Help me with Login System

**TheServant** · Nov 1 '09, 10:33 PM

Sure. Let us know if you have a question. This section of Bytes is really for people who need some help with something specific. As much as we'd like to read through your code and impart some wisdom and knowledge in layout, syntax and method, proof reading code is not really in the job description. If you get an error, or something is not working as it should, post relavent code and all error messages and a full explanation, so we don't have to spend half our day looking through irrelevant code trying to find an unidentified problem.

If you're wanting to write a tutorial, write it in PHP insights.

**Apostle** · Nov 6 '09, 10:17 AM

this is newbie start writting the script. So IWhat I wanted is criticism and suggestion. I want to end up with full secure login system. That is my intention and I believe it is in Job descriptin ;)

Sorry for being vague and welcome for help :)

**Dormilich** · Nov 6 '09, 10:30 AM

knowledge has its price… either money (if you hire someone) or effort (to learn it yourself).

**TheServant** · Nov 6 '09, 01:32 PM

Originally posted by Dormilich

knowledge has its price… either money (if you hire someone) or effort (to learn it yourself).

True. Apostle, you need to try and improve you script and come to us when you're stuck on something. Type in PHP login script, or login tutorial in Google and you'll have plenty of places to get the basics. Always start with the basics.

**dlite922** · Nov 7 '09, 12:13 AM

Originally posted by Apostle

this is newbie start writting the script. So IWhat I wanted is criticism and suggestion. I want to end up with full secure login system. That is my intention and I believe it is in Job descriptin ;)

Sorry for being vague and welcome for help :)

You need some major help!

What you had is not even a class. Here's what real class looks like:

Code:

<?php
/**
*  This class handles interactions for user access and registration
* 
* @date 11/06/2009
* @author  Apostle 
* @file LoginRegister.class.php	
*/

class LoginRegister
{

	/**
	* The DB object used to access the database
	*/
	private $DB; 


	/**
	* Constuctor
	* 
	*/
	function __construct()
	{
		$this->DB = new DB(); 
	}
	
	/**
	* Authenticates a username and password and returns true or false depending on validity
	* 
	* @access public
	* @param mixed $username
	* @param mixed $password
	* @return bool
	*/
	public function authenticateUser($username, $password)
	{
		// initialize and clean variables
		$cleanUser = mysql_real_escape_string($username); 
		$cleanPass = mysql_real_escape_string($password); 
		
		// Run query and get results
	    $sql = "SELECT COUNT(*) AS count FROM users WHERE username = '$cleanUser' AND password = '$cleanPass' ";	    
	    $result = $this->DB->query($sql); 
	    
	    // Parse result
	    if(!empty($result)) // if not empty
	    {
		    if($result[0]['count'] == 1) { // make sure count is one and only one user with the same username and passwword.
	    		return true; 
		    }
	    }
	    	    
	    return false; 	    	    
	} 
	
	
	/**
	* Registers a new user name and password and returns true of successful and false if not. 
	* 
	* @access public
	* @param mixed $username
	* @param mixed $password
	* @return bool
	*/
	public function registerUser($username, $password)
	{
		// initialize and clean variables
		$cleanUser = mysql_real_escape_string($username); 
		$cleanPass = mysql_real_escape_string($password); 
		
		// first check if this user already exists
		if($this->checkUserExist($cleanUser))
		{
			die("Error: A user by this name already exists. You should have already run this check before and told the user before calling registerUser()"); 			
			exit(0); // make sure you exit!
		}
		else
		{
			// user doesn't exist, add him:
			$sql = "INSERT INTO users(username, password) VALUES('$cleanUser', '$cleanPass')";
			$result = $this->DB->query($sql); 
			if(empty($result)) 
			{
					die("Something went wrong. Was not able to add user"); 
			}
			
			return true;
		}
	
		return false;
	}

	
	/**
	* Checks if a user already exists, returns true if user already exists and false if no user exists with given username.
	* 
	* @access public
	* @param mixed $username
	* @return bool
	*/
	public function checkUserExist($username)
	{
		// initialize and clean variables
		$cleanUser = mysql_real_escape_string($username); 
	
		// query
	    $sql = "SELECT COUNT(*) AS count FROM users WHERE username = '$cleanUser'";
	    $result = $this->DB->query($sql); 
	    
	    // Parse result
	    if(!empty($result)) // if not empty
	    {
	    	// we dont' care about the content, if there is a result this user exists
		    return true
	    }
	    
	    return false; 	
	}	
}

All your other functions should be in a different file that use this class. I'll leave that for you to learn.

* YOUR BIGGEST MISTAKE *

You did not validate the user input before inserting them in an SQL.

Imagine if I tried to login to your used any bogus user name this for a password: hack' OR 1 = 1 LIMIT 1;

Thus your SQL would look like this when executed:

Code:

SELECT * FROM users WHERE username = 'hacker' AND password = 'hack' OR 1=1 LIMIT 1;' ";

Then your check, which says the number of results should be 1 return true because i'm sure you have at least one user name in your users table where the number 1 is always equal to 1. This is called

SQL INJECTION

Google the **** out of it. You're software is always unsecured without it.

I've done more than enough. I hope you learn PHP before you write unsafe software like this. I really REALLY hope you go read up on tutorials and practice programming and proper software testing before deploying any code.

Good luck,

Dan

**Apostle** · Nov 7 '09, 07:02 AM

Thanks Dan for Postive criticism.
I completely rewrote the whole thing and will post it here. For now I it is Here
I will post it here.

The reason I want to write from the scratch is to learn new thing as I go, and I know there are many experts that can drill and expose my ignorance on something and definitely improve my skills.

So feel free to criticize me or advice me on anything (code, good coding habits et al)

Thanks for your time guys :)

**TheServant** · Nov 7 '09, 09:05 AM

Writing from scratch is the best for learning, and that is what you should do. However, when you start spending time developing, you can't re-write everything (and have a life) so you will need to learn how to use and modify already tried and tested code.

Again, we're here to help when you get stuck, and generally we don't read through screens of code, but if you post snippets for specific problems, we'll mention any issues with the surrounding code no probs ;)

**Apostle** · Nov 7 '09, 11:11 AM

Any recommended code that I can build upon? As per say, I'm beginner in these things and security matters alot in web apps :)

**Dormilich** · Nov 7 '09, 11:27 AM

currently the best measure against SQL Injection is using Prepared Statements (implemented in PHP’s MySQLi & PDO classes)

**Apostle** · Nov 8 '09, 04:58 AM

I have learned a little on MYSQLi, I will check for PDO!
If you don't mind you can provide me a link. For now, I going to google

**Dormilich** · Nov 8 '09, 08:53 AM

MySQLi
PDO
_______________ __

**Apostle** · Nov 8 '09, 11:45 AM

Thanks I'm going to check

**dlite922** · Nov 9 '09, 06:19 PM

Learn OOP too while you're at it. Practice makes perfect. In the beginning working with already made code and reverse engineering it, modifying it, and especially improving and testing is the ultimate learning experience. That is how I learned PHP.

The reason I recommend OOP is I no longer see PHP as a scripting language and I use it for large applications.

In my opinion if someone wants to script, go learn Perl, PHP's sister. She's much much better at little scripts that make your life easier.

An advanced login script to me is an entry to a small to medium application. PHP/MySQL is a good choice for this.

Dan

Help me with Login System

Help me with Login System

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment