iGuest, posted November 13, 2009
Really Insecure: Simple Php Login And Registration System

This script is more than insecure. Read something about SQL injections and XSS attacks. You should never ever use a $_POST variable directly in an SQL query without checking the variable for SQL commands. https://en.wikipedia.org/wiki/SQL_injection

-reply by illmat

koolazngy94, posted November 14, 2009

Wow, this is actually the tutorial I've been looking around for. I checked at Google and had no luck, but luckily I found Xisto. Thank you Xisto (you saved my time). Anyways, thanks for the tutorial!

alex198555, posted November 14, 2009

Can I have a link that teaches me how to create a registration form with AJAX?

iGuest, posted February 28, 2010
Registration code: Simple Php Login And Registration System

Hello, can somebody help me with the code for signing up and logging in using HTML, PHP, MySQL? Just a simple one coz I'm just starting to learn the basics. Thank you.

-reply by meshka

Darknight2199, posted June 12, 2010

http://forums.xisto.com/topic/72282-login-system-in-a-website-how-to-add-a-loginregister-system-to-my-website/

View this topic.

iGuest, posted April 25, 2011
Really Insecure: Simple Php Login And Registration System

This script is more than insecure.
Read something about SQL injections and XSS attacks.
You should never ever use a $_POST variable directly in an SQL query without checking the variable for SQL commands.
http://en.wikipedia.org/wiki/SQL_injection
by illmat

Indeed. The vars need to be sanitised before ANY processing is done. ' Or 1 = 1 -- etc... It's OK as a simple beginner's guide to programming but should NEVER be used as any security system EVER.

Jez, posted June 3, 2011 (edited)

Replace DB_HOST with the host of your database. This is usually "localhost", but some hosts differ

They only differ if the MySQL server is on a separate node to the PHP parser. As the HTTP server won't have a clue about what to do with MySQL connections, it's left up to PHP.

You could replace in that instance, say, mysqluser@192.168.0.1, say if the MySQL host is on a separate computer, this time 192.168.0.1.

Or if you're like me and have a FQDN working on a local network, then you'd use something along the lines of databasehost.mydomain.com

Or in case of MySQL, mysqluser@mysql.mydomain.com, but you would need to allow for 3306 (which a lot of hosting plans block anyway). I could open it up on my own server but prefer not to!

Just thought I would give you a heads up on the comparison to the localhost var in the mysql_connect; quite essentially it's just where the MySQL server is located compared to the PHP parser.

    $inf = "SELECT * FROM `comments` WHERE page = '".stripslashes($_SERVER['REQUEST_URI'])."' ORDER BY time ASC";

You do not need to escape out of parsing with PHP at all; all you'd need to do on occasion is use mysql_real_escape_string($foo);

This puts in what you want. Also, what you put in your logic is making your code (if you're opening it up to the public, if not then ignore this), you're actually opening up your code for SQL injection attacks.

When a hacker gets into your text boxes or creates some form of XSS attack (cross site scripting), and injects code into your variables, potentially wiping your database off completely, reading data from it, that they should not be doing.

mysql_real_escape_string() sends the variable in as a piece of text not a command like escaping out of parsing in PHP alone will make you prone to XSS attacks and not using mysql_real_escape_string leaves you open to SQL injection attacks.

Just thought I would give you a word of warning.

Very good tutorial though, but I would never use it for a production system. You might want, for instance, to start thinking about using MySQL based sessions, trying to work out a set of logic for saving instead of filesystem based sessions, using MySQL saved sessions, so instead of a file the row in the database is the session and goes nowhere near the file system.

It's a good idea when one uses hosting based solutions, they want to keep track of users' actions or maybe even have a cluster of MySQL servers.

Edited June 3, 2011 by Jez

iGuest, posted June 18, 2011

I get this error on registering:

Parse error: syntax error, unexpected '>' in /home/www/cwcity/hosting/s/t/stylerzz-css/htdocs/login/register.php on line 13

I changed nothing, just the table names, and I don't have any idea. Please help me guys.

iGuest, posted October 23, 2011

Hello, I'm new to PHP myself and have what I hope is a basic question. I'd like to have password protected pages on my site. Simple have no more than 10 pages, each one with its own password. Is this doable with PHP, do I need MySQL installed for that? Furthermore, if I see a server like the one provided by Xisto.com how can I install my PHP script on it?

You don't need MySQL. You just need this code:

    <?php
    // Define both pieces of output first so they exist when the checks below run.
    $enter_pass = '<html><body><form method="POST" action="#">'
        . '<h1>This page is password protected.</h1>'
        . '<p>Password: <input type="password" name="password"><br />'
        . '<input type="submit" name="submit" value="submit"></p></form></body></html>';
    $display_page = '//enter page content here';

    // Only compare once the form has actually been submitted with a password field.
    if (isset($_POST['submit'], $_POST['password'])) {
        if ($_POST['password'] === "password") { // replace "password" (no quotes) with the password you want.
            echo $display_page;
        } else {
            unset($_POST['submit']);
            echo "Wrong password! <a href=\"#\">Try again</a>.";
        }
    } else {
        echo $enter_pass;
    }
    ?>

I just made that in 5 minutes off the top of my head. It's probably wrong. I didn't test it. Anyway, you will have to change some things like the password and the content. You can save the page as whatever you like. I hope you understand it.

iGuest, posted November 18, 2011

Hello Sir, can I run these two files in one page? 'Cause I want the output in the same page. Please help me, sir.

iGuest, posted February 21, 2012

Hello guys, I need help about login. When the username writes the password without entering the username it works and I don't know why. For example:

username:
password: 1234 (which is stored in the database)

When the username clicks submit it works without a username. Help me please.

iGuest, posted March 23, 2012

Hello, I'm new to PHP myself and have what I hope is a basic question. I'd like to have password protected pages on my site. Simple have no more than 10 pages, each one with its own password. Is this doable with PHP, do I need MySQL installed for that? Furthermore, if I see a server like the one provided by Xisto.com how can I install my PHP script on it?

This tutorial only deals with the act of logging in, not the code that applies when you are logged in or not. In PHP you can use the sessions feature, see http://php.net/manual/en/features.sessions.php, to share data between pages. So set up a variable that indicates if the user is logged in or out, share it between pages using sessions, and apply logic depending on logged in or out.

If all you want is to protect pages (i.e. no dynamic registration / logged in or out feature) it is much easier to do this using .htaccess, see for example this blog http://forums.xisto.com/no_longer_exists/

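Added example, not code from any poster in this thread: one way to carry the logged-in state between pages with PHP sessions, as the reply above describes. The function names are hypothetical, login.php and accounts.php are the file names used elsewhere in the thread, and the cookie settings assume the site is served over HTTPS.

```php
<?php
// Added example: session-based login state. Function names are hypothetical.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: not readable from JavaScript, sent only over HTTPS
    // (assumption: the site uses HTTPS), not sent on cross-site requests.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call at the point in login2.php where the password check has succeeded.
function mark_logged_in(string $username): void
{
    start_secure_session();
    // Issue a fresh session id on login so an id that was known before
    // authentication (session fixation) is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

// Call at the top of every protected page, for example accounts.php.
function require_login(): string
{
    start_secure_session();
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['username'];
}

function log_out(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}
```
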
iGuest, posted September 28, 2012

In the area of the protected part.

EXAMPLE: CODE

    if ($password == $password2) {
        //PUT PASSWORD PROTECTED INFORMATION HERE
    }

Can I replace the ---PUT PASSWORD PROTECTED INFORMATION HERE--- with a file like <accounts.php> which I created?

__________________________________________________________________________________________

Hello. This is my first web tutorial ever. This is basically a simple register and login script. Yes, I know it's a bit rubbish but I'm quite new to PHP/MySQL.

Here's the register form. This can be any file extension you like. I'd recommend calling it register.html.

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Register</title>
    </head>
    <body>
    <h1>Register</h1>
    <form action="register.php" method="post">
    <table>
    <tr><td width="81">Username:</td><td width="247"><input name="username" size="30" autocomplete="off" value="" type="text" /></td></tr>
    <tr><td>Password:</td><td><input name="password" size="30" type="password" /></td></tr>
    <tr><td>First Name:</td><td><input name="firstname" size="30" type="text" /></td></tr>
    <tr><td>Last Name:</td><td><input name="lastname" size="30" type="text" /></td></tr>
    <tr><td>Age:</td><td><input name="age" size="30" maxlength="2" type="text" /></td></tr>
    </table>
    <p><input type="submit" class="button" value="Register" /></p>
    </form>
    </body>
    </html>

Now create a MySQL database. Then create a file that will be called mysql-connect.php. Here is the file:

    <?php
    $con = mysql_connect("DB_HOST","DB_USER","DB_PASS");
    mysql_select_db("DB_NAME", $con);
    ?>

Replace DB_HOST with the host of your database. This is usually "localhost", but some hosts differ. Replace DB_USER with the username for your database, and DB_PASS with the password of your database and then replace DB_NAME with the name of your database.

Enough with this file, let's get onto the actual registration script. Save this as register.php.

    <?php
    include 'mysql-connect.php';

    $username = $_POST['username'];
    $password = $_POST['password'];
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $age = $_POST['age'];
    $ip = $_SERVER['REMOTE_ADDR'];

    // The form values go into the SQL strings below as-is; this is the
    // injection problem raised in the replies.
    $result = mysql_num_rows(mysql_query("SELECT * FROM TABLENAME WHERE username='$username'"));
    if ($result == 1) {
        echo '<h1>ERROR!</h1>The username you have chosen already exists!';
    } else {
        mysql_query("INSERT INTO TABLENAME (username, password, firstname, lastname, age, ip)
            VALUES ('$username', '$password', '$firstname', '$lastname', '$age', '$ip')");
        echo '<p>Congratulations! You have successfully registered! </p><p>Click <a href="login.php">here</a> to login.</p>';
    }
    ?>

OK, let's break this down:

    include 'mysql-connect.php';

Include the database connection file.

    $username = $_POST['username'];
    $password = $_POST['password'];
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $age = $_POST['age'];
    $ip = $_SERVER['REMOTE_ADDR'];

This part gets all of the variables: username, password, first name, last name, age and IP address.

    $result = mysql_num_rows(mysql_query("SELECT * FROM TABLENAME WHERE username='$username'"));

This checks to see if the username already exists in the database. Make sure you change "TABLENAME" to the name of the table in which the user information is stored.

    if ($result == 1) {
        echo '<h1>ERROR!</h1>The username you have chosen already exists!';
    } else {
        mysql_query("INSERT INTO TABLENAME (username, password, firstname, lastname, age, ip)
            VALUES ('$username', '$password', '$firstname', '$lastname', '$age', '$ip')");
        echo '<p>Congratulations! You have successfully registered! </p><p>Click <a href="login.php">here</a> to login.</p>';
    }

If the username already exists, display an error message, and if not, insert the user information into the database and display a login link. Make sure you change "TABLENAME" to the name of the table in which the user information is stored.

Now onto the login form. This is quite simple. Just save it as login.php.

    <html>
    <head><title>Login</title></head>
    <body>
    <form name="login" action="login2.php" method="post">
    <table align="center">
    <tr><td class="title">Username</td><td><input name="user" size="30" autocomplete="off" value="" type="text" /></td></tr>
    <tr><td class="title">Password</td><td><input name="pass" size="30" type="password" /></td></tr>
    </table>
    <p style="text-align:center;"><input type="submit" class="button" value="Login" /></p>
    </form>
    </body>
    </html>

Basically, that asks for username and password, and sends them to another file called login2.php which we shall move onto now…

    <?php
    include 'mysql-connect.php';

    $username = $_POST['user'];
    $password = $_POST['pass'];

    // As in register.php, $username is placed in the query unescaped.
    $query1 = mysql_query("SELECT * FROM TABLENAME WHERE username='$username'");
    $result = mysql_num_rows($query1);
    if ($result == 0) {
        echo '<h1>Error!</h1>The username you specified does not exist!';
    } else {
        $checkuser = mysql_query("SELECT * FROM TABLENAME WHERE username='$username'");
        $row = mysql_fetch_array($checkuser);
        $password2 = $row['password'];
        $status = $row['status'];
        if ($password == $password2) {
            //PUT PASSWORD PROTECTED INFORMATION HERE
        } else {
            echo '<h1>Error!</h1>The username and password combination you entered does not match the ones we have in the database.';
        }
    }
    ?>

Let's break this file down as well.

    $username = $_POST['user'];
    $password = $_POST['pass'];

This grabs the username and password that they entered.

    $query1 = mysql_query("SELECT * FROM TABLENAME WHERE username='$username'");
    $result = mysql_num_rows($query1);

This checks to see if the user exists in the database. Make sure you change "TABLENAME" to the name of the table in which the user information is stored.

    if ($result == 0) {
        echo '<h1>Error!</h1>The username you specified does not exist!';
    }

If not, display an error message.

    else {
        $checkuser = mysql_query("SELECT * FROM TABLENAME WHERE username='$username'");
        $row = mysql_fetch_array($checkuser);

If the user does exist, get the information stored in the database about that user. Make sure you change "TABLENAME" to the name of the table in which the user information is stored.

    $password2 = $row['password'];

Get the user's password.

    if ($password == $password2) {
        //PUT PASSWORD PROTECTED INFORMATION HERE
    }

If the password in the database matches the one they entered, display password protected information.

    else {
        echo '<h1>Error!</h1>The username and password combination you entered does not match the ones we have in the database.';
    }
    }

If not, display yet another error message.

OK, that's the script. Hope you liked it. It was for a website I was making but I have no need for it anymore, so I thought I would post it here so that other people can learn from it. This /should/ work, but if it doesn't, just let me know and I can advise you on what is wrong and can edit it. We can ALL learn from our mistakes.

mamer, posted January 27, 2013

Good work MiniK, thank you. If I may add some general comments:

- Comments on the code are really essential in tutorials, as others mentioned
- It would be very helpful if you specify the level of knowledge required to use your tutorial (well, I forgot to do that in my last tutorial :)). You'll need to specify a level such as beginner, elementary or advanced
- You also could mention at the beginning something about the assumed knowledge. For example: familiarity with MySQL and DB queries

As for the system itself, I understand that you said simple and you didn't say "secure". Learning from other advanced PHP programmers, I always include password hashing and user input sanitizing whenever I work with user input and database. That should achieve some level of security, although I'll be always in doubt about the security of any code that I develop myself. That doesn't underestimate the good work you have done.

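Added example, not code from the tutorial or from any poster: the registration and login checks written with placeholders and password hashing, which is what the replies by illmat, Jez and mamer ask for, next to the tutorial's concatenated query style for comparison. It assumes PDO with an in-memory SQLite database standing in for MySQL so that it runs offline (a `mysql:` DSN takes the same calls); the `users` table, the function names and the sample accounts are constructed for illustration.

```php
<?php
// Added example, not the tutorial's code. In-memory SQLite stands in for the
// MySQL database so this runs offline; table and function names are made up.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function register_user(PDO $pdo, string $username, string $password): bool
{
    // Store a salted hash, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    try {
        return $stmt->execute([$username, $hash]);
    } catch (PDOException $e) {
        if ($e->getCode() == '23000') {
            return false; // username already taken (PRIMARY KEY violation)
        }
        throw $e;
    }
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder sends $username as data; it is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no row matched
    // One answer for both "no such user" and "wrong password".
    return is_string($hash) && password_verify($password, $hash);
}

// The tutorial's query style, kept only for comparison.
function count_matches_concatenated(PDO $pdo, string $username): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username='$username'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Constructed sample accounts.
register_user($pdo, 'alice', 'correct horse battery');
register_user($pdo, 'bob', 'another long passphrase');

$probe = "' OR 1 = 1 -- "; // the string quoted earlier in this thread

var_dump(check_login($pdo, 'alice', 'correct horse battery')); // valid login
var_dump(check_login($pdo, $probe, 'anything'));    // probe is just an unknown username
var_dump(count_matches_concatenated($pdo, $probe)); // probe rewrites the WHERE clause
```
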
iGuest, posted April 26, 2013

I am having a lot of trouble. The site won't let me log in even though details are registered.

Error

Notice: Resource id #5 in C:xampphtdocsDISlogin2.php on line 7
Notice: Undefined index: password in C:xampphtdocsDISlogin2.php on line 20
Notice: Undefined index: status in C:xampphtdocsDISlogin2.php on line 21

Error! The username and password combination you entered does not match the ones we have in the database