DaniWeb Forum Index > Web Development > PHP

PHP Login Script

Please support our PHP advertiser: PostgreSQL or MySQL? Compare and contrast the two most popular open source databases

DealthRune DealthRune is offline

Offline Aug 22nd, 2009, 1:07 pm |

Here is a simple login script

Show Printable Version

Code Snippet

•

PHP Syntax

Toggle Plain Text

<?php
$con = mysql_connect('localhost', 'root', '');
$db_select = mysql_select_db('db_name', $con);
if(!db_select){
die("Error: No DataBase Selected.\n");
}
if(!$con){
die("Error: ".mysql_error()."\n");
}
?>
<form action='./login.php' method='POST'>
<table border='0' align='center'>
<tr><td>Username </td><td><input type='text' name='user'></td></tr>
<tr><td>Password </td><td><input type='password' name='pass'></td></tr>
<tr><td colspan='2' align='right'><input type='submit' name='login' value='Login'></td></tr>
</table>
</form>
<?php
$u = $_POST['user'];
$p = $_POST['pass'];
$log = $_POST['login'];
if($log){
$sql = mysql_query("SELECT count(id) FROM `users` WHERE `username` = '$u' AND `password` = '$p'");
$result = mysql_result(sql, 0);
if($result!=1){
die("Invalid Login Information\n");
}else{
echo "Welcome ".$u."! You are now logged in.\n";
}
}
?>

Code Snippet Comments

vijaysankarbhat vijaysankarbhat is offline

Offline | Sep 22nd, 2009

•

great!! what an effort wonderful!!

kkeith29

Offline | Sep 23rd, 2009

•

SQL injection holes. Not secure at all. I wouldn't use it.

-1

phong1040572 phong1040572 is offline

Offline | Sep 29th, 2009

•

it's not useful. SQL injection.!

sureronald sureronald is offline

Offline | Sep 30th, 2009

•

Hey! this script i'm sure is meant for beginners. If you know about SQL injection then I guess you are not a beginner and you can even do this community a favour by posting another version of the script with SQL injection holes well taken care of.
Happy times!

ayesha789

Offline | Sep 30th, 2009

•

nice ? but how we can add secret pages for different users

leviathan185 leviathan185 is offline

Offline | Sep 30th, 2009

•

mysql_real_escape_string(); will prevent injections.

e.g.

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
<?php
$string = 'user input';
$safer = mysql_real_escape_string($string);
// the variable $safer is less likely to cause you any problems from your users input.
?>
<?php
$string = 'user input';
$safer = mysql_real_escape_string($string);
// the variable $safer is less likely to cause you any problems from your users input.
?>

it is always best practice to hash your passwords as well {sha1($string) }. when you create the user, hash the password into the data base. when you check against it hash the password and that will give you the same result but with safer password storage.

Last edited by leviathan185; Sep 30th, 2009 at 8:35 am. Reason: forgot something

kkeith29

Offline | Sep 30th, 2009

•

If you are wanting a better login script look here:

http://www.daniweb.com/forums/post95...tml#post951182

cwarn23

Offline | Oct 1st, 2009

•

This script not only suffers from security holes but also has a but in recording incorrect data. If magic quotes are enabled then every recording of a slash be recorded. This means if you record the username te"s't then when you retrieve it from the database it will display te\"s\'t. To solve that you will need to use the stripslashes() function if magic quotes are enabled. Also note that the mysql_real_escape_string() function not only fixes security holes but also validates the string from potential bugs/errors. So the following is how to convert a variable ready for mysql.

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
<?php
$data = mysql_real_escape_string(stripslashes($_POST['data']));
?>
<?php
$data = mysql_real_escape_string(stripslashes($_POST['data']));
?>