PHP: Writing A Generic Login And Register Script

[Shag 0]

hello
i found this script on http://forums.xisto.com/no_longer_exists/

I cant find how it connecnts to DB
can u guide me where exactly it is? (i think there is not any DB connection setup. it just uses users in array)
and if you guys know any source where can find code which will help me to make the followingâŚ.
i whant to make users which can change the content of div element on the pageâŚ
something like this comment box..
but i whant to give this permission manualy to users and also activate there accounts manualy (like on forums)and secured as much as it posible
and with registration page security i have problems as well

i am noob in php.
i dont even know if this code is secured well
if u guys can help me with this

here is the code
maybe it will help other members as well =/

File name: login.php

<?php  ///////////////////////////////////////////////////////////////////////////// // // LOGIN PAGE // //   Server-side: //	 1. Start a session//	 2. Clear the session//	 3. Generate a random challenge string//	 4. Save the challenge string in the session//	 5. Expose the challenge string to the page via a hidden input field////  Client-side://	 1. When the completes the form and clicks on Login button//	 2. Validate the form (i.e. verify that all the fields have been filled out)//	 3. Set the hidden response field to HEX(MD5(server-generated-challenge + user-supplied-password))//	 4. Submit the form////////////////////////////////////////////////////////////////////////////////// session_start();session_unset();srand();$challenge = "";for ($i = 0; $i < 80; $i++) {	$challenge .= dechex(rand(0, 15));}$_SESSION[challenge] = $challenge;?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 	"http://forums.xisto.com/no_longer_exists/;	<head>		<title>Login</title>		<script type="text/javascript" src="http://pajhome.org.uk/crypt/md5/md5.js"></script>		<script type="text/javascript">			function login() {				var loginForm = document.getElementById("loginForm");				if (loginForm.username.value == "") {					alert("Please enter your user name.");					return false;				}				if (loginForm.password.value == "") {					alert("Please enter your password.");					return false;				}				var submitForm = document.getElementById("submitForm");				submitForm.username.value = loginForm.username.value;				submitForm.response.value = 					hex_md5(loginForm.challenge.value+loginForm.password.value);				submitForm.submit();			}		</script> 	</head>	<body>		<h1>Please Login</h1>		<form id="loginForm" action="#" method="post">			<table>				<?php if (isset($_REQUEST[error])) { ?>				<tr>					<td>Error</td>					<td style="color: red;"><?php echo $_REQUEST[error]; ?></td>				</tr>				<?php } ?>				<tr>					<td>User Name:</td>					<td><input type="text" name="username"/></td>				</tr>				<tr>					<td>Password:</td>					<td><input type="password" name="password"/></td>				</tr>				<tr>					<td> </td>					<td>						<input type="hidden" name="challenge" value="<?php echo $challenge; ?>"/>						<input type="button" name="submit" value="Login" onclick="login();"/>					</td>				</tr>			</table>		</form>		<form id="submitForm" action="authenticate.php" method="post">			<div>				<input type="hidden" name="username"/>				<input type="hidden" name="response"/>			</div>		</form>	</body>	</html>

File name: common.php

<?php//////////////////////////////////////////////////////////////////////////////// // // COMMON PAGE // //   Defines require_authentication() function: //	 If the user is not authenticated, forward to the login page //	 ////////////////////////////////////////////////////////////////////////////////  session_start();function is_authenticated() {return isset($_SESSION[authenticated]); amp;amp;$_SESSION[authenticated] == "yes";}function require_authentication() {if (!is_authenticated()) {header("Location:login.php?error=".urlencode("Not authenticated"));exit;}}?>

