Description
This little tutorial shows new users how to make a simple user login with a login form and database query.
Snippet
login_page.php
1
2
3
4
5
6
7
2
3
4
5
6
7
<form action="verify.php" method="post">
User Name:<br>
<input type="text" name="username"><br><br>
Password:<br>
<input type="password" name="password"><br><br>
<input type="submit" name="submit" value="Login">
</form>
verify.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<?php
if(isset($_POST['submit'])){
$dbHost = "localhost"; //Location Of Database usually its localhost
$dbUser = "xxxx"; //Database User Name
$dbPass = "xxxxxx"; //Database Password
$dbDatabase = "db_name"; //Database Name
$db = mysql_connect($dbHost,$dbUser,$dbPass)or die("Error connecting to database.");
//Connect to the databasse
mysql_select_db($dbDatabase, $db)or die("Couldn't select the database.");
//Selects the database
/*
The Above code can be in a different file, then you can place include'filename.php'; instead.
*/
//Lets search the databse for the user name and password
//Choose some sort of password encryption, I choose sha256
//Password function (Not In all versions of MySQL).
$usr = mysql_real_escape_string($_POST['username']);
$pas = hash('sha256', mysql_real_escape_string($_POST['password']));
$sql = mysql_query("SELECT * FROM users_table
WHERE username='$usr' AND
password='$pas'
LIMIT 1");
if(mysql_num_rows($sql) == 1){
$row = mysql_fetch_array($sql);
session_start();
$_SESSION['username'] = $row['username'];
$_SESSION['fname'] = $row['first_name'];
$_SESSION['lname'] = $row['last_name'];
$_SESSION['logged'] = TRUE;
header("Location: users_page.php"); // Modify to go to the page you would like
exit;
}else{
header("Location: login_page.php");
exit;
}
}else{ //If the form button wasn't submitted go to the index page, or login page
header("Location: index.php");
exit;
}
?>
users_page.php
1
2
3
4
5
6
7
8
2
3
4
5
6
7
8
<?php
session_start();
if(!$_SESSION['logged']){
header("Location: login_page.php");
exit;
}
echo 'Welcome, '.$_SESSION['username'];
?> 
header(\"Location: login_page.php\");
exit;
Keep up the good work...
Thanks for bringing this up
Its all fixed and working perfectly,
Keep up the good work,
I agree with the previous poster, mysql_real_escape_strting() is the best way to prevent SQL injection.
Also, if using PHP5, I would strongly recommend using PHP's hash() function with SHA-512, Whirlpool, or Ripemd5-160. All of those hashes are 512 bits in length, compared to md5()s 40.
Correcting those two will fix the prominent security holes.
Cheers! Hope it helps!
1. addslashes() is not sufficient enough to prevent SQL injection. Use mysql_real_escape_string().
2. You are not enclosing your values in quotes, this just means they need to have a space in their submission to inject SQL.
3. You should not ever echo out mysql_error() to an end user. Log it for your own purposes, but show the user a generic error message.
Your query would be better off like this:
<?php
$sql = mysql_query("SELECT * FROM users_table
WHERE username='".mysql_real_escape_string($_POST['username'])."' AND
password='".mysql_real_escape_string($_POST['password'])."' LIMIT 1")or die('Sorry, there has been a database error. The webmaster has been notified of the error. Please try again later.');
?>
The following have variables in quotes. You don't need the quotes, in fact it makes your script slow (albeit only slightly slower).
Also, again with my suggestion about error messages. Don't let the visitor know it couldn't connect to the database. They don't need to know this information. Log it for your own use (write to a file) and just tell them there is a problem with the website and to try again later.
<?php$db = mysql_connect("$dbHost","$dbUser","$dbPass")or die("Error connecting to database.");
//Connect to the databasse
mysql_select_db("$dbDatabase", $db)or die("Couldn't select the database.");
?>
Would be better off as:
<?php
$db = mysql_connect($dbHost,$dbUser,$dbPass)or die("The site is currently experiencing some problems. The issue will be dealt with shortly. Please try again at a later time.");
//Connect to the databasse
mysql_select_db($dbDatabase, $db)or die("The site is currently experiencing some problems. The issue will be dealt with shortly. Please try again at a later time.");
?>
One *last* thing. You're saving the passwords as plain text. BAD idea, especially with the SQL injection problems you have. Someone with the right knowledge can easily steal all your user's passwords.
I'd recommend using md5() to has the passwords (at very least md5, though sha1 would be nicer).
Try this:
<?php$sql = mysql_query("SELECT * FROM users_table
WHERE username='".mysql_real_escape_string($_POST['username'])."' AND
password=md5('".mysql_real_escape_string($_POST['password'])."') LIMIT 1")or die('Sorry, there has been a database error. The webmaster has been notified of the error. Please try again later.');
?>
And make sure you md5() the passwords when you insert them into the database initially.
I'm getting this error message:
Unknown column 'Gravlund' in 'where clause'
what is wrong?
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at D:\websites\template_96\HTML\verify.php:9) in D:\websites\template_96\HTML\verify.php on line 38
Did you change these?<br /><?php
$dbHost = "localhost"; //Location Of Database usually its localhost<br />
$dbUser = "xxxx"; //Database User Name<br />
$dbPass = "xxxxxx"; //Database Password<br />
$dbDatabase = "db_name"; //Database Name ?>
Help Please
Newbie!