How to make a secure login



Kione
12-06-2005, 11:30 PM
I was wondering if any of you could help me out with a secure log in system? I already have a MySQL. I just need to know how to make a secure log in, thanks.

windumi
12-07-2005, 09:38 AM
Get the passwd and use MD5, SHA1, SHA256, etc. to hash the passwd. If the hash result is the same as what is stored in the database, the user is valid.

Kione
12-07-2005, 04:09 PM
Ok, let me also state this. Me = n00bie.

pramsey
12-07-2005, 06:53 PM
Kione, here are some search results from this forum. I haven't looked through them, so I don't know how many actually have the code. http://www.codingforums.com/search.php?searchid=474297

Kione
12-07-2005, 10:16 PM
Could someone please write me a script? All I want, is a log in system.

A simple log in system is fine, all I need to do to edit it, is to be able to add usernames and passwords. Or let others register.

Al_90
12-07-2005, 11:01 PM
here is a basic membersystem which has a secure login
-=-=-=-=-=-=-=-=-=-=-=-
create table


CREATE TABLE `users` (
`id` bigint(20) NOT NULL auto_increment,
`user` varchar(30) NOT NULL default '',
`pass` varchar(30) NOT NULL default '',
`email` varchar(50) NOT NULL default '',
PRIMARY KEY (`id`),
UNIQUE KEY `user` (`user`)
) TYPE=MyISAM AUTO_INCREMENT=5 ;


and conn.php


<?php
session_start();
// Database credentials: fill these in for your own server.
$user_nam = "";
$pass_nam = "";
$db_nam = "";
$conn = mysql_pconnect("localhost", $user_nam, $pass_nam) or die(mysql_error());
$db = mysql_select_db($db_nam, $conn) or die(mysql_error());
?>


then register.php


<?php require("conn.php"); ?>
<div align="center">
<?php
if (isset($_GET['submit'])) {
    $pass = trim($_POST['pass']);
    $pass2 = trim($_POST['pass2']);
    $user = trim($_POST['user']);
    $email = trim($_POST['email']);
    $email2 = trim($_POST['email2']);
    // Strict comparison, so numeric-looking strings are not treated as equal.
    if ($pass !== $pass2) {
        print "Please confirm your password. <br> <a href=\"javascript:history.back(-1)\">Go Back</a>";
        exit;
    }
    elseif ($email !== $email2) {
        print "Please confirm your email. <br> <a href=\"javascript:history.back(-1)\">Go Back</a>";
        exit;
    }
    $pass = md5($pass);
    // Escape user-supplied values before they are placed inside SQL strings.
    $user = mysql_real_escape_string($user, $conn);
    $email = mysql_real_escape_string($email, $conn);
    $user_taken = mysql_num_rows(mysql_query("SELECT * FROM users WHERE user = '$user'", $conn));
    if ($user_taken > 0) {
        print "Sorry, that username has already been taken. <br> <a href=\"javascript:history.back(-1)\">Go Back</a>";
    } elseif (mysql_query("INSERT INTO users (user, pass, email) VALUES ('$user', '$pass', '$email')", $conn)) {
        print "You have successfully registered. <br>Thank you for registering<br>";
    } else {
        print "An unknown error occurred. <br> <a href=\"javascript:history.back(-1)\">Go Back</a>";
    }
}
if (!isset($_GET['submit'])) {
?>
<br>
<table width="375" border="0" cellspacing="1" bgcolor="#666666">
<tr>
<td align="center" bgcolor="#EAEAEA">Sign Up!</td>
</tr>
<tr>
<td align="center" bgcolor="#EAEAEA"><form name="form1" method="post" action="?submit=true">
Choose Username:
<input name="user" type="text" id="user">
<br>
Choose Password:
<input name="pass" type="password" id="pass">
<br>
Confirm Password:
<input name="pass2" type="password" id="pass2">
<br>
Valid Email
<input name="email" type="text" id="email">
<br>
Confirm Email:
<input name="email2" type="text" id="email2">
<br>
<input type="submit" name="Submit" value="Login">
<br>
</form></td>
</tr>
</table><?php } ?>
<br>
</div>


and login.php


<?php require("conn.php"); ?>
<div align="center">
<?php
$error = false;
if (isset($_GET['login'])) {
    $user = $_POST['user'];
    $pass = md5($_POST['pass']);
    // Escape the username before it is placed inside the SQL string.
    $user_sql = mysql_real_escape_string($user, $conn);
    $sql = mysql_query("SELECT * FROM users WHERE user = '$user_sql' AND pass = '$pass'", $conn) or die(mysql_error());
    if (mysql_num_rows($sql) == 1) {
        $_SESSION['user'] = $user;
        print "<br> You are now logged in.<br>";
    } else {
        $error = "Incorrect username or password!";
    }
}
?>
<div align="center">
<?php
if ($error) {
    print $error;
}
?>
<?php if (empty($_SESSION['user']) AND !isset($_GET['login'])) { ?>
<table width="324" border="0" cellspacing="1" bgcolor="#666666">
<tr>
<td width="341" align="center" valign="top"> Login </td>
</tr>
<tr>
<td align="center" valign="top" bgcolor="#EAEAEA"><form name="form1" method="post" action="?login=true">
UserName:
<input name="user" type="text" id="user">
<br>
PassWord:
<input name="pass" type="password" id="pass">
<br>
<input type="submit" name="Submit" value="- Login -">
<br>
</form></td>
</tr>
<tr>
<td align="center" valign="top"> </td>
</tr>
</table>
<?php } elseif (!isset($_GET['login']) AND !empty($_SESSION['user'])) { print "<br>You are already logged in!<br>"; } ?>
</div>
</div>


then just include


<?php if (!empty($_SESSION['user'])) { // only shown to logged-in users ?>
content here
<?php } ?>

where you want the user to be logged in to be able to view content

lansing
12-18-2005, 12:31 AM
I got the sample script you provided in & working partly. I just can't login. I keep getting the bad un/pw message: Incorrect username or password! I double checked the files. They are exactly like you posted, just with my DB information.

Osiris
12-18-2005, 12:59 AM
Delete your old login row from the MySQL database and instead run this query:


INSERT INTO users (user, pass, email) VALUES ('your_user_name', MD5('your_password'), 'your_email');


That should get it working.

lansing
12-18-2005, 04:49 PM
The register.php page works. I can register & then view the information in the db. It just won't let me login when I use the login.php. It says the username & password are incorrect.

Velox Letum
12-20-2005, 02:06 AM
In order to further secure it, I'd use a sha1 hashing and append a salt to the end of the password, so that even if someone were to get your user table, and someone used the password 'password', a SHA1 bruteforce attack wouldn't decode it. It would need the salt in order to proceed. The basic theory is to use a long, random string, SHA1 it, then when you put the password into the db, or checked the password, you'd append it to the password. For example:

User logs in (user: foo, password: bar) -> password becomes bar8c76020bbc646f4f7cd29ad36a5a1a236b68a282 -> sha1 password -> check db.

User registers (user: foo2, password: bar2) -> password becomes bar28c76020bbc646f4f7cd29ad36a5a1a236b68a282 -> sha1 password -> insert row.

The "salt" appended to the password stays the same no matter what...it's just a security feature to prevent anyone from easily bruteforcing the passwords should they manage to get a copy of the users table. This does not prevent it from your application.
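
The fixed-salt scheme described above, beside PHP's password_hash()/password_verify(), which draw a random salt for every password; this is an added example, not code from the thread. It assumes PHP 5.5 or later (newer than this thread), and the function names, account names and passwords are constructed for illustration; SITE_SALT is the salt value quoted in the post.

```php
<?php
// Added example. SITE_SALT is the salt value quoted in the post above;
// account names and passwords are constructed sample data.
const SITE_SALT = '8c76020bbc646f4f7cd29ad36a5a1a236b68a282';

// Scheme from the post: one fixed salt appended to every password, then SHA1.
function static_salt_hash(string $password): string
{
    return sha1($password . SITE_SALT);
}

// Per-user salt: password_hash() draws a fresh random salt on every call and
// stores it, with the algorithm and cost, inside the returned string.
function register_user(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array $users, string $name, string $password): bool
{
    // password_verify() re-reads the salt from the stored string and
    // compares in constant time.
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

// With a fixed salt, two accounts using the same password share one hash.
$same = static_salt_hash('bar') === static_salt_hash('bar');
printf("fixed salt, same password -> same hash: %s\n", var_export($same, true));

// With a per-user salt, the same password is stored differently each time.
$users = [];
register_user($users, 'foo', 'bar');
register_user($users, 'foo2', 'bar');
printf("per-user salt, same password -> same hash: %s\n",
    var_export($users['foo'] === $users['foo2'], true));

printf("foo / bar  accepted: %s\n", var_export(check_login($users, 'foo', 'bar'), true));
printf("foo / bar2 accepted: %s\n", var_export(check_login($users, 'foo', 'bar2'), true));

// Stored hashes can be upgraded at login when the default algorithm changes.
if (password_needs_rehash($users['foo'], PASSWORD_DEFAULT)) {
    register_user($users, 'foo', 'bar');
}
```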

ausnrl
12-20-2005, 03:02 AM
Ok so if i was to make a tipping comp with the database could i just like put in the results and then like it would calculate everyones results through the database and tips they put in automatically?

MarvinHalliwell
12-20-2005, 03:36 AM
So with that code all I have to edit is put in the name of the MySQL database and user and pass?

lansing
12-20-2005, 08:02 PM
I tried that. I can't get it to work for me.

I have been testing different things. I think I have narrowed it down to an MD5 problem. I tested this & it works. I inserted a user & pass into MySQL DB via phpMyAdmin. The pass isn't in the MD5 format. It is regular plain text. I then removed the MD5 string from the Register & Login. I can register & login just fine now. I added the MD5 string back to the Register & Login pages. I keep getting this error displayed when I test the login with the MD5 in the Login page...


Connected successfully to Database!

Incorrect username or password!

I added that Connected successfully to Database so that I could tell if I was getting connected & that was my problem. I am connecting just fine.


<?php require("conn.php"); ?>
<div align="center">
<?php
$error = false;
if (isset($_GET['login'])) {
    $user = $_POST['user'];
    // Plain-text comparison: the md5() call is removed in this test version.
    $pass = $_POST['pass'];
    // Escape both values before they are placed inside the SQL string.
    $user_sql = mysql_real_escape_string($user, $conn);
    $pass_sql = mysql_real_escape_string($pass, $conn);
    $sql = mysql_query("SELECT * FROM users WHERE user = '$user_sql' AND pass = '$pass_sql'", $conn) or die(mysql_error());
    if (mysql_num_rows($sql) == 1) {
        $_SESSION['user'] = $user;
        print "<br> You are now logged in.<br>";
    } else {
        $error = "Incorrect username or password!";
    }
}
?>
<div align="center">
<?php
if ($error) {
    print $error;
}
?>
<?php if (empty($_SESSION['user']) AND !isset($_GET['login'])) { ?>
<table width="324" border="0" cellspacing="1" bgcolor="#666666">
<tr>
<td width="341" align="center" valign="top"> Login </td>
</tr>
<tr>
<td align="center" valign="top" bgcolor="#EAEAEA"><form name="form1" method="post" action="?login=true">
UserName:
<input name="user" type="text" id="user">
<br>
PassWord:
<input name="pass" type="password" id="pass">
<br>
<input type="submit" name="Submit" value="- Login -">
<br>
</form></td>
</tr>
<tr>
<td align="center" valign="top"> </td>
</tr>
</table>
<?php } elseif (!isset($_GET['login']) AND !empty($_SESSION['user'])) { print "<br>You are already logged in!<br>"; } ?>
</div>
</div>
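
A likely reason the MD5 version never matches, given the schema posted earlier in the thread: md5() returns 32 hex characters but `pass` is varchar(30), and MySQL outside strict SQL mode stores only the first 30, so the full digest sent at login never equals the stored value. The following added example (not code from the thread) reproduces that with substr() standing in for the column; the sample password and the function names are assumptions made for illustration.

```php
<?php
// Added example. The column width 30 comes from the posted CREATE TABLE;
// the password is a constructed sample value. No database is needed:
// truncate_to_column() stands in for MySQL's non-strict-mode truncation.
const PASS_COLUMN_WIDTH = 30;

function truncate_to_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Length of the string each hashing choice produces, i.e. the minimum
// column width that stores it intact.
function required_width(string $scheme): int
{
    if ($scheme === 'password_hash') {
        return 255; // width the PHP manual suggests for PASSWORD_DEFAULT
    }
    return strlen(hash($scheme, ''));
}

// Mirrors login.php: the full digest is compared with the stored value.
function login_matches(string $password, string $stored): bool
{
    return hash_equals($stored, md5($password));
}

$password = 'constructed-sample-pw';
$stored30 = truncate_to_column(md5($password), PASS_COLUMN_WIDTH);
$stored32 = truncate_to_column(md5($password), required_width('md5'));

printf("md5 digest length     : %d\n", strlen(md5($password)));
printf("stored in varchar(30) : %d chars, login matches: %s\n",
    strlen($stored30), var_export(login_matches($password, $stored30), true));
printf("stored in varchar(32) : %d chars, login matches: %s\n",
    strlen($stored32), var_export(login_matches($password, $stored32), true));

// The same check for the other hashes suggested in this thread.
foreach (['md5', 'sha1', 'sha256', 'password_hash'] as $scheme) {
    $need = required_width($scheme);
    printf("%-13s needs %3d chars: %s\n", $scheme, $need,
        $need <= PASS_COLUMN_WIDTH ? 'fits' : 'truncated by varchar(30)');
}
```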


