escape_string($_POST['username'])."' AND `pass` = '".md5($_POST['password'])."'";

This will prevent SQL injection; otherwise, SQL injection could occur.

evilghost -

I assume that you're using the .md5() to hash the password. Is it OK to use the password() hashing method instead?

This is what I planned to use in my MySQL database.

evilghost
05-23-07, 02:07 PM
evilghost -

I assume that you're using the .md5() to hash the password. Is it OK to use the password() hashing method instead?

This is what I planned to use in my MySQL database.

What's the password() method? crypt()? I like MD5 because it's a one-way hash and to test for successful login all you have to do is:

if (md5($user_supplied_password) == $md5_value_from_db) {
    // auth_ok
} else {
    // auth_failed
}

ViN86
05-23-07, 06:07 PM
What's the password() method? crypt()? I like MD5 because it's a one-way hash and to test for successful login all you have to do is:

if (md5($user_supplied_password) == $md5_value_from_db) {
    // auth_ok
} else {
    // auth_failed
}

The password() function is a hash function as well. It's inside MySQL, I believe.

EDIT:
http://dev.mysql.com/doc/refman/5.0/en/user-names.html

Actually, it appears to be its own encryption function in MySQL. I found a way to call the function outside of MySQL. I assume I just use that function instead of the md5() call?
http://us.php.net/mysql

evilghost
05-23-07, 07:56 PM
The password() function is a hash function as well. It's inside MySQL, I believe.

EDIT:
http://dev.mysql.com/doc/refman/5.0/en/user-names.html

Actually, it appears to be its own encryption function in MySQL. I found a way to call the function outside of MySQL. I assume I just use that function instead of the md5() call?
http://us.php.net/mysql

This really comes down to preference, but I prefer md5 as a one-way hash versus an encrypted string for two reasons: first, there isn't a decryption method (aside from brute-force or something like an md5 dictionary), and second, because if I md5() user input I am also successfully escaping it and preventing SQL injection, as opposed to having to call mysql_escape_string() and then pass the escaped sequence for encryption against the database.

Again, all preference.
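The two points argued over in this thread, keeping user input out of the SQL text (evilghost's escaping fix) and how to store the password (md5() versus MySQL's password()), are both handled today without escaping or MD5 at all. The following is an added example, not code posted by anyone in the thread: it rebuilds the same username/password login with a PDO prepared statement, so the username is bound as data and can never change the query, and with PHP's password_hash()/password_verify() (PHP 5.5 and later), which salts and slow-hashes each password individually. It assumes PHP 7.1 or later with the pdo_sqlite driver so that it runs offline against an in-memory SQLite table; the table layout and the demo users are constructed for the example. Against MySQL only the DSN in open_db() would change.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.1 with pdo_sqlite;
// for MySQL replace the DSN with e.g. 'mysql:host=localhost;dbname=app'.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same shape as the thread's table (UID | USER | PASS | LASTLOGIN), but PASS holds
    // a salted password_hash() string instead of a bare MD5 digest. Constructed schema.
    $db->exec('CREATE TABLE users (
        uid       INTEGER PRIMARY KEY AUTOINCREMENT,
        user      TEXT NOT NULL UNIQUE,
        pass      TEXT NOT NULL,
        lastlogin TEXT
    )');
    return $db;
}

function create_user(PDO $db, string $user, string $password): void
{
    // password_hash() picks a fresh random salt and a deliberately slow algorithm
    // (bcrypt by default), so identical passwords produce different stored values.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $st = $db->prepare('INSERT INTO users (user, pass) VALUES (:user, :pass)');
    $st->execute([':user' => $user, ':pass' => $hash]);
}

function login(PDO $db, string $user, string $password): bool
{
    // The username travels to the database as a bound parameter, not as part of the
    // SQL text, so quotes, backticks or keywords inside it are just characters.
    $st = $db->prepare('SELECT uid, pass FROM users WHERE user = :user');
    $st->execute([':user' => $user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    // The password (or its digest) never goes into the WHERE clause; it is checked in
    // PHP against the stored hash. A dummy verify on an unknown user keeps the timing
    // of "no such user" close to that of "wrong password".
    $stored = $row ? $row['pass'] : password_hash('dummy-for-timing', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $stored)) {
        return false;
    }

    $upd = $db->prepare('UPDATE users SET lastlogin = :now WHERE uid = :uid');
    $upd->execute([':now' => date('c'), ':uid' => $row['uid']]);
    return true;
}

// --- Constructed demo data and a small self-check ---------------------------------
$db = open_db();
create_user($db, 'alice', 'correct horse battery staple');
create_user($db, "o'brien", 'hunter2');   // a quote in the username is harmless when bound

$checks = [
    ['alice',   'correct horse battery staple', true],
    ['alice',   'wrong password',               false],
    ["o'brien", 'hunter2',                      true],
    ['nobody',  'anything',                     false],
];
foreach ($checks as [$u, $p, $expected]) {
    $ok = login($db, $u, $p);
    printf("%-8s %-4s (expected %s)\n", $u, $ok ? 'OK' : 'FAIL', $expected ? 'OK' : 'FAIL');
    if ($ok !== $expected) {
        throw new RuntimeException("unexpected result for $u");
    }
}

// The session part of the thread's script stays the same in spirit; the flag is
// written explicitly and the restricted page tests it with a strict check:
//   session_start();
//   if (login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       session_regenerate_id(true);      // new session id once the user is authenticated
//       $_SESSION['Auth'] = true;
//       header('Location: ./admin.php');
//       exit;
//   }
//   ... and on admin.php:  if (empty($_SESSION['Auth'])) { /* deny */ }
```

Run it with php on the command line and it prints one line per check; any mismatch throws. Note that the stored hash is verified in PHP rather than compared inside the query, which is what removes the question of whether md5() "escapes" the password: the password is simply never interpolated into SQL.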