Jump to content
xisto Community
MiniK

Simple Php Login And Registration System

Recommended Posts

really InsecureSimple Php Login And Registration System

This script is more then insecure.

Read something about sql-injections and xss-attacks.

You should never ever use a $_Post variable directly in a sql query without checking the variable for sql-commands.

 https://en.wikipedia.org/wiki/SQL_injection

-reply by illmat

Share this post


Link to post
Share on other sites
Rgistration codeSimple Php Login And Registration System

hello,,,

can somebody help me about the codes of signing up, log in using html , php, mysql.. Just a simple one coz I'm just starting to learn the basic..Thank you..

-reply by meshka

Share this post


Link to post
Share on other sites

really InsecureSimple Php Login And Registration System<p>This script is more then insecure.</p><p>Read something about sql-injections and xss-attacks.</p><p>You should <strong>never</strong> ever use a $_Post variable directly in a sql query without checking the variable for sql-commands.</p><p> http://en.wikipedia.org/wiki/SQL_injection by illmat

 


Indeed. The vars need to be sanitised before ANY processing is done.

 

' Or 1 = 1 --

 

etc...

 

It's OK as a simple beginner's guide to programming but should NEVER be used as any security system EVER.

Share this post


Link to post
Share on other sites

Replace DB_HOST with the host of your database. This is usually “localhost”, but some hosts differ

They only differ if the mysql server is on a seperate node to the php parser.

As the HTTP server won't have a clue about what to do with MySQL connections, it's left up to PHP.

You could replace in that instance say mysqluser@192.168.0.1 say if the mysql host is on a seperate computer this time 192.168.0.1.

Or if you're like me and have a FQDN working on a local network, then you'd use something along the lines of databasehost.mydomain.com

Or incase of MySQL mysqluser@mysql.mydomain.com, but you would need to allow for 3306 (which allot of hosting plans block anyways), I could open it up on my own server but prefer not to!

Just thought I would give you a heads up on the comparison to the localhost var in the mysql_connect, quite essentially it's just where the mysql server is located compared to the PHP parser.

$inf = "SELECT * FROM `comments` WHERE page = '".stripslashes($_SERVER['REQUEST_URI'])."' ORDER BY time ASC";

You do not need to escape out of parsing with PHP at all, all you'd need to do on occasion is use mysql_real_escape_string($foo);

This puts in what you want, also what you put in your logic is making your code (if you're opening it up to the public, if not then ignore this), your actually opening up your code for SQL injection attacks.

When a hacker gets into your text boxes or creates some form of XSS attack (cross site scripting), and inject code into your variables potentially wiping your database off completely, reading data from it, that they should not be doing.

mysql_real_escape_string() sends the variable in as a piece of text not a command like escaping out of parsing in PHP alone will make you prone to XSS attacks and not using mysql_real_escape_string leaves you open to SQL injection attacks.

Just thought I would give you a word of warning.

Very good tutorial though, but I would never use it for a productional system, you might want for instance to start thinking about using MySQL based sessions, trying to work out a set of logic for saving instead of filesystem based sessions, using MySQL saved sessions, so instead of a file the row in the database is the session and does go no where near the file system.

It's a good idea when one uses hosting based solutions, they want to keep track of users actions or maybe even have a cluster of mysql servers.
Edited by Jez (see edit history)

Share this post


Link to post
Share on other sites

I get this error on registering:Parse error: syntax error, unexpected '>' in /home/www/cwcity/hosting/s/t/stylerzz-css/htdocs/login/register.php on line 13I changed nothing, just the tablenames, and i dont have any idea..Please help me guys.

Share this post


Link to post
Share on other sites

Hello,
I'm new to PHP myself and have what I hope is a basic question. I'd like to have password protected pages on my site. Simple have no more than 10 pages, each one with its own password. Is this doable with PHP, do I need MySQL installed for that?

Furthermore, if I see a server like the one provided by Xisto.com how can I install my PHP script on it?

You don't need MySQL. You just need this code:
<?phpif(isset($_POST[submit])){if($_POST['password'] == "password"){ //replace "password" (no quotes) with the password you want.echo "$display_page";} else {unset $_POST['submit'];echo "Wrong password! <a href=\"#\">Try again</a>.";}} else {echo "$enter_pass";}?><?php$enter_pass="<html><body<form method="POST" action="#"><h1>This page is password protected.</h1><p>Password: <input type="password" name="password"><br /><input type="submit" name="submit" value="submit"></p></form></body></html>";$display_page="//enter page content here"?>
I just made that in 5 minutes off the top of my head.
It's probebly wrong. I didn't test it. Anyway,
you will have to change some things like the
password and the content. You can save the page
as whatever you like. I hope you understand it.