File Name: authenticate.php

<?php  ///////////////////////////////////////////////////////////////////////////// // // AUTHENTICATE PAGE // //   Server-side: //	 1. Get the challenge from the user session //	 2. Get the password for the supplied user (local lookup) //	 3. Compute expected_response = MD5(challenge+password) //	 4. If expected_response == supplied response: //		4.1. Mark session as authenticated and forward to secret.php //		4.2. Otherwise, authentication failed. Go back to login.php ////////////////////////////////////////////////////////////////////////////////// $userDB = array("john" => "abc123", "bob"  => "secret","anna" => "passwd");  function getPasswordForUser($username) {// get password from a simple associative array// but this could be easily rewritten to fetch user info from a real DBglobal $userDB;	 return $userDB[$username];}  function validate($challenge, $response, $password) {return md5($challenge . $password) == $response;}  function authenticate() {if (isset($_SESSION[challenge]) &&isset($_REQUEST[username]) &&isset($_REQUEST[response])) {$password = getPasswordForUser($_REQUEST[username]);if (validate($_SESSION[challenge], $_REQUEST[response], $password)) {$_SESSION[authenticated] = "yes";$_SESSION[username] = $_REQUEST[username];;unset($_SESSION[challenge]);} else {header("Location:login.php?error=".urlencode("Failed authentication"));exit;}} else {header("Location:login.php?error=".urlencode("Session expired"));exit;}}session_start();authenticate();header("Location:secret.php");exit();?>

File name: secret.php

<?php  //////////////////////////////////////////////////////////////////////////////// // // SECRET PAGE // //   Invokes require_authentication() to ensure that the user is authenticated //	 ////////////////////////////////////////////////////////////////////////////////  require("common.php"); require_authentication(); ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"	  "http://forums.xisto.com/no_longer_exists/; <html>	 <head><title>Secret Page</title>	 </head><body>		 <h1>This is a Secret Page</h1><p>You must have successfully authenticated since you are seeing this page.</p><p><a href="<?php echo $_SERVER[PHP_SELF]; ?>">View again?</a></p><p><a href="login.php">Logout?</a></p></body></html>

I would appreciate it
p.s sorry for english =/
Edited November 28, 2009 by yordan
replaced codbox tag by code tag (see edit history)

[fredted40x 0]

Hi,how easy is it to add the register page, cant see the code here?thanks

[yordan 10]

Hi,

 

how easy is it to add the register page, cant see the code here?

 

thanks

read again the starter post of the present topic, you will see the code :

Lets continue by creating the script where our users will register. Open your favorite text editor and enter the following:

 

CODE<?php

 

?>

 

This tells the webserver that we are starting a php code section. You can have more than one in a script and you can include HTML in your code files as well, more on that later. Lets create a function that will actually do the work of adding the user to the database. Lets call it registerUser, now enter the following in between the php tags:

 

CODEfunction registerUser() {

mysql_connect('server', 'username', 'password', 'database');

$username = $_POST['username'];

$password = md5($_POST['password']);

 

$sql = "INSERT INTO tblUsers (fldUsername, fldPassword) VALUES ($username, $password);";

 

mysql_query($sql);

}

[iGuest 3]

SecurityPHP: Writing A Generic Login And Register Script

I'm suprised this tutorial takes no account into SQL injection

The best thing to do is run all user-input through mysql_real_escape_string().

It would be no problem for the password, as this is being MD5'ed, so can't contain any SQL language characters.

 

$username = mysql_real_escape_string($_POST['username']);

$sql = "SELECT fldId, fldPassword FROM tblUsers WHERE fldUsername = '$username';";

 

Becouse if I were to try and login with a username containing the following

' OR fldId = 1; --

 It would result into the following query:

  SELECT fldId, fldPassword FROM tblUsers WHERE fldUsername = '' OR fldId = 1;--';

The '--' means the rest of the query is considered a comment.

This way MySQL will return a row where the id is 1, which is always a valid user, and in the worst case, a administrator user.

 These patches should ofcourse also apply on the other queries.

http://xkcd.com/327/

-reply by Dennis de Greef

 

[iGuest 3]

How do I verify email and password through sql?PHP: Writing A Generic Login And Register Script

I am working on a successful register and login for my website. So I created a successful registeration with email confirmation but I don't know how to create a login that will verify the info.

When a person registers it saves in a database named eventdatabase.

It has the table registered_members.

It has the following rows:

CREATE TABLE `registered_members` (`id` int(4) NOT NULL auto_increment,`name` varchar(65) NOT NULL default '',`email` varchar(65) NOT NULL default '',`password` varchar(65) NOT NULL default '',`country` varchar(65) NOT NULL default '',PRIMARY KEY (`id`)) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

I want a login that asks for the email and password and then verifies it through eventdatabase and then through registered_members.

