xisto Community
FirefoxRocks

Help Improving My Login Script Code The code works okay...just not the authorization part


I have developed a piece of code :P that is going to work as my login script for my website. I need some help making improvements and creating additional features.


Here is my code:

<?php
session_start();
$name = $_POST['username'];
$password = $_POST['password'];
$con = mysql_connect("localhost", "myDbUser", "myDbPassword");
if (!$con) {
    die('Sorry, the XKingdom Center database has encountered an error right now. Please try again later or contact the website administrator. The MySQL error is: ' . mysql_error());
}
mysql_select_db("myDb", $con);
$result = mysql_query("SELECT * FROM myTable WHERE name='$name' and password = '$password'");
$auth = mysql_query("SELECT auth FROM myTable");
$rowcheck = mysql_num_rows($result);
if ($rowcheck == 1) {
    while ($auth_check = mysql_fetch_array($auth)) {
        if ($auth_check == YES) {
            $_SESSION['db_is_logged_in'] = true;
            setcookie("user", "$name", time() + 86400);
            header('Location: moderate.php');
            header('Content-type: text/html;charset=iso-8859-1');
        }
        elseif ($auth_check == NO) {
            $error = "You are not authorized as an XKingdom Member yet. Please try again later. If this problem persists for more than 24 hours, please contact the website administrator.";
        }
    }
}
elseif ($rowcheck > 1) {
    $error = "You have entered an incorrect username/password combination. Please try again. If you forgot your password, contact the website administrator.";
    header('Content-type: text/html;charset=iso-8859-1');
}
header('Content-type: text/html;charset=iso-8859-1');
mysql_close();
?>

It doesn't work. Also the $error variable isn't echoing properly in a <p> tag in the body.


This code works:

<?php
session_start();
$name = $_POST['username'];
$password = $_POST['password'];
$con = mysql_connect("localhost", "myDbUser", "myDbPassword");
if (!$con) {
    die('Sorry, the XKingdom Center database has encountered an error right now. Please try again later or contact the website administrator. The MySQL error is: ' . mysql_error());
}
mysql_select_db("myDb", $con);
$result = mysql_query("SELECT * FROM myTable WHERE name='$name' and password = '$password'");
$rowcheck = mysql_num_rows($result);
if ($rowcheck == 1) {
    $_SESSION['db_is_logged_in'] = true;
    setcookie("user", "$name", time() + 86400);
    header('Location: moderate.php');
    header('Content-type: text/html;charset=iso-8859-1');
}
elseif ($rowcheck > 1) {
    $error = "You have entered an incorrect username/password combination. Please try again. If you forgot your password, contact the website administrator.";
    header('Content-type: text/html;charset=iso-8859-1');
}
header('Content-type: text/html;charset=iso-8859-1');
mysql_close();
?>

I have removed the authorization stuff, and the $error variable isn't echoing properly here either.


1st priority: Get the authorized users right to log in, unauthorized users to wait.

2nd priority: Display a message if(...).

3rd priorities:

Lost Password

IP address logging at logon

Ability to enter more information (optional)

Could someone help me achieve my goal please?

Thank you,


First I believe that using the condition

elseif($rowcheck > 1)
to check if the user entered the wrong user or password is a mistake. Your SQL query
"SELECT * FROM name='$name' AND password='$password'"
returns the number of rows resulting from the query, which in most cases will return 1 or less than one, unless of course there are multiple entries in your database, in which case the user name is not unique, meaning there are name entries with the same name. It should not be the case. User name should be unique and only the password can have duplicates, but never the user name. The right condition statement should be, assuming that the user name is unique:

if ($rowcheck == 1) {
    //user name and password is ok
}
else {
    //wrong password or username
}


About the error report.. use <pre></pre> instead of the <p></p> tag. The difference between the two is that the <pre> tag is sensitive to spaces and new lines. Whatever space or new line is inside the tag will be reflected or displayed. The <p> tag does not allow a new line or <br /> since it's in paragraph formatting, which means there should be no new line inside the tag.
So for pre-formatted text use <pre></pre>.

For logging the IP address I believe there is a global variable that holds it, or maybe a function that returns the IP address; I forgot about it. You could visit PHP.net; they have good documentation on their website.

About the lost password feature. First you must have a record or entry in your Members database about their e-mail address. The common way for this to work is to ask for the e-mail address of the user which he supplied when he registered on your website. Then you check if the supplied e-mail address matches the user in your database. If it matches, then use the mail() function to e-mail the newly generated password.

By the way, about your password. I noticed that you get the one supplied by the user from $_POST[] directly, then compare it directly in your query without encryption. This only means that you haven't encrypted the password. For better security you should encrypt your password, and the recommended one is one-way encryption. Here is how it works.

1. During registration you get the desired password, then encrypt it using the crypt() function and save the resulting encrypted data to your database. The crypt() function is a one-way encryption, meaning you can not decrypt anymore what is encrypted using the crypt() function.

2. To verify the password during log-in, first you have to encrypt the supplied password using crypt(). The resulting encrypted data is the one used to check if it matches the encrypted password saved in the database:

$pass = crypt($_POST['password']);
$query = "SELECT * FROM members WHERE userName LIKE '$name' AND password LIKE '$pass'";

In this way, even if the database is compromised the password will still not be stolen, since it is encrypted using one-way encryption. They may have the encrypted password, but there is no way for them to know what the actual values are unless they are the CIA or NSA.


Presumably, you are running the script from a form on a web-site, hence the $_POST variable.
One precaution is to check that the $_POST variable has been provided, by checking the query-string using isset().

if ( !isset($_POST['variable']) ) {
    // do this stuff here. ie: transfer them back to the form page for completion
}
else {
    // continue with the processing
    // possibly passing control on errors
}
// pass control to the 'logged-in' page here
The 'variable' used in the initial IF statement checking the isset() is typically a hidden value from the Form itself.


Now I have a message appearing if the user is not authorized, incorrect username/password, etc.

Also, unauthorized users can now log in. For example, please log into XKingdom Member Center with the username Xisto and password 123. That user is supposed to be unauthorized, but it can still go through. Why is that?

 

My revised code is:

<?php
session_start();
$name = $_POST['username'];
$password = $_POST['password'];
$con = mysql_connect("localhost", "myDbUser", "myDbPassword");
if (!$con) {
    die('Sorry, the XKingdom Center database has encountered an error right now. Please try again later or contact the website administrator. The MySQL error is: ' . mysql_error());
}
mysql_select_db("myDb", $con);
$result = mysql_query("SELECT * FROM myTable WHERE name='$name' and password = '$password'");
$rowid = mysql_query("SELECT id FROM myTable WHERE name='$name' and password = '$password'");
$auth = mysql_query("SELECT auth FROM myTable");
$rowcheck = mysql_num_rows($result);
if ($rowcheck == 1) {
    $row = mysql_result($auth, $rowid);
    if ($row == YES || yes || Yes) {
        $_SESSION['db_is_logged_in'] = true;
        setcookie("user", "$name", time() + 86400);
        header('Location: moderate.php');
        header('Content-type: text/html;charset=iso-8859-1');
    }
    elseif ($row == NO || no || No) {
        $error = "You are not authorized as an XKingdom Member yet. Please try again later.\n If this problem persists for more than 24 hours, please contact the website administrator.";
    }
}
else {
    $error = "You have entered an incorrect username/password combination. Please try again.\n If you forgot your password, contact the website administrator.";
    header('Content-type: text/html;charset=iso-8859-1');
}
header('Content-type: text/html;charset=iso-8859-1');
mysql_close();
?>

I don't care if the incorrect username/password message appears at first visit. It isn't a priority right now.

As for lost password, I whipped up something that can be used. It does use the mail() function. And users NEED to provide an email address when registering.

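Pulling the points raised in this thread together (the isset() check, matching a single row, one-way password hashing, and an authorization check that reads the flag from the matched user's own row instead of from an unfiltered "SELECT auth FROM myTable"), here is an added example of a hardened version of the login script; it is not FirefoxRocks's code or anything posted by the other members. It assumes mysqli, the same myTable(name, password, auth) layout with the password column holding a password_hash() value written at registration, and a hypothetical login_log table for the IP-logging priority.

```php
<?php
// Added example, not the thread's code. Assumes myTable(name, password, auth)
// where password holds a password_hash() value, plus a hypothetical
// login_log(name, ip, logged_at) table for the IP-logging priority.
session_start();

function authenticate(mysqli $con, string $name, string $password): array
{
    // One parameterised query for this user only; the auth flag comes from the
    // matched row, not from an unfiltered "SELECT auth FROM myTable".
    $stmt = $con->prepare('SELECT password, auth FROM myTable WHERE name = ? LIMIT 1');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // Same message for unknown user and wrong password: do not reveal which names exist.
    if ($row === null || !password_verify($password, $row['password'])) {
        return ['ok' => false, 'error' => 'Incorrect username/password combination.'];
    }
    // Compare the flag as a string; a bare YES/yes in PHP is an undefined constant, not the column.
    if (strcasecmp((string) $row['auth'], 'yes') !== 0) {
        return ['ok' => false, 'error' => 'You are not authorized as a member yet.'];
    }
    return ['ok' => true, 'error' => ''];
}

function logLogin(mysqli $con, string $name, string $ip): void
{
    $stmt = $con->prepare('INSERT INTO login_log (name, ip, logged_at) VALUES (?, ?, NOW())');
    $stmt->bind_param('ss', $name, $ip);
    $stmt->execute();
}

if (!isset($_POST['username'], $_POST['password'])) {
    header('Location: login.php'); // form not submitted: send the visitor back to it
    exit;
}
$con = new mysqli('localhost', 'myDbUser', 'myDbPassword', 'myDb');
$outcome = authenticate($con, $_POST['username'], $_POST['password']);
if ($outcome['ok']) {
    session_regenerate_id(true);            // fresh session id on privilege change
    $_SESSION['db_is_logged_in'] = true;
    $_SESSION['user'] = $_POST['username']; // identity stays server-side, not in a cookie
    logLogin($con, $_POST['username'], $_SERVER['REMOTE_ADDR']);
    header('Location: moderate.php');
    exit;                                   // stop here; nothing after a redirect should run
}
$error = $outcome['error'];                 // print with htmlspecialchars($error) in the page body
$con->close();
```

The same page can then print $error inside its <p> tag, and moderate.php only needs to test $_SESSION['db_is_logged_in'] rather than trusting a client-side "user" cookie.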