Share this post


Link to post
Share on other sites

Hello Guys I need help about login.................. when the username writes the password without entering the username it works and I don't know why?for examplesusername: password: 1234 (which stored the database) when the username clicks submit it works without username Help me please

Share this post


Link to post
Share on other sites

Hello,
I'm new to PHP myself and have what I hope is a basic question. I'd like to have password protected pages on my site. Simple have no more than 10 pages, each one with its own password. Is this doable with PHP, do I need MySQL installed for that?

Furthermore, if I see a server like the one provided by Xisto.com how can I install my PHP script on it?


This tutorial only deals with the act of logging in, no the code that applies when you are logged in or not. In PHP you can use the sessions feature see http://php.net/manual/en/features.sessions.php to share data between pages. So set up a variable that indicated idf the user is logged in our out, share it between pages using sessions, and apply logic depending on logged in our out.

If all you want is to protect pages (i.e. no dynamic registration / logged in or out feature) it is much easier to do this iusing .htaccess see for example this blog http://forums.xisto.com/no_longer_exists/

Share this post


Link to post
Share on other sites

In the area of the protected part.EXAMPLE:

 

CODE

if ($password == $password2)

{

//PUT PASSWORD PROTECTED INFORMATION HERE

}

 

Can I replace the---PUT PASSWORD PROTECTED INFORMATION HERE ---with a file like <accounts.php> which I created

 

 

__________________________________________________________________________________________

 

Hello. This is my first web tutorial ever. This is basically a simple register and login script. Yes, I know it's a bit rubbish but I'm quite new to PHP/MySQL.

 

Here's the register form. This can be any file extension you like. I'd recommend calling it register.html.

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;<html xmlns="http://www.w3.org/1999/xhtml/;<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>Register</title></head><body><h1>Register</h1><table><tr><form action=register.php method=post><td width="81">Username:</td><td width="247"><input name="username" size="30" autocomplete="off" value="" type="text" /></td></tr><tr><td>Password:</td><td><input name="password" size="30" type="password" /></td></tr><tr><td>First Name:</td><td><input name="firstname" size="30" type="text" /></td></tr><tr><td>Last Name:</td><td><input name="lastname" size="30" type="text" /></td></tr><tr><td>Age:</td><td><input name="age" size="30" maxlength="2" /></td></tr></table><p><input type="submit" class="button" value="Register" /></p></form></body></html>

Now create a MySQL database. Then create a file that will be called
mysql-connect.php
. Here is the file:

 

<?php$con = mysql_connect("DB_HOST","DB_USER","DB_PASS");mysql_select_db("DB_NAME", $con);?>

Replace DB_HOST with the host of your database. This is usually "localhost", but some hosts differ. Replace DB_USER with the username for your database, and DB_PASS with the password of your database and then replace DB_NAME with the name of your database. Enough with this file, let's get onto the actual registration script. Save this as
register.php
.

 

<?phpinclude 'mysql-connect.php';$username = $_POST['username'];$password = $_POST['password'];$firstname = $_POST['firstname'];$lastname = $_POST['lastname'];$age = $_POST['age'];$ip = $_SERVER['REMOTE_ADDR'];$result = mysql_num_rows(mysql_query("SELECT * FROM TABLENAME WHERE username='$username'"));if($result == 1)	{	echo '<h1>ERROR!</h1>The username you have chosen already exists!';	}else	{	mysql_query("INSERT INTO TABLENAME (username, password, firstname, lastname, age, ip)VALUES ('$username', '$password', '$firstname', '$lastname', '$age', '$ip')");	echo '<p>Congratulations! You have successfully registered! </p><p>Click <a href="login.php">here</a> to login.</p>';?>

OK, let's break this down:

 

include 'mysql-connect.php';

Include the database connection file.

 

$username = $_POST['username'];$password = $_POST['password'];$firstname = $_POST['firstname'];$lastname = $_POST['lastname'];$age = $_POST['age'];$ip = $_SERVER['REMOTE_ADDR'];

This part gets all of the variables: username, password, first name, last name, age and ip address.

 

$result = mysql_num_rows(mysql_query("SELECT * FROM TABLENAME WHERE username='$username'"));

This checks to see if the username already exists in the database. Make sure you change "TABLENAME" to the name of the table in which the user information is stored.

