User Authentication page


portabletelly

Hi, I'm not sure if this is a php issue or a mysql issue. I'm running php5 and mysql5.

 

I have a basic login page which has a form that sends test name and password to process_password.php. Basically only this bit of code runs on the first page. I haven't tidied the first page up yet.

if(!isset($name)&&!isset($password))
  {
  echo 'test';
    //Visitor needs to enter a name and password

echo '<h1>Please Log In</h1>';
echo 'This page is secret.';
	echo '<form method = post action = "process_password.php">';
    echo '<table border = 1>';
    	echo '<tr>';
      	echo '<th> Username </th>';
      	echo '<td> <input type = text name = name> </td>';
    	echo '</tr>';
    	echo '<tr>';
      	echo '<th> Password </th>';
      	echo '<td> <input type = password name = password> </td>';
    echo '</tr>';
    echo '<tr>';
      echo '<td colspan =2 align = center>';
        echo '<input type = submit value = "Log In">';
      echo '</td>';
    echo '</tr>';
    echo '</table>';
    echo '</form>';
  }

 

My issue, which I think may be either syntax or the way I'm storing data into the auth table: when submitting to the second page, the page works fine except when a password is stored into the mysql auth table as a 'password'. Pass has been defined as char 41. If I add a password to a user in clear text the user can log in; however, if it's stored as insert into auth values ('testuser', password('test123')); the user will not be able to log in.

 

 

<?php
   include("connect.php");
   include("selectdb.php");
   // $name = htmlspecialchars($_POST['name']);
  //$password = htmlspecialchars($_POST['password']);

  if(!isset($name)&&!isset($password))
  {
  echo 'test';
    //Visitor needs to enter a name and password

echo '<h1>Please Log In</h1>';
echo 'This page is secret.';
	echo '<form method = post action = "process_password.php">';
    echo '<table border = 1>';
    	echo '<tr>';
      	echo '<th> Username </th>';
      	echo '<td> <input type = text name = name> </td>';
    	echo '</tr>';
    	echo '<tr>';
      	echo '<th> Password </th>';
      	echo '<td> <input type = password name = password> </td>';
    echo '</tr>';
    echo '<tr>';
      echo '<td colspan =2 align = center>';
        echo '<input type = submit value = "Log In">';
      echo '</td>';
    echo '</tr>';
    echo '</table>';
    echo '</form>';
  }
  else
  {


echo "in the else statement";
    // connect to mysql
   // $mysql = mysql_connect( 'localhost', 'root', '*****' );
   // if(!$mysql)
   // {
   //   echo 'Cannot connect to database.';
   //   exit;
   // }
   // select the appropriate database

    //$mysql = mysql_select_db( 'auth' );
    //if(!$mysql)
    //{
    //  echo 'Cannot select database.';
    //  exit;
    //}

    // query the database to see if there is a record which matches
    $query = "select count(*) from auth where name ='$name' and pass ='$password'";

    echo $name;
    echo $password;

    $result = mysql_query($query, $link);
    if(!$result)
    {
      echo 'Cannot run query.';
      exit;
    }

    $count = mysql_result( $result, 0, 0 );

    if ( $count > 0 )
    {
      // visitor's name and password combination are correct
      echo "<h1>Here it is!</h1>";
      echo "I bet you are glad you can see this secret page.";
    }
    else
    {
      // visitor's name and password combination are not correct
      echo "<h1>Go Away!</h1>";
      echo "You are not authorized to view this resource.";
    }
  }
?>

 

****************process_password.php********************

<?php
   include("connect.php");
   include("selectdb.php");

$name = htmlspecialchars($_POST['name']);
$password = htmlspecialchars($_POST['password']);

echo $name;
echo $password;

$query = "select count(*) from auth where name ='$name' and pass ='$password'";

$result = mysql_query($query, $link);
    if(!$result)
    {
      echo 'Cannot run query.';
      exit;
    }

    $count = mysql_result( $result, 0, 0 );

    if ( $count > 0 )
    {
      // visitor's name and password combination are correct
      echo "<h1>Here it is!</h1>";
      echo "I bet you are glad you can see this secret page.";
    }
    else
    {
      // visitor's name and password combination are not correct
      echo "<h1>Go Away!</h1>";
      echo "You are not authorized to view this resource.";
    }


?>

 

Hope this makes sense as it's getting pretty late and I'm out of coffee.


OK, well I don't understand ya very well, but it looks like you want to make a login page that goes to another page? Why not compile it into one page with if, elseif, else statements?

 

here is my login/register page:

 

<?
// Use session variable on this page. This function must put on the top of page.
session_start();

////// Logout Section. Delete all session variable.
session_destroy();

$message="";

////// Login Section.
$Login=$_POST['Login'];
if($Login){ // if clicked on Login button.
$username=$_POST['username'];
$md5_password=md5($_POST['password']); // Encrypt password with md5() function. 

// Connect database. 
$host="localhost"; // Host name.
$db_user="root"; // MySQL username.
$db_password="lancer"; // MySQL password.
$database="login"; // Database name.
mysql_connect($host,$db_user,$db_password);
mysql_select_db($database);

// Check matching of username and password.
$result=mysql_query("select * from users where username='$username' and password='$md5_password'");
if(mysql_num_rows($result)!='0'){ // if match.
session_register("username"); // Create session username.
header("location:main.php"); // Re-direct to main.php
exit;
}else{ // if not match.
$message="--- Incorrect Username or Password ---";
}

} // End Login authorize check.
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<style type="text/css"> 
<!-- 
body  {
font: 100% Verdana, Arial, Helvetica, sans-serif;
background: #000000;
margin: 0; /* it's good practice to zero the margin and padding of the body element to account for differing browser defaults */
padding: 0;
text-align: center; /* this centers the container in IE 5* browsers. The text is then set to the left aligned default in the #container selector */
color: #000000;
}
.twoColFixLtHdr #container { 
width: 780px;  /* using 20px less than a full 800px width allows for browser chrome and avoids a horizontal scroll bar */
background: #FFFFFF;
margin: 0 auto; /* the auto margins (in conjunction with a width) center the page */
border: 1px solid #000000;
text-align: left; /* this overrides the text-align: center on the body element. */
} 
.twoColFixLtHdr #header { 
background: #000000; 
padding: 0 10px 0 20px;  /* this padding matches the left alignment of the elements in the divs that appear beneath it. If an image is used in the #header instead of text, you may want to remove the padding. */
} 
.twoColFixLtHdr #header h1 {
margin: 0; /* zeroing the margin of the last element in the #header div will avoid margin collapse - an unexplainable space between divs. If the div has a border around it, this is not necessary as that also avoids the margin collapse */
padding: 10px 0; /* using padding instead of margin will allow you to keep the element away from the edges of the div */
}
.twoColFixLtHdr #sidebar1 {
float: left; /* since this element is floated, a width must be given */
width: 200px; /* the actual width of this div, in standards-compliant browsers, or standards mode in Internet Explorer will include the padding and border in addition to the width */
background: #EBEBEB; /* the background color will be displayed for the length of the content in the column, but no further */
padding: 15px 10px 15px 20px;
}
.twoColFixLtHdr #mainContent { 
margin: 0 0 0 250px; /* the left margin on this div element creates the column down the left side of the page - no matter how much content the sidebar1 div contains, the column space will remain. You can remove this margin if you want the #mainContent div's text to fill the #sidebar1 space when the content in #sidebar1 ends. */
padding: 0 20px; /* remember that padding is the space inside the div box and margin is the space outside the div box */
} 
.twoColFixLtHdr #footer { 
padding: 0 10px 0 20px; /* this padding matches the left alignment of the elements in the divs that appear above it. */
background:#000000; 
} 
.twoColFixLtHdr #footer p {
margin: 0; /* zeroing the margins of the first element in the footer will avoid the possibility of margin collapse - a space between divs */
padding: 10px 0; /* padding on this element will create space, just as the the margin would have, without the margin collapse issue */
}
.fltrt { /* this class can be used to float an element right in your page. The floated element must precede the element it should be next to on the page. */
float: right;
margin-left: 8px;
}
.fltlft { /* this class can be used to float an element left in your page */
float: left;
margin-right: 8px;
}
.clearfloat { /* this class should be placed on a div or break element and should be the final element before the close of a container that should fully contain a float */
clear:both;
    height:0;
    font-size: 1px;
    line-height: 0px;
}
--> 
</style><!--[if IE 5]>
<style type="text/css"> 
/* place css box model fixes for IE 5* in this conditional comment */
.twoColFixLtHdr #sidebar1 { width: 230px; }
</style>
<![endif]--><!--[if IE]>
<style type="text/css"> 
/* place css fixes for all versions of IE in this conditional comment */
.twoColFixLtHdr #sidebar1 { padding-top: 30px; }
.twoColFixLtHdr #mainContent { zoom: 1; }
/* the above proprietary zoom property gives IE the hasLayout it needs to avoid several bugs */
</style>
<![endif]--></head>

<body class="twoColFixLtHdr">

<div id="container">
  <div id="header">
    <h1 align="center"><img src="header.jpg" width="640" height="160" /></h1>
  <!-- end #header --></div>
  <div id="sidebar1">
  <?php
  if(isset($_GET['done'])){
  echo ">Start Registration<br />
  <b>>Finish Registration</b>";
  echo "<h3>Thanks, you can now login</h3>";
  echo $message; 
  echo "<form id=\"form1\" name=\"form1\" method=\"post\" action=\"$PHP_SELF\">";
  echo  "<table>";
  echo    "<tr>";
  echo      "<td>Username : </td>";
  echo    "</tr>";
  echo    "<tr>";
  echo      "<td><input name=\"username\" type=\"text\" id=\"username\" /></td>";
  echo    "</tr>";
  echo    "<tr>";
  echo      "<td>Password : </td>";
  echo    "</tr>";
  echo    "<tr>";
  echo      "<td><input name=\"password\" type=\"password\" id=\"password\" /></td>";
  echo    "</tr>";
  echo  "</table>";
  echo  "<input name=\"Login\" type=\"submit\" id=\"Login\" value=\"Login\" />";
  echo "</form>";
  }elseif(isset($_GET['reg'])){
  echo "<h3>.:.:Registration:.:.</h3><br>
  <b>>Start Registration</b><br />
  >Finish Registration<br><br>
  Accidentally click the registration link?<br>
  <a href=\"?\">click here to go back</a>";
  }else{
  echo "<h3>Please Login</h3>
  <p>When loged in you can find many great features!</p>
  <p>Havent got a login yet?<br />
  <a href=\"?reg\">Register Now!</a>";
  } ?>
  <!-- end #sidebar1 --></div>
  <div id="mainContent">
   
    <p><?php

// Replace the variable values below
// with your specific database information.
$host = "localhost";
$user = "xxxxxxxx";
$pass = "xxxxxxxxxx";
$db   = "xxxx";
$ID = '';
$USR = $_POST["usr"];
$PWD = md5($_POST["pwd"]);

// This part sets up the connection to the 
// database (so you don't need to reopen the connection
// again on the same page).
$ms = mysql_connect($host, $user, $pass);
if ( !$ms )
{
echo "Error connecting to database.\n<br><br>";
}

// Then you need to make sure the database you want
// is selected.
mysql_select_db($db,$ms);
$result = mysql_query("SELECT username FROM users WHERE username = '$USR'");

if(mysql_num_rows($result) !== 0){?>
<h1> .:.:.ERROR.:.:. </h1><br><?
die("Sorry! The user exists already <br><a href=\"?reg\">Back to register page</a>");
}

//Input validation and the dbase code
if ( isset($_GET["registration"]) )
{
$bInputFlag = !empty($_POST);
foreach ( $_POST as $field )
  {
  // any empty field fails validation
  if ($field == "")
   {
   $bInputFlag = false;
   }
  }
// If we had problems with the input, exit with error
if ($bInputFlag == false)
  {
  die( "Problem with your registration info. "
   ."Please go back and try again.");
  }
//  Run query
$r = mysql_query("INSERT INTO xxx( id, username, password ) VALUES ('', '$USR', '$PWD')");

// Make sure query inserted user successfully
if ( !mysql_insert_id() )
  {
  die("<h1>.:.:Error:.:.</h1><br>User not added to database.<br><a href=\"index.php?reg\">Back to registration form</a>");
  }
else
  {
  // Create User folder and add user to the database
$FTP_con = ftp_connect("xxx.xxx.xxx.xxx");
ftp_login($FTP_con,"xxx","xxxxx");
ftp_mkdir($FTP_con,"$USR");
ftp_mkdir($FTP_con, "$USR/Pic");
ftp_mkdir($FTP_con, "$USR/Music");
ftp_close($FTP_con);
mysql_query("CREATE TABLE ".$USR." (
`Name` VARCHAR( 50 ) NOT NULL ,
`Size` INT NOT NULL ,
`Type` VARCHAR( 5 ) NOT NULL ,
PRIMARY KEY ( `Name` ) 
) ENGINE = MYISAM ;");
echo "<a href=\"?done\">Complete Registration</a>";
  }
} // end if
elseif(isset($_GET['done'])){
echo "<h1>.:.:Well Done:.:.</h1><br />
    <p>Registration Complete!<br />Login with your details in the form on the left!</p>";
}
elseif(isset($_GET['reg'])){
echo "<h1> Registration:</h1>";
echo "<form action=\"?registration\" method=\"POST\">\n";
echo "<table>";
echo "<TR>";
echo "<td><b>Username: </b></td>";
echo "<td><input name=\"usr\" MAXLENGTH=\"16\"></td>\n";
echo "</tr>";
echo "<tr>";
echo "<td>";
echo "<b>Password: </b></td>"; 
echo "<td><input type=\"password\" name=\"pwd\" MAXLENGTH=\"16\"></td>\n";
echo "</tr>";
echo "<tr>";
echo "<td><input type=\"submit\"></td>\n";
echo "</tr>";
echo "</table>";
echo "</form>\n";
}
// EOF
else
{
echo "<h1> Login:</h1>";
echo $message; 
echo "<form id=\"form1\" name=\"form1\" method=\"post\" action=\"$PHP_SELF\">";
echo  "<table>";
echo    "<tr>";
echo      "<td>User : </td>";
echo      "<td><input name=\"username\" type=\"text\" id=\"username\" /></td>";
echo    "</tr>";
echo    "<tr>";
echo      "<td>Password : </td>";
echo      "<td><input name=\"password\" type=\"password\" id=\"password\" /></td>";
echo    "</tr>";
echo  "</table>";
echo  "<input name=\"Login\" type=\"submit\" id=\"Login\" value=\"Login\" />";
echo "</form>";
}
?>
<!-- end #mainContent --></div>
<!-- This clearing element should immediately follow the #mainContent div in order to force the #container div to contain all child floats --><br class="clearfloat" />
  <div id="footer">
    <p>Footer</p>
  <!-- end #footer --></div>
<!-- end #container --></div>
</body>
</html>

 

Basically it shows the login box, then once the correct details are entered it shows "main.php" unless the register link is pressed; then it shows the registration box. Once details are entered it adds the user to the database and creates a folder in the root of the server named after the user. Once created and all is done, you can log in. Simple, huh?

 

tell me if you learned anything


Thanks for your post, Lewis.

 

It was kinda late last night and I don't think I explained the problem very well so I will repost. mysql5 and php 5 are being used.

 

I have a login page called secretdb.php. This page has a form which submits 'name' and 'password' to process_password.php.

 

I have a database called auth. The auth database has a table called auth. The table has two columns, name and pass.

 

The crux of the problem is that users can log in fine against the table when the value of their pass in the mysql auth table is stored as a char value.

 

However, if a user's password has been defined in the mysql auth table with the function 'password', the value becomes encrypted in the mysql table, e.g. *E6CC90B878B948C35E92B003C792C46C58C4AF40, and the user cannot authenticate.

 

*********************secretdb.PHP**************************************

<?php
   include("connect.php");
   include("selectdb.php");
   // $name = htmlspecialchars($_POST['name']);
  //$password = htmlspecialchars($_POST['password']);

  if(!isset($name)&&!isset($password))
  {
  echo 'test';
    //Visitor needs to enter a name and password

echo '<h1>Please Log In</h1>';
echo 'This page is secret.';
	echo '<form method = post action = "process_password.php">';
    echo '<table border = 1>';
    	echo '<tr>';
      	echo '<th> Username </th>';
      	echo '<td> <input type = text name = name> </td>';
    	echo '</tr>';
    	echo '<tr>';
      	echo '<th> Password </th>';
      	echo '<td> <input type = password name = password> </td>';
    echo '</tr>';
    echo '<tr>';
      echo '<td colspan =2 align = center>';
        echo '<input type = submit value = "Log In">';
      echo '</td>';
    echo '</tr>';
    echo '</table>';
    echo '</form>';
  }
?>

 

******************process_password.php*******************************

<?php
   include("connect.php");
   include("selectdb.php");

$name = htmlspecialchars($_POST['name']);
$password = htmlspecialchars($_POST['password']);

echo $name;
echo $password;

$query = "select count(*) from auth where name ='$name' and pass ='$password'";

$result = mysql_query($query, $link);
    if(!$result)
    {
      echo 'Cannot run query.';
      exit;
    }

    $count = mysql_result( $result, 0, 0 );

    if ( $count > 0 )
    {
      // visitor's name and password combination are correct
      echo "<h1>Here it is!</h1>";
      echo "I bet you are glad you can see this secret page.";
   //if you get in this if statement the user has logged in
   }
    else
    {
      // visitor's name and password combination are not correct
      echo "<h1>Go Away!</h1>";
      echo "You are not authorized to view this resource.";
   //if you do not get in the user has not logged in successfully.
   }


?>



Lewis, looking at your post I may need to incorporate this $md5_password=md5($_POST['password']); I hope this explains the problem a bit better.

 


Ahh, now I get it: you've encrypted the password as MD5 in your database but your login form doesn't encrypt the password at all, meaning it doesn't compare with the one in the database. You need to use something like $pass = md5($_POST['password']);

 

try this then:

 

$password = md5($_POST['password']);

 

instead of:

 

$password = htmlspecialchars($_POST['password']);
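
Added example, not part of the original posts: in MySQL 4.1 and later, PASSWORD() stores '*' followed by the uppercase hex of SHA1(SHA1(password)), so neither the submitted plaintext nor md5() of it is the same string as the stored value; the second half does the check with PHP's password_hash()/password_verify() and a bound parameter. The sample credentials, function names and the in-memory SQLite table standing in for the thread's MySQL auth table are assumptions.

```php
<?php
// Added example. Sample credentials are constructed; an in-memory SQLite
// table stands in for the thread's MySQL `auth` table (assumption).

// MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password)), 41 chars.
function mysql41_password(string $plain): string
{
    return '*' . strtoupper(sha1(sha1($plain, true)));
}

$plain  = 'test123';                  // constructed sample password
$stored = mysql41_password($plain);   // the kind of value PASSWORD() writes to auth.pass

// The thread's query compares the submitted string with auth.pass directly,
// so print whether either candidate string equals the stored hash.
printf("stored      : %s (%d chars)\n", $stored, strlen($stored));
printf("plaintext ==: %s\n", var_export($plain === $stored, true));
printf("md5()     ==: %s (%d chars)\n",
    var_export(md5($plain) === $stored, true), strlen(md5($plain)));

// Hardened form: salted adaptive hash, verified in PHP, row found via a bound parameter.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output does not fit CHAR(41); the PHP manual suggests 255 characters.
$db->exec('CREATE TABLE auth (name VARCHAR(64) PRIMARY KEY, pass VARCHAR(255) NOT NULL)');

function register_user(PDO $db, string $name, string $plain): void
{
    $stmt = $db->prepare('INSERT INTO auth (name, pass) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($plain, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $name, string $plain): bool
{
    $stmt = $db->prepare('SELECT pass FROM auth WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();     // false when no such user
    return is_string($hash) && password_verify($plain, $hash);
}

register_user($db, 'testuser', 'test123');
register_user($db, "o'brien", 'test123');   // the quote is bound as data, not spliced into SQL

$attempts = [['testuser', 'test123'], ['testuser', 'wrong'], ["o'brien", 'test123'], ['nobody', 'x']];
foreach ($attempts as [$n, $p]) {
    printf("%-10s %-8s => %s\n", $n, $p, var_export(check_login($db, $n, $p), true));
}
```

Hash the raw submitted password: htmlspecialchars() is for output, and applying it before hashing alters passwords that contain characters such as & or <. PASSWORD() itself was removed in MySQL 8.0.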


yea MD5 is pretty strong

 

and for sessions, use this on the login page:

 

session_start(); // USE AT VERY TOP OF YOUR PAGE!

 

 

session_register(" *YOUR VARIABLE FOR USERNAME* "); // Sets Session and use when user = logged in

//Do not use $username, instead use username

 

and use this on the index:

 

session_start(); // Use session variable on this page. This function must put on the top of page.

 

if(!session_is_registered(" * YOUR VARIABLE FOR USERNAME * ")){ // if session variable "" does not exist.

 

header("location:login.php"); // Re-direct to login.php

}
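
The same login flag kept in `$_SESSION`, as an added example that is not part of the original post (session_register() and session_is_registered() were removed in PHP 5.4): it regenerates the session id at login and stops the script after the redirect. The `username` key, the `login.php` target and the function names are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example; the 'username' key, login.php and all function names are assumptions.

function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,     // keep the session cookie away from page scripts
        'secure'   => true,     // assumption: the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();            // must run before any output is sent
}

// Call once the password check has succeeded.
function mark_logged_in(string $username): void
{
    session_regenerate_id(true);        // fresh session id at login (session fixation defence)
    $_SESSION['username'] = $username;
}

// Call at the top of every protected page.
function require_login(): string
{
    if (empty($_SESSION['username'])) {
        header('Location: login.php');
        exit;                           // without exit the rest of the protected page still runs
    }
    return $_SESSION['username'];
}

// Logout: clear the data and end the session.
function log_out(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage with a constructed user name.
start_secure_session();
mark_logged_in('testuser');
printf("logged in as %s\n", require_login());
log_out();
```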
