0

Hi..
I've just finished building my website, and now what's left is to create the login page so that I can do the admin things..
For this website I have just one user only, that is me..

So, should I create the database for the login page or not?
Or could I just simply do something like:

if ($password=="password"){
......
}

because I'm scared that if I create the database, my code for handling that database will not be secure enough..

So in my case, which one is better?
Create the database or not create the database?

Thank You :)

5 Contributors, 20 Replies, 22 Views, 6 Years Discussion Span, Last Post by swilliamrobert

0

By creating a database you could store a lot more users, but if your idea was just that you personally could log in, then the first option is probably the safest.
Edit: By using the first option you'll minimize the risk of getting hacked by so-called SQL injections, and a security tip is to set a good strong password.

Regards

Edited by FredrikDuwell: n/a

0

But let's say that I use the first option, and I code it in a file named login.php..

and in that login.php file I write this:

$password="password";
if (password==$password){
.........
}

Is it possible that someone could hijack my website, find that login.php file and thus get my password straight from there?
Is it that easy for someone to find that file?

0

They can't hijack strings.
You could use something like:

$password = md5("your password");

if(md5($_POST['password']) == $password) {
    /* Your Login Content */
}

Have you got a login-form?

When I look at your code I see that the two strings are the same..

$password == $password

That will make everyone get access to your admin-panel with a single click.
Use the code I made above.

Regards

Edited by FredrikDuwell: n/a

0

No wonder someone could get hold of your file list and download the php file...

Keep the directories of your webserver password protected so that nobody can download the file. The rest of what you are doing is OK. It's not easy to hijack a string variable in PHP.

0

Sorry.. but how should I keep the directories of my webserver password protected?
I don't really understand what you mean..

0

Oh ya, after correcting it, this is my login.php for now:

<?php
ob_start();
session_start(); // the session must be started before $_SESSION is used

// Define $myusername and $mypassword (empty string if a field is missing)
$myusername = isset($_POST['myusername']) ? $_POST['myusername'] : '';
$mypassword = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';

$encrypted = sha1($mypassword);

// No SQL query is built in this file, so the connection include and the
// stripslashes()/mysql_real_escape_string() calls are not needed here
// (the mysql_* functions were removed in PHP 7).

$password = sha1("thisismypassword");

// hash_equals() compares the two hex strings in constant time and
// avoids the loose type juggling of ==
if (hash_equals($password, $encrypted))
{
    // Register $myusername and redirect to file "login_success.php".
    // session_register() was removed in PHP 5.4; use $_SESSION instead,
    // and do not keep the password in the session.
    session_regenerate_id(true);
    $_SESSION['myusername'] = $myusername;
    header("location:login_success.php");
}
else {
    header("location:main_login.php");
}

ob_end_flush();
?>

Edited by samsons17: n/a

0

Hi,

If you want to create a login page for one user only, I think there is no need to create a database for that. You just create one text file and put the name and password in it like (admin#adminpass). So you need to write cod to get the values and explode these values from the text file using PHP. Then you can assign a session for the username, then redirect to your page as you want.

Thanks
William

1

Why are you using $_POST if you have only one user, i.e. admin, to edit the website?

Also, to password protect your directories on a webserver, your control panel will have an option to do that; if not, I recommend you change your web hosting provider.

Also, what William has suggested is good.

Votes + Comments
Good information, very well written.
0

There's no need to use database for a single login, better to use an MD5 or SHA1-protected string as password.
To protect your directories, just add index.html in every folder or try using .htaccess.

Regards,
F. Duwell
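
A hardened form of the single-user, no-database login discussed in this thread, as an added example that is not code from any poster: it uses PHP's password_hash()/password_verify() instead of a bare MD5 or SHA1 string and keeps the hash outside the web root. The file path, the username and the session key are assumptions; the form field and page names follow the login.php posted above.

```php
<?php
declare(strict_types=1);

// Assumed path, outside the web root so the web server never serves it.
// The file's only statement returns the string produced by password_hash().
// Create that string once on the command line with
// password_hash($passphrase, PASSWORD_DEFAULT), never inside a web request.
const HASH_FILE  = '/var/www/private/admin_hash.php';
const ADMIN_USER = 'admin'; // assumed username

function credentials_ok(string $user, string $pass, string $storedHash): bool
{
    // Check both parts every time, so a wrong username is not faster to reject.
    $passOk = password_verify($pass, $storedHash);
    $userOk = hash_equals(ADMIN_USER, $user);
    return $passOk && $userOk;
}

function post_string(string $field): string
{
    // Form fields can arrive as arrays (name[]=x); accept plain strings only.
    $value = $_POST[$field] ?? '';
    return is_string($value) ? $value : '';
}

session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,      // assumes the site is served over HTTPS
    'cookie_samesite' => 'Strict',  // PHP 7.3+
    'use_strict_mode' => true,
]);

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !is_readable(HASH_FILE)) {
    header('Location: main_login.php');
    exit;
}

$storedHash = require HASH_FILE;

if (is_string($storedHash)
    && credentials_ok(post_string('myusername'), post_string('mypassword'), $storedHash)) {
    session_regenerate_id(true);   // new session ID on login (session fixation)
    $_SESSION['is_admin'] = true;  // store a flag, never the password
    header('Location: login_success.php');
} else {
    header('Location: main_login.php?msg=1');
}
exit;
```

Each admin page then starts the session the same way and redirects to main_login.php unless `$_SESSION['is_admin']` is true.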

0

The reason why I use $_POST is because I actually have two pages: main_login.php (where the user needs to enter the username and password) and the other one, check_login.php (where it checks whether or not the correct information has been entered)..

So, is it okay that I am using two pages for this?
Or is using one page better?
But wait.. how am I going to use only one page for retrieving the inputs and also validating them? Is it possible?

0

Oh, only one text file??
cod? How do I do this?
Could you show some examples for me please?

Thank You...

0

Hi,

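OK... The code is below.

Create Login.php
----------------
<?php
session_start();
$msg = '';
if(isset($_REQUEST['submit'])){

$username_txt = isset($_REQUEST['username']) ? $_REQUEST['username'] : '';
$password_txt = isset($_REQUEST['password']) ? $_REQUEST['password'] : '';

// These stay null unless a matching username is found in login.txt
$username = null;
$password = null;

// Read login.txt: one "username password" pair per line
$userinfo = file("login.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if($userinfo === false){
    $userinfo = array(); // login.txt missing or unreadable
}
foreach($userinfo as $key => $val)
{
   //explode that data into a new array:
   $data[$key] = explode(" ", $val);
}

for($k = 0; $k < sizeof($userinfo); $k++)
{
    if($username_txt !== '' && $data[$k][0] === $username_txt && isset($data[$k][1])){
        $username =  $data[$k][0];
        $password =  $data[$k][1];
    }
}

// Login Check From Login File and Textfield Values
if($username !== null && $username_txt === trim($username) && $password_txt === trim($password)){
    session_regenerate_id();
    $_SESSION['SESS_MEMBER_ID']=$username;
    session_write_close();
    header("location:users.php");
    exit; // stop here so nothing runs after the redirect
}else
    {
    header("location:index.php?msg=1");
    exit;
    }
  // file() opens and closes login.txt itself, so there is no handle to fclose()
}

if(isset($_REQUEST['msg']) && $_REQUEST['msg']=='1'){

$msg = 'Username/Password Invalid';
}
    ?>
---------------------
Create the username and password text fields and the login button in the same file.

header("location:users.php"); ---> change this to your redirect page
----------------------

Create login.txt
--------
vaibhav1983 vaibhavpass
----------

The line above is the username, then a SPACE, then the password:
username : vaibhav1983
password : vaibhavpass
------------

That's all....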

Edited by Dani: Formatting fixed

0

Oh I see...
Meaning, storing our username and password in the .txt file is the best way, right?

So, thank you so much for helping :)

Edited by mike_2000_17: Fixed formatting

0

As I said earlier in this thread, why do you need to store anything in a file? If somebody gets into your webserver and gets that text file, he gets your admin username and password. Also, why do you need to decrease the performance of your application by reading a file when you have the option of hard-coding it?

Edited by mike_2000_17: Fixed formatting

0

Wait, wait...
williamrobert said that I need to store the username and password in a file, and you said don't.. and as you said, what williamrobert showed me will decrease the performance, right?
So, this means I just need to continue what I've done before and not do what williamrobert told me, right?
I don't know, but you two have confused me.. anyway, thank you all :)

P.S.: I just need to be very sure about this..

0

Yes, definitely you should create a database, because whenever you want to change anything in the data content of your page, you can log in as an administrator and change it as you wish. You just need to create a session, and if you close the page then the session will immediately exit, that type of logic... For further information on coding you can mail me at this mail id..... Have a good day

0

I guess you haven't read the full thread. Creating a DB for just one user won't be advisable.

Reading a file would definitely decrease the performance...

@dipanjan
Please read the complete thread and respond.

0

Hi,

What kind of website are you making now? You can do whatever you want, whether text file or DB. If you have a phpMyAdmin panel, just create a table for the login. Otherwise, how are you going to use a login page, man, even for one user? If you are thinking about the performance level, just leave the text file concept. That's all....

thanks
william
