Multiple users login & password

  • rsbgm
    New Member
    • Mar 2009
    • 23

    Multiple users login & password

    Dear ev1,

    I believe that a server side script for log-in of multiple users is the best solution. I see a lot of javascripts for multiple user log-in in the web. But, I haven't seen a PHP script on that. Can anyone point me to one, please? (I'm still surfing. If anyone can lead me to one, I'd appreciate it.)

    Also, will the script be a simple file saving type of script or would a database be required for this? Please advise.

    Lastly, I'd appreciate any advice from the gurus. Hehe...

    REY
  • Dormilich
    Recognized Expert Expert
    • Aug 2008
    • 8694

    #2
    Originally posted by rsbgm
    Also, will the script be a simple file saving type of script or would a database be required for this? Please advise.
    the most secure solution is to save the login data (i.e. login name and hash value of the password) in a database, because a DB is least accessible from outside.

    in PHP a login system is often (always?) handled by sessions.

    Comment

    • secmazec
      New Member
      • Mar 2009
      • 34

      #3
      You are on the right way. PHP is the best language for sessions and database access. All you need to do is create 1 database table with at least 2 columns (name and password). But I recommend at least 3, id at every table is very handy in long run or even better 4, for different user access rights.

      Key parts of the code will look like something like this.

      Code:
      <?
      @session_start();
      
      //And store user rights in $_SESSION[rights] after login.
      
      //On parts you want to access by all registered users just do something like:
      if($_SESSION[rights])
      {
       echo "blablabla secret";
      }
      
      //or your rights can be more advanced, I think numbers from 1 to 5 can do the job in 4th database column
      ?>

      Comment

      • Markus
        Recognized Expert Expert
        • Jun 2007
        • 6092

        #4
        Originally posted by secmazec
        You are on the right way. PHP is the best language for sessions and database access. All you need to do is create 1 database table with at least 2 columns (name and password). But I recommend at least 3, id at every table is very handy in long run or even better 4, for different user access rights.

        Key parts of the code will look like something like this.

        Code:
        <?
        @session_start();
        
        //And store user rights in $_SESSION[rights] after login.
        
        //On parts you want to access by all registered users just do something like:
        if($_SESSION[rights])
        {
         echo "blablabla secret";
        }
        
        //or your rights can be more advanced, I think numbers from 1 to 5 can do the job in 4th database column
        ?>
        Array keys, unless they're integers or constants, should be wrapped with single or double quotes.

        rsbgm, what do you mean by 'multiple user logon'? Multiple users logging on from the same computer... ? Or are you speaking of a user registration system like Bytes.com's own?

        Comment

        • Dormilich
          Recognized Expert Expert
          • Aug 2008
          • 8694

          #5
          Originally posted by secmazec
          All you need to do is create 1 database table with at least 2 columns (name and password).
          better store passwords as their hash value, so the actual password cannot be cracked (even if someone hacks the DB or your script).


          Originally posted by secmazec
          Code:
          @session_start();
          better not suppress errors*, a convenient script has its own error handling that will jump in on errors
          Code:
          session_start();

          * and it's faster, too

          Comment

          • secmazec
            New Member
            • Mar 2009
            • 34

            #6
            Originally posted by Markus
            Array keys, unless they're integers or constants, should be wrapped with single or double quotes.

            rsbgm, what do you mean by 'multiple user logon'? Multiple users logging on from the same computer... ? Or are you speaking of a user registration system like Bytes.com's own?
            I'm sorry, I disagree since I often use them in sql requests in one string, accepted by class function, so any quotes that don't have to be there are helpful in the speed I can create.

            Originally posted by Dormilich
            better store passwords as their hash value, so the actual password cannot be cracked (even if someone hacks the DB or your script).
            Can you explain more, I have learned PHP all myself from net mostly, so I don't understand meaning "hash value", even I think I have a good idea.

            Comment

            • Markus
              Recognized Expert Expert
              • Jun 2007
              • 6092

              #7
              $_SESSION[key] is syntactically incorrect, not to mention heaps slower. Keep discussion on topic, please.

              Comment

              • Dormilich
                Recognized Expert Expert
                • Aug 2008
                • 8694

                #8
                Originally posted by secmazec
                Can you explain more, I have learned PHP all myself from net mostly, so I don't understand meaning "hash value", even I think I have a good idea.
                So have I.

                a hash value is a kind of verification code returned by a hash function, of which MD5 and SHA1 are probably the best known. hash function – Wikipedia

                Comment

                • secmazec
                  New Member
                  • Mar 2009
                  • 34

                  #9
                  Thank you VM, Dormilich.

                  Comment

                  • rsbgm
                    New Member
                    • Mar 2009
                    • 23

                    #10
                    @Markus,

                    Yes, some kinda like Bytes.com's (or any other forums) multiple user login system. Like, if you're not registered, you can't post or see certain threads, kind of a deal.

                    @secmazec

                    It's good that you mentioned 'ID' and a fourth column for access level. This is a perfect setup.

                    @Dormilich

                    Thanks for the input on the 'HASH' value thingee. I've been hearing the md5 thing you mentioned. I'm going to read more on this one as it is vital that passwords are not hacked.


                    Again, thanks for the initial input. The concept is there already. I will be starting to make the code. A reference code should help me get going faster. Hehe... Do you have more expounded codes, secmazec?

                    rsbgm

                    Comment

                    • secmazec
                      New Member
                      • Mar 2009
                      • 34

                      #11
                      Nice to hear some positive feedback. I started to realise that I can master the language only by sharing the knowledge and expanding it to fields I don't use for commercial uses.

                      So, please, be my guest and post another problem :)

                      But my heart is warm today and I want to share, so here's how a model logout.php should look like:
                      Code:
                      <?php
                       @session_start(); // @ works without problem, I had some when I hadn't used it
                      
                       session_destroy(); // <---- BAM
                      
                       header("location: ../"); // in case you have logout.php in some dir, like I have 
                       // or
                       // header("location: /"); // pretty universal, document_root aka base_dir
                      
                       exit; // just to be safe after doing headers ;)
                      ?>

                      Comment
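The pieces discussed in the thread so far (a four-column users table, passwords stored as hashes, rights kept in the session, and logout) put together as an added example; this is not code from any poster. It assumes PHP 7 or later with the pdo_sqlite extension, uses PHP's password_hash()/password_verify() rather than a bare MD5 or SHA1 digest, and the schema, function names and sample user are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the real DB (assumption);
// the table has the four columns suggested in the thread.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
               password TEXT NOT NULL, rights INTEGER NOT NULL DEFAULT 1)');
    return $db;
}

function register(PDO $db, string $name, string $password, int $rights = 1): void {
    // Store only a salted, slow hash; the plain password is never saved.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (name, password, rights) VALUES (?, ?, ?)')
       ->execute([$name, $hash, $rights]);
}

function login(PDO $db, string $name, string $password): bool {
    // Bound parameters: names with spaces or e-mail addresses need no special handling.
    $stmt = $db->prepare('SELECT id, password, rights FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password'])) {
        return false;                // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);     // fresh session id after login (anti-fixation)
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['rights']  = (int) $user['rights'];
    return true;
}

function logout(): void {
    $_SESSION = [];                  // drop the stored rights for this request too
    if (ini_get('session.use_cookies')) {   // expire the session cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();               // remove the server-side session data
}

session_start();
$db = make_db();
register($db, 'Rey Example', 'correct horse battery staple', 3); // constructed user
$wrong  = login($db, 'Rey Example', 'not the password');
$right  = login($db, 'Rey Example', 'correct horse battery staple');
$rights = $_SESSION['rights'] ?? 0;  // quoted key, read before logout clears it
logout();
var_dump($wrong, $right, $rights);   // printed last so no output precedes the headers
```

A page restricted to a given access level would compare `$_SESSION['rights']` against the level it requires before printing anything.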

                      • Markus
                        Recognized Expert Expert
                        • Jun 2007
                        • 6092

                        #12
                        A good set of articles can be found here - look for the 'table of contents' and read 'em all. ;)

                        Comment

                        • rsbgm
                          New Member
                          • Mar 2009
                          • 23

                          #13
                          @secmazec

                          Thanks for the code.

                          @Markus

                          The link was a nice read and needs more reading.


                          What if you use your full name as user name, which would require a WHITESPACE for at least a two-name name? The $_POST will read an error there, right? If you strip the whitespace, how do you compare it with those on the database?

                          What if email address is the login username?

                          rsbgm

                          Comment

                          • rsbgm
                            New Member
                            • Mar 2009
                            • 23

                            #14
                            Guys! I can't thank you enough for all the inputs. I am able to gather enough info already. The rest is up to me to keep on learning.

                            I'm closing this thread. Hopefully, others will read and should learn from it.

                            uh... I don't know how to close a thread. And, if I close it, it will not disappear, right? I just don't want others to reply anymore.

                            Comment

                            • Markus
                              Recognized Expert Expert
                              • Jun 2007
                              • 6092

                              #15
                              The thread doesn't need closing (it can only be done by moderators).

                              Glad you got it working,

                              - Markus.

                              Comment
