Question about a login


Frezzwar

Hi.

I'm new to this forum, so this may be the wrong place I am posting.

In school I'm working on a project where I have to make a website with PHP and a database in MySQL.

I have made one project. It was good (for one with my lack of skills), but now my teacher asks me to do it in another way. Problem is, I have no idea how I can improve it. Right now I'm stuck on my login part. I figure that I have to post my code somewhere if I want some help, but what is the easiest way of doing that?

Don't get me wrong. I'm not asking for anyone to make my project. All I need is a nod in the right direction :)


Well some code would be useful - however a login check is fairly simple:

<!-- THE HTML (login.php) -->
<form action="login_proc.php" method="post">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="Login" />
</form>

<?php
// THE PROCESSING PAGE (login_proc.php)
// Read the two fields explicitly; extract($_POST) would let any posted
// field name overwrite a local variable.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// "==" compares; a single "=" would assign and the test would always succeed.
if ($username == "Admin" && $password == "biscuit") {
    header("Location: admin.php");
} else {
    header("Location: login.php");
}
exit; // stop the script after sending the redirect header
?>

This is obviously very simplified, but it is a starting point. You would then need to set a flag somewhere (either a session variable or an entry in a database) to tell the system the user is logged in, and then check this when they access any of the pages on the site.


Okay, my old code is a bit more advanced (please don't mind the Danish words):

<!-- login form (posts to logged-in.php) -->
<form action="logged-in.php" method="post">
<input type='text' name='username'>
<input type='password' name='password'>
<input type="submit" value="Log ind"/>
</form>

<!-- logged-in.php -->
<html><body>
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];

if ($username && $password)
{
    $connect = mysql_connect("localhost", "root", "") or die("error");
    mysql_select_db("projekt-kage") or die("error2");

    // the submitted username is placed straight into the SQL string
    $query = mysql_query("SELECT * FROM users WHERE username='$username'");

    $numrows = mysql_num_rows($query);

    if ($numrows != 0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }
        // passwords are stored as md5 hashes and compared with md5 of the input
        if ($username == $dbusername && md5($password) == $dbpassword)
        {
            $_SESSION['username'] = $username;
            echo "<a href='logged-in_list.php'>Du trykkede rigtigt! Tryk her for at komme videre.</a>";
        }
        else
            echo "Forkert kode!";
    }
    else
    {
        die("Denne bruger eksisterer ikke!");
    }
}
else
{
    die("Du skal indtaste både brugernavn og kode!");
}
?>
</body></html>


I'm a noob here and with PHP (previously worked with Java and databases), so take my suggestions with more than a grain of salt.

1)  SECURITY - I notice that you are taking raw user input data (the username info) and inserting it directly into your SQL query.  This leaves your database wide open to an SQL injection attack (see http://unixwiz.net/techtips/sql-injection.html for more info).  Personally, I would clean that data up with mysql_real_escape_string() (and probably trim() to get rid of excess whitespace) before inserting it into my query.

2)  SCALABILITY - If you have several php files in your application that are connecting to your DB, you may want to put the DB connection variables (hostname, username, password, database name) as constants in a separate php file and use require_once() to include that file and those constants at the beginning of any php file that needs to connect to a database.

This way, if you move your project from your home computer to a live server you don't have to search through every php file and find where you had "localhost" listed as the hostname and change it to your new hostname, etc.  With a separate file containing your DB connection info you only have to make a change in one place for your entire application.

Hope this helps.  To the PHP experts, if I gave any bad advice let me know.  I am here to learn as well.

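Putting the two replies above together (the session flag from the first reply, and the SQL injection and separate config file points from the second), here is an added example of what the login handler can look like. This is not code from the thread: it uses PDO prepared statements instead of string-building the query, password_hash()/password_verify() instead of md5(), and a session flag plus a guard function for protected pages. The DSN, table layout, and the in-memory SQLite database are assumptions so the script runs stand-alone; the real project would point DB_DSN at its MySQL database.

```php
<?php
// Added example, not the original poster's code. Assumes the pdo_sqlite
// extension is available for the stand-alone demo at the bottom.

// --- config.php (in the real project this block sits in its own file and
//     every page that touches the database does require_once 'config.php') ---
define('DB_DSN',  'sqlite::memory:'); // e.g. 'mysql:host=localhost;dbname=projekt-kage;charset=utf8mb4'
define('DB_USER', '');                // MySQL user name goes here
define('DB_PASS', '');                // MySQL password goes here

function db_connect(): PDO {
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares where the driver supports them
    ]);
}

// Store only a salted, slow hash of the password; never the password or md5() of it.
function create_user(PDO $pdo, string $username, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// The username is a bound parameter, so quotes or SQL keywords in it are just
// characters in a value, not part of the query text.
function authenticate(PDO $pdo, string $username, string $password): bool {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still run a verify so the timing matches a wrong password,
        // and the caller gets the same generic failure either way.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Login handler: on success set the "logged in" flag in the session.
function handle_login(PDO $pdo, array $post): bool {
    $username = trim($post['username'] ?? '');
    $password = $post['password'] ?? '';
    if ($username === '' || $password === '') {
        return false;
    }
    if (!authenticate($pdo, $username, $password)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id after the privilege change
    }
    $_SESSION['username'] = $username;
    return true;
}

// Put require_login() at the top of admin.php and every other protected page.
function require_login(): void {
    if (empty($_SESSION['username'])) {
        header('Location: login.php');
        exit; // header() alone does not stop the rest of the page from running
    }
}

// --- stand-alone demo with constructed data (a real login page reads $_POST) ---
$pdo = db_connect();
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
create_user($pdo, 'Admin', 'biscuit');

$attempts = [
    ['username' => 'Admin',            'password' => 'biscuit'], // correct
    ['username' => 'Admin',            'password' => 'BISCUIT'], // wrong password
    ['username' => "Admin' OR '1'='1", 'password' => 'x'],       // classic injection string: just a non-existent username here
    ['username' => '',                 'password' => 'biscuit'], // missing field
];
foreach ($attempts as $p) {
    printf("%-20s -> %s\n", $p['username'], handle_login($pdo, $p) ? 'logged in' : 'rejected');
}
```

Only the first attempt is accepted. The third shows why the second reply's concern goes away with a prepared statement: the quote and OR clause never reach the SQL parser as syntax, so the lookup simply finds no such user. If you keep mysql_real_escape_string() for now, note that it only protects quoted string values in the query, whereas binding parameters covers every value you pass in.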

1) I don't know much about hacking, but I have been told that it is safe from SQL injection. I'm not sure, but you just made me start reading :)

2) I'm not 100% sure I understand this, but it really sounds smart! I'm planning to upload this project at some point (after my exam), so I think it will be helpful!

Thanks for the help! More help is still appreciated.
