Basic Login System



sniko
11-07-2010, 12:13 AM
Overview
A login system is a way to filter unwanted activity in areas you don't want that activity to be, such as a comment system. When making a login system, it is vital that you make it secure from any type of attack or bypassing; otherwise there really is no point in having one.

What do you need to learn
Sessions (http://www.php.net/sessions)
Mysql Functions (http://www.php.net/mysql)
mres (http://www.php.net/mysql_real_escape_string)
unset (http://www.php.net/unset)
Switch (Possibly) (http://www.php.net/switch)
connect to the database (http://uk.php.net/manual/en/function.mysql-connect.php)

What you need

Knowledge of using a database (to hold users' information)
A database management system, for example phpMyAdmin


Pseudo code: in plain English, what do you need to do?
connect to the database
start sessions
show a form, where the user types in their credentials
secure input data from the user
check user inputs against database
show any errors at all
start login session
show success text

Ways of going about creating a login system
There are many ways of creating the login system. Using the switch function or the predefined variable $_GET/isset you can create the whole login and register system in one file. You can also add jQuery/Ajax effects to make it more user friendly and customise it with CSS.

Skeleton Code

<?php
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
mysql_select_db('foo', $link);
session_start();
if(isset($_POST['submit'])) //pressed the submit button
{
    //do more
}
else
{
    //show form
}
?>

Creating the form
I assume you know the pre-defined variable $_POST and how to use it.

<form action='' method='post'>
    Login Name: <input type='text' name='login' size='5' maxlength='15' />
    Passcode: <input type='password' name='passcode' size='5' maxlength='25' />
    <input type='submit' name='submit' value='Login!' />
</form>


Skeleton Code [Update w/ Form]

<?php
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
mysql_select_db('foo', $link);
session_start();
if(isset($_POST['submit'])) //pressed the submit button
{
    //do more
}
else
{
    echo "<form action='' method='post'>
        Login Name: <input type='text' name='login' size='5' maxlength='15' />
        Passcode: <input type='password' name='passcode' size='5' maxlength='25' />
        <input type='submit' name='submit' value='Login!' />
        </form>";
}
?>

Assigning the inputs to variables and securing them

<?php
$login_name = htmlspecialchars(mysql_real_escape_string($_POST['login'])); //escape for the query, then for HTML output
$passcode = md5($_POST['passcode']); //It's best to use an alternative encryption method rather than md5 as it can be decrypted
?>

Checking to see if their inputted data exists on the database (assuming you have already created one)

<?php
//`loginfield` and `passcodefield` are placeholders for your own column names
$exists = mysql_query("SELECT `key` FROM `tablename` WHERE `loginfield`='$login_name' AND `passcodefield`='$passcode'");
if(mysql_num_rows($exists) == 0)
{
    echo "You do not exist!";
}
?>

Skeleton Code Updated (w/ Form, $_POST and checking)

<?php
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
mysql_select_db('foo', $link);
session_start();
if(isset($_POST['submit'])) //pressed the submit button
{
    $login_name = htmlspecialchars(mysql_real_escape_string($_POST['login']));
    $passcode = md5($_POST['passcode']); //It's best to use an alternative encryption method rather than md5 as it can be decrypted
    //`loginfield` and `passcodefield` are placeholders for your own column names
    $exists = mysql_query("SELECT `key` FROM `tablename` WHERE `loginfield`='$login_name' AND `passcodefield`='$passcode'");
    if(mysql_num_rows($exists) == 0)
    {
        echo "You do not exist!";
    }
    else
    {
        //They exist
    }
}
else
{
    echo "<form action='' method='post'>
        Login Name: <input type='text' name='login' size='5' maxlength='15' />
        Passcode: <input type='password' name='passcode' size='5' maxlength='25' />
        <input type='submit' name='submit' value='Login!' />
        </form>";
}
?>

Assigning a session

<?php
//same placeholder column names as in the check above
$u = mysql_fetch_array(mysql_query("SELECT `key` FROM `tablename` WHERE `loginfield`='$login_name' AND `passcodefield`='$passcode'"));
$_SESSION['user'] = $u['key'];
?>


Skeleton Code - Finished

<?php
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
mysql_select_db('foo', $link);
session_start();
if(isset($_POST['submit'])) //pressed the submit button
{
    $login_name = htmlspecialchars(mysql_real_escape_string($_POST['login']));
    $passcode = md5($_POST['passcode']); //It's best to use an alternative encryption method rather than md5 as it can be decrypted
    //`loginfield` and `passcodefield` are placeholders for your own column names
    $exists = mysql_query("SELECT `key` FROM `tablename` WHERE `loginfield`='$login_name' AND `passcodefield`='$passcode'");
    if(mysql_num_rows($exists) == 0)
    {
        echo "You do not exist!";
    }
    else
    {
        $u = mysql_fetch_array(mysql_query("SELECT `key` FROM `tablename` WHERE `loginfield`='$login_name' AND `passcodefield`='$passcode'"));
        $_SESSION['user'] = $u['key'];
        echo "You have logged in!";
    }
}
else
{
    echo "<form action='' method='post'>
        Login Name: <input type='text' name='login' size='5' maxlength='15' />
        Passcode: <input type='password' name='passcode' size='5' maxlength='25' />
        <input type='submit' name='submit' value='Login!' />
        </form>";
}
?>

Now that they have logged in, you can do the following on all other pages that require them to be logged in:

<?php
session_start();
if(!isset($_SESSION['user']))
{
    echo "You need to login";
    exit;
}
?>

Thanks for reading. If you have any other questions, please reply or PM.

-sniko
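An added example, not from sniko's post or any project: the same login flow rewritten with a prepared statement, password_hash()/password_verify() instead of md5(), and a regenerated session id on success. It assumes PHP 5.5 or newer and a placeholder table `users` with columns `id`, `login` and `passhash`.

```php
<?php
// Added example (not sniko's code). Assumes PHP 5.5+ and a placeholder table
// `users` (`id`, `login`, `passhash`), where `passhash` was stored at
// registration with password_hash($passcode, PASSWORD_DEFAULT).
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=foo;charset=utf8mb4',
               'mysql_user', 'mysql_password',
               array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

// Returns the user's id on success, null otherwise. The caller prints one
// generic message for both "no such user" and "wrong passcode".
function attempt_login(PDO $pdo, $login, $passcode)
{
    // Placeholders are bound by the driver, so no mysql_real_escape_string()
    // and no htmlspecialchars() before the query (escape for HTML at output).
    $stmt = $pdo->prepare('SELECT `id`, `passhash` FROM `users` WHERE `login` = ?');
    $stmt->execute(array($login));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Verify against a dummy bcrypt string so an unknown login name takes
        // about as long as a wrong passcode (no timing difference to observe).
        password_verify($passcode, '$2y$10$' . str_repeat('a', 53));
        return null;
    }
    // password_verify() uses the salt stored inside the hash and compares in
    // constant time; unlike md5(), each user's hash is salted individually.
    return password_verify($passcode, $row['passhash']) ? (int) $row['id'] : null;
}

if (isset($_POST['submit'])) {
    $login    = isset($_POST['login'])    ? (string) $_POST['login']    : '';
    $passcode = isset($_POST['passcode']) ? (string) $_POST['passcode'] : '';
    $uid = attempt_login($pdo, $login, $passcode);
    if ($uid === null) {
        echo 'Login failed.';
    } else {
        session_regenerate_id(true);  // fresh id: a pre-set session id is not reused
        $_SESSION['user'] = $uid;
        echo 'You have logged in as ' . htmlspecialchars($login, ENT_QUOTES, 'UTF-8');
    }
} else {
    echo "<form action='' method='post'>
      Login Name: <input type='text' name='login' size='15' maxlength='15' />
      Passcode: <input type='password' name='passcode' size='15' maxlength='25' />
      <input type='submit' name='submit' value='Login!' />
    </form>";
}
```

The protected pages keep the same `isset($_SESSION['user'])` guard as in the tutorial; only the way the session is established changes.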

Jordan Palmer
11-07-2010, 12:35 AM
Looking good sniko :)

Well done mate :)

03laceys
11-07-2010, 03:11 AM
Nice to see people posting tutorials again. Good work sniko.

On a side note, it's nice to see the community posting more, and may it not be only in the mccodes section as before; it means that with more posts the forum will become alive again. Also it is nice to see the posts are looking at different areas than just good ole mccodes.

Spudinski
11-07-2010, 03:21 PM
Very nice tutorial sniko.

I would just suggest adding a complete script and a sample table structure for a login system.
I think it would help people a little bit more to see a complete script, and you could possibly also add, for a next tutorial, why input filtering is needed and the correct uses of it.

BlackScorp
01-11-2011, 06:09 PM
Well, this is a basic login script. I don't personally like to check if a user is online via sessions; checking the user this way allows multilogin. In your script I would personally suggest saving session_id() in the database and, to check if a user is online, just getting the userID WHERE session = session_id().

For all your mysql_* functions I would suggest adding or die(mysql_error()); at the end.

MD5 can be decrypted with a Rainbow Table (http://en.wikipedia.org/wiki/Rainbow_table); just add a personal salt and add it to the password, but don't forget to add it in the database on creating the user.

But what is really positive is that this tutorial is really short AND it has the mysql_real_escape_string function. Most ppl forget it, but you didn't ;) Great.

Best regards, BlackScorp

Paul Evans
01-12-2011, 04:29 AM
Very insightful Sniko, well done.