[PHP] Secure PHP Login System [PHP]
Status: Offline
Joined: Sep 06, 2012 (12 Year Member)
Posts: 64
Reputation Power: 3
Secure PHP Login System
Getting Started
Begin by creating your login form. This is the form that the user sees when he/she is logging in or creating an account. Create a new HTML file, then fill it with this code.
<form name="login" action="login.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Login" />
</form>
What this does is allow a user to enter their desired credentials into the text boxes; then it redirects them to the page "login.php".
Storing Our Data
We can't process our data just yet! We have to store it in a MySQL database first. Create a database, then execute this SQL query via phpMyAdmin.
SQL Query:
CREATE TABLE users (
id INT NOT NULL AUTO_INCREMENT,
username VARCHAR(30) NOT NULL UNIQUE,
password VARCHAR(64) NOT NULL,
salt VARCHAR(3) NOT NULL,
PRIMARY KEY(id)
);
This SQL query creates a table in the database called "users" and adds 3 columns with the names "ID", "Username" and "Password". The passwords are also encrypted in "Salt" to maximize the security.
Registering a User
Nope, we still aren't able to process any data yet! We first have to create it!
Create a new PHP file called "register" and insert the following PHP code into it.
<?php
//retrieve our data from POST
$username = $_POST['username'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($pass1 != $pass2)
{
    header('Location: register_form.php');
    exit; //stop here, otherwise the script keeps running after the redirect
}
if(strlen($username) > 30)
{
    header('Location: register_form.php');
    exit;
}
//first hash of the plain password
$hash = hash('sha256', $pass1);
//three-character random salt, sized for the salt VARCHAR(3) column
function createSalt()
{
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}
$salt = createSalt();
//second hash: the salt prepended to the first hash
$hash = hash('sha256', $salt . $hash);
$dbhost = 'localhost';
$dbname = 'DATABASENAME';
$dbuser = 'DATABASEUSER';
$dbpass = 'DATABASEPASS';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname, $conn);
//escape the username before it goes into the query string
$username = mysql_real_escape_string($username);
$query = "INSERT INTO users ( username, password, salt )
VALUES ( '$username' , '$hash' , '$salt' );";
mysql_query($query);
mysql_close();
header('Location: login_form.php');
exit;
Login Form
Seriously this time. Our login processor will pull the login data from POST and compare it to the database values.
<?php
$username = $_POST['username'];
$password = $_POST['password'];
//connect to the database here (same mysql_connect / mysql_select_db calls as in register.php)
$username = mysql_real_escape_string($username);
$query = "SELECT password, salt
FROM users
WHERE username = '$username';";
$result = mysql_query($query);
if(mysql_num_rows($result) < 1) //no such user exists
{
    header('Location: login_form.php');
    exit;
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
//rebuild the stored value: sha256(salt . sha256(password)), same order as in register.php
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['password']) //incorrect password
{
    header('Location: login_form.php');
    exit;
}
//reaching this point means the user is authenticated
Credits
Me
Tinsology.net
The following 1 user thanked Opticate for this useful post:
Odin (09-19-2012)
#2. Posted:
Status: Offline
Joined: Jan 14, 2010 (14 Year Member)
Posts: 37
Reputation Power: 1
Remember to escape all strings you are going to use in the MySQL query; this is to remove characters which will cause a MySQL syntax error. Use it in both the register and login scripts.
FYI: using prepared statements removes the need for escaping (search for PDO).
Additionally, if you have magic quotes enabled, you should disable it (as it's deprecated), and use stripslashes() before using mysql_real_escape_string().
- 1 useful
- 0 not useful
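The register and login steps from the first post, rewritten as an added example (not the original poster's code) using the PDO prepared statements this reply points to; the users table layout and the salt-plus-double-SHA-256 construction are the post's, the DSN and credentials are placeholders, and random_bytes()/hash_equals() need PHP 7.

```php
<?php
// Added example, not the original post's code: the post's users table
// (username, password, salt) driven through PDO prepared statements,
// so no manual escaping is needed and each user's salt is stored with the
// row and read back at login. DSN and credentials are placeholders.
function db(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=DATABASENAME', 'DATABASEUSER', 'DATABASEPASS');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Same construction as the post: sha256(salt . sha256(password)).
function computeHash(string $salt, string $password): string
{
    return hash('sha256', $salt . hash('sha256', $password));
}

function registerUser(PDO $pdo, string $username, string $password): bool
{
    if ($username === '' || strlen($username) > 30) {
        return false;
    }
    // 3 hex characters, to fit the salt VARCHAR(3) column of the post's schema
    $salt = substr(bin2hex(random_bytes(2)), 0, 3);
    $stmt = $pdo->prepare('INSERT INTO users (username, password, salt) VALUES (:u, :p, :s)');
    return $stmt->execute([':u' => $username, ':p' => computeHash($salt, $password), ':s' => $salt]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password, salt FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    // the salt saved with this user's row is reused here, so the recomputed
    // value matches; hash_equals avoids a timing side channel on the compare
    return hash_equals($row['password'], computeHash($row['salt'], $password));
}

// usage from the form handlers:
// registerUser(db(), $_POST['username'], $_POST['pass1']);
// if (loginUser(db(), $_POST['username'], $_POST['password'])) { /* start the session */ }
```

The 3-character salt is kept only to stay compatible with the post's schema; widening that column and switching to password_hash()/password_verify() is the straightforward upgrade.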
#3. Posted:
Status: Offline
Joined: Dec 18, 2011 (12 Year Member)
Posts: 33
Reputation Power: 1
This seems really quick and badly coded; you should use MySQLi, as MySQL is being deprecated in PHP 6.
- 0 useful
- 0 not useful
#4. Posted:
Status: Offline
Joined: Oct 07, 2010 (14 Year Member)
Posts: 247
Reputation Power: 9
You actually have a problem with this. Your salt will be different every time you call the script; if your salt is different from the salt used on a password in the database, you'll get a mismatch error and no one will be able to log in. It's a good idea to use the same salt every time or store it in another table in the database.
And as a general note, you should salt both ends of the password before hashing.
- 0 useful
- 0 not useful