Then after login if it is successful I want to redirect it to https://www.1and1.com/website-builder

Thank you, Billy

-reply by Billy

[iGuest 3]

i have a problemPHP: Writing A Generic Login And Register Script

It says fatal error by the last part of the login script afterThe last part at$row = ...What do I do?

-reply by chatroverse

[iGuest 3]

Stop following this useless and poorly scripted tutorial!PHP: Writing A Generic Login And Register Script

Replying to iGuestThe reason = $row line doesn't work is because its trying to make a assign to a function.If (md5($password) = $row['fldPassword']) {Should beIf (md5($password) == $row['fldPassword']) {Remember when using a = inside a if statement that assigns the right hand side value to the left hand variable.And == is a bool checkMost of what they have posted is very poor formating of SQL and PHPSorry but thats my view!

-reply by Dazaster

[iGuest 3]

Now there are basically 3 functions that a user management system provides: login, register, and protection. A user management system can do more than this but that is all that this tutorial will be covering. I will try to explain what I am doing as I go along but to fully understand what is happening you should have a basic knowledge of PHP, SQL, and HTML. This tutorial assumes you are using MySQL, adjust accordingly for a different DBMS.

 

First off lets define the database table where our users will be stored. Using phpMyAdmin run this statement to create our table:

CREATE TABLE tblUsers  (   fldId INT NOT NULL AUTO_INCREMENT,   fldUsername VARCHAR(40) NOT NULL,   fldPassword VARCHAR(40) NOT NULL);

Now a little explanation as to what this will do. It will create a table in your database called tblUsers with fields fldId, fldUsername, and fldPassword. The last two fields are self explanitory they contain the username and password of the user. The fldId is the user id automatically assigned by the database. For more information on the syntax read the MySQL documentation.

 

Lets continue by creating the script where our users will register. Open your favorite text editor and enter the following:

 

<?php?>

This tells the webserver that we are starting a php code section. You can have more than one in a script and you can include HTML in your code files as well, more on that later. Lets create a function that will actually do the work of adding the user to the database. Lets call it registerUser, now enter the following in between the php tags:

 

function registerUser() {   mysql_connect('server', 'username', 'password', 'database');   $username = $_POST['username'];   $password = md5($_POST['password']);   $sql = "INSERT INTO tblUsers (fldUsername, fldPassword) VALUES ($username, $password);";   mysql_query($sql);}

We now have a very basic registration function. Now we need to create the form the user will see. So below the ?> lets start our HTML. It should look a bit like this:

 

<html>   <head>       <title>Registration</title>   </head>   <body>       <form action="<?php $_SERVER['PHP_SELF']."?register=true" ?>" method="post">           Username: <input type="text" name="username">           Password: <input type="password" name="password">           <input type="submit" value="Register">       </form>   </body></html>

Now this HTML defines a form with 2 input fields and a button. The thing to look at though is the action attribute of the form tag. Here we have another php code section. This puts the path of the current script as our action with the variable register equal to true. We will deal with that in our code later. For now your code should look like this:

 

<?phpfunction registerUser() {   mysql_connect('server', 'username', 'password', 'database');   $username = $_POST['username'];   $password = md5($_POST['password']);   $sql = "INSERT INTO tblUsers (fldUsername, fldPassword) VALUES ($username, $password);";   mysql_query($sql);}?><html>   <head>       <title>Registration</title>   </head>   <body>       <form action="<?php $_SERVER['PHP_SELF']."?register=true" ?>" method="post">           Username: <input type="text" name="username">           Password: <input type="password" name="password">           <input type="submit" value="Register">       </form>   </body></html>

There is one more thing left to do. Handle the variable we passed to the script called register. Lets do that now. Here is the code:

 

<?phpif ($_GET['register'] == 'true') {   registerUser();}function registerUser() { ....

Here we use an if statement to check and see if it has been set to true if it is we call the function we defined earlier.

 

That is all I will be doing for today. Later we will go over how to login, protect your pages and some basic error checking.

 

I dont get the last part.

<?phpif ($_GET['register'] == 'true') {   registerUser();}function registerUser() { ....

Can you post the final source please

[iGuest 3]

http://forums.xisto.com/no_longer_exists/
'>@coder2000 i like this [pst and i am using your code to my new custome email sending and tickting system.
hope it works find. finger crossed.