1

login.html

<html>
<head>
<title>
 login
</title>    
</head>

<body>
<fieldset>
    <legend title=login>login</legend>
    <form action="login.php" method="post">

    Username:<br /> 
    <input type="text" name="username" value="" /> 
    <br /><br /> 
    Password:<br /> 
    <input type="password" name="password" value="" /> 
    <br /><br /> 
    <input type="submit" value="Login" />

</form>
</fieldset>
<a href="register.html">Register</a>
<a href="forgotpassword.php">Forgot Password</a>
</body>
</html>

login.php

<?php
    session_start();
    require("DBconnect.php");   
    $username =$_POST[ 'username' ];
    $password=$_POST[ 'password' ];
    if(!empty($_POST)) 
    { 
        // This query retreives the user's information from the database using 
        // their username. 
        $query = " SELECT  user_id,username,password,salt,email FROM users WHERE username ='$username'";
        $result = mysql_query($query);

        if ($result)
         {
         // Fetch the number in the first column of the only row in 
         // the result set.
         $row = mysql_fetch_row($result);
         echo $row[0];

          if($row) 
          { 
            // Using the password submitted by the user and the salt stored in the database, 
            // we now check to see whether the passwords match by hashing the submitted password 
            // and comparing it to the hashed version already stored in the database. 
            $check_password = hash('sha256', $_POST['password'] . $row[3]); 
            for($round = 0; $round < 65536; $round++) 
            { 
                $check_password = hash('sha256', $check_password . $row[3]); 
            } 

            if($check_password == $row[2]) 
            { 
                // If they do, then we flip this to true 
                $login_ok = true; 
            } 
          } 
         }
        // If the user logged in successfully, then we send them to the private members-only page 
        // Otherwise, we display a login failed message and show the login form again 
        if($login_ok) 
        { 
            // Here I am preparing to store the $row array into the $_SESSION by 
            // removing the salt and password values from it.  Although $_SESSION is 
            // stored on the server-side, there is no reason to store sensitive values 
            // in it unless you have to.  Thus, it is best practice to remove these 
            // sensitive values first. 
            //unset($row['salt']); 
            //unset($row['password']); 

            // This stores the user's data into the session at the index 'user'. 
            // We will check this index on the private members-only page to determine whether 
            // or not the user is logged in.  We can also use it to retrieve 
            // the user's details. 
            //$_SESSION['user'] = $row; 

            // Redirect the user to the private members-only page. 
            header("Location: private.php"); 
            die("Redirecting to: private.php"); 
        } 
        else 
        { 
            // Tell the user they failed 
            print("Login Failed."); 

            // Show them their username again so all they have to do is enter a new 
            // password.  The use of htmlentities prevents XSS attacks.  You should 
            // always use htmlentities on user submitted values before displaying them 
            // to any users (including the user that submitted them).  For more information: 
            // http://en.wikipedia.org/wiki/XSS_attack 
            $username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        } 
    } 

?>

***

errors***
Undefined index: username in C:\wamp\www\Authentication system\login.php on line 4
Undefined index: password in C:\wamp\www\Authentication system\login.php on line 5

4
Contributors
8
Replies
27
Views
4 Years
Discussion Span
Last Post by broj1
-1

hello sikha header doesn't work after <html> Tag. can u tell me how to check user is login or not before to write comments....

Edited by pp0007

0

This is strange. It works fine for me. Can you put this code on the very beginning of the lgin.php:

die(print_r($_POST, 1));

This will display contents of the $_POST array and stop the script.

0
<?php
    session_start();
    require("DBconnect.php");   
    if(!empty($_POST['username']) && !empty($_POST['password']))
    {
            $user =$_POST[ 'username' ];
            $pass=$_POST[ 'password' ];
            $qry = " SELECT  user_id,username,password,salt,email FROM users WHERE username ='$user'";
            $result = mysql_query($qry);
            if ($result)
            {
                $row = mysql_fetch_array($result);
                echo $row[0];

            // Using the password submitted by the user and the salt stored in the database, 
            // we now check to see whether the passwords match by hashing the submitted password 
            // and comparing it to the hashed version already stored in the database.
            $check_password = hash('sha256', $_POST[ 'password' ] . $row[3]); 
            for($round = 0; $round < 65536; $round++) 
            { 
                $check_password = hash('sha256', $check_password . $row[3]); 
            } 

            if($check_password == $row[2]) 
            { 
                // If they do, then we flip this to true 
                $login_ok = true;
                echo "successful login";
            } 

         }
        // If the user logged in successfully, then we send them to the private members-only page 
        // Otherwise, we display a login failed message and show the login form again 
        if($login_ok) 
        { 
            // Here I am preparing to store the $row array into the $_SESSION by 
            // removing the salt and password values from it.  Although $_SESSION is 
            // stored on the server-side, there is no reason to store sensitive values 
            // in it unless you have to.  Thus, it is best practice to remove these 
            // sensitive values first. 
            //unset($row['salt']); 
            //unset($row['password']); 

            // This stores the user's data into the session at the index 'user'. 
            // We will check this index on the private members-only page to determine whether 
            // or not the user is logged in.  We can also use it to retrieve 
            // the user's details. 
            //$_SESSION['user'] = $row; 

            // Redirect the user to the private members-only page. 
            header("Location: private.php"); 
            die("Redirecting to: private.php"); 
        } 
        else 
        { 
            // Tell the user they failed 
            print("Login Failed."); 

            // Show them their username again so all they have to do is enter a new 
            // password.  The use of htmlentities prevents XSS attacks.  You should 
            // always use htmlentities on user submitted values before displaying them 
            // to any users (including the user that submitted them).  For more information: 
            // http://en.wikipedia.org/wiki/XSS_attack 
            $user = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        } 
    } 

?>

***
error***
Undefined variable: login_ok

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.