PHP Login how to

Get help on web editors (Frontpage, Dreamweaver) and web languages (HTML, ASP, PHP).
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

PHP Login how to

Post by SBSP »

Hi

I started making a webpage for myself using PHP.

I have an index.php page with a form on it. The form consists of a Username and Password field, with the Submit login button.

E.G

Code: Select all

<html>
<body>

<form action="Home.php" method="post">
Name: <input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Login" />
</form>

</body>
</html>
I then have a home.php page.

The home.php page gets the username and password from the previous page via $_POST.
It then connects to MySQL and does a select where field = Username, and if the password in the database is the same as the password from the previously submitted page, it sets a variable to TRUE, e.g. $Authenticated="TURE"

I then use an if statement.

Code: Select all

if ($Authenticated == "TURE")
{
    // ALL the rest of the code goes here........
}
else
{
    echo "Username or Password is incorrect.";
}

My question is, is this a good way of doing this?
I'm not very good with PHP. I read somewhere that you are supposed to use sessions?
But it's too complicated for me.

Will the web server not handle each connection as its own session?
What are the chances of a user somehow grabbing another user's content?
DeathStrike
Registered User
Posts: 2663
Joined: 29 Jul 2004, 02:00
Location: hidden deep in the depths of the underworld is my home.
Contact:

Re: PHP Login how to

Post by DeathStrike »

Hi try this...

Code: Select all

session_start();
// clear session
foreach ($_SESSION as $key => $value)
{
	unset($_SESSION[$key]);
}
That will start the sessions and clear the old session data. Place that on the home.php page.

Then you can set the sessions:

Code: Select all

$_SESSION["login"] = $userLogin;
$_SESSION["expire"] = time() + 600;
$_SESSION["username"] = $username;
if ($userLogin == "0")
{
	$_SESSION["admin"] = "";
}
else
{
	$_SESSION["admin"] = True;
}
This will set values for whether the user has admin rights or not and give a time for the session to expire.

Then on every page you check if the session has expired, and if it has, unset the sessions, which will automatically log out the user.

Code: Select all

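session_start();
// Treat a missing or past expiry time as logged out
if (!isset($_SESSION["expire"]) || time() > $_SESSION["expire"])
{
	// Drop the session data and send the browser to the login page
	$_SESSION = array();
	echo "<script language='javascript'> window.location='login.php?message=1'; </script>";
	// Stop here so the rest of the protected page is not sent
	exit;
}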

Then on the login page you make an if statement that displays a logged out message depending on whether message equals one.

Code: Select all

<?php if (isset($_REQUEST['message']) && $_REQUEST['message'] == 1) {
    echo "Your Session Has Expired.";
} ?>
Hope that helps.
Last edited by DeathStrike on 20 Apr 2010, 15:34, edited 1 time in total.
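
Added example, not part of the post above or of anyone's code in this thread: the session steps described in that post gathered into one include file, using a server-side header() redirect followed by exit instead of the JavaScript redirect, and a fresh session ID at login. The function names and SESSION_TTL are assumptions; login.php?message=1 and the 600 seconds are taken from the post.

```php
<?php
// Added example, not code from the thread. Function names and
// SESSION_TTL are assumptions made for illustration.
const SESSION_TTL = 600; // seconds, the same 600 used in the post

// Call once, right after the username and password have been verified.
function start_login_session(string $username, bool $isAdmin): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // new ID, so an ID issued before login is dropped
    $_SESSION = [
        'username' => $username,
        'admin'    => $isAdmin,
        'expire'   => time() + SESSION_TTL,
    ];
}

// Pure check on the session data, so it can be exercised without a browser.
function session_is_valid(array $session, int $now): bool
{
    return isset($session['username'], $session['expire'])
        && $now <= $session['expire'];
}

// Call at the top of every protected page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!session_is_valid($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php?message=1');
        exit; // without this the rest of the protected page would still be sent
    }
}

// Constructed sample values, run only from the command line.
if (PHP_SAPI === 'cli') {
    $now = 1000;
    var_dump(session_is_valid(['username' => 'sbsp', 'expire' => 1600], $now));
    var_dump(session_is_valid(['username' => 'sbsp', 'expire' => 900], $now));
    var_dump(session_is_valid([], $now)); // never logged in
}
```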
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

Re: PHP Login how to

Post by SBSP »

:shock: ookay :D

I will give it a bash.

But I might come back asking more questions.

Thanks
DeathStrike
Registered User
Posts: 2663
Joined: 29 Jul 2004, 02:00
Location: hidden deep in the depths of the underworld is my home.
Contact:

Re: PHP Login how to

Post by DeathStrike »

No problem. I'm here at least once a day. Sorry, I'm working during the day so I hardly get to come on PCF, but then again I'm sure there are others that could help.
abusinessfinder
Registered User
Posts: 1
Joined: 30 Jul 2009, 06:47
Contact:

Re: PHP Login how to

Post by abusinessfinder »

Hi SBSP,

Just a note when building your login script. It is possible for users to hack your website using SQL injection, therefore I would recommend using the addslashes() function to clean up the input.

$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);

I had to learn this the hard way...
FrostiE
Registered User
Posts: 70
Joined: 19 Dec 2006, 02:00

Re: PHP Login how to

Post by FrostiE »

abusinessfinder, just be careful with addslashes() and database escape string functions; they are far from bulletproof. Try and limit the data to what it has to be, and nothing more, i.e. casting the posted data to an integer if it's an integer-only field.

Another thing would be to never deal with the original password directly. When an account is created, it's a lot safer to store an encrypted version in the table, and on trying to log in, running the same method on the posted data and comparing the two. That way, no matter what happens, the original is never actually revealed.
DeathStrike
Registered User
Posts: 2663
Joined: 29 Jul 2004, 02:00
Location: hidden deep in the depths of the underworld is my home.
Contact:

Re: PHP Login how to

Post by DeathStrike »

Perhaps hide the usernames and passwords behind some md5 hash codes?

Code: Select all

md5($_POST['username'] . $extra); // $extra: add user_id or date of birth or something
FrostiE
Registered User
Posts: 70
Joined: 19 Dec 2006, 02:00

Re: PHP Login how to

Post by FrostiE »

I used to do something similar, yeah. Generate a unique semi-timestamp based value when an account was created, then sha1 the submitted password and the 'salt' value, md5 that and store it.
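
Added example, not code from any poster in this thread: a login check covering both the SQL injection discussion and the password storage discussion above. It uses PDO prepared statements in place of addslashes(), and PHP's password_hash() / password_verify() in place of the md5 and sha1 constructions mentioned in the posts. The users table, its column names and the in-memory SQLite database are assumptions so the script runs on its own.

```php
<?php
// Added example, not code from the thread. The users table, column names
// and the in-memory SQLite database are assumptions so the script runs
// stand-alone; the same PDO calls work against MySQL.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $username, string $password): void
{
    // password_hash() generates a random salt and stores it inside the hash string
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep the posted value out of the SQL text entirely
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // no such user
    }
    // Re-hashes the posted password with the stored salt and compares
    return password_verify($password, $hash);
}

// Constructed sample data
$db = make_demo_db();
register_user($db, 'sbsp', 'correct horse');
var_dump(check_login($db, 'sbsp', 'correct horse')); // right password
var_dump(check_login($db, 'sbsp', 'wrong'));         // wrong password
var_dump(check_login($db, "sb'sp", 'correct horse')); // quote is treated as data
```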