 

if($result == 1)	{	echo '<h1>ERROR!</h1>The username you have chosen already exists!';	}else	{	mysql_query("INSERT INTO TABLENAME (username, password, firstname, lastname, age, ip)VALUES ('$username', '$password', '$firstname', '$lastname', '$age', '$ip')");	echo '<p>Congratulations! You have successfully registered! </p><p>Click <a href="login.php">here</a> to login.</p>';

If the username already exists, display an error message, and if not, insert the user information into the database and display a login link. Make sure you change "TABLENAME" to the name of the table in which the user information is stored. Now onto the login form. This is quite simple. Just save it as login.php.

 

<html><head><title>Login</title></head><body><form name="login" action="login2.php" method="post"><table align="center"><tr><td class="title">Username</td><td><input name="user" size="30" autocomplete="off" value="" type="text" /></td></tr><tr><td class="title">Password</td><td><input name="pass" size="30" type="password" /></td></tr></table><p style="text-align:center;"><input type="submit" class="button" value="Login" /></p></form></body></html>

Basically, that asks for username and password, and sends them to another file called
login2.php
which we shall move onto now…

 

<?phpinclude 'mysql-connect.php';$username = $_POST['user'];$password = $_POST['pass'];$query1 = mysql_query("SELECT * FROM TABLENAME WHERE username='$username'");$result = mysql_num_rows($query1);if($result == 0){include '<h1>Error!</h1>The username you specified does not exist!';}else{$checkuser = mysql_query("SELECT * FROM TABLENAME WHERE username='$username'");			$row = mysql_fetch_array($checkuser);							$password2 = $row['password'];							$status = $row['status'];				if ($password == $password2)					{					//PUT PASSWORD PROTECTED INFORMATION HERE					}				else					{					echo '<h1>Error!</h1>The username and password combination you entered does not match the ones we have in the database.';					}}?>

Let's break this file down aswell.

$username = $_POST['user'];$password = $_POST['pass'];

This grabs the username and password that they entered.

 

$query1 = mysql_query("SELECT * FROM TABLENAME WHERE username='$username'");$result = mysql_num_rows($query1);

This checks to see if the user exists in the database. Make sure you change "TABLENAME" to the name of the table in which the user information is stored.

 

if($result == 0){include '<h1>Error!</h1>The username you specified does not exist!';}

If not, display an error message.

 

else{$checkuser = mysql_query("SELECT * FROM TABLENAME WHERE username='$username'");			$row = mysql_fetch_array($checkuser);

If the user does exist, get the information stored in the database about that user. Make sure you change "TABLENAME" to the name of the table in which the user information is stored.

 

$password2 = $row['password'];

Get the user's password.

 

if ($password == $password2)				{				//PUT PASSWORD PROTECTED INFORMATION HERE				}

If the password in the database matches the one they entered, display password protected information.

 

else				{					echo '<h1>Error!</h1>The username and password combination you entered does not match the ones we have in the database.';				}}

If not, display yet another error message.

 

OK, that's the script. Hope you liked it. It was for a website I was making but I have no need for it anymore, so I thought I would post it here so that other people can learn from it. Posted Image This /should/ work, but if it doesn't, just let me know and I can advise you on what is wrong and can edit it. We can ALL learn from our mistakes.

 


Share this post


Link to post
Share on other sites

Good work MiniK, thank you.

 

If I may add some general comments:

Comments on the code are really essential in tutorials as others mentioned

It would be very helpful if you specify the level of knowledge required to use your tutorial (well I forgot to do that in my last tutorial:)). Yoe'll need to specify a level such as beginner, elementary or advanced

You also could mention at the beginning something about the assumed knowledge. For example: familiarity with MySQL and DB queries


As for the system itself I understand that you said simple and you didn't say "secure". Learning from other advanced PHP programmer, I always include password hashing and user input sanitizing whenever I work with user input and database.That should achieve some level of security although I'll be always in doubt about the security of any code that I develop myself.

 

That doesn't underestimate the good work you have done.

Share this post


Link to post
Share on other sites

I am having a lot of trouble. The site wont let me login even though details are registered

 

Error

 

Notice: Resource id #5 in C:xampphtdocsDISlogin2.php on line 7

Notice: Undefined index: password in C:xampphtdocsDISlogin2.php on line 20

Notice: Undefined index: status in C:xampphtdocsDISlogin2.php on line 21

Error!

The username and password combination you entered does not match the ones we have in the database

